Security question. Is Roslyn FIPS 140-2 compliant?

[KleinMichalGit]

Dear community,

I would like to ask if Roslyn.Net version 3.0.0-beta4; 2.1.1-rtm-30846 is FIPS 140-2 compliant.

Thank you.
Michal

[jaredpar]

FIPS compliance has a couple of components:

• Which algorithms are you using?
• Does the runtime use certified crypto libraries when available?
• Are the crypto libraries being used certified?

In terms of algorithms Roslyn is capable of using SHA-1 and SHA-256 depending on the options and scenarios provided. By default SHA-256 is used for invocations that go through dotnet build and msbuild for hashing purposes. That can be configured to use SHA-1 for legacy compat reasons. When strong name signing is performed then SHA-1 will be used as that is required by the underlying ECMA standard.

In terms of does the runtime use certified crypto libraries when available. The most common runtimes that execute the compiler are .NET Framework and .NET Core. The FIPS guidance / information for those can be found here.

In terms of are the crypto libraries themselves certified, that is most typically a property of the operating system. You'll likely need to refer to the operating system to see if it supports FIPS and what steps need to be taken to enable it.