Aspose.Slides not FIPS compliant


#1

Hi,

using the latest Aspose.Slides package from Aspose.Total.net on a FIPS enabled environment we get the error “InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.” while doing the following operations:

  1. saving a PPTX file with password protection (due to a call done by Aspose.Slides to System.Security.Cryptography.RijndaelManaged class constructor);
  2. saving a PowerPoint file to PDF filetype, also without password protection (due to a call done by Aspose.Slides to System.Security.Cryptography.MD5.Create() method).

Point 1 can be easily solved replacing RijndaelManaged instance object with AesCryptoServiceProvider instance object.
Point 2 can be solved using a FIPS compliant hashing algorithm implementation (SHA256CryptoServiceProvider or even SHA1CryptoServiceProvider, at least at the time of writing).

Would it be kindly possible to get a FIPS compliant version of Aspose please? According to your site it should be already FIPS compliant (see page Aspose.Total for .NET - FIPS Compliance).
A similar case is Exception thrown when converting PPTX to PDF with FIPS mode enabled (work should have started in week 43, mid October).

Pasting the obfuscated stack trace for Point 1 and Point 2.

Thanks
Andrea

Point 1 StackTrace (Save to PPTX with password protection):

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.RijndaelManaged…ctor()
at Aspose.Slides. …ctor( , Byte[] , CipherMode )
at Aspose.Slides. .(Byte[] )
at Aspose.Slides. .()
at Aspose.Slides. .(Stream , String , Stream , )
at Aspose.Slides.Presentation.(Stream , PresentationTypeEx , IPptxOptions )
at Aspose.Slides.Presentation.Save(Stream stream, SaveFormat format, ISaveOptions options)

Point 2 StackTrace (Save to PDF even without password protection):

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.MD5.Create()
at Aspose.Slides. .…ctor( , )
at Aspose.Slides. .( , )
at Aspose.Slides.​ .( , )
at Aspose.Slides. .( , Boolean )
at Aspose.Slides. .( )
at Aspose.Slides.​ .36gb8j2pxayk423lsm4qwj9yq55a7hwh ( )
at Aspose.Slides. .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides.​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides.​ .( ​ , )
at Aspose.Slides. .(Presentation , Stream , Int32[] , PdfOptions , InterruptionToken )
at Aspose.Slides. .(Presentation , Stream , PdfOptions , InterruptionToken )
at Aspose.Slides.Presentation.Save(Stream stream, SaveFormat format, ISaveOptions options)
at Aspose.Slides.Presentation.Save(String fname, SaveFormat format, ISaveOptions options)


#2

@andreagasparin,

I have observed your requirements and regret to share that at present Aspose.Slides is not FIPS compliant and an issue with ID SLIDESNET-39845 has already been added in our issue tracking system to provide requested support. This thread has been linked with the issue so that you may be notified once the issue will be fixed.


#3

Hi Mudassir,

thanks for your reply. Could it be possible to know which version of Aspose.Slides will contain the fix for case SLIDESNET-39845?

Moreover, and maybe even more important: if possible we need a guarantee that all the “not FIPS compliant calls/code blocks” still present in Aspose are not used to handle any security aspect within Aspose library.
For example: all the code blocks that use MD5 are unrelated to security (MD5 is just used as fast digest of items of a dictionary that does not have any security implication).

Could Aspose absolutely guarantee this?

Thanks
Andrea


#4

@andreagasparin,

I have observed your comments. I regret to inform that issue is still unresolved and i request for your patience. We will share details with you regarding ETA soon.

For your above question we need to investigate this if we can provide this facility. We will get back to you soon.


#5

Hi,

are there any news regarding the questions I asked above? We have in particular some urgency to have an answer to the following question:

“Moreover, and maybe even more important: if possible we need a guarantee that all the “not FIPS compliant calls/code blocks” still present in Aspose are not used to handle any security aspect within Aspose library.
For example: all the code blocks that use MD5 are unrelated to security (MD5 is just used as fast digest of items of a dictionary that does not have any security implication).”

Or if it is not possible for you we need an ETA for the two FIPS related fixes I wrote above.

Thanks
Andrea


#6

@andreagasparin,

I have observed your comments and regret to inform that we are still investigating this and will be able to answer on Monday. I also like to inform that tickets are going to be resolved tentatively in Aspose.Slides 19.3. We will share good news with you soon.


#7

Hi Adnan,

are there any news for this issue? Will the fix be released with version 19.3?

Thanks
Andrea


#8

@andreagasparin,

I have observed your comments. I like to inform that issue is still in progress and Aspose.Slides 19.3 will be released by end of March 2019. I request for your patience and we will share good news with you soon.


#9

Hi Adnan,

sorry to bother you again, but do you have some news to share about this topic?

Thanks
Andrea


#10

@andreagasparin,

I like to inform this issue is going to be resolved tentatively in Aspose.Slides 19.3. We will share good news with you soon.


#11

The issues you have found earlier (filed as SLIDESNET-39845) have been fixed in this update.


#12

Hi Adnan,

we tested Aspose 19.3, and while the Save to PDF (Point 2 in my first post) has been solved, we have still some troubles with Point 1 (Save to PPTX with password protection).
Now we have this stack trace:

System.NullReferenceException: Object reference not set to an instance of an object.
at Aspose.Slides. .qkzuvnamwb5tapbc49p52fafgz86qp54 (Boolean )
at Aspose.Slides. .Dispose()
at Aspose.Slides. .(Stream , String , Stream , ​ )
at Aspose.Slides.Presentation.(Stream , PresentationTypeEx , IPptxOptions )
at Aspose.Slides.Presentation.Save(Stream stream, SaveFormat format, ISaveOptions options)

This happens only on machines with FIPS policy enabled. If the FIPS policy is disabled or if no password is used there are no issues.

So while now it is FIPS compliant (let’s say) we still cannot use it because it does not work due to a NullReferenceException on a Dispose method.

Waiting fror an answer from you about this issue.

Thanks and best regards
Andrea


#13

@andreagasparin,

I have observed your comments. An issue with ID SLIDESNET-41069 has already been added in our issue tracking system to resolve this issue. This thread has been linked with the issue so that you may be notified once the issue will be fixed.


#14

Hi Adnan,

could you kindly share any news about issue SLIDESNET-41069, if any?

Thanks
Andrea


#15

@andreagasparin,

I regret to share that at present the issue is still unresolved. We request for your patience till the time the issue gets resolved in our issue tracking system. We will share feedback with you once issue will be fixed.