Free Support Forum - aspose.com

Aspose.Slides not FIPS compliant


#1

Hi,

using the latest Aspose.Slides package from Aspose.Total.net on a FIPS enabled environment we get the error “InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.” while doing the following operations:

  1. saving a PPTX file with password protection (due to a call done by Aspose.Slides to System.Security.Cryptography.RijndaelManaged class constructor);
  2. saving a PowerPoint file to PDF filetype, also without password protection (due to a call done by Aspose.Slides to System.Security.Cryptography.MD5.Create() method).

Point 1 can be easily solved replacing RijndaelManaged instance object with AesCryptoServiceProvider instance object.
Point 2 can be solved using a FIPS compliant hashing algorithm implementation (SHA256CryptoServiceProvider or even SHA1CryptoServiceProvider, at least at the time of writing).

Would it be kindly possible to get a FIPS compliant version of Aspose please? According to your site it should be already FIPS compliant (see page Aspose.Total for .NET - FIPS Compliance).
A similar case is Exception thrown when converting PPTX to PDF with FIPS mode enabled (work should have started in week 43, mid October).

Pasting the obfuscated stack trace for Point 1 and Point 2.

Thanks
Andrea

Point 1 StackTrace (Save to PPTX with password protection):

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.Security.Cryptography.RijndaelManaged…ctor()
at Aspose.Slides. …ctor( , Byte[] , CipherMode )
at Aspose.Slides. .(Byte[] )
at Aspose.Slides. .()
at Aspose.Slides. .(Stream , String , Stream , )
at Aspose.Slides.Presentation.(Stream , PresentationTypeEx , IPptxOptions )
at Aspose.Slides.Presentation.Save(Stream stream, SaveFormat format, ISaveOptions options)

Point 2 StackTrace (Save to PDF even without password protection):

System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeConstructorInfo.Invoke(BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at System.Security.Cryptography.CryptoConfig.CreateFromName(String name, Object[] args)
at System.Security.Cryptography.MD5.Create()
at Aspose.Slides. .…ctor( , )
at Aspose.Slides. .( , )
at Aspose.Slides.​ .( , )
at Aspose.Slides. .( , Boolean )
at Aspose.Slides. .( )
at Aspose.Slides.​ .36gb8j2pxayk423lsm4qwj9yq55a7hwh ( )
at Aspose.Slides. .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides. ​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides.​ .lhrksw4qmpxsb9gbrklg24zzqz43kn79 ( ​ , )
at Aspose.Slides.​ .( ​ , )
at Aspose.Slides. .(Presentation , Stream , Int32[] , PdfOptions , InterruptionToken )
at Aspose.Slides. .(Presentation , Stream , PdfOptions , InterruptionToken )
at Aspose.Slides.Presentation.Save(Stream stream, SaveFormat format, ISaveOptions options)
at Aspose.Slides.Presentation.Save(String fname, SaveFormat format, ISaveOptions options)


#2

@andreagasparin,

I have observed your requirements and regret to share that at present Aspose.Slides is not FIPS compliant and an issue with ID SLIDESNET-39845 has already been added in our issue tracking system to provide requested support. This thread has been linked with the issue so that you may be notified once the issue will be fixed.


#3

Hi Mudassir,

thanks for your reply. Could it be possible to know which version of Aspose.Slides will contain the fix for case SLIDESNET-39845?

Moreover, and maybe even more important: if possible we need a guarantee that all the “not FIPS compliant calls/code blocks” still present in Aspose are not used to handle any security aspect within Aspose library.
For example: all the code blocks that use MD5 are unrelated to security (MD5 is just used as fast digest of items of a dictionary that does not have any security implication).

Could Aspose absolutely guarantee this?

Thanks
Andrea


#4

@andreagasparin,

I have observed your comments. I regret to inform that issue is still unresolved and i request for your patience. We will share details with you regarding ETA soon.

For your above question we need to investigate this if we can provide this facility. We will get back to you soon.