Issue 2335: NuGet.exe not FIPS compliant.

Currently, SHA512.Create() will always use the SHA512Managed class, which is not FIPS compliant and will throw an exception when FIPS compliance is turned on in Windows. We have code in Configuration.CryptoHashProvider that uses the appropriate class when FIPS compliance is turned on. I've switched Packaging.PackageExtractor to use that same logic. I expect that ideally this shared logic should probably live in a more common location (NuGet.Common, I guess?), but we would like to get this change in for 3.4 RTM (by EOW), and I'm OOF for the next two days. Either we can take this as it is for 3.4, and I can clean it up a bit next week, or someone else could take on that task tomorrow. This resolves NuGet/Home#2335
NuGet · Mar 24, 2016 · 2754069 · 2754069
1 parent d74b04c
commit 2754069
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 5 deletions.
diff --git a/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs b/src/NuGet.Core/NuGet.Packaging/PackageExtractor.cs
@@ -6,11 +6,11 @@
 using System.Globalization;
 using System.IO;
 using System.Linq;
-using System.Security.Cryptography;
 using System.Threading;
 using System.Threading.Tasks;
 using System.Xml.Linq;
 using NuGet.Common;
+using NuGet.Configuration;
 using NuGet.Packaging.Core;
 
 namespace NuGet.Packaging
@@ -285,10 +285,7 @@ await ConcurrencyUtilities.ExecuteWithFileLockedAsync(targetNupkg,
 
                                 string packageHash;
                                 nupkgStream.Position = 0;
-                                using (var sha512 = SHA512.Create())
-                                {
-                                    packageHash = Convert.ToBase64String(sha512.ComputeHash(nupkgStream));
-                                }
+                                packageHash = Convert.ToBase64String(new CryptoHashProvider("SHA512").CalculateHash(nupkgStream));
 
                                 File.WriteAllText(tempHashPath, packageHash);
                             }

diff --git a/src/NuGet.Core/NuGet.Packaging/project.json b/src/NuGet.Core/NuGet.Packaging/project.json
@@ -21,6 +21,9 @@
     "NuGet.Common": {
       "target": "project"
     },
+    "NuGet.Configuration": {
+      "target": "project"
+    },
     "NuGet.Packaging.Core": {
       "target": "project"
     },