So, is it possible that the issue I'm getting isn't because of the MD5
algorithm, but the RC4? I can try commenting that out and replacing it; but I
don't know what would be the natural, and compliant, replacement algorithm for
that.
Elsewhere in the application, I am using managed TripleDES.
From: lrose...@adobe.com
To: itext-questions@lists.sourceforge.net
Date: Mon, 7 Nov 2011 07:16:35 -0800
Subject: Re: [iText-questions] iTextSharp 5.1.2 and FIPS Compliance
You can't just blanket replace MD5->SHA-256, since there are parts of PDF where
you MUST use MD5 (and not doing so would create an invalid document).
Instead, you would need to disable the specific parts of iText that require MD5
and for others that can accept alternative hash algorithms, use one.
Additionally, you will need to be sure to disable the various password methods
that use RC4 or other non-FIPS algorithms.
Leonard
From: Paul Blecha <pjble...@hotmail.com>
Reply-To: Post here <itext-questions@lists.sourceforge.net>
Date: Mon, 7 Nov 2011 06:43:40 -0800
To: Post here <itext-questions@lists.sourceforge.net>
Subject: Re: [iText-questions] iTextSharp 5.1.2 and FIPS Compliance
In my previous version of iTextSharp, I changed out all references of MD5 to
use SHA-256. Under that scenario, when I turned on the FIPS flag, my
application worked fine. The issue that prevented me moving forward at that
point was, PDFs that were being generated required a password to open, even
when I was passing a null value to the SetEncryption() method for the password.
And, since the password wasn't being set, the PDF was essentially useless.
At that point, I did research and upgraded to 5.1.2. After implementing 5.1.2
as part of my solution, I turned the FIPS flag on; and received the usual "This
implementation is not part of the Windows Platform FIPS validated cryptographic
algorithms." response.
Since the rest of my code worked prior to the implementation of 5.1.2, I know
it is not a problem with my code; the problem is that 5.1.2 cannot be FIPS
compliant. Since these are government machines, I will eventually be required
to have the FIPS flag set to true. So, unfortunately, in this instance, your
statement is untrue.
If I replace all references to MD5 with SHA-256, how can I prevent the PDF from
requiring a password to open it? Or, do you have other alternatives available?
Paul
From: psoa...@glintt.com
To: itext-questions@lists.sourceforge.net
Date: Mon, 7 Nov 2011 10:51:12 +0000
Subject: Re: [iText-questions] iTextSharp 5.1.2 and FIPS Compliance
iTextSharp is FIPS compliant. The MD5 needed by the PDF is generated with the
bouncycastle library and won't be affected by the compliance flag turned on.
Paulo
From: Paul Blecha [mailto:pjble...@hotmail.com]
Sent: Friday, November 04, 2011 3:21 PM
To: itext-questions@lists.sourceforge.net
Subject: [iText-questions] iTextSharp 5.1.2 and FIPS Compliance
I'm a govt contractor on a web application project, and:
I recently upgraded to a utilization of version 5.1.2, since I had read that at
least version 5 was required for FIPS compliance.
I have noted that there are other algorithms in the code besides those that are
FIPS compliant.
I just saw a post from Paulo on another forum site indicating that MD5 was
required for PDF generation.
My server environment will eventually, probably within six months, require the
"Enable FIPS compliance" flag to be turned ON.
When the FIPS flag is on, ANY code that references non-compliant encryption
algorithms will break, EVEN IF those references are not utilized or called from
my application.
So, has anyone created a port of the latest iTextSharp that really IS FIPS
compliant? Or at the very least, has anyone determined how to make the
existing code really WORK with the FIPS compliance flag being turned to "on"?
I'm assuming that if I just comment out the references to non-compliant
algorithms, it should work; but is Paulo's statement about MD5 being required
still true? Do I need to consider a different PDF creation solution?
Thanks for your help in advance.
Paul
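A way to see which platform algorithm classes the FIPS flag rejects on a given machine, as an added example that is not from any poster in this thread or from iTextSharp: the .NET Framework classes raise the "not part of the Windows Platform FIPS validated cryptographic algorithms" InvalidOperationException when they are constructed, so a probe can construct each one and report the result. It assumes .NET Framework 4.x on Windows; the class name FipsProbe and the choice of candidates are illustrative.

```csharp
// Added example: probes System.Security.Cryptography classes only.
// It does not exercise iTextSharp or Bouncy Castle code.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

static class FipsProbe
{
    // Each entry constructs one platform algorithm class. With the FIPS policy
    // enabled, implementations that are not FIPS validated throw from the constructor.
    static readonly Dictionary<string, Func<IDisposable>> Candidates =
        new Dictionary<string, Func<IDisposable>>
    {
        { "MD5CryptoServiceProvider",       () => new MD5CryptoServiceProvider() },
        { "SHA1CryptoServiceProvider",      () => new SHA1CryptoServiceProvider() },
        { "SHA256Managed",                  () => new SHA256Managed() },
        { "SHA256CryptoServiceProvider",    () => new SHA256CryptoServiceProvider() },
        { "RijndaelManaged",                () => new RijndaelManaged() },
        { "AesCryptoServiceProvider",       () => new AesCryptoServiceProvider() },
        { "TripleDESCryptoServiceProvider", () => new TripleDESCryptoServiceProvider() },
    };

    // Returns the number of blocked classes as the process exit code.
    static int Main()
    {
        // Reflects the machine-wide "Enable FIPS compliance" policy setting.
        Console.WriteLine("AllowOnlyFipsAlgorithms: {0}",
                          CryptoConfig.AllowOnlyFipsAlgorithms);
        int blocked = 0;
        foreach (var candidate in Candidates)
        {
            try
            {
                using (candidate.Value()) { }   // construct, then dispose
                Console.WriteLine("  allowed  {0}", candidate.Key);
            }
            catch (InvalidOperationException ex)
            {
                blocked++;
                Console.WriteLine("  BLOCKED  {0}: {1}", candidate.Key, ex.Message);
            }
        }
        return blocked;
    }
}
```

Running it once with the policy off and once with it on shows which class names to search for in an application's own code and in the stack trace of the failing call.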
------------------------------------------------------------------------------
RSA(R) Conference 2012 Save $700 by Nov 18 Register now
http://p.sf.net/sfu/rsa-sfdev2dev1
_______________________________________________ iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions iText(R) is a
registered trademark of 1T3XT BVBA. Many questions posted to this list can (and
will) be answered with a reference to the iText book:
http://www.itextpdf.com/book/ Please check the keywords list before you ask for
examples: http://itextpdf.com/themes/keywords.php