Subject: PdfEncryptionAlgorithm Enumeration does not include any FIPS 140-2 Compliant algorithms
Date: 2012-07-06 17:00:15
From: Denis Manchon
Source: pdfencryptionalgorithm-enumeration-not-include-fips-140-2-compliant-algorithms
----------------------------------------------------------------------

Overview:
Using VS-2010, ASP.Net 4.0/C#, saving a PDF file works when the code is run locally on development PCs, but it fails when run on a server that enforces FIPS 140-2 compliant algorithms (http://en.wikipedia.org/wiki/FIPS_140-2). We cannot turn off FIPS on these servers.

Code Snippet:
string[] paths = new string[] { filename1, filename2 };
PdfDocument doc = new PdfDocument();
PdfDocument.Merge(paths);
doc.Save(outFileName);

Symptom:
The above code works when run locally on our development PCs.  However, when we deploy to a webserver the code fails on the Save() with the following error: 'This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.'

Unfortunately, the PdfEncryptionAlgorithm Enumeration defined within Ultimate PDF only supports 2 algorithms, neither of which is FIPS 140-2 compliant.  Therefore, explicitly setting either algorithm does not solve the problem.
   - RC4
   - AES

QUESTIONS
1. If no settings are explicitly set through the PdfDocument.Security Member, why does a call to PdfDocument.Save() internally invoke encryption?

2. How do we get around this problem (Note: we cannot turn off FIPS on these servers)?

3. Is this product FIPS 140-2 compliant?

4. Are there any hotfixes or patches available to correct the problem?

Final Word
Any sort of response is greatly appreciated.  Unfortunately we are running out of time.  We need a solution ASAP or we will need to look elsewhere for a server-side PDF component.

Regards,

Denis Manchon
----------------------------------------------------------------------
Note: This question has been asked on the Q&A forum of Thang Dang's fraudulent ComponentPro brand. If you purchased anything from ComponentPro, you have been scammed. Contact the payment processor who sold you the license and ask for your money back.
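
The error text quoted under Symptom is the message that individual .NET Framework crypto classes throw from their constructors when the Windows FIPS policy is enforced. The probe below is an added example (not part of the original post and not Ultimate PDF code) that can be run on the affected server to see which System.Security.Cryptography implementations the policy blocks. It assumes .NET Framework 4.0; the class list and the FipsProbe name are illustrative choices.

```csharp
using System;
using System.Security.Cryptography;

// Added diagnostic; FipsProbe is a hypothetical name, not an Ultimate PDF type.
static class FipsProbe
{
    // Constructs one algorithm implementation and reports whether the
    // FIPS policy allowed it.
    static void Probe(string name, Func<IDisposable> create)
    {
        try
        {
            using (create()) { }
            Console.WriteLine("{0,-26} allowed", name);
        }
        catch (InvalidOperationException ex)
        {
            // Non-validated implementations throw here under FIPS enforcement.
            Console.WriteLine("{0,-26} BLOCKED: {1}", name, ex.Message);
        }
    }

    static void Main()
    {
        // True when the machine policy restricts .NET to validated algorithms.
        Console.WriteLine("AllowOnlyFipsAlgorithms = {0}",
                          CryptoConfig.AllowOnlyFipsAlgorithms);

        // Hash implementations.
        Probe("MD5CryptoServiceProvider", () => new MD5CryptoServiceProvider());
        Probe("SHA1Managed", () => new SHA1Managed());
        Probe("SHA1CryptoServiceProvider", () => new SHA1CryptoServiceProvider());
        Probe("SHA256Managed", () => new SHA256Managed());
        Probe("SHA256CryptoServiceProvider", () => new SHA256CryptoServiceProvider());

        // Two implementations of the same cipher: the managed class is not a
        // validated module, while the CSP wrapper calls the Windows one.
        Probe("RijndaelManaged", () => new RijndaelManaged());
        Probe("AesCryptoServiceProvider", () => new AesCryptoServiceProvider());
    }
}
```

Running it on a development PC and on the FIPS-enforcing server side by side shows which implementation classes, rather than which algorithm names, trigger the exception.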