有什么方法可以将非openssl md5用于python中的hashlib吗? [英] Is there any way to use non-openssl md5 for hashlib in python?

问题描述

我生成了md5内容散列以进行上传验证，但是最近引起我注意的是，对于在启用了FIPS的计算机上运行的所有用户，此操作都将失败.当我尝试初始化hashlib时，FIPS禁用openssl md5，结果为ValueError.通常我会改用SHA，但是我依赖于需要content-md5标头的外部服务.

I generate md5 content hashes for upload verification, but it has recently come to my attention that this will fail for any users running on a FIPS enabled machine. FIPS disables openssl md5, resulting in a ValueError when I try to initialize hashlib. Normally I would use SHA instead, but I'm relying on an external service which requires a content-md5 header.

我的问题是:有什么方法可以强制Python使用非openssl哈希函数? 此处关于添加usedforsecurity标志的讨论，但似乎并没有解决

My question is this: Is there any way to force Python to use a non-openssl hashing function? There was some talk here about adding a usedforsecurity flag, but it doesn't seem to have gone anywhere.

推荐答案

如何从FIPS模式计算机发送content-md5标头"的答案是您不使用未经FIPS验证的算法启用FIPS模式，因为这样做可能会违反联邦法规或组织政策，因为FIPS启用计算机的唯一重要原因是是否存在监管(或预防政策)要求

The answer to "how can I send a content-md5 header from a FIPS mode machine" is you don't use non-FIPS validated algorithms when FIPS mode is enabled as you would likely be violating federal regulations or organizational policy by doing so, since the only significant reason to FIPS enable a machine is if there is a regulatory (or perhaps preventive policy) requirement to do so.

在此github问题列表中也进行了一些讨论，这表明content-md5必须是可选的.

There is some discussion in this github issues list as well, suggesting that content-md5 must be optional.

鉴于法规要求，您不能使用MD5，因为它不是FIPS兼容算法，因此不能具有FIPS经过验证的(！)实现.

Give that regulatory requirement, you CANNOT use MD5, since it is not a FIPS compliant algorithm, and therefore CANNOT have a FIPS validated(!) implementation.

您需要执行以下一项操作:

You need to do one of the following:

• 使该服务不需要content-md5标头

• get that service to not require the content-md5 header

使用其他服务

使用不需要处于FIPS模式的其他原始计算机

use a different originating machine which is not required to be in FIPS mode

如果您的管理层需要参考，请参见附录A批准的安全功能FIPS PUB 140-2 ，直接来自nist.gov.

If your management needs a reference, see Annex A Approved Security Functions for FIPS PUB 140-2, straight from nist.gov.

这篇关于有什么方法可以将非openssl md5用于python中的hashlib吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！