SHA256CryptoServiceProvider not FIPS compliant?

Question

I am looking for a SHA256 implementation in C# that is FIPS compliant. It turns out that SHA1CryptoServiceProvider works. But why does SHA256CryptoServiceProvider trip the

{"This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms."}

error? Seems like it should just work.

var sha = System.Security.Cryptography.SHA256CryptoServiceProvider.Create();   // not FIPS

In this case I am using .NET 4.5, but the same thing happens in 3.5 and 4.0. I thought SHA256CryptoServiceProvider was the FIPS-compliant alternative to SHA256Managed. SHA256Cng throws the same error.

Update. I think I needed to make a "new SHA256CryptoServiceProvider" instead of using Create()

Answer 1

As the original poster suggested in the update, the solution is to actually create a new instance of the SHA256CryptoServiceProvider (or 512). Calling Create will not work:

var csp = new SHA512CryptoServiceProvider();
byte[] hashedBytes = csp.ComputeHash(......);
String hashedText = Convert.ToBase64String(hashedBytes); 

Answer 2

There is no SHA256CryptoServiceProvider.Create(), but there is a SHA256.Create() :

On the .NET Framework, this method creates an instance of the SHA256Managed class if FIPS mode is not active; if FIPS mode is active, it creates an instance of the SHA256Cng class.

There is one caveat, however (which maybe was the original problem):

On .NET 4.6.1 and earlier, with FIPS enabled, this picked SHA256Managed, which is not FIPS-compliant.

If you want to target .NET <= 4.6.1, you can use something along the lines of:

public static SHA256 CreateSHA256()
{
    try
    {
        return SHA256.Create();
    }
    catch (TargetInvocationException)
    {
        return SHA256CryptoServiceProvider.Create();
    }
}