Bug 2084209

Summary: postgresql jdbc driver not able to connect in FIPS mode
Product: Red Hat Enterprise Linux 8
Reporter: Mike Millson <mmillson>
Component: postgresql-jdbc
Assignee: Zuzana Miklankova <zmiklank>
Status: CLOSED DUPLICATE
QA Contact: RHEL CS Apps Subsystem QE <rhel-cs-apps-subsystem-qe>
Severity: unspecified
Priority: unspecified
Version: ---
CC: databases-maint, fjanus, mkulik, pkubat
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Last Closed: 2022-06-28 18:32:53 UTC
Type: Bug

Description Mike Millson 2022-05-11 16:35:34 UTC
postgresql jdbc driver version 42.2.43 is not able to connect to the postgresql database when RHEL is running in FIPS mode.

You get the following exception:

properties: FIPS mode default keystore.type = PKCS11
properties: FIPS mode javax.net.ssl.keyStore = NONE
properties: FIPS mode javax.net.ssl.trustStoreType = pkcs12
properties: FIPS support enabled with plain key support
Something unusual has occurred to cause the driver to fail. Please report this exception.
org.postgresql.util.PSQLException: Something unusual has occurred to cause the driver to fail. Please report this exception.
               at org.postgresql.Driver.connect(Driver.java:280)
               at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
               at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:228)
               at gms.pgtest.PostgreSQLJDBC.connect(PostgreSQLJDBC.java:24)
               at gms.pgtest.PostgreSQLJDBC.main(PostgreSQLJDBC.java:41)
Caused by: java.lang.RuntimeException: Platform error: unsupported key for HMAC algorithm
               at org.postgresql.shaded.com.ongres.scram.common.util.CryptoUtil.hmac(CryptoUtil.java:147)
               at org.postgresql.shaded.com.ongres.scram.common.ScramMechanisms.hmac(ScramMechanisms.java:143)
               at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.hmac(ScramFunctions.java:70)
               at org.postgresql.shaded.com.ongres.scram.common.ScramFunctions.clientKey(ScramFunctions.java:85)
               at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:188)
               at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:194)
               at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ClientFinalProcessor.<init>(ScramSession.java:163)
               at org.postgresql.shaded.com.ongres.scram.client.ScramSession$ServerFirstProcessor.clientFinalProcessor(ScramSession.java:130)
               at org.postgresql.jre7.sasl.ScramAuthenticator.processServerFirstMessage(ScramAuthenticator.java:147)
               at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:816)
               at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:180)
               at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:235)
               at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
               at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:223)
               at org.postgresql.Driver.makeConnection(Driver.java:400)
               at org.postgresql.Driver.connect(Driver.java:259)
               ... 4 more
Unable to connect to the database ... check the logs for the exception message

It works when FIPS mode is disabled with "-Dcom.redhat.fips=false".
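
The frame that fails in the stack trace above is the SCRAM ClientKey computation (`ScramFunctions.clientKey` calling `CryptoUtil.hmac`). The following is an added diagnostic, not part of the original report or of pgjdbc, that performs the same HMAC with plain `javax.crypto` calls so the JVM's FIPS configuration can be checked without a database. The class name `ScramHmacFipsCheck`, the constructed key bytes, and the idea that the shaded SCRAM library initialises the `Mac` with a `SecretKeySpec` are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Added diagnostic, not pgjdbc code: isolates the HMAC step seen in the stack trace. */
public class ScramHmacFipsCheck {

    /**
     * Computes ClientKey = HMAC(SaltedPassword, "Client Key") (RFC 5802) with the
     * JVM's default provider and reports whether the raw-byte key was accepted.
     */
    static String tryClientKey(String algorithm, byte[] saltedPassword) {
        try {
            Mac mac = Mac.getInstance(algorithm);
            // Assumption: the driver hands the provider a software key like this one.
            mac.init(new SecretKeySpec(saltedPassword, algorithm));
            byte[] clientKey = mac.doFinal("Client Key".getBytes(StandardCharsets.UTF_8));
            return "accepted by " + mac.getProvider().getName()
                    + ", " + clientKey.length + "-byte ClientKey";
        } catch (InvalidKeyException e) {
            // Assumption: this is the exception the driver reports as
            // "unsupported key for HMAC algorithm".
            return "key rejected: " + e;
        } catch (NoSuchAlgorithmException e) {
            return "algorithm unavailable: " + e;
        }
    }

    public static void main(String[] args) {
        // The settings the FIPS-mode JVM printed in the report.
        System.out.println("com.redhat.fips              = " + System.getProperty("com.redhat.fips"));
        System.out.println("default keystore type        = " + KeyStore.getDefaultType());
        System.out.println("javax.net.ssl.keyStore       = " + System.getProperty("javax.net.ssl.keyStore"));
        System.out.println("javax.net.ssl.trustStoreType = " + System.getProperty("javax.net.ssl.trustStoreType"));

        // Constructed 32-byte stand-in for SaltedPassword; no real credential is involved.
        byte[] saltedPassword = new byte[32];
        for (int i = 0; i < saltedPassword.length; i++) {
            saltedPassword[i] = (byte) (i + 1);
        }
        // PostgreSQL's SCRAM mechanism is SCRAM-SHA-256, hence HmacSHA256.
        System.out.println("HmacSHA256: " + tryClientKey("HmacSHA256", saltedPassword));
    }
}
```

Run it once under the FIPS-mode JVM and once with `-Dcom.redhat.fips=false`, the switch the report says makes the connection work, and compare the two `HmacSHA256` lines.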

Comment 1 Zuzana Miklankova 2022-05-13 12:52:24 UTC
> postgresql jdbc driver version 42.2.43 is not able to connect to the postgresql database when RHEL is running in FIPS mode.

The latest version of postgresql-jdbc 42.2.x is currently 42.2.25 [1]. Could you please recheck the version of the affected pgjdbc?

Is there any minimal reproducer, which could be used for debugging?

[1] https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.25

Comment 5 Mike Millson 2022-06-28 18:32:53 UTC

*** This bug has been marked as a duplicate of bug 2020290 ***