No security provider to read private key with openjdk 11

[magwas]

I'm submitting a ...

• [ x] bug report
• feature request

Describe the issue
When trying to connect using certificate authentication, the following error occurs:

 Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting 1.2.840.113549.1.5.13
     at java.base/javax.crypto.Cipher.getInstance(Cipher.java:565)
     at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:205)

Driver Version?

42.2.8

Java Version?

11

OS Version?

Ubuntu Bionic

PostgreSQL Version?

10.10-0ubuntu0.18.04.1

To Reproduce

https://stackoverflow.com/questions/58488774/configure-tomcat-hibernate-to-have-a-cryptographic-provider-supporting-1-2-840-1

Expected behaviour

To be able to connect to the database.
If I could add BouncyCastle cryptographic security provider to the configuration, that would serve as a good workaround.

Logs

Oct 21 17:12:39 market/market tomcat9[17060]: Hibernate: select user0_.id as id1_0_, user0_.auth0id as auth2_0_, user0_.email as email3_0_, user0_.name as name4_0_ from User user0_ where user0_.auth0id=?
Oct 21 17:12:39 market/market tomcat9[17060]: [ajp-nio-8009-exec-11] WARN org.hibernate.engine.jdbc.spi.SqlExceptionHelper - SQL Error: 0, SQLState: null
Oct 21 17:12:39 market/market tomcat9[17060]: [ajp-nio-8009-exec-11] ERROR org.hibernate.engine.jdbc.spi.SqlExceptionHelper - Cannot create PoolableConnectionFactory (Could not find a java cryptographic algorithm: Cannot find any provider supporting 1.2.840.113549.1.5.13.
)
Oct 21 17:12:39 market/market tomcat9[17060]: Servlet.service() for servlet [com.kodekonveyor.market.servlets.LoginServlet] in context with path [/market] threw exception
Oct 21 17:12:39 market/market tomcat9[17060]: org.springframework.orm.jpa.JpaSystemException: Unable to acquire JDBC Connection; nested exception is org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.orm.jpa.vendor.HibernateJpaDialect.convertHibernateAccessException(HibernateJpaDialect.java:352)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.orm.jpa.vendor.HibernateJpaDialect.translateExceptionIfPossible(HibernateJpaDialect.java:254)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.orm.jpa.AbstractEntityManagerFactoryBean.translateExceptionIfPossible(AbstractEntityManagerFactoryBean.java:528)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.dao.support.ChainedPersistenceExceptionTranslator.translateExceptionIfPossible(ChainedPersistenceExceptionTranslator.java:61)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.dao.support.DataAccessUtils.translateIfNecessary(DataAccessUtils.java:242)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:153)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.jpa.repository.support.CrudMethodMetadataPostProcessor$CrudMethodMetadataPopulatingMethodInterceptor.invoke(CrudMethodMetadataPostProcessor.java:149)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:93)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:212)
Oct 21 17:12:39 market/market tomcat9[17060]: at com.sun.proxy.$Proxy150.findByAuth0id(Unknown Source)
Oct 21 17:12:39 market/market tomcat9[17060]: at com.kodekonveyor.market.login.LoginService.call(LoginService.java:41)
Oct 21 17:12:39 market/market tomcat9[17060]: at com.kodekonveyor.market.servlets.LoginServlet.doGet(LoginServlet.java:29)
Oct 21 17:12:39 market/market tomcat9[17060]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:634)
Oct 21 17:12:39 market/market tomcat9[17060]: at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:200)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:490)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:668)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:394)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:834)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1415)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/java.lang.Thread.run(Thread.java:834)
Oct 21 17:12:39 market/market tomcat9[17060]: Caused by: org.hibernate.exception.GenericJDBCException: Unable to acquire JDBC Connection
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.exception.internal.StandardSQLExceptionConverter.convert(StandardSQLExceptionConverter.java:47)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:113)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.spi.SqlExceptionHelper.convert(SqlExceptionHelper.java:99)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:107)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.getPhysicalConnection(LogicalConnectionManagedImpl.java:134)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.connection(StatementPreparerImpl.java:50)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$5.doPrepare(StatementPreparerImpl.java:149)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.internal.StatementPreparerImpl$StatementPreparationTemplate.prepareStatement(StatementPreparerImpl.java:176)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.internal.StatementPreparerImpl.prepareQueryStatement(StatementPreparerImpl.java:151)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.prepareQueryStatement(Loader.java:2099)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:2029)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.executeQueryStatement(Loader.java:2007)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.doQuery(Loader.java:953)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.doQueryAndInitializeNonLazyCollections(Loader.java:354)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.doList(Loader.java:2810)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.doList(Loader.java:2792)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.listIgnoreQueryCache(Loader.java:2624)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.Loader.list(Loader.java:2619)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.loader.hql.QueryLoader.list(QueryLoader.java:506)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.hql.internal.ast.QueryTranslatorImpl.list(QueryTranslatorImpl.java:396)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.query.spi.HQLQueryPlan.performList(HQLQueryPlan.java:219)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.internal.SessionImpl.list(SessionImpl.java:1410)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.query.internal.AbstractProducedQuery.doList(AbstractProducedQuery.java:1558)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.query.internal.AbstractProducedQuery.list(AbstractProducedQuery.java:1526)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.query.Query.getResultList(Query.java:165)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.query.criteria.internal.compile.CriteriaQueryTypeQueryAdapter.getResultList(CriteriaQueryTypeQueryAdapter.java:76)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Oct 21 17:12:39 market/market tomcat9[17060]: at java.base/java.lang.reflect.Method.invoke(Method.java:566)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.orm.jpa.SharedEntityManagerCreator$DeferredQueryInvocationHandler.invoke(SharedEntityManagerCreator.java:409)
Oct 21 17:12:39 market/market tomcat9[17060]: at com.sun.proxy.$Proxy161.getResultList(Unknown Source)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.jpa.repository.query.JpaQueryExecution$CollectionExecution.doExecute(JpaQueryExecution.java:126)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.jpa.repository.query.JpaQueryExecution.execute(JpaQueryExecution.java:88)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.jpa.repository.query.AbstractJpaQuery.doExecute(AbstractJpaQuery.java:154)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.jpa.repository.query.AbstractJpaQuery.execute(AbstractJpaQuery.java:142)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.doInvoke(RepositoryFactorySupport.java:618)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.data.repository.core.support.RepositoryFactorySupport$QueryExecutorMethodInterceptor.invoke(RepositoryFactorySupport.java:605)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.transaction.interceptor.TransactionAspectSupport.invokeWithinTransaction(TransactionAspectSupport.java:353)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.transaction.interceptor.TransactionInterceptor.invoke(TransactionInterceptor.java:99)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.springframework.dao.support.PersistenceExceptionTranslationInterceptor.invoke(PersistenceExceptionTranslationInterceptor.java:139)
Oct 21 17:12:39 market/market tomcat9[17060]: ... 38 more
Oct 21 17:12:39 market/market tomcat9[17060]: Caused by: java.sql.SQLException: Cannot create PoolableConnectionFactory (Could not find a java cryptographic algorithm: Cannot find any provider supporting 1.2.840.113549.1.5.13.)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:735)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createDataSource(BasicDataSource.java:605)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.getConnection(BasicDataSource.java:794)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.engine.jdbc.connections.internal.DatasourceConnectionProviderImpl.getConnection(DatasourceConnectionProviderImpl.java:122)
Oct 21 17:12:39 market/market tomcat9[17060]: at org.hibernate.internal.NonContextualJdbcConnectionAccess.obtainConnection(NonContextualJdbcConnectionAccess.java:38)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl.acquireConnectionIfNeeded(LogicalConnectionManagedImpl.java:104)
Oct 21 17:12:40 market/market tomcat9[17060]: ... 77 more
Oct 21 17:12:40 market/market tomcat9[17060]: Caused by: org.postgresql.util.PSQLException: Could not find a java cryptographic algorithm: Cannot find any provider supporting 1.2.840.113549.1.5.13.
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:253)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.AbstractKeyManagerWrapper.getPrivateKey(SSLContextImpl.java:1764)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:197)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:154)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:87)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.choosePossession(CertificateMessage.java:1052)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:1073)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:930)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:981)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:856)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:441)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.jdbc.PgConnection.(PgConnection.java:195)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.Driver.makeConnection(Driver.java:458)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.Driver.connect(Driver.java:260)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.DriverConnectionFactory.createConnection(DriverConnectionFactory.java:53)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.PoolableConnectionFactory.makeObject(PoolableConnectionFactory.java:355)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.validateConnectionFactory(BasicDataSource.java:116)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.apache.tomcat.dbcp.dbcp2.BasicDataSource.createPoolableConnectionFactory(BasicDataSource.java:731)
Oct 21 17:12:40 market/market tomcat9[17060]: ... 82 more
Oct 21 17:12:40 market/market tomcat9[17060]: Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting 1.2.840.113549.1.5.13
Oct 21 17:12:40 market/market tomcat9[17060]: at java.base/javax.crypto.Cipher.getInstance(Cipher.java:565)
Oct 21 17:12:40 market/market tomcat9[17060]: at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:205)
Oct 21 17:12:40 market/market tomcat9[17060]: ... 112 more

[davecramer]

Please read https://jdbc.postgresql.org/documentation/head/connect.html specifically Note: The key file must be in DER format. A PEM key can be converted to DER format using the openssl command

[magwas]

The file ~tomcat/.postgresql/postgresql.pk8 is created by the command
openssl pkcs8 -topk8 -inform PEM -in /keys/tomcat/privkey.pem -outform DER -out postgresql.pk8
as per the instructions of the documentation you referenced.

The resource definition in context.xml:

<Resource name="jdbc/users" auth="Container"
          type="javax.sql.DataSource" driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&amp;sslmode=verify-ca"
          username="market" maxTotal="20" maxIdle="10"
	  maxWaitMillis="-1"/>

[davecramer]

How would pgjdbc know where to find it?

[magwas]

apparently it does find it, as it is at the default path for the sslkey option.
According to strace, it does find and read the file.

[magwas]

Just tell me what should I try to investigate the problem, any workaround, or if you would like to login to the test host and look around.

[davecramer]

@magwas What I would do is take tomcat out of the equation and see if I could make a small program written in java that connected via SSL, at least if it fails then I could replicate it simply.

[magwas]

root@market:~/tmp# ls
PgjdbcTest.java
root@market:~/tmp# javac PgjdbcTest.java 
root@market:~/tmp# java -cp /usr/local/tomcat9/lib/postgresql-42.2.8.jar:. PgjdbcTest "jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true"
jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true
Exception in thread "main" org.postgresql.util.PSQLException: Could not find a java cryptographic algorithm: Cannot find any provider supporting 1.2.840.113549.1.5.13.
	at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:253)
	at java.base/sun.security.ssl.AbstractKeyManagerWrapper.getPrivateKey(SSLContextImpl.java:1764)
	at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createClientPossession(X509Authentication.java:197)
	at java.base/sun.security.ssl.X509Authentication$X509PossessionGenerator.createPossession(X509Authentication.java:154)
	at java.base/sun.security.ssl.X509Authentication.createPossession(X509Authentication.java:87)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.choosePossession(CertificateMessage.java:1052)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:1073)
	at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:930)
	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436)
	at java.base/sun.security.ssl.Finished$T13FinishedConsumer.onConsumeFinished(Finished.java:981)
	at java.base/sun.security.ssl.Finished$T13FinishedConsumer.consume(Finished.java:856)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1152)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1063)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402)
	at org.postgresql.ssl.MakeSSL.convert(MakeSSL.java:40)
	at org.postgresql.core.v3.ConnectionFactoryImpl.enableSSL(ConnectionFactoryImpl.java:441)
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:94)
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192)
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195)
	at org.postgresql.Driver.makeConnection(Driver.java:458)
	at org.postgresql.Driver.connect(Driver.java:260)
	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:677)
	at java.sql/java.sql.DriverManager.getConnection(DriverManager.java:251)
	at PgjdbcTest.main(PgjdbcTest.java:13)
Caused by: java.security.NoSuchAlgorithmException: Cannot find any provider supporting 1.2.840.113549.1.5.13
	at java.base/javax.crypto.Cipher.getInstance(Cipher.java:565)
	at org.postgresql.ssl.LazyKeyManager.getPrivateKey(LazyKeyManager.java:205)
	... 29 more
root@market:~/tmp# ls -lL ~/.postgresql/
total 11
-rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
-r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
-rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
root@market:~/tmp# cat PgjdbcTest.java 

import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

public class PgjdbcTest {

	public static void main(final String[] argv) throws SQLException {
		final String url = argv[0];
		System.out.println(url);
		final Connection conn = DriverManager.getConnection(url);
		final Statement st = conn.createStatement();
		final ResultSet rs = st.executeQuery("SELECT username FROM users");
		while (rs.next())
			System.out.print("username:" + rs.getString(1));
		rs.close();
		st.close();
	}
}

[magwas]

Are we absolutely sure that it is supposed to work with postgresql.crt being a PEM encoded certificate and postgresql.pk8 being a DER encoded pkcs-8?
Are there other certificate/key formats I should try?

[davecramer]

Yes we test every commit with SSL https://travis-ci.org/pgjdbc/pgjdbc/jobs/599551465

[magwas]

I have tried it with the certs and keys provided in the source in certdir. (yes, I have set up a postgres server with the server key there). That does work.
I did not originally include -v1 PBE-MD5-DES in the commandline creating pkcs8. I recreated the key with it, but the problem is the same.
The problem is the same with an empty postgresql.pkcs8
Maybe then the problem is with the certificate. I do have a SAN there.
I try to check with a certificate without SAN.

[ChristopherSchultz]

The JDBC driver documentation doesn't specify what types all those files should be. It suggests PKCS#8 just based upon the filenames, but then there is DER (binary) versus PEM.

The docs also describes a slightly different keying format if you are using "Java's default mechanism (not LibPQFactory)". Is that the common case? How does one know if one is using LibPQFactory or not?

Let's assume you are using "Java's default mechanism (not LibPQFactory)" and you have to convert your client key and certificate into a JKS or PKCS12 keystore. Where do you put the keystore? How do you tell the driver where your keystore is? Do you have really have to use system properties to affect the whole JVM and can't specify those details in the JDBC URL? The docs only show how to set the trust store (which establishes trust of the server) and not the key store (which contains the client's secrets and certificate).

@davecramer I'm curious where I can look for information about use of client-certificates in the output of the Travis job.

[magwas]

Please disregard the previous post, I used the wrong filename for the private key.
The culprit was not using -v1 PBE-MD5-DES in the commandline generating the pk8 file.
I am creating a PR with a patch to the documentation, as it is missing there.

[ChristopherSchultz]

The culprit was not using -v1 PBE-MD5-DES in the commandline generating the pk8 file.

How are you generating your PKCS8 file? With openssl pkcs8? Why bother specifying the algorithm instead of using the default? Please be sure to show your exact command-lines when describing how you have generated your key, certificate, and keystore.

[davecramer]

@magwas up to now you did not have to specify this. Thanks for digging into this.

[davecramer]

@ChristopherSchultz by default it uses java's keystore and you do not have to tell it where it is. It is in JAVA_HOME (somewhere) as for using LibPQFactory you specify that on the connection. However I now see that this is not documented. I know it once was.

[davecramer]

@ChristopherSchultz see https://github.com/pgjdbc/pgjdbc/blob/master/certdir/README.md for how the certs were created.

[ChristopherSchultz]

@davecramer Thanks. I'm looking at the code for LazyKeyManager for an eye towards allowing PEM-encoded files as well as DER-encoded files. DER files suck :(

[davecramer]

@ChristopherSchultz Awesome!

[davecramer]

Just found this in the openssl release notes
*) Change default algorithms in pkcs8 utility to use PKCS#5 v2.0,
256 bit AES and HMAC with SHA256.
[Steve Henson]

This appears to start with 1.1.1

I've confirmed this is the case.

openssl version
OpenSSL 1.1.1 11 Sep 2018

[magwas]

I don't know whether it worth to reopen this issue or open a new one for it. but the situation now is the following:

• openssl have gone forward with the security of the private key by changing the pkcs8 utility to use more modern algorithms
• this documentation change recommends users to use an old set of algorithms.

This can create a security vulnerability in some setups as cryptography moves forward.
My use case does not depend on cryptography of the key file for security, as I am generating the key in situ, and relying on OS access control. But any use case which involves sending the keys around in untrusted channels (and some of the real-world key distribution setups do that), could be made vulnerable by the inability to use stat of the art crypto to protect the keys.
I see the following ways to remediate the situation:

1. figure out how to support state of the art crypto, or
2. place a warning in the documentation about possible vulnerabilities.

Of course I regard the second solution as inadequate, as it would make pgjdbc unsuitable for use in any large enterprise with a usual security policy.

[magwas]

This excellent stack overflow answer gives even more details about the original problem, and suggest a cipher suite which is maybe better: https://stackoverflow.com/questions/58488774/configure-tomcat-hibernate-to-have-a-cryptographic-provider-supporting-1-2-840-1

[davecramer]

So what key encryption will java accept ?