MD5 checksum crash in AWS SQS receive messages #4717

Closed
gorell opened this issue Nov 22, 2023 · 5 comments · Fixed by #4729

gorell commented Nov 22, 2023

Describe the bug

Hi Team,
We run our JDK in FIPS mode - that doesn't include MD5 as a supported algorithm. When trying to receive messages using the AWS SDK v2 code, the following exception is thrown:

```
java.lang.IllegalStateException: java.security.NoSuchAlgorithmException: MD5 MessageDigest not available
	at software.amazon.awssdk.utils.Md5Utils.computeMD5Hash(Md5Utils.java:84)
	at software.amazon.awssdk.services.sqs.internal.MessageMD5ChecksumInterceptor.calculateMessageBodyMd5(MessageMD5ChecksumInterceptor.java:208)
	at software.amazon.awssdk.services.sqs.internal.MessageMD5ChecksumInterceptor.receiveMessageResultMd5Check(MessageMD5ChecksumInterceptor.java:136)
	at software.amazon.awssdk.services.sqs.internal.MessageMD5ChecksumInterceptor.afterExecution(MessageMD5ChecksumInterceptor.java:88)
	at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.lambda$afterExecution$10(ExecutionInterceptorChain.java:195)
	at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.reverseForEach(ExecutionInterceptorChain.java:237)
	at software.amazon.awssdk.core.interceptor.ExecutionInterceptorChain.afterExecution(ExecutionInterceptorChain.java:195)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.AfterExecutionInterceptorsStage.execute(AfterExecutionInterceptorsStage.java:26)
	at software.amazon.awssdk.core.internal.http.pipeline.RequestPipelineBuilder$ComposingRequestPipelineStage.execute(RequestPipelineBuilder.java:206)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:37)
	at software.amazon.awssdk.core.internal.http.pipeline.stages.ExecutionFailureExceptionReportingStage.execute(ExecutionFailureExceptionReportingStage.java:26)
	at software.amazon.awssdk.core.internal.http.AmazonSyncHttpClient$RequestExecutionBuilderImpl.execute(AmazonSyncHttpClient.java:193)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.invoke(BaseSyncClientHandler.java:103)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.doExecute(BaseSyncClientHandler.java:171)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.lambda$execute$1(BaseSyncClientHandler.java:82)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.measureApiCallSuccess(BaseSyncClientHandler.java:179)
	at software.amazon.awssdk.core.internal.handler.BaseSyncClientHandler.execute(BaseSyncClientHandler.java:76)
	at software.amazon.awssdk.core.client.handler.SdkSyncClientHandler.execute(SdkSyncClientHandler.java:45)
	at software.amazon.awssdk.awscore.client.handler.AwsSyncClientHandler.execute(AwsSyncClientHandler.java:56)
	at software.amazon.awssdk.services.sqs.DefaultSqsClient.receiveMessage(DefaultSqsClient.java:1400)
```

We create our SQS client using the following AWS SDK v2 code:

```java
SqsClientBuilder sqsClientBuilder = SqsClient.builder()
    .fipsEnabled(true)
    .region(Region.of(region));
SqsClient sqsClient = sqsClientBuilder.build();
```

And we use this code for the message retrieval:

```java
ReceiveMessageRequest receiveMessageRequest = ReceiveMessageRequest.builder()
    .queueUrl(queueUrl)
    .attributeNamesWithStrings(APPROXIMATE_RECEIVE_COUNT.toString())
    .messageAttributeNames("All")
    .maxNumberOfMessages(maxMessageCount)
    .build();
List<Message> messages = sqsClient.receiveMessage(receiveMessageRequest).messages();
```

For the regular JDK the above code works fine. The problem for the FIPS-compliant JDK seems to be with the MD5 checksum being activated explicitly in AWS SDK v2 code. Below, please see the screenshot of software.amazon.awssdk.services.sqs.DefaultSqsBaseClientBuilder, with the problematic code seemingly being activated in a hard-coded way.
[Image: Screenshot 2023-11-22 at 15 55 27]

Expected Behavior

MD5 checksum shouldn't be done explicitly for SQS receive messages, or there should be a way to disable it. The above flow should pass. Send messages should work in a similar way.

Current Behavior

Getting the above-mentioned exception in SQS receive messages.

Reproduction Steps

Run receive messages as described above for a JDK that doesn't support MD5.

Possible Solution

There should be a way to disable the MD5 checksum.

Additional Information/Context

This S3 bug seems to be related, though for S3 there is a workaround to disable the checksum.

AWS Java SDK version used

2.20.42

JDK version used

openjdk 17.0.7

Operating System and version

Linux service-5b7c8c4788-c62fp 5.4.238-148.347.amzn2.x86_64 #1 SMP Thu Apr 6 19:42:57 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

gorell added the bug and needs-triage labels Nov 22, 2023

debora-ito (Member) commented

@gorell acknowledged, there should be a way to disable the SQS message MD5 checksum validation in this case.

Can you share more details about the FIPS compliant mode in the JDK you're using? How do you enable this mode in OpenJDK?

debora-ito self-assigned this Nov 22, 2023
debora-ito removed the needs-triage label Nov 22, 2023

ppeddadaatsfdc commented

We have customized OpenJDK for Salesforce needs where all the crypto operations are handled by the FIPS security provider which doesn't have support for MD5 any longer.

debora-ito (Member) commented

Just to leave a quick example here: the SQS client now supports a checksumValidationEnabled attribute, which defaults to true. To disable the MD5 checksum, set it to false:

```java
SqsClient sqsClient = SqsClient.builder()
                .checksumValidationEnabled(false)
                .build();
SqsAsyncClient asyncClient = SqsAsyncClient.builder()
                .checksumValidationEnabled(false)
                .build();
```

Check the Javadocs for more info. The new attribute is available starting SDK version 2.21.38.
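
An added example, not part of the thread and not SDK code: a factory that probes the JCA providers for MD5 and turns off `checksumValidationEnabled` only when the digest is missing, so the same build keeps validation on under a regular JDK. The class name, method names and log message are assumptions; it needs SDK 2.21.38 or later, per the comment above.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sqs.SqsClient;

/** Hypothetical helper: keep SQS MD5 validation on unless the JVM cannot compute MD5. */
public final class FipsAwareSqsClientFactory {

    private FipsAwareSqsClientFactory() {}

    /** Returns true if any installed JCA provider offers an MD5 MessageDigest. */
    static boolean md5Available() {
        try {
            MessageDigest.getInstance("MD5");
            return true;
        } catch (NoSuchAlgorithmException e) {
            // Same condition that surfaces as IllegalStateException in Md5Utils.computeMD5Hash.
            return false;
        }
    }

    /** Builds a client for the given region; probes once, at construction time. */
    public static SqsClient create(String region) {
        boolean md5 = md5Available();
        if (!md5) {
            // Record the downgrade so it is visible in audits of the FIPS deployment.
            System.err.println("MD5 MessageDigest unavailable; SQS checksum validation disabled, "
                    + "relying on TLS for transport integrity.");
        }
        return SqsClient.builder()
                .fipsEnabled(true)
                .region(Region.of(region))
                .checksumValidationEnabled(md5) // true on a regular JDK, false without MD5
                .build();
    }
}
```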

sharpnk commented Jun 10, 2024

@debora-ito Are there any plans to support checksum validation in another format? Like what the S3 client is doing? Simply providing the ability to turn it off seems like a temporary rather than a long-term solution?
