IBM Support

IV18625: IBM JVM SHOULD SUPPORT DECRYPTING USING THE PUBLIC KEY

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

APAR status

  • Closed as program error.

Error description

  • We have agreed to provide a flag for use at runtime to allow for
    the RSA encryption of data with the private key, as well as
    decryption of data with the public key.  This flag can be set
    with the following property:
    
    -Dcom.ibm.crypto.provider.DoRSATypeChecking=false
    
    In Java 5, 6, 6.0_26, and 7, the default value will be "true" --
    meaning that IBM's Java will have the old behavior.  If this
    flag is set to "false" IBM's Java will allow for the atypical
    scenario with the reversal of the keys described above.
    
    Please note: This configuration is not recommended for use by
    developers of standard applications.  It is understood that by
    setting this flag, a developer understands the behavior that is
    being enabled (encrypting with the private key/permitting anyone
    with the public key to decrypt).  In nearly all cases,
    performing a signature in the standard way (with the private key
    to sign and the public key to verify) is preferred and
    recommended.
    
    With this APAR we are making sure the PUBLIC KEY can be used for
    DECRYPT.
    

Local fix

  • N/A
    

Problem summary

  • ERROR DESCRIPTION:
    
    IBM JVM should support encrypting using the private key and
    decrypting using the public key
    
    Note: This is a follow-up to APAR IV17344, which allows the
    public key to decrypt properly in this configuration
    

Problem conclusion

  • We have agreed to provide a flag for use at runtime to allow for
    the RSA encryption of data with the private key, as well as
    decryption of data with the public key.  This flag can be set
    with the following property:
    
    -Dcom.ibm.crypto.provider.DoRSATypeChecking=false
    
    In Java 5, 6, 6.0_26, and 7, the default value will be "true" --
    meaning that IBM's Java will have the old behavior.  If this
    flag is set to "false" IBM's Java will allow for the atypical
    scenario with the reversal of the keys described above.
    
    Please note: This configuration is not recommended for use by
    developers of standard applications.  It is understood that by
    setting this flag, a developer understands the behavior that is
    being enabled (encrypting with the private key/permitting anyone
    with the public key to decrypt).  In nearly all cases,
    performing a signature in the standard way (with the private key
    to sign and the public key to verify) is preferred and
    recommended.
    
    Hursley defect: 190326.
    
    Affects ibmjceprovider.jar.  Available in 5.0 SR 14, 6.0 SR11,
    6.0_26 SR 3, and 7.0 SR 5
    
    Jar build date: 20120404
    
    WORKAROUNDS:
    
    None
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV18625

  • Reported component name

    TIV JAVA CRYPTO

  • Reported component ID

    TIVSECJCE

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-03-30

  • Closed date

    2012-03-30

  • Last modified date

    2012-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIV JAVA CRYPTO

  • Fixed component ID

    TIVSECJCE

Applicable component levels

  • R100 PSY

       UP



Document information

More support for: Tivoli Components - Java Security
JCE

Software version: 100

Reference #: IV18625

Modified date: 26 April 2012