IV27267: CLASS COM.IBM.CRYPTO.HDWRCCA.PROVIDER.WRAPPERKEY IS INCORRECTLY ALLOWED TO WRAP A PRIVATE KEY OF INSTANCE COM.IBM.CRYPTO.HDWRCCA

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: No visible error messages are seen.
    .
    Stack Trace: N/A
    .
    

Local fix

  • Application code that constructs a new
    com.ibm.crypto.hdwrCCA.provider.WrapperKey class can be modified
    to avoid ambiguous behavior. When constructing a WrapperKey
    class the instance of the private key used must not be
    com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey or
    com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey classes.
    

Problem summary

  • When using the com.ibm.crypto.hdwrCCA.provider.WrapperKey class
    to migrate a key object to the IBMJCECCA hardware environment
    the hardware attributes are only associated with a private key
    in the case where the key was not already an instance of the
    com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey or
    com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey classes. When
    using the com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey or
    com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey types of keys
    the hardware attributes were not associated with the key object
    since these instances of key objects are already bound to the
    hardware and the IBMJCECCA provider. This behavior provided an
    incorrect sense of having a set of hardware attributes
    associated with a key.
    

Problem conclusion

  • This defect will be fixed in:
    5.0.0 SR15
    .
    Logic was added to the
    com.ibm.crypto.hdwrCCA.provider.WrapperKey class to restrict
    what types of keys may be used on its constructor. The
    com.ibm.crypto.hdwrCCA.provider.DSAPrivateHWKey and
    com.ibm.crypto.hdwrCCA.provider.RSAPrivateHWKey types of keys
    are no longer permitted to be used with the
    com.ibm.crypto.hdwrCCA.provider.WrapperKey class constructor and
    an exception will be thrown. With the installation of this APAR
    customers may experience an exception being thrown that is an
    instance of the Exception class and will contain the message
    "Cannot construct a WrapperKey from a RSAPrivateHWKey.
    RSAPrivateHWKey already bound to the hardware." The Java
    environment variable ibm.ibmjcecca.allowwrapperhwkey is being
    made available to allow the JVM to fallback to prior invalid
    behavior when set to true. This option has been made available
    until user applications can be updated to handle the new
    exception being thrown, or pass non hardware bound key material
    to the com.ibm.crypto.hdwrCCA.provider.WrapperKey constructor.
    To set this environment variable specify the -D option on the
    java command line similar to the following example "java
    -Dibm.ibmjcecca.allowwrapperhwkey=true <Application>" It is
    strongly recommended to only use the fallback option for a
    limited time, until applications are modified to handle the
    exception.  This new option is only a temporary mechanism and
    will be removed in a future service refresh.  Users of the
    fallback option will be exposed to the same security
    vulnerability which existed prior to this APAR.
    

Temporary fix

  • See workaround.
    

Comments

APAR Information

  • APAR number

    IV27267

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-08-30

  • Closed date

    2012-08-30

  • Last modified date

    2012-08-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

Runtimes for Java Technology
Security

Software version:

5.0

Reference #:

IV27267

Modified date:

2012-08-30

Translate my page

Machine Translation

Content navigation