IBM Support

IV33531: IN HYBRID IBMJDK, KEYPAIR GENERATION USING KEYTOOL FAILED WITH N OSUCHALGORITHMEXCEPTION.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: keytool error:
    java.security.NoSuchAlgorithmException: unrecognized algorithm
    name: SHA256withRSA
    .
    Stack Trace: When enabling java.security.debug=jca, we can see
    the following stack trace:
    java.lang.Exception: Call trace
            at
    sun.security.jca.ProviderList.loadAll(ProviderList.java:277)
            at
    sun.security.jca.ProviderList.removeInvalid(ProviderList.java:29
    8)
            at
    sun.security.jca.Providers.getFullProviderList(Providers.java:17
    6)
            at
    java.security.Security.getProviders(Security.java:458)
            at
    sun.security.x509.AlgorithmId.algOID(AlgorithmId.java:551)
            at
    sun.security.x509.AlgorithmId.get(AlgorithmId.java:409)
            at
    sun.security.x509.AlgorithmId.getAlgorithmId(AlgorithmId.java:39
    5)
            at
    sun.security.x509.CertAndKeyGen.getSelfCertificate(CertAndKeyGen
    .java:232)
            at
    sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1551)
            at
    sun.security.tools.KeyTool.doCommands(KeyTool.java:969)
            at sun.security.tools.KeyTool.run(KeyTool.java:340)
            at sun.security.tools.KeyTool.main(KeyTool.java:333)
    .
    1. The problem happens when -sigalg option is not specified or
    specified as "SHA256withRSA".
    2. The problem does not happens when -sigalg option is specified
    as "SHA2withRSA".
    

Local fix

  • 1. Specify -sigalg as "SHA2withRSA".
    2. Use IBM's KeyTool with "java com.ibm.crypto.tools.KeyTool".
    

Problem summary

  • The problem happens because the signature name "SHA2WithRSA"
    registered in IBMJCE provider cannot be recognized by Sun's
    keytool in hybrid JVM.
    

Problem conclusion

  • This defect will be fixed in:
    7.0.0 SR4
    6.0.1 SR5
    6.0.0 SR13
    5.0.0 SR16
    .
    A fix is made to AlgorithmId.get() to recognize "SHA2withRSA"
    signature name.
    The associated Hursley CMVC defect is 195127
    The associated Austin CMVC defect is 113413
    A fix is made to IBMJCE provider to use the signature name
    "SHA256withRSA",  "SHA384WithRSA" and "SHA512WithRSA"
    The associated Hursley CMVC defect is 195282
    The associated Austin CMVC defect is 113421
    JVMs affected: Java 5.0 SR15, Java 6.0 SR12, Java 626 SR4, and
    Java 7.0 SR3.
    The fix was delivered for  Java 5.0 SR16, Java 6.0 SR13, Java
    626 SR5, and Java 7.0 SR4.
    The affected jar is "ibmjceprovider.jar".
    The build level of this jar for the affected releases is
    "20121213"
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV33531

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    260

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-12-17

  • Closed date

    2013-01-04

  • Last modified date

    2013-01-04

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV33532

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R600 PSY

       UP



Document information

More support for: Runtimes for Java Technology
Security

Software version: 260

Reference #: IV33531

Modified date: 04 January 2013