IBM Support

IV33532: IN HYBRID IBMJDK, KEYPAIR GENERATION USING KEYTOOL FAILED WITH N OSUCHALGORITHMEXCEPTION.

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: keytool error:
    java.security.NoSuchAlgorithmException: unrecognized algorithm
    name: SHA256withRSA
    .
    Stack Trace: When enabling java.security.debug=jca, we can see
    the following stack trace:
    java.lang.Exception: Call trace
            at
    sun.security.jca.ProviderList.loadAll(ProviderList.java:277)
            at
    sun.security.jca.ProviderList.removeInvalid(ProviderList.java:29
    8)
            at
    sun.security.jca.Providers.getFullProviderList(Providers.java:17
    6)
            at
    java.security.Security.getProviders(Security.java:458)
            at
    sun.security.x509.AlgorithmId.algOID(AlgorithmId.java:551)
            at
    sun.security.x509.AlgorithmId.get(AlgorithmId.java:409)
            at
    sun.security.x509.AlgorithmId.getAlgorithmId(AlgorithmId.java:39
    5)
            at
    sun.security.x509.CertAndKeyGen.getSelfCertificate(CertAndKeyGen
    .java:232)
            at
    sun.security.tools.KeyTool.doGenKeyPair(KeyTool.java:1551)
            at
    sun.security.tools.KeyTool.doCommands(KeyTool.java:969)
            at sun.security.tools.KeyTool.run(KeyTool.java:340)
            at sun.security.tools.KeyTool.main(KeyTool.java:333)
    .
    1. The problem happens when -sigalg option is not specified or
    specified as "SHA256withRSA".
    2. The problem does not happens when -sigalg option is specified
    as "SHA2withRSA".
    

Local fix

  • 1. Specify -sigalg as "SHA2withRSA".
    2. Use IBM's KeyTool with "java com.ibm.crypto.tools.KeyTool".
    

Problem summary

  • The problem happens because the signature name "SHA2WithRSA"
    registered in IBMJCE provider cannot be recognized by Sun's
    keytool in hybrid JVM.
    

Problem conclusion

  • This defect will be fixed in:
    7.0.0 SR4
    6.0.1 SR5
    6.0.0 SR13
    5.0.0 SR16
    .
    A fix is made to AlgorithmId.get() to recognize "SHA2withRSA"
    signature name.
    The associated Hursley CMVC defect is 195127
    The associated Austin CMVC defect is 113413
    A fix is made to IBMJCE provider to use the signature name
    "SHA256withRSA",  "SHA384WithRSA" and "SHA512WithRSA"
    The associated Hursley CMVC defect is 195282
    The associated Austin CMVC defect is 113421
    JVMs affected: Java 5.0 SR15, Java 6.0 SR12, Java 626 SR4, and
    Java 7.0 SR3.
    The fix was delivered for  Java 5.0 SR16, Java 6.0 SR13, Java
    626 SR5, and Java 7.0 SR4.
    The affected jar is "ibmjceprovider.jar".
    The build level of this jar for the affected releases is
    "20121213"
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV33532

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2012-12-17

  • Closed date

    2013-01-04

  • Last modified date

    2013-01-04

  • APAR is sysrouted FROM one or more of the following:

    IV33531

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSY

       UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]

Document Information

Modified date:
07 December 2020