APAR status
Closed as program error.
Error description
Error Message: Following the addition of logic to the PKCS SimpleValidator class to check certificates within the UntrustedCertificates class, the following exception was seen on the z/OS platform whenever the IBMPKCS11Impl security provider was in use:

ERRORS, EXCEPTIONS AND TRACE
196511--> 195580--> ---------------------------------
196511--> 195580--> K0319java.lang.ExceptionInInitializerError
196511--> 195580-->   at java.lang.J9VMInternals.initialize(J9VMInternals.java:284)
196511--> 195580-->   at com.ibm.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:170)
196511--> 195580-->   at com.ibm.security.validator.Validator.validate(Validator.java:257)
196511--> 195580-->   at com.ibm.security.validator.Validator.validate(Validator.java:233)
196511--> 195580-->   at com.ibm.security.validator.Validator.validate(Validator.java:202)
196511--> 195580-->   at javax.crypto.a.a(Unknown Source)
196511--> 195580-->   at javax.crypto.a.a(Unknown Source)
196511--> 195580-->   at javax.crypto.a.a(Unknown Source)
196511--> 195580-->   at javax.crypto.a.a(Unknown Source)
196511--> 195580-->   at javax.crypto.b.b(Unknown Source)
196511--> 195580-->   at javax.crypto.b.a(Unknown Source)
196511--> 195580-->   at javax.crypto.b.a(Unknown Source)
196511--> 195580-->   at javax.crypto.KeyGenerator.getInstance(Unknown Source)
196511--> 195580-->   at tests.com.ibm.jtc.zosSec.testDES.main(testDES.java:100)
196511--> 195580--> Caused by: java.lang.RuntimeException: Incorrect untrusted certificate: digicert-server-cross-to-cybertrust-4C0E636A
196511--> 195580-->   at com.ibm.security.util.UntrustedCertificates.add(UntrustedCertificates.java:69)
196511--> 195580-->   at com.ibm.security.util.UntrustedCertificates.<clinit>(UntrustedCertificates.java:92)
196511--> 195580-->   at java.lang.J9VMInternals.initializeImpl(Native Method)
196511--> 195580-->   at java.lang.J9VMInternals.initialize(J9VMInternals.java:262)
196511--> 195580-->   ... 13 more
196511--> 195580--> Caused by: java.security.cert.CertificateException: Unable to initialize, java.io.IOException: insufficient data
196511--> 195580-->   at com.ibm.security.x509.X509CertImpl.<init>(X509CertImpl.java:260)
196511--> 195580-->   at com.ibm.crypto.pkcs11impl.provider.X509Factory.engineGenerateCertificate(X509Factory.java:145)
196511--> 195580-->   at java.security.cert.CertificateFactory.generateCertificate(CertificateFactory.java:407)
196511--> 195580-->   at com.ibm.security.util.UntrustedCertificates.add(UntrustedCertificates.java:62)

This error was not seen when the IBM JCE provider was in use.

Stack Trace: See text above.
Local fix
Problem summary
Following the addition of logic to the PKCS SimpleValidator class to check certificates within the UntrustedCertificates class, the following exception was seen on the z/OS platform whenever the IBMPKCS11Impl security provider was in use: java.lang.ExceptionInInitializerError (stack trace: see Error description above). This error was not seen when the IBM JCE provider was in use.
Problem conclusion
This defect will be fixed in:
7.0.0 SR5
6.0.1 SR6
6.0.0 SR14
5.0.0 SR17

The IBM JCE security component had included special certificate processing logic unique to the z/OS platform within the X509Factory.engineGenerateCertificate() method. This enabled the IBM JCE provider to parse/instantiate the certificates within the UntrustedCertificates class when the IBMPKCS11Impl provider could not. This logic was not present within the corresponding X509Factory.engineGenerateCertificate() method within the IBMPKCS11Impl provider. It has now been added to resolve this error.
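Because the X.509 parser that runs depends on which security provider serves CertificateFactory, the following diagnostic (an added example, not IBM's code or part of this APAR) re-parses one certificate with every installed provider and reports which ones fail. The class name X509FactoryProviderCheck is hypothetical, and the sample input is a root taken from the JRE's default trust store rather than the certificate named in the trace, so it does not reproduce the z/OS defect itself.

```java
import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class X509FactoryProviderCheck {
    // Sample input (assumption): DER bytes of the first root in the default trust store.
    static byte[] sampleDer() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JRE's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] roots = ((X509TrustManager) tm).getAcceptedIssuers();
                if (roots.length > 0) return roots[0].getEncoded();
            }
        }
        throw new IllegalStateException("no trusted roots available for the check");
    }

    public static void main(String[] args) throws Exception {
        byte[] der = sampleDer();
        // An unqualified getInstance("X.509") resolves to the highest-priority provider.
        System.out.println("default provider: "
            + CertificateFactory.getInstance("X.509").getProvider().getName());

        Provider[] providers = Security.getProviders("CertificateFactory.X.509");
        if (providers == null) throw new IllegalStateException("no X.509 factory installed");
        for (Provider p : providers) {
            try {
                // Force this provider's factory instead of relying on provider order.
                CertificateFactory cf = CertificateFactory.getInstance("X.509", p);
                X509Certificate c = (X509Certificate)
                    cf.generateCertificate(new ByteArrayInputStream(der));
                System.out.println(p.getName() + ": OK   "
                    + c.getSubjectX500Principal().getName());
            } catch (CertificateException e) {
                // The failure class in the trace: the same bytes rejected by one provider.
                System.out.println(p.getName() + ": FAIL " + e.getMessage());
            }
        }
    }
}
```

Run it with the same java.security provider order as the affected application, since that order decides which factory an unqualified lookup returns.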
Temporary fix
Comments
APAR Information
APAR number
IV38515
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-03-21
Closed date
2013-03-22
Last modified date
2013-03-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R600 PSY
UP
Document Information
Modified date:
07 December 2020