APAR status
Closed as program error.
Error description
Error Message: N/A.

Stack Trace:

This customer was experiencing two similar failures. In BOTH cases, the IBMJCE provider was ahead of the PKCS#11 provider. The HSM was Luna SA 5.0.

The first was the following keytool failure:

keytool -genkey -keyalg EC -alias alice -dname "CN=alice,C=GB" -keystore NONE -storetype PKCS11IMPLKS

JVMDUMP039I Processing dump event "throw", detail "java/lang/NullPointerException" at 2015/03/10 12:43:12 - please wait.
Thread=main (0000010010142740) Status=Running
    at java/math/BigInteger.multiply(Ljava/math/BigInteger;)Ljava/math/BigInteger; (BigInteger.java:1136)
    at com/ibm/crypto/provider/SHA2withECDSA.a(Ljava/security/SecureRandom;)[B (Bytecode PC: 180)
    at com/ibm/crypto/provider/SHA2withECDSA.engineSign()[B (Bytecode PC: 10)
    at java/security/Signature$Delegate.engineSign()[B (Signature.java:1189)
    at java/security/Signature.sign()[B (Signature.java:559)
    at com/ibm/security/x509/X509CertImpl.sign(Ljava/security/PrivateKey;Ljava/lang/String;Ljava/lang/String;)V (X509CertImpl.java:665)
    at com/ibm/security/x509/X509CertImpl.sign(Ljava/security/PrivateKey;Ljava/lang/String;)V (X509CertImpl.java:595)
    at com/ibm/security/x509/CertAndKeyGen.getSelfCertificate(Lcom/ibm/security/x509/X500Name;Ljava/util/Date;J)Ljava/security/cert/X509Certificate; (CertAndKeyGen.java:588)
    at com/ibm/crypto/tools/KeyTool.a(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ILjava/lang/String;)V (Bytecode PC: 387)
    at com/ibm/crypto/tools/KeyTool.a(Ljava/io/PrintStream;)V (Bytecode PC: 3359)
    at com/ibm/crypto/tools/KeyTool.a([Ljava/lang/String;Ljava/io/PrintStream;)V (Bytecode PC: 14)
    at com/ibm/crypto/tools/KeyTool.main([Ljava/lang/String;)V (Bytecode PC: 13)

The second failure was experienced by a JSR105 test case which was passing PKCS#11 Luna SA keys to JSR105. The following error was seen:

java.lang.NullPointerException
    at java.math.BigInteger.multiply(BigInteger.java:1136)
    at com.ibm.crypto.provider.SHA2withECDSA.a(Unknown Source)
    at com.ibm.crypto.provider.SHA2withECDSA.engineSign(Unknown Source)
    at java.security.Signature$Delegate.engineSign(Signature.java:1189)
    at java.security.Signature.sign(Signature.java:559)
    at com.ibm.xml.crypto.dsig.SignatureEngineECDSA.sign(SignatureEngineECDSA.java:104)
    at com.ibm.xml.crypto.dsig.dom.SignedInfoImpl.sign(SignedInfoImpl.java:187)
    at com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.sign(XMLSignatureImpl.java:168)
    at IbmDugidsXmlSignatureExample.a(IbmDugidsXmlSignatureExample.java:119)
    at IbmDugidsXmlSignatureExample.<init>(IbmDugidsXmlSignatureExample.java:62)
    at IbmDugidsXmlSignatureExample.main(IbmDugidsXmlSignatureExample.java:174)

In both cases, IBMJCE is being invoked to perform a signing operation using a Luna SA PrivateKey. The first is the signing of the self signed cert within the KeyStore PrivateKeyEntry being created. The second is the signing of XML data within the JSR105 test case.
Local fix
Problem summary
Problem conclusion
There was a problem within the "delayed provider selection" logic. PKCS11ECPrivateKey.getFormat() was reporting the wrong key type (that is, "PKCS#8"). This led the IBMJCEService class (within IBMJCE.java) to erroneously report that it "could support" a PKCS#11 EC Private Key for a data signing operation. It would have returned "false" if the key type reported by PKCS11ECPrivateKey.getKeyType() had been correct.

This APAR will be fixed in the following Java Releases:
   7 SR9 (7.0.9.0)
   6 R1 SR8 FP4 (6.1.8.4)
   6 SR16 FP4 (6.0.16.4)
   8 SR1 (8.0.1.0)
   7 R1 SR3 (7.1.3.0)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
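A diagnostic for the delayed provider selection described above, added here as an example and not taken from IBM's code: it lists, in preference order, which installed providers claim to support a given key for signing, then shows which provider is actually bound at initSign time and how an explicitly named provider skips that walk. It uses only standard JCA calls; the class name, the algorithm name "SHA256withECDSA" and the software P-256 key standing in for the token key are assumptions.

```java
import java.security.*;
import java.security.spec.ECGenParameterSpec;

// Added diagnostic example; not IBM code. Uses only standard JCA calls.
public class ProviderSelectionCheck {

    // Walk providers in preference order and report which ones claim the key.
    static void report(String alg, Key key) {
        System.out.println("key class=" + key.getClass().getName()
                + " format=" + key.getFormat());
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("Signature", alg);
            if (s != null) {
                System.out.println("  " + p.getName()
                        + " supportsParameter=" + s.supportsParameter(key));
            }
        }
    }

    // Delayed selection: the provider is only fixed once the key is known.
    static Provider selected(String alg, PrivateKey key) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(alg);
        sig.initSign(key);
        return sig.getProvider();
    }

    // Pinned selection: no provider walk; a key the provider cannot use is rejected here.
    static Provider pinned(String alg, PrivateKey key, Provider p) throws GeneralSecurityException {
        Signature sig = Signature.getInstance(alg, p);
        sig.initSign(key);
        return sig.getProvider();
    }

    public static void main(String[] args) throws Exception {
        String alg = "SHA256withECDSA"; // assumed algorithm name
        // Constructed input: a software P-256 key standing in for the token key.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(new ECGenParameterSpec("secp256r1"));
        PrivateKey key = kpg.generateKeyPair().getPrivate();

        report(alg, key);
        Provider chosen = selected(alg, key);
        System.out.println("delayed selection chose: " + chosen.getName());
        System.out.println("pinned to: " + pinned(alg, key, chosen).getName());
    }
}
```

Run against a key loaded from the PKCS#11 keystore, a software provider listed ahead of the PKCS#11 provider with supportsParameter=true is the condition this APAR describes.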
Temporary fix
Comments
APAR Information
APAR number
IV71019
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-03-13
Closed date
2015-03-19
Last modified date
2015-03-19
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R600 PSY
UP
R270 PSY
UP
Document Information
Modified date:
07 December 2020