IV89529: JCEFIPS THROWING "KEY IS NOT AN RSAPRIVATEKEY" DURING DATAWITHRSA.ENGINEINITSIGN() USING IBMCAC RSAPRIVATEKE

APAR status

Closed as program error.

Error description

Error Message, as reported by customer:

JSSE SSLHandshakeException Message: "Error signing certificate
verify" during SSL handshake.

Stack Trace, if applicable:

javax.net.ssl.SSLHandshakeException: Error signing certificate
verify
 at com.ibm.jsse2.j.a(j.java:12)
 at com.ibm.jsse2.as.a(as.java:118)
 at com.ibm.jsse2.C.a(C.java:193)
 at com.ibm.jsse2.D.a(D.java:631)
 at com.ibm.jsse2.D.a(D.java:139)
 at com.ibm.jsse2.C.r(C.java:69)
 at com.ibm.jsse2.C.a(C.java:580)
 at com.ibm.jsse2.as.a(as.java:512)
 at com.ibm.jsse2.as.i(as.java:969)
 at com.ibm.jsse2.as.a(as.java:680)
 at com.ibm.jsse2.as.startHandshake(as.java:859)
 at
com.ibm.eNetwork.security.ssl.HODJSSEImpl.createSocket(HODJSSEIm
pl.java:417)
 at
com.ibm.eNetwork.security.ssl.HODSSLImpl.createSocket(HODSSLImpl
.java:233)
 at
com.ibm.eNetwork.security.ssl.HODSSLImpl.createSocket(HODSSLImpl
.java:195)
 at
com.ibm.eNetwork.ECL.Transport.initialize_tail2(Transport.java:1
133)
 at
com.ibm.eNetwork.ECL.Transport.initialize_tail(Transport.java:10
68)
 at
com.ibm.eNetwork.ECL.Transport.initialize(Transport.java:991)
 at
com.ibm.eNetwork.ECL.Transport.registerWithThreadManager(Transpo
rt.java:689)
 at com.ibm.eNetwork.ECL.Transport.open(Transport.java:549)
 at
com.ibm.eNetwork.ECL.ECLConnection.StartCommunication(ECLConnect
ion.java:1615)
 at
com.ibm.eNetwork.beans.HOD.Session$2.run(Session.java:3198)
 at
com.ibm.eNetwork.HOD.common.ThreadPoolThread.run(HODThread.java:
219)
Caused by: java.security.InvalidKeyException: Key is not an
RSAPrivateKey
 at com.ibm.crypto.fips.provider.DatawithRSA.a(Unknown
Source)
 at
com.ibm.crypto.fips.provider.DatawithRSA.engineInitSign(Unknown
Source)
 at
java.security.SignatureSpi.engineInitSign(SignatureSpi.java:114)
 at java.security.Signature.initSign(Signature.java:556)
 at com.ibm.jsse2.aa.a(aa.java:21)
 at com.ibm.jsse2.x$c.<init>(x$c.java:55)
 at com.ibm.jsse2.D.a(D.java:692)
 ... 18 more

Other Error Information, as reported by customer:

N/A

Local fix

```
N/A
```

Problem summary

The com.ibm.security.capi.RSAPrivateKey class was not
implementing the java.security.interfaces.RSAPrivateCrtKey as
required by the JCEFIPS component.


ERROR DESCRIPTION:

The customer is using FIPS and CAC and he gets a
"javax.net.ssl.SSLHandshakeException: Error signing certificate
verify" exception while performing a TLS handshake.

Thread-12, handling exception:
javax.net.ssl.SSLHandshakeException: Error signing certificate
verify
SSLHandshakeException Message: Error signing certificate verify
javax.net.ssl.SSLHandshakeException: Error signing certificate
verify
    at com.ibm.jsse2.j.a(j.java:12)
    at com.ibm.jsse2.as.a(as.java:118)
    at com.ibm.jsse2.C.a(C.java:193)
    at com.ibm.jsse2.D.a(D.java:631)
    at com.ibm.jsse2.D.a(D.java:139)
    at com.ibm.jsse2.C.r(C.java:69)
    at com.ibm.jsse2.C.a(C.java:580)
    at com.ibm.jsse2.as.a(as.java:512)
    at com.ibm.jsse2.as.i(as.java:969)
    at com.ibm.jsse2.as.a(as.java:680)
    at com.ibm.jsse2.as.startHandshake(as.java:859)
Caused by: java.security.InvalidKeyException: Key is not an
RSAPrivateKey
    at com.ibm.crypto.fips.provider.DatawithRSA.a(Unknown
Source)
    at
com.ibm.crypto.fips.provider.DatawithRSA.engineInitSign(Unknown
Source)
    at
java.security.SignatureSpi.engineInitSign(SignatureSpi.java:114)
    at java.security.Signature.initSign(Signature.java:556)
    at com.ibm.jsse2.aa.a(aa.java:21)
    at com.ibm.jsse2.x$c.<init>(x$c.java:55)
    at com.ibm.jsse2.D.a(D.java:692)
    ... 18 more

Problem conclusion

Updated the com.ibm.security.capi.RSAPrivateKey class to
implement the java.security.interfaces.RSAPrivateCrtKey.
Also, added the associated getter methods, and mscapi native
code, to retrieve the extended CRT signature parameter set.



The associated RTC PR is 124608
The associated Austin CMVC defect for Java 8 is 117602
The associated Austin CMVC defect for Java 7 & 727 is 117608
The associated Austin APAR is IV89529



JVMs affected : Java 8 & 7

The fix was delivered for: Java 8 SR4 FP5, Java 7 SR10 FP5, Java
727 SR4 FP5

The affected files:  ibmcac.jar, ibmcac.dll (32 & 64 bit
versions)

The build level of this jar for Java 8 is "20170222"
The build level of this jar for Java 7 & 727 is "20170307"

Temporary fix

Comments

APAR Information

APAR number
IV89529
Reported component name
TIV JAVA CRYPTO
Reported component ID
TIVSECJCE
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-09-28
Closed date
2017-03-08
Last modified date
2017-03-08

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
TIV JAVA CRYPTO
Fixed component ID
TIVSECJCE

Applicable component levels

R100 PSY
UP

[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL42","label":"JCE"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]

Document Information

Modified date:
08 March 2017

Tips

IV89529: JCEFIPS THROWING "KEY IS NOT AN RSAPRIVATEKEY" DURING DATAWITHRSA.ENGINEINITSIGN() USING IBMCAC RSAPRIVATEKE

Subscribe to this APAR

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R100 PSY

Document Information

Share your feedback

Need support?