IZ47986: INSTANTIATING A CONTENTINFO OBJECT TAKES A LONG TIME FOR CERTAINFILES.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • IBM JDK 150 SR8A
    
    Component: IBM PKCS
    
    Problem Description:
    ====================
    
    Instantiating a ContentInfo object can take a long time for
    certain files because of poor byte array manipulation within the
    getIndefSeqSet( )  method of the DerIndefLenConverter class.
    Example:    ContentInfo contentInfo = new ContentInfo(filename,
    false);
    
    JDK affected: 142, 150, 160
    
    JARs affected: ibmpkcs.jar
    
    Customer Observation:
    ======================
    
    Websphere Partner Gateway
    
    During interoperability testing of WPG, a business partner is
    sending a compressed, signed and encrypted document to WPG. The
    document has to be decrypted, signature has to be verified and
    decompression has to be done. During decryption, it is observed
    that about 25 to 29 minutes are taken in parsing the ContentInfo
    structure.
    
    The problem is most likely because of the document structure.
    The document contains a constructed Octet String component with
    indefinite length encoding,      which contains lot of small
    Octet String components having length 34 or  26 bytes.  Another
    document having the same structure, but having the Octet String
    components of more length i.e. 2048 bytes or 4096 bytes, is
    processed completely in WPG in 1 minute or so.
    

Local fix

  • Level 3 to update
    

Problem summary

  • During interoperability testing of WPG (WebSphere Partner
    Gateway),
    a business partner is sending a compressed, signed, and
    encrypted
    document to WPG. The document has to be decrypted, signature has
    to be verified,
    and decompression has to be done. It was observed that about 25
    to 29
    minutes was taken to process ContentInfo object created from
    this document.
    
    The logic within the PKCS utility class
    DerIndefLenConverter.java
    is being invoked to convert indefinite length DER encoded byte
    arrays
    taken from this document to definite length DER encoded byte
    arrays.
    
    The getIndefSeqSet( ) method within this utility class is
    incrementally processing
    the document data by allocating a new byte array to contain both
    "all data processed on
    previous iterations" plus "all data processed on the most recent
    iteration", and
    then copying both sets of data into this newly allocated byte
    array.
    This is done on each iteration.
    
    This processing is not only redundantly copying all the data
    processed so far
    on each iteration, it is also creating large numbers of byte
    arrays for disposal
    by the java garbage collector.
    
    The fix is to eliminate the logic which allocates a new byte
    array to contain
    the data on each iteration, and replace it with logic which
    simply appends the
    data to an ArrayList - that is, a data structure that can grow.
    
    This problem affects the 1.4.2, 5.0, and 6.0 releases.
    

Problem conclusion

  • This problem will be repaired in 1.4.2 SR14, 5.0 SR10 and 6.0
    SR5 under
    Austin CMVC defect 106583 (Hursley defect 148597).
    The associated Austin CMVC build level is  20090331_02 for the
    PKCS142 release.
    The associated Austin CMVC build level is  20090331  for the
    pkcs15 and pkcs16 releases.
    The problem was repaired within the PKCS component, specifically
    file ibmpkcs.jar.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ47986

  • Reported component name

    TIVOLI JAVA PKC

  • Reported component ID

    TIVSECPKC

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-03-31

  • Closed date

    2009-04-06

  • Last modified date

    2009-04-06

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI JAVA PKC

  • Fixed component ID

    TIVSECPKC

Applicable component levels

  • R100 PSY

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

Tivoli Components - Java Security
PKCS

Software version:

100

Reference #:

IZ47986

Modified date:

2009-04-06

Translate my page

Machine Translation

Content navigation