IZ53404: ARRAYINDEXOUTOFBOUNDSEXCEPTION WHILE QUERYING ATTRIBUTES OF NETSCAPECERTTYPEEXTENSION.

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Component: IBM PKCS
    
    APAR Description : ArrayIndexOutOfBoundsException while querying
    attributes of  NetscapeCertTypeExtension.
    
    JVM Affected:  JDK 142, 50, 60
    

Local fix

  • Level 3 to update
    

Problem summary

  • ArrayIndexOutOfBoundsException happens in isSet() method of
    NetscapeCertTypeExtension.java. The exception occurs if  value
    of  "position" is greater than or equal to length of bitString
    array.
    
        private boolean isSet(int position) {
            if (debug != null) {
                debug.entry(Debug.TYPE_PRIVATE, className, "isSet",
    new Integer(position));
                debug.exit(Debug.TYPE_PRIVATE, className, "isSet",
    bitString[position]);
            }
            return bitString[position];
    
    bitString is a boolean array obtained from DER encoded value of
    the NetscapeCertType extension present in the certificate.
    
    bitString represents the status of the attributes of
    NetscapeCertType extension. The various attributes of
    NetscapeCertType extension and their positions  are listed
    below:
    
    SSL_CLIENT,   0
    SSL_SERVER,   1
    S_MIME,    2
    OBJECT_SIGNING,  3
    bit 4 is reserved
    SSL_CA,    5
    S_MIME_CA,  6
    OBJECT_SIGNING_CA,  7
    
    
    The DER value for NetscapeCertType extension of our certificate
    is   { 3, 2, 6, 64)
    
    3 -> Tag which indicates BitString
    2 -> length of the value
    6 -> Number of bits to be ignored starting from least
    significant
    64 (0x40)-> decimal representation of the binary BITSTRING
    (0100 0000) :  Here each bit represents the Status of
    attributes of NetscapeCertType extension. The first bit being 0
    indicates that SSL_CLIENT is not set.  The second bit being 1
    indicates that SSL_SERVER attribute is set.
    
    While converting the DerValue to Bitstring, the length of the
    BitString would be 2 (as  6 bits towards right are ignored). So
    the BitString would be (0,1)which is appropriate.
    
    ---------------------------------------------
    
    Now in isSet() routine,  while querying for an attribute, it
    returns bitString[position].   If position of the attributes
    exceeds the length of the bitString, it results in
    ArrayIndexOutofBoundsException. For our certificate, the
    exception would be thrown, while querying for all the attributes
    from S_MIME to OBJECT_SIGNING_CA.
    

Problem conclusion

  • Following fix (in green below) resolves this problem. Here
    isSet()  returns "false" for all 'position' values which are
    greater than or equal to length of bitString :
    
        private boolean isSet(int position) {
         if (debug != null) {
                debug.entry(Debug.TYPE_PRIVATE, className, "isSet",
    new Integer(position));
                debug.exit(Debug.TYPE_PRIVATE, className, "isSet",
    bitString.length > position ? bitString[position] : false);
            }
            return bitString.length > position ? bitString[position]
    : false;
        }
    
    
    
    
    Fixes for this APAR have been dropped for:
    - 1.4.2 SR14
    - 5.0 SR11
    - 6.0 SR6
    
    The affected Java Security component is "PKCS".  The affected
    jar is "ibmpkcs.jar".
    The Austin CMVC build level associated with this jar is
    20090617.
    The associated Hursley CMVC defect is 152366.
    The associated Austin CMVC defect is 10694
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ53404

  • Reported component name

    TIVOLI JAVA PKC

  • Reported component ID

    TIVSECPKC

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2009-06-16

  • Closed date

    2009-06-24

  • Last modified date

    2009-06-24

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI JAVA PKC

  • Fixed component ID

    TIVSECPKC

Applicable component levels

  • R100 PSY

       UP



Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Tivoli Components - Java Security
PKCS

Software version:

100

Reference #:

IZ53404

Modified date:

2009-06-24

Translate my page

Machine Translation

Content navigation