APAR status
Closed as program error.
Error description
Component: IBM PKCS APAR Description : ArrayIndexOutOfBoundsException while querying attributes of NetscapeCertTypeExtension. JVM Affected: JDK 142, 50, 60
Local fix
Level 3 to update
Problem summary
ArrayIndexOutOfBoundsException happens in isSet() method of NetscapeCertTypeExtension.java. The exception occurs if value of "position" is greater than or equal to length of bitString array. private boolean isSet(int position) { if (debug != null) { debug.entry(Debug.TYPE_PRIVATE, className, "isSet", new Integer(position)); debug.exit(Debug.TYPE_PRIVATE, className, "isSet", bitString[position]); } return bitString[position]; bitString is a boolean array obtained from DER encoded value of the NetscapeCertType extension present in the certificate. bitString represents the status of the attributes of NetscapeCertType extension. The various attributes of NetscapeCertType extension and their positions are listed below: SSL_CLIENT, 0 SSL_SERVER, 1 S_MIME, 2 OBJECT_SIGNING, 3 bit 4 is reserved SSL_CA, 5 S_MIME_CA, 6 OBJECT_SIGNING_CA, 7 The DER value for NetscapeCertType extension of our certificate is { 3, 2, 6, 64) 3 -> Tag which indicates BitString 2 -> length of the value 6 -> Number of bits to be ignored starting from least significant 64 (0x40)-> decimal representation of the binary BITSTRING (0100 0000) : Here each bit represents the Status of attributes of NetscapeCertType extension. The first bit being 0 indicates that SSL_CLIENT is not set. The second bit being 1 indicates that SSL_SERVER attribute is set. While converting the DerValue to Bitstring, the length of the BitString would be 2 (as 6 bits towards right are ignored). So the BitString would be (0,1)which is appropriate. --------------------------------------------- Now in isSet() routine, while querying for an attribute, it returns bitString[position]. If position of the attributes exceeds the length of the bitString, it results in ArrayIndexOutofBoundsException. For our certificate, the exception would be thrown, while querying for all the attributes from S_MIME to OBJECT_SIGNING_CA.
Problem conclusion
Following fix (in green below) resolves this problem. Here isSet() returns "false" for all 'position' values which are greater than or equal to length of bitString : private boolean isSet(int position) { if (debug != null) { debug.entry(Debug.TYPE_PRIVATE, className, "isSet", new Integer(position)); debug.exit(Debug.TYPE_PRIVATE, className, "isSet", bitString.length > position ? bitString[position] : false); } return bitString.length > position ? bitString[position] : false; } Fixes for this APAR have been dropped for: - 1.4.2 SR14 - 5.0 SR11 - 6.0 SR6 The affected Java Security component is "PKCS". The affected jar is "ibmpkcs.jar". The Austin CMVC build level associated with this jar is 20090617. The associated Hursley CMVC defect is 152366. The associated Austin CMVC defect is 10694
Temporary fix
Comments
APAR Information
APAR number
IZ53404
Reported component name
TIVOLI JAVA PKC
Reported component ID
TIVSECPKC
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2009-06-16
Closed date
2009-06-24
Last modified date
2009-06-24
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIVOLI JAVA PKC
Fixed component ID
TIVSECPKC
Applicable component levels
R100 PSY
UP
[{"Business Unit":{"code":"BU048","label":"IBM Software"},"Product":{"code":"SSCZL45","label":"PKCS"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"100","Edition":"","Line of Business":{"code":"","label":""}}]
Document Information
Modified date:
24 June 2009