IZ53404: ARRAYINDEXOUTOFBOUNDSEXCEPTION WHILE QUERYING ATTRIBUTES OF NETSCAPECERTTYPEEXTENSION.

APAR status

• Closed as program error.

Error description

• Component: IBM PKCS
  
  APAR Description : ArrayIndexOutOfBoundsException while querying
  attributes of  NetscapeCertTypeExtension.
  
  JVM Affected:  JDK 142, 50, 60
  

Local fix

• Level 3 to update
  

Problem summary

• ArrayIndexOutOfBoundsException happens in isSet() method of
  NetscapeCertTypeExtension.java. The exception occurs if  value
  of  "position" is greater than or equal to length of bitString
  array.
  
      private boolean isSet(int position) {
          if (debug != null) {
              debug.entry(Debug.TYPE_PRIVATE, className, "isSet",
  new Integer(position));
              debug.exit(Debug.TYPE_PRIVATE, className, "isSet",
  bitString[position]);
          }
          return bitString[position];
  
  bitString is a boolean array obtained from DER encoded value of
  the NetscapeCertType extension present in the certificate.
  
  bitString represents the status of the attributes of
  NetscapeCertType extension. The various attributes of
  NetscapeCertType extension and their positions  are listed
  below:
  
  SSL_CLIENT,   0
  SSL_SERVER,   1
  S_MIME,    2
  OBJECT_SIGNING,  3
  bit 4 is reserved
  SSL_CA,    5
  S_MIME_CA,  6
  OBJECT_SIGNING_CA,  7
  
  
  The DER value for NetscapeCertType extension of our certificate
  is   { 3, 2, 6, 64)
  
  3 -> Tag which indicates BitString
  2 -> length of the value
  6 -> Number of bits to be ignored starting from least
  significant
  64 (0x40)-> decimal representation of the binary BITSTRING
  (0100 0000) :  Here each bit represents the Status of
  attributes of NetscapeCertType extension. The first bit being 0
  indicates that SSL_CLIENT is not set.  The second bit being 1
  indicates that SSL_SERVER attribute is set.
  
  While converting the DerValue to Bitstring, the length of the
  BitString would be 2 (as  6 bits towards right are ignored). So
  the BitString would be (0,1)which is appropriate.
  
  ---------------------------------------------
  
  Now in isSet() routine,  while querying for an attribute, it
  returns bitString[position].   If position of the attributes
  exceeds the length of the bitString, it results in
  ArrayIndexOutofBoundsException. For our certificate, the
  exception would be thrown, while querying for all the attributes
  from S_MIME to OBJECT_SIGNING_CA.
  

Problem conclusion

• Following fix (in green below) resolves this problem. Here
  isSet()  returns "false" for all 'position' values which are
  greater than or equal to length of bitString :
  
      private boolean isSet(int position) {
       if (debug != null) {
              debug.entry(Debug.TYPE_PRIVATE, className, "isSet",
  new Integer(position));
              debug.exit(Debug.TYPE_PRIVATE, className, "isSet",
  bitString.length > position ? bitString[position] : false);
          }
          return bitString.length > position ? bitString[position]
  : false;
      }
  
  
  
  
  Fixes for this APAR have been dropped for:
  - 1.4.2 SR14
  - 5.0 SR11
  - 6.0 SR6
  
  The affected Java Security component is "PKCS".  The affected
  jar is "ibmpkcs.jar".
  The Austin CMVC build level associated with this jar is
  20090617.
  The associated Hursley CMVC defect is 152366.
  The associated Austin CMVC defect is 10694
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  TIVOLI JAVA PKC

• Fixed component ID

  TIVSECPKC

Applicable component levels

• R100 PSY

     UP