APAR status
Closed as program error.
Error description
Error Message: This problem was not experienced by an IBM/Tivoli customer.
Stack Trace: N/A
Local fix
Problem summary
This problem was discovered while performing crypto adapter compatibility testing with WAS, using the IBMPKCS11Impl provider. WAS was configured before the IBMPKCS11Impl provider was added to the providers list. In other words, all crypto processing performed during WAS configuration was done by IBMJCE. The WAS configuration processing causes WAS to generate one or more p12 keystore files that contain certificates.

Prior to runtime, the IBMPKCS11Impl provider was added to the providers list on the test system. During runtime, the IBMPKCS11Impl provider was unable to verify a DSA key signature within one of the p12 files. The crypto hardware threw an exception claiming: "Key size is out of range".
Problem conclusion
This defect will be fixed in:
5.0.0 SR11 FP1
6.0.0 SR7

Apparently the IBMJCE provider can generate a DSAPublicKey within which the "Y" component is 129 bytes in length. (The extra byte is a leading zero which can be trimmed off.) 128 bytes is the usual length of the "Y" component. When the IBMPKCS11Impl provider tried to use this key to verify a signature within the p12 file, the hardware generated an error stating "Key size is out of range".

On a signature verify operation, the IBMPKCS11Impl provider converts an IBMJCE generated DSA public key to an IBMPKCS11Impl DSA public key before performing the verify via hardware. Logic was added to the DSAPKCS11KeyFactory to check whether the IBMJCE DSA public key has a "Y" value that is 129 bytes in length, and if so, trim the leading zero byte during the conversion of the IBMJCE key to an IBMPKCS11Impl key. Testing revealed that this fixed the problem.

To obtain the fix: Install build 20091030 or later
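The following is an added illustration, not IBM's DSAPKCS11KeyFactory code and not part of the APAR. It assumes the 129-byte "Y" comes from the sign byte that java.math.BigInteger.toByteArray() prepends when the top bit of the value is set (the APAR does not state the cause); the class and method names are hypothetical.

```java
import java.math.BigInteger;
import java.security.KeyPairGenerator;
import java.security.interfaces.DSAPublicKey;
import java.util.Arrays;

public class DsaYEncoding {

    // Hypothetical helper: unsigned big-endian magnitude of a non-negative
    // BigInteger, which is the form a hardware token expects for a key value.
    static byte[] unsignedMagnitude(BigInteger v) {
        if (v.signum() < 0) {
            throw new IllegalArgumentException("expected a non-negative value");
        }
        byte[] raw = v.toByteArray();   // two's complement; may start with a 0x00 sign byte
        if (raw.length > 1 && raw[0] == 0) {
            return Arrays.copyOfRange(raw, 1, raw.length);
        }
        return raw;
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(1024);           // 1024-bit p, so Y fits in 128 unsigned bytes

        // Freshly generated sample keys; their values differ on every run.
        for (int i = 0; i < 8; i++) {
            DSAPublicKey pub = (DSAPublicKey) kpg.generateKeyPair().getPublic();
            BigInteger y = pub.getY();
            byte[] signed = y.toByteArray();
            byte[] unsigned = unsignedMagnitude(y);

            // Trimming must not change the numeric value of Y.
            if (!new BigInteger(1, unsigned).equals(y)) {
                throw new AssertionError("trimming changed the value of Y");
            }
            System.out.printf("key %d: toByteArray()=%d bytes, unsigned=%d bytes%s%n",
                    i, signed.length, unsigned.length,
                    signed.length == 129 ? "  <- leading zero trimmed" : "");
        }
    }
}
```

Keys whose "Y" has its top bit set show 129 bytes from toByteArray() and 128 bytes after trimming; the others are already 128 bytes or shorter and pass through unchanged.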
Temporary fix
Comments
APAR Information
APAR number
IZ68636
Reported component name
JAVA 5 SECURITY
Reported component ID
620500125
Reported release
500
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2010-01-25
Closed date
2010-04-26
Last modified date
2010-04-29
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
JAVA 5 SECURITY
Fixed component ID
620500125
Applicable component levels
R500 PSN
UP
Document Information
Modified date:
07 December 2020