IZ68636: DSAPKCS11KEYFACTORY.JAVA - ANTICIPATE DSA KEY LENGTH PROBLEMS



APAR status

  • Closed as program error.

Error description

  • Error Message: This problem was not experienced by an IBM/Tivoli
    customer.
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • This problem was discovered while performing crypto adapter
    compatibility testing with WAS, using the IBMPKCS11Impl
    provider.
    WAS was configured prior to adding the IBMPKCS11Impl provider to
    the providers list.
    In other words, all crypto processing performed during WAS
    configuration processing was done by IBMJCE.
    The WAS configuration processing causes WAS to generate one or
    more p12 keystore files that contain certificates.
    Prior to runtime, the IBMPKCS11Impl provider was added to
    the providers list on the test system.
    During runtime, the IBMPKCS11Impl provider was unable
    to verify a DSA key signature within one of the p12 files.
    The crypto hardware threw an exception claiming:
    "Key size is out of range".
    

Problem conclusion

  • This defect will be fixed in:
    5.0.0 SR11 FP1
    6.0.0 SR7
    .
    Apparently the IBMJCE provider can generate a DSAPublicKey
    within which the "Y" component is 129 bytes in length.
    (The extra byte is a leading zero which can be trimmed off.) 128
    bytes is the usual length of the "Y" component.
    When the IBMPKCS11Impl provider tried to use this key
    to verify a signature within the p12 file, the hardware
    generated an error stating "Key size is out of range".
    On a signature verify operation, the IBMPKCS11Impl provider
    converts an IBMJCE generated DSA public key to an
    IBMPKCS11Impl DSA public key before performing the verify
    via hardware.
    Logic was added to the DSAPKCS11KeyFactory to check whether
    the IBMJCE DSA public key has a "Y" value that is 129 bytes in
    length, and if so, to trim the leading zero byte during the
    conversion of the IBMJCE key to an IBMPKCS11Impl key.
    Testing revealed that this fixed the problem.
    .
    To obtain the fix:
    Install build 20091030 or later
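
    The 129-byte "Y" described above can be reproduced with java.math.BigInteger, whose toByteArray() returns a signed two's-complement encoding and so prepends a 0x00 byte when the top bit of a 1024-bit value is set. The following is an added example, not the DSAPKCS11KeyFactory code; the class, the helper unsignedY and the sample values are hypothetical and constructed for illustration.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class DsaYEncoding {

    // Hypothetical helper: unsigned big-endian bytes of y with the
    // two's-complement sign byte removed. PKCS#11 big integers are
    // unsigned, most significant byte first.
    static byte[] unsignedY(BigInteger y, BigInteger p) {
        if (y.signum() <= 0 || y.compareTo(p) >= 0) {
            throw new IllegalArgumentException("y must satisfy 0 < y < p");
        }
        byte[] raw = y.toByteArray();             // signed encoding
        if (raw.length > 1 && raw[0] == 0) {      // the 129-byte case
            raw = Arrays.copyOfRange(raw, 1, raw.length);
        }
        return raw;
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) {
        // Constructed values: p is only a 1024-bit upper bound, not a real DSA prime.
        BigInteger p = BigInteger.ONE.shiftLeft(1024).subtract(BigInteger.ONE);
        // Top bit of the 1024-bit value set: signed form needs a sign byte.
        BigInteger yHigh = BigInteger.ONE.shiftLeft(1023).add(BigInteger.valueOf(12345));
        // Top bit clear: signed and unsigned forms are the same length.
        BigInteger yLow = BigInteger.ONE.shiftLeft(1022).add(BigInteger.valueOf(12345));

        check(yHigh.toByteArray().length == 129, "signed form is 129 bytes");
        check(yHigh.toByteArray()[0] == 0, "extra byte is a leading zero");
        check(yLow.toByteArray().length == 128, "no sign byte when top bit is clear");

        byte[] trimmed = unsignedY(yHigh, p);
        check(trimmed.length == 128, "trimmed to the usual 128 bytes");
        check(new BigInteger(1, trimmed).equals(yHigh), "value unchanged by trimming");
        check(unsignedY(yLow, p).length == 128, "128-byte value left untouched");
        System.out.println("all checks passed");
    }
}
```

    Reading the trimmed bytes back with new BigInteger(1, bytes) keeps the value positive, which is why the trimmed and untrimmed forms describe the same key.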
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ68636

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-01-25

  • Closed date

    2010-04-26

  • Last modified date

    2010-04-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ68657

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSN

       UP

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

Runtimes for Java Technology

Security


Software version:
5.0


Reference #:
IZ68636


Modified date:
2010-04-29
