IZ68636: DSAPKCS11KEYFACTORY.JAVA - ANTICIPATE DSA KEY LENGTH PROBLEMS

APAR status

  • Closed as program error.

Error description

  • Error Message: This problem was not experienced by an IBM/Tivoli
    customer.
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • This problem was discovered while performing crypto adapter
    compatibility testing with WAS, using the IBMPKCS11Impl
    provider.
    WAS was configured prior to adding the IBMPKCS11Impl provider to
    the providers list.
    In other words, all crypto processing performed during WAS
    configuration processing was done by IBMJCE.
    The WAS configuration processing causes WAS to generate one or
    more p12 keystore files that contain certificates.
    Prior to runtime, the IBMPKCS11Impl provider was added to
    the providers list on the test system.
    During runtime, the IBMPKCS11Impl provider was unable
    to verify a DSA key signature within one of the p12 files.
    The crypto hardware threw an exception claiming:
    "Key size is out of range".
    

Problem conclusion

  • This defect will be fixed in:
    5.0.0 SR11 FP1
    6.0.0 SR7
    .
    Apparently the IBMJCE provider can generate a DSAPublicKey
    within which the "Y" component is 129 bytes in length.
    (The extra byte is a leading zero which can be trimmed off.) 128
    bytes is the usual length of the "Y" component.
    When the IBMPKCS11Impl provider tried to use this key
    to verify a signature within the p12 file, the hardware
    generated an error stating "Key size is out of range".
    On a signature verify operation, the IBMPKCS11Impl provider
    converts an IBMJCE generated DSA public key to an
    IBMPKCS11Impl DSA public key before performing the verify
    via hardware.
    Logic was added to the DSAPKCS11KeyFactory to check whether
    the IBMJCE DSA public key has a "Y" value that is 129 bytes in
    length, and if so, to trim the leading zero byte during the
    conversion of the IBMJCE key to an IBMPKCS11Impl key.
    Testing revealed that this fixed the problem.
    .
    To obtain the fix:
    Install build 20091030 or later
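
    The conversion described above, as an added example (this is not IBM's code from DSAPKCS11KeyFactory): it strips the zero sign byte that BigInteger.toByteArray() emits when the top bit of the value is set, which is one common source of a 129-byte encoding for a 1024-bit "Y". It goes beyond the 129-byte case by handling any key size and range-checking the value against the prime first. The class name, method name and sample values are assumptions made for illustration.

```java
import java.math.BigInteger;
import java.util.Arrays;

public class DsaPublicValueEncoding {

    /** Unsigned big-endian bytes of y, without the two's-complement sign byte. */
    static byte[] unsignedMagnitude(BigInteger y, BigInteger p) {
        // Reject values outside (0, p) instead of silently truncating them.
        if (y.signum() <= 0 || y.compareTo(p) >= 0) {
            throw new IllegalArgumentException("y is not in the range 0 < y < p");
        }
        byte[] raw = y.toByteArray();
        // For a positive value, toByteArray() prepends 0x00 exactly when the
        // most significant bit of the magnitude is set.
        if (raw.length > 1 && raw[0] == 0) {
            return Arrays.copyOfRange(raw, 1, raw.length);
        }
        return raw;
    }

    public static void main(String[] args) {
        // Constructed sample values, not a real DSA key: p stands in for a
        // 1024-bit modulus and y has its most significant bit set.
        BigInteger p = BigInteger.ONE.shiftLeft(1024).subtract(BigInteger.ONE);
        BigInteger y = BigInteger.ONE.shiftLeft(1023).add(BigInteger.valueOf(0x1234));

        byte[] raw = y.toByteArray();
        byte[] trimmed = unsignedMagnitude(y, p);

        System.out.println("toByteArray length: " + raw.length);
        System.out.println("trimmed length:     " + trimmed.length);
        System.out.println("value preserved:    " + new BigInteger(1, trimmed).equals(y));
    }
}
```

    In a real conversion the inputs would come from DSAPublicKey.getY() and getParams().getP().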
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ68636

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-01-25

  • Closed date

    2010-04-26

  • Last modified date

    2010-04-29

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IZ68657

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSN

       UP



Document information


More support for:

Runtimes for Java Technology
Security

Software version:

5.0

Reference #:

IZ68636

Modified date:

2010-04-29
