IBM Support

IZ68636: DSAPKCS11KEYFACTORY.JAVA - ANTICIPATE DSA KEY LENGTH PROBLEMS

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • Error Message: This problem was not experienced by an IBM/Tivoli
customer.
.
Stack Trace: N/A
.

Local fix

  • 



Problem summary


    

  • This problem was discovered while performing crypto adapter
compatability testing with WAS, using the IBMPKCS11Impl
provider.
WAS was configured prior to adding the IBMPKCS11Impl provider to
the provider's list.
In other words, all crypto processing performed during WAS
configuration processing was done by IBMJCE.
The WAS configuration processing causes WAS to generate one or
more p12 keystore files that contain certificates.
Prior to runtime, the IBMPKCS11Impl provider was added to
the providers list on the test system.
During runtime, the IBMPKCS11Impl provider was unable
to verify a DSA key signature within one of the p12 files.
The crypto hardware threw an exception claiming:
"Key size is out of range".

    



Problem conclusion


    

  • This defect will be fixed in:
5.0.0 SR11 FP1
6.0.0 SR7
.
Apparently the IBMJCE provider can generate a DSAPublicKey
within which the "Y" component is 129 bytes in length.
(The extra byte is a leading zero which can be trimmed off.) 128
bytes is the usual length of the "Y" component.
When the IBMPKCS11Impl provider tried to use this key
to verify a signature within the p12 file, the hardware
generated an error stating "Key size is out of range".
On a signature verify operation, the IBMPKCS11Impl provider
converts an IBMJCE generated DSA public key to an
IBMPKCS11Impl DSA public key before performing the verify
via hardware.
Logic was added to the DSAPKCS11KeyFactory to check whether
the IBMJCE DSA public key has a "Y" value that is 129 bytes in
length,
and if so, trim the leading byte of zeroes during the conversion
of the IBMJCE key to an IBMPKCS11Impl key.
Testing revealed that this fixed the problem.
.
To obtain the fix:
Install build 20091030 or later

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    IZ68636
    • 

  • Reported component name
    JAVA 5 SECURITY
    • 

  • Reported component ID
    620500125
    • 

  • Reported release
    500
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt
    • 

  • Submitted date
    2010-01-25
    • 

  • Closed date
    2010-04-26
    • 

  • Last modified date
    2010-04-29
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    
IZ68657
    

    • 



Fix information


    

  • Fixed component name
    JAVA 5 SECURITY
    • 

  • Fixed component ID
    620500125
    • 



Applicable component levels


    

  • R500  PSN
       UP
    • 








      
              
                            

              

              [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            07 December 2020
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback