IZ68636: DSAPKCS11KEYFACTORY.JAVA - ANTICIPATE DSA KEY LENGTH PROBLEMS
Closed as program error.
Error Message: This problem was not experienced by an IBM/Tivoli customer. . Stack Trace: N/A .
This problem was discovered while performing crypto adapter compatability testing with WAS, using the IBMPKCS11Impl provider. WAS was configured prior to adding the IBMPKCS11Impl provider to the provider's list. In other words, all crypto processing performed during WAS configuration processing was done by IBMJCE. The WAS configuration processing causes WAS to generate one or more p12 keystore files that contain certificates. Prior to runtime, the IBMPKCS11Impl provider was added to the providers list on the test system. During runtime, the IBMPKCS11Impl provider was unable to verify a DSA key signature within one of the p12 files. The crypto hardware threw an exception claiming: "Key size is out of range".
This defect will be fixed in: 5.0.0 SR11 FP1 6.0.0 SR7 . Apparently the IBMJCE provider can generate a DSAPublicKey within which the "Y" component is 129 bytes in length. (The extra byte is a leading zero which can be trimmed off.) 128 bytes is the usual length of the "Y" component. When the IBMPKCS11Impl provider tried to use this key to verify a signature within the p12 file, the hardware generated an error stating "Key size is out of range". On a signature verify operation, the IBMPKCS11Impl provider converts an IBMJCE generated DSA public key to an IBMPKCS11Impl DSA public key before performing the verify via hardware. Logic was added to the DSAPKCS11KeyFactory to check whether the IBMJCE DSA public key has a "Y" value that is 129 bytes in length, and if so, trim the leading byte of zeroes during the conversion of the IBMJCE key to an IBMPKCS11Impl key. Testing revealed that this fixed the problem. . To obtain the fix: Install build 20091030 or later
Reported component name
JAVA 5 SECURITY
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
JAVA 5 SECURITY
Fixed component ID
Applicable component levels