
IZ73340: COMPARE DOMAINCOMPONENT (DC) AND EMAILADDRESS OF DOMAINNAME(X500NAME) IN CASE INSENSITIVE MANNER.



APAR status

  • Closed as program error.

Error description

  • APAR Description : Compare DomainComponent (DC) and EMAILADDRESS
    of DomainName (X500Name) in a case-insensitive manner.
    
    JDK Affected : JDK 142, 5.0, 6.0
    
    JAR Affected: ibmpkcs.jar
    
    Problem Description :
    Values of the DomainComponent (DC) and emailaddress attributes in
    a DomainName (X500Name) are encoded as IA5String. If two values
    are the same except for case, their DER values don't match,
    causing the equality check to fail.
    
    For example, the X500Names of the following pairs of DNs currently
    do not match (equals returns false):
    
    CN=GROUP-1,DC=IBM,DC=COM
    CN=GROUP-1,dc=ibm,dc=com
    
    CN=group-1, DC=ibm, DC=com, EMAILADDRESS=abc@xyz.com
    CN=group-1, DC=ibm, DC=com, EMAILADDRESS=ABC@XYZ.COM
    
    
    RFC 4519 describes DomainComponent (DC) and mentions that the
    "equality matching rule is case insensitive"; see:
    http://tools.ietf.org/html/rfc4519
    
    RFC 2985 describes EMAILADDRESS and mentions that "When
    comparing two email addresses, case is irrelevant"; see:
    http://www.rfc-editor.org/rfc/rfc2985.txt
    
    So an equality check of two Domain Names (X500Names) that have the
    same DC and emailaddress values, but in different case, should
    succeed.
    

Local fix

  • Level 3 to update
    

Problem summary

  • IA5String matching. Compare DomainComponent
    (DC) and EMAILADDRESS of DomainName (X500Name) in a
    case-insensitive manner.
    
    PROBLEM DESCRIPTION:
    
    Values of the DomainComponent (DC) and emailaddress attributes in
    a DomainName (X500Name) are encoded as IA5String. If two values
    are the same except for case, their DER values don't match,
    causing the equality check to fail.
    
    For example, the X500Names of the following pairs of DNs currently
    do not match (equals returns false):
    
    CN=GROUP-1,DC=IBM,DC=COM
    CN=GROUP-1,dc=ibm,dc=com
    
    CN=group-1, DC=ibm, DC=com, EMAILADDRESS=xyz@ibm.com
    CN=group-1, DC=ibm, DC=com, EMAILADDRESS=XYZ@IBM.COM
    
    RFC 4519 describes DomainComponent (DC) and mentions that the
    "equality matching rule is case insensitive"; see:
    http://tools.ietf.org/html/rfc4519
    
    RFC 2985 describes EMAILADDRESS and mentions that "When
    comparing two email addresses, case is irrelevant"; see:
    http://www.rfc-editor.org/rfc/rfc2985.txt
    
    So an equality check of two Domain Names (X500Names) that have the
    same DC and emailaddress values, but in different case, should
    succeed.
    

Problem conclusion

  • The problem can be resolved by converting DC and EMAILADDRESS
    values to lowercase before encoding these values as IA5String.
    This way the DER values will be the same and the equality check
    will succeed.
    
    The associated Hursley CMVC defect is 163952.
    The associated Austin CMVC defect is 110191.
    The fix is being dropped for:
    1.4.2 SR13 FP5
    5.0.0 SR12
    6.0.0 SR8
    
    The build level of this jar for Java 1.4.2, 5.0, and 6.0 is
    20100326.
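
The byte-level mismatch and the lowercase-before-encoding fix described above, as an added example that is not IBM's code or part of ibmpkcs.jar. Assumptions: the names `tlv`, `encode_name` and `names_equal` are hypothetical, CN is tagged as PrintableString, and the DN parser is a simple comma split with no escaping.

```python
# Added example: hand-rolled DER for an X.500 Name (no escaping, no multi-valued RDNs).
SEQUENCE, SET, OID = 0x30, 0x31, 0x06
PRINTABLE, IA5STRING = 0x13, 0x16  # CN as PrintableString is an assumption

# Attribute type -> (DER-encoded OID body, string tag used for the value)
ATTRS = {
    "CN": (bytes.fromhex("550403"), PRINTABLE),                        # 2.5.4.3
    "DC": (bytes.fromhex("0992268993f22c640119"), IA5STRING),          # 0.9.2342.19200300.100.1.25
    "EMAILADDRESS": (bytes.fromhex("2a864886f70d010901"), IA5STRING),  # 1.2.840.113549.1.9.1
}

def tlv(tag, body):
    """Tag-length-value with DER definite-length encoding."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(dn, fold_ia5=False):
    """Encode a DN string as SEQUENCE OF SET OF SEQUENCE { type, value }.

    RDNs are emitted in the order written. With fold_ia5=True, IA5String
    values (DC, EMAILADDRESS) are lowercased first, as the APAR's fix describes.
    """
    rdns = b""
    for part in dn.split(","):
        key, value = (s.strip() for s in part.split("=", 1))
        oid, tag = ATTRS[key.upper()]
        if fold_ia5 and tag == IA5STRING:
            value = value.lower()
        atv = tlv(SEQUENCE, tlv(OID, oid) + tlv(tag, value.encode("ascii")))
        rdns += tlv(SET, atv)
    return tlv(SEQUENCE, rdns)

def names_equal(a, b, fold_ia5=False):
    """Equality by comparing DER bytes, the behaviour the APAR describes."""
    return encode_name(a, fold_ia5) == encode_name(b, fold_ia5)

if __name__ == "__main__":
    a, b = "CN=GROUP-1,DC=IBM,DC=COM", "CN=GROUP-1,dc=ibm,dc=com"  # pair from the APAR
    print("before fix:", names_equal(a, b), " after fix:", names_equal(a, b, True))
    print(encode_name("DC=COM").hex())  # IA5String bytes 434f4d ("COM")
    print(encode_name("dc=com").hex())  # IA5String bytes 636f6d ("com")
```

Only the IA5String attributes named in the APAR are folded; a CN that differs in case still produces different bytes in this sketch.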
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ73340

  • Reported component name

    TIVOLI JAVA PKC

  • Reported component ID

    TIVSECPKC

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-03-24

  • Closed date

    2010-04-02

  • Last modified date

    2010-07-01

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI JAVA PKC

  • Fixed component ID

    TIVSECPKC

Applicable component levels

  • R100 PSY

       UP


Document information

Tivoli Components - Java Security

PKCS


Software version:
100


Reference #:
IZ73340


Modified date:
2010-07-01
