IBM Support

IZ80890: DC ATTRIBUTE ENCODINGS AS IA5STRING AND PRINTABLESTRING


APAR status

  • Closed as program error.

Error description

  • Error Message: While using the Java Security CertPath component
    to validate a certificate chain within which the Subject DN
    contains a "DC" attribute, the customer experiences a
    "certificate chaining error".
    .
    Stack Trace: N/A
    .
    

Local fix

Problem summary

  • Some time ago, an error was discovered within the Java Security
    PKCS component: it incorrectly DER-encoded the "DC" attribute of
    a distinguished name as a PrintableString.  When this error was
    discovered, a fix was made to PKCS so that it would encode the
    "DC" attribute properly as an IA5String (refer to RFC 2253).
    Unfortunately, one or more IBM/Tivoli customers had already
    generated certificates which contained distinguished names with
    DC attributes encoded as PrintableStrings.  While trying to
    validate these older certificates with the Java Security
    CertPath component (and with the fix to PKCS above), these
    customers experienced a "certificate chaining error" because the
    updated PKCS component was trying to match a DC attribute
    encoded as an IA5String to one encoded as a PrintableString.
    

Problem conclusion

  • This defect will be fixed in:
    1.4.2 SR14
    5.0.0 SR12
    6.0.0 SR9
    .
    A fix has been made to the Java Security PKCS component which
    enables it to tolerate a "DC" attribute encoded as a
    PrintableString when it is comparing the attribute value pairs
    of a distinguished name.
    .
    To obtain the fix:
    Install build 20100918 or later
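
The mismatch from the problem summary and the tolerant comparison from the fix, shown as an added Python illustration (not IBM's code and not the JDK implementation). It builds two constructed DER Names for DC=example, DC=com, one with PrintableString values and one with IA5String values; all function names and the sample DN are assumptions made for this example.

```python
# Added illustration, not IBM's code: DC string-type mismatch in a DER Name.
DC_OID = bytes.fromhex("0992268993f22c640119")  # 0.9.2342.19200300.100.1.25
PRINTABLE, IA5 = 0x13, 0x16                      # ASN.1 universal string tags

def tlv(tag, value):
    if len(value) >= 0x80:  # short-form lengths only, enough for the sample
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(value)]) + value

def read_tlvs(buf):  # yields (tag, value) for each short-form TLV in buf
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] >= 0x80 or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated or long-form TLV")
        yield buf[i], buf[i + 2:i + 2 + buf[i + 1]]
        i += 2 + buf[i + 1]

def make_name(dcs, string_tag):
    """Constructed sample: one DC attribute per RDN, encoded with string_tag."""
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, tlv(0x06, DC_OID) + tlv(string_tag, dc.encode("ascii"))))
        for dc in dcs))

def parse_name(der):
    """Return [(oid, string_tag, value), ...] for every attribute in a Name."""
    (tag, body), = read_tlvs(der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    avas = []
    for _, rdn in read_tlvs(body):          # each RDN is a SET
        for _, ava in read_tlvs(rdn):       # each attribute is a SEQUENCE
            (_, oid), (stag, val) = read_tlvs(ava)
            avas.append((oid, stag, val))
    return avas

def names_match(a, b, tolerate_printable_dc=False):
    """Compare two Names; optionally treat a PrintableString DC as IA5String."""
    def norm(avas):
        return [(oid, IA5 if tolerate_printable_dc and oid == DC_OID
                 and tag == PRINTABLE else tag, val) for oid, tag, val in avas]
    return norm(parse_name(a)) == norm(parse_name(b))

def legacy_dc_values(der):
    """List DC values still encoded as PrintableString (audit helper)."""
    return [val.decode("ascii") for oid, tag, val in parse_name(der)
            if oid == DC_OID and tag == PRINTABLE]

OLD_ISSUER = make_name(["example", "com"], PRINTABLE)  # pre-fix encoding
NEW_SUBJECT = make_name(["example", "com"], IA5)       # post-fix encoding
```

`names_match(OLD_ISSUER, NEW_SUBJECT)` fails under strict comparison and succeeds with `tolerate_printable_dc=True`; `legacy_dc_values` can be run over the names in existing certificates to find those that depend on the tolerant comparison.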
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ80890

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2010-07-23

  • Closed date

    2010-09-17

  • Last modified date

    2010-09-17

  • APAR is sysrouted FROM one or more of the following:

    PM19056

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R600 PSN

       UP


Document Information

Modified date:
07 December 2020