IBM Support

IZ91964: FIPS PROVIDER FAILURE SEEN FOR SIMPLE TEST CASE IN NEWER SRS


APAR status

  • Closed as program error.

Error description

  • Error Message: The IBMJCEFIPS security provider is activated by
    specifying it in the configuration file
    "JAVADIR/jre/lib/security/java.security". The provider section
    of the file then looks like this (note that IBMJCEFIPS is listed
    first):
    security.provider.1=com.ibm.crypto.fips.provider.IBMJCEFIPS
    security.provider.2=com.ibm.jsse2.IBMJSSEProvider2
    security.provider.3=com.ibm.crypto.provider.IBMJCE
    security.provider.4=com.ibm.security.jgss.IBMJGSSProvider
    security.provider.5=com.ibm.security.cert.IBMCertPath
    security.provider.6=com.ibm.security.sasl.IBMSASL
    security.provider.7=com.ibm.xml.crypto.IBMXMLCryptoProvider
    security.provider.8=com.ibm.xml.enc.IBMXMLEncProvider
    security.provider.9=org.apache.harmony.security.provider.PolicyProvider
    security.provider.10=com.ibm.security.jgss.mech.spnego.IBMSPNEGO
    
    When this is activated, some encryption algorithms, such as AES,
    use the IBMJCEFIPS provider and execute normally.
    However, the code below (provided as an illustration) fails in
    this configuration and throws an exception:
    
       byte[] data = ...; // the data to be encrypted
       SecretKeySpec key = ...;
       Cipher cipher = Cipher.getInstance("AES");
       cipher.init(Cipher.ENCRYPT_MODE, key);
       byte[] encrypted = cipher.doFinal(data);
    Stack Trace:
     Exception in thread "main" java.lang.StackOverflowError
     at sun.misc.FloatingDecimal.dtoa(FloatingDecimal.java:562)
     at sun.misc.FloatingDecimal.<init>(FloatingDecimal.java:489)
     at java.lang.Double.toString(Double.java:190)
     at java.lang.String.valueOf(String.java:1470)
     at java.security.Provider.<init>(Provider.java:105)
     at com.ibm.crypto.fips.provider.IBMJCEFIPS.<init>(Unknown Source)
    
    The exact stack may vary slightly, but it is always in the
    IBMJCEFIPS constructor.
    

Local fix

Problem summary

  • The problem is caused by lazy loading of the security
    providers: the provider calls the get-provider-list operation
    in its constructor, which causes an endless loop.
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR9 FP2

    A condition has been added to the code logic to avoid this
    endless loop.

    To obtain the fix:
    Install build 20110111 or later
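
The re-entrancy described in the problem summary, and a guard of the kind the conclusion mentions, modeled in a small self-contained Java program (Java 8 or later). This is an added example, not IBM's code: Registry, ReentrantProvider and the loading flag are hypothetical names, and the guard is an assumed shape for the condition, which the APAR does not detail.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Simplified model of a lazily loaded provider list (hypothetical; not the JDK's classes).
public class LazyProviderDemo {
    static class Registry {
        private final List<Supplier<Object>> factories = new ArrayList<>();
        private final boolean guarded;
        private List<Object> loaded;   // stays null until the first lookup
        private boolean loading;       // true while provider constructors are running

        Registry(boolean guarded) { this.guarded = guarded; }
        void register(Supplier<Object> factory) { factories.add(factory); }

        List<Object> getProviders() {
            if (loaded != null) return loaded;
            // Assumed guard: a call made from inside a provider constructor
            // gets an empty list instead of restarting the load.
            if (guarded && loading) return new ArrayList<>();
            loading = true;
            try {
                List<Object> result = new ArrayList<>();
                for (Supplier<Object> f : factories) result.add(f.get());
                loaded = result;
                return loaded;
            } finally {
                loading = false;
            }
        }
    }

    // Stand-in for a provider whose constructor asks for the provider list.
    static class ReentrantProvider {
        final int seenDuringInit;
        ReentrantProvider(Registry r) { seenDuringInit = r.getProviders().size(); }
    }

    static String run(boolean guarded) {
        Registry r = new Registry(guarded);
        r.register(() -> new ReentrantProvider(r));
        try {
            return "loaded " + r.getProviders().size() + " provider(s)";
        } catch (StackOverflowError e) {   // same failure class as the APAR's stack trace
            return "StackOverflowError";
        }
    }

    public static void main(String[] args) {
        System.out.println("unguarded: " + run(false));
        System.out.println("guarded:   " + run(true));
    }
}
```

Without the guard, the first lookup recurses through the provider constructor until the stack is exhausted; with it, the nested call returns immediately and the list loads once.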
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ91964

  • Reported component name

    JAVA CLASS LIBS

  • Reported component ID

    620700130

  • Reported release

    600

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-01-10

  • Closed date

    2011-01-11

  • Last modified date

    2011-09-07

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA CLASS LIBS

  • Fixed component ID

    620700130

Applicable component levels

  • R600 PSN

       UP


Document Information

Modified date:
06 October 2021