IBM Support

IZ92573: PKCSDEROBJECT - ADD DEBUG TRACING FOR INTERNAL EXCEPTION


APAR status

  • Closed as program error.

Error description

  • Error Message: Refer to stack trace.
    .
    Stack Trace: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
     at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
     at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
     at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
     at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
     at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
     at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
     at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
     at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
     at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
     at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)
    .
    

Local fix

Problem summary

  • The design of the PKCSDerObject.decode( byte[] der )
    method indicates that the byte array being
    received may contain either:
    - "raw der encoded data", or
    - that same "raw der encoded data" encoded as base64
    The method first assumes that the data is "raw der encoded data"
    and attempts to decode it under that assumption.
    If that decoding attempt causes an exception to be thrown "for
    any reason", the code blindly assumes that
    the exception was caused because the data was actually "base64"
    rather than "raw".
    It then retries its decoding attempt by first removing the
    base64 encoding.
    The failure experienced by the customer had an unanticipated
    cause: an incorrect PKCS#7 ContentType OID within the data being
    decoded, which specified EnvelopedData rather than SignedData.
    This error caused the EnvelopedData.decode( ) method to get
    control by accident. From that point onward, a decoding error of
    some type was guaranteed.
    The decoding exception experienced internally is shown below:
    java.io.IOException: Invalid EnvelopedData version (must be 0 or 2).
     at com.ibm.security.pkcs7.EnvelopedData.decode(EnvelopedData.java:481)
     at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
     at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:84)
     at com.ibm.security.pkcs7.Content.<init>(Content.java:68)
     at com.ibm.security.pkcs7.EnvelopedData.<init>(EnvelopedData.java:142)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
     at java.lang.reflect.Constructor.newInstance(Constructor.java:522)
     at com.ibm.security.pkcs7.ContentInfo.createDynamicObject(ContentInfo.java:258)
     at com.ibm.security.pkcs7.ContentInfo.createContent(ContentInfo.java:672)
     at com.ibm.security.pkcs7.ContentInfo.decode(ContentInfo.java:620)
     at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
     at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:371)
     at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:135)
     at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
     at pkcs.SignedDataTest.main(SignedDataTest.java:12)
    When the decode method catches the exception above, it assumes
    that this exception occurred because the data being decoded was
    "base64 encoded" der encoded data.  It tries to remove the
    base64 encoding before decoding the der encoded data.  This
    resulted in the following exception which was meaningless in
    this case:
    java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
     at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
     at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
     at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
     at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
     at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
     at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
     at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
     at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
     at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
     at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)
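
The masking behaviour described above, as an added example (not IBM's code, and not part of the original APAR): `decodeRaw` is a toy stand-in for the typed decoder, the sample bytes are constructed, and a Java 8 or later runtime is assumed for `java.util.Base64`. `decodeBlindRetry` reproduces the catch-and-retry pattern, so the version error is replaced by an unrelated failure; `decodeKeepCause` retries only when the input cannot be raw DER and keeps the first exception attached.

```java
import java.io.IOException;
import java.util.Base64;

// Added illustration: decodeRaw is a toy stand-in, not IBM's PKCSDerObject.
public class DecodeFallbackDemo {
    // Toy typed decoder for SEQUENCE { INTEGER version }; version must be 0 or 2.
    static int decodeRaw(byte[] der) throws IOException {
        if (der.length < 5 || der[0] != 0x30) throw new IOException("expected DER SEQUENCE");
        if (der[2] != 0x02 || der[3] != 0x01) throw new IOException("expected INTEGER version");
        if (der[4] != 0 && der[4] != 2) throw new IOException("Invalid version (must be 0 or 2).");
        return der[4];
    }

    // Pattern described in the APAR: any failure is read as "input was base64".
    static int decodeBlindRetry(byte[] in) throws IOException {
        try {
            return decodeRaw(in);
        } catch (IOException first) {   // root cause is discarded here
            return decodeRaw(Base64.getMimeDecoder().decode(in));
        }
    }

    // Retry only when the input cannot be raw DER, and keep the first error.
    static int decodeKeepCause(byte[] in) throws IOException {
        try {
            return decodeRaw(in);
        } catch (IOException first) {
            // base64 of a SEQUENCE starts with 'M', never with the byte 0x30
            if (in.length > 0 && in[0] == 0x30) throw first;
            try {
                return decodeRaw(Base64.getMimeDecoder().decode(in));
            } catch (IllegalArgumentException | IOException second) {
                IOException e = new IOException("not DER and not base64(DER)", second);
                e.addSuppressed(first);
                throw e;
            }
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] badVersion = {0x30, 0x03, 0x02, 0x01, 0x01}; // constructed sample
        byte[] goodB64 = Base64.getEncoder().encode(new byte[] {0x30, 0x03, 0x02, 0x01, 0x02});
        try { decodeBlindRetry(badVersion); }
        catch (Exception e) { System.out.println("blind retry: " + e.getMessage()); }
        try { decodeKeepCause(badVersion); }
        catch (IOException e) { System.out.println("keep cause : " + e.getMessage()); }
        System.out.println("base64 input decodes, version=" + decodeKeepCause(goodB64));
    }
}
```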
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR10
    5.0.0 SR12 FP5
    1.4.2 SR14
    .
    To help debug future occurrences of this problem, additional
    debug tracing has been added to the decode method.  It will now
    trace the internal exception generated by the first decode
    attempt (where "raw" der encoded data is assumed).  That
    exception will be preceded by the following comment within the
    debug trace output:
    "The exception shown within the trace data below was thrown by
    PKCSDerObject.decode( byte[] der ) while trying to
    decode an object that it assumed was in raw der encoded form.
    Either, there is an error within that raw der encoded data which
    led to this exception, or the data itself was actually base64
    encoded.   PKCSDerObject.decode( byte[] der ) will now
    re-attempt the decoding operation.
    This time, however,  it will assume that the data is also base64
    encoded, and will attempt to remove the base64 encoding before
    trying to decode the der encoded object.  If a second exception
    is thrown, then there is likely either a der encoding problem
    with the object being decoded
    (most likely) or there is a problem with the base64 encoding
    (less likely)."
    ...... exception stack trace here .............
    .
    To obtain the fix:
    Install build 20110308 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ92573

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-01-24

  • Closed date

    2011-03-08

  • Last modified date

    2011-07-14

  • APAR is sysrouted FROM one or more of the following:

    IZ92565

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSN

       UP


Document Information

Modified date:
07 December 2020