IZ92573: PKCSDEROBJECT - ADD DEBUG TRACING FOR INTERNAL EXCEPTION

Subscribe

You can track all active APARs for this component.

APAR status

  • Closed as program error.

Error description

  • Error Message: Refer to stack trace.
    .
    Stack Trace: java.io.IOException: DerInputStream.getLength():
    lengthTag=127, too big.
     at
    com.ibm.security.util.DerInputStream.getLength(DerInputStream.ja
    va:
    715)
    
     at
    com.ibm.security.util.DerInputStream.getLength(DerInputStream.ja
    va:
    689)
    
     at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
    
     at
    com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.
    
    java:490)
    
     at
    com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.jav
    a:
    258)
    
     at
    com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:
    297)
     at
    com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.jav
    a:
    129)
    
     at
    com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    
     at pkcs.samples.PKCS7SignedDataUtil.verifySignature
    
    (PKCS7SignedDataUtil.java:83)
    
     at
    pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:1
    75)
    .
    

Local fix

Problem summary

  • The design of the PKCSDerObject.decode( byte<OSB><CSB> der )
    method indicates that the byte array being
    received may contain either:
    - "raw der encoded data", or
    - that same "raw der encoded data" encoded as base64
    The method first assumes that the data is "raw der encoded data"
    and attempts to decode it under that assumption.
    If that decoding attempt causes an exception to be thrown "for
    any reason", the code blindly assumes that
    the exception was caused because the data was actually "base64"
    rather than "raw".
    It then retries its decoding attempt by first removing the
    base64 encoding.
    The failure experienced by the customer was caused by an
    unanticipated reason.  It was caused by an incorrect PKCS#7
    ContentType OID within the data being decoded which specified
    EnvelopedData, rather than SignedData.  This error caused the
    EnvelopedData.decode( ) method to get control by accident.  From
    that point onward, a decoding error of some type was guaranteed.
     The decoding exception experienced internally  is shown below:
    java.io.IOException: Invalid EnvelopedData version (must be 0 or
    2).
            at
    com.ibm.security.pkcs7.EnvelopedData.decode(EnvelopedData.java:4
    81)
            at
    com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.jav
    a:283)
            at
    com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.jav
    a:84)
            at
    com.ibm.security.pkcs7.Content.<init>(Content.java:68)
            at
    com.ibm.security.pkcs7.EnvelopedData.<init>(EnvelopedData.java:1
    42)
            at
    sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native
    Method)
            at
    sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeCons
    tructorAccessorImpl.java:67)
            at
    sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Delega
    tingConstructorAccessorImpl.java:45)
            at
    java.lang.reflect.Constructor.newInstance(Constructor.java:522)
            at
    com.ibm.security.pkcs7.ContentInfo.createDynamicObject(ContentIn
    fo.java:258)
            at
    com.ibm.security.pkcs7.ContentInfo.createContent(ContentInfo.jav
    a:672)
            at
    com.ibm.security.pkcs7.ContentInfo.decode(ContentInfo.java:620)
            at
    com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.jav
    a:283)
            at
    com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:
    371)
            at
    com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.jav
    a:135)
            at
    com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
            at pkcs.SignedDataTest.main(SignedDataTest.java:12)
    When the decode method catches the exception above, it assumes
    that this exception occurred because the data being decoded was
    "base64 encoded" der encoded data.  It tries to remove the
    base64 encoding before decoding the der encoded data.  This
    resulted in the following exception which was meaningless in
    this case:
    java.io.IOException: DerInputStream.getLength(): lengthTag=127,
    too big.
     at
    com.ibm.security.util.DerInputStream.getLength(DerInputStream.ja
    va:
    715)
    
     at
    com.ibm.security.util.DerInputStream.getLength(DerInputStream.ja
    va:
    689)
    
     at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
    
     at
    com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.
    
    java:490)
    
     at
    com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.jav
    a:
    258)
    
     at
    com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:
    297)
     at
    com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.jav
    a:
    129)
    
     at
    com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    
     at pkcs.samples.PKCS7SignedDataUtil.verifySignature
    
    (PKCS7SignedDataUtil.java:83)
    
     at
    pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:1
    75)
    

Problem conclusion

  • This defect will be fixed in:
    6.0.0 SR10
    5.0.0 SR12 FP5
    1.4.2 SR14
    .
    To help debug future occurrences of this problem, additional
    debug tracing has been added to the decode method.  It will now
    trace the internal exception generated by the first decode
    attempt (where "raw" der encoded data is assumed).  That
    exception will be preceded by the following comment within the
    debug trace output:
    "The exception shown within the trace data below was thrown by
    PKCSDerObject.decode( byte<OSB><CSB> der ) while trying to
    decode an object that it assumed was in raw der encoded form.
    Either, there is an error within that raw der encoded data which
    led to this exception, or the data itself was actually base64
    encoded.   PKCSDerObject.decode( byte<OSB><CSB> der ) will now
    re-attempt the decoding operation.
    This time, however,  it will assume that the data is also base64
    encoded, and will attempt to remove the base64 encoding before
    trying to decode the der encoded object.  If a second exception
    is thrown, then there is likely either a der encoding problem
    with the object being decoded
    (most likely) or there is a problem with the base64 encoding
    (less likely)."
    ...... exception stack trace here .............
    .
    To obtain the fix:
    Install build 20110308 or later
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ92573

  • Reported component name

    JAVA 5 SECURITY

  • Reported component ID

    620500125

  • Reported release

    500

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-01-24

  • Closed date

    2011-03-08

  • Last modified date

    2011-07-14

  • APAR is sysrouted FROM one or more of the following:

    IZ92565

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    JAVA 5 SECURITY

  • Fixed component ID

    620500125

Applicable component levels

  • R500 PSN

       UP



Rate this page:

(0 users)Average rating

Document information


More support for:

Runtimes for Java Technology
Security

Software version:

5.0

Reference #:

IZ92573

Modified date:

2011-07-14

Translate my page

Machine Translation

Content navigation