IBM Support

IJ45599: UPDATE IKEYMAN TO SUPPORT PBES2 AND OTHER MINOR FIXES


APAR status

  • Closed as program error.

Error description

  • Error Message: N/A
    Stack Trace: N/A
    

Local fix

Problem summary

  • 1. Update iKeyman to support PBES2
    Add support for the PBES2 (Password-Based Encryption Scheme 2,
    PKCS #5 / RFC 8018) encryption algorithm, using AES-256 as the
    cipher and HMAC-SHA-384 as the PBKDF2 pseudorandom function.
    2. Fix a Key Identifier issue in iKeyman/iKeycmd
    The AKI/SKI calculation is not compliant with RFC 5280. This
    caused an interoperability issue between iKeyman and Keytool/KCM.
    3. Update the default EC key size for iKeyman
    Update the default key size in iKeyman/iKeycmd for
    SHA256WithECDSA to 256 bits. Currently, the default key size is
    192 bits.
    4. Update the Let's Encrypt intermediate certificate for iKeyman
    The DST Root X3 CA certificate and the Let's Encrypt Authority X3
    certificate cross-signed by DST Root X3 have expired.
    5. Update iKeyman's default signature algorithm and key size
    In iKeyman/iKeycmd, the current default signature algorithm for
    certificates is SHA1WithRSA and the default key size is 1024
    bits. The proposal is to change the default signature algorithm
    to SHA256WithRSA and the default key size to 2048 bits.
    6. Add a warning when no SAN DNSName is provided
    Add a warning message when the Subject Alternative Name (SAN)
    DNS name is not present.
    7. Fix iKeyman to support EC certificate generation using
    IBMPKCS11Impl
    EC key pair generation fails with iKeyman on an HSM.
    8. Fix an issue with ikeycmd -cert -receive chain
    The "-cert -receive" command adds the signer certificates to the
    keystore in iKeyman/iKeycmd.
    

Problem conclusion

  • 1. Update iKeyman to support PBES2
    Set the PBES2 encryption algorithm (AES-256 with HMAC-SHA-384) as
    the default encryption algorithm for CMS and PKCS12 keystores,
    i.e. the "-pqc" option is enabled by default ("-pqc true").
    "-pqc false" creates a legacy PBES1-format CMS keystore (this
    applies only to CMS, and only when creating a new keystore). For
    more information, refer to the "IKeyman user guide".
    Note: for security reasons, iKeyman does not create an empty
    PKCS12 keystore; a "dummy" certificate entry is assigned to it
    instead.
    2. Fix a Key Identifier issue in iKeyman/iKeycmd
    Fix iKeyman's AKI/SKI calculation (for certificate requests and
    certificate generation) so that it conforms to RFC 5280.
    3. Update the default EC key size for iKeyman
    Set the default key size for SHA256WithECDSA to 256 bits.
    4. Update the Let's Encrypt intermediate certificate for iKeyman
    The "Let's Encrypt X3 CA" certificate is replaced with the "Let's
    Encrypt R3 CA" certificate. The DST Root X3 CA certificate is
    removed.
    5. Update iKeyman's default signature algorithm and key size
    Set the default signature algorithm to SHA256WithRSA and the
    default key size to 2048 bits.
    6. Add a warning when no SAN DNSName is provided
    Send a warning message when the SAN DNS name is not present, for
    both CSRs and certificates. The warning is issued during creation
    of the certificate or certificate request.
    7. Fix iKeyman to support EC certificate generation using
    IBMPKCS11Impl
    iKeyman/iKeycmd supports EC key pair generation via the new API
    class
    com.ibm.crypto.pkcs11impl.provider.PKCS11ECKeyPairParameterSpec
    added in IBMPKCS11Impl.
    8. Fix an issue with ikeycmd -cert -receive chain
    Modify iKeyman/iKeycmd so that the "-cert -receive" command no
    longer implicitly adds the signers (intermediates and trust
    anchors) to the keystore. Adding a trust point that the user did
    not explicitly intend is a security risk and a potential attack
    vector: a received certificate chain could otherwise introduce a
    new trust anchor into the keystore as a side effect.
    .
    This APAR will be fixed in the following Releases:
    .
    IBM SDK, Java Technology Edition
       8    SR8 FP5   (8.0.8.5)
    .
    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the available
    maintenance can be found at:
               https://www.ibm.com/support/pages/java-sdk
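    The AKI/SKI item (2) and the PBES2 item (1) above both come down to
    facts that can be checked in the DER a keystore tool produces. The
    following Python is an added, stand-alone example written for this
    page; it is not IBM's code and does not use iKeyman, ikeycmd or
    IBMPKCS11Impl. It computes the Subject Key Identifier exactly as
    RFC 5280 section 4.2.1.2 specifies (SHA-1 over the contents of the
    subjectPublicKey BIT STRING, excluding tag, length and the
    unused-bits octet), and it walks a PKCS#12/PKCS#5 blob to report
    whether it uses PBES2 with AES-256-CBC and HMAC-SHA-384 or a legacy
    PBES1 scheme. All sample DER inside it is constructed by hand for
    the example (the EC point is not a valid curve point); the function
    names are the example's own. Given a .p12 path on the command line
    it classifies that file instead of the built-in sample.

```python
"""Added example for this APAR page (not IBM's code, not part of iKeyman).
1. SubjectKeyIdentifier per RFC 5280 4.2.1.2, method (1) and method (2). The
   AuthorityKeyIdentifier of a certificate is the issuer's SKI computed the same way.
2. Which password-based encryption a PKCS#12/PKCS#5 DER blob uses (PBES2 vs PBES1).
Standard library only. Sample DER is hand-constructed; salt/IV/point are fake."""
import hashlib
import sys

def der_tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, content, end). Single-octet tags only."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("DER length exceeds buffer")
    return tag, data[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, content) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, content, pos = der_tlv(value, pos)
        yield tag, content

def decode_oid(content):
    """Dotted-decimal form of OBJECT IDENTIFIER content octets."""
    arcs, n = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def subject_key_identifier(spki_der):
    """RFC 5280 method (1): SHA-1 of the subjectPublicKey bits of a SubjectPublicKeyInfo."""
    _, spki, _ = der_tlv(spki_der)
    (_, _algid), (bit_tag, bitstring) = list(der_children(spki))
    if bit_tag != 0x03 or bitstring[0] != 0:
        raise ValueError("expected a BIT STRING with zero unused bits")
    return hashlib.sha1(bitstring[1:]).digest()        # unused-bits octet is NOT hashed

def subject_key_identifier_truncated(spki_der):
    """RFC 5280 method (2): type nibble 0100 + least-significant 60 bits of that SHA-1."""
    full = subject_key_identifier(spki_der)
    return bytes([0x40 | (full[12] & 0x0F)]) + full[13:]

def whole_spki_digest(spki_der):
    """A non-compliant variant shown for contrast: hashing the entire SubjectPublicKeyInfo."""
    return hashlib.sha1(spki_der).digest()

def collect_oids(der):
    """Every OID in a DER blob. Descends into constructed types and into OCTET STRINGs that
    parse as DER, since PKCS#12 nests AuthenticatedSafe/EncryptedData inside OCTET STRINGs."""
    found = set()
    for tag, content in der_children(der):
        if tag == 0x06:
            found.add(decode_oid(content))
        elif tag & 0x20:                                # SEQUENCE, SET, [n] EXPLICIT
            found |= collect_oids(content)
        elif tag == 0x04 and content[:1] == b"\x30":
            try:
                found |= collect_oids(content)
            except (IndexError, ValueError):            # opaque octets (salt, IV, ciphertext)
                pass
    return found

PBES1_OIDS = {"1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
              "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC"}

def classify_pbe(der):
    """Report the password-based encryption scheme found anywhere in a DER blob."""
    oids = collect_oids(der)
    if "1.2.840.113549.1.5.13" in oids:                 # id-PBES2
        cipher = "AES-256-CBC" if "2.16.840.1.101.3.4.1.42" in oids else "other cipher"
        prf = "HMAC-SHA-384" if "1.2.840.113549.2.10" in oids else "other PRF"
        return f"PBES2 ({cipher}, {prf})"
    legacy = [name for oid, name in PBES1_OIDS.items() if oid in oids]
    return "PBES1 (" + ", ".join(legacy) + ")" if legacy else "no password-based encryption found"

# --- constructed sample DER (all lengths < 128, so short-form encoding suffices) ---
def _tlv(tag, content):
    return bytes([tag, len(content)]) + content

def _oid(hexstr):
    return _tlv(0x06, bytes.fromhex(hexstr))

_POINT = b"\x04" + bytes(range(1, 65))                  # uncompressed-point framing, fake X||Y
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _oid("2a8648ce3d0201") + _oid("2a8648ce3d030107"))  # ecPublicKey, prime256v1
                   + _tlv(0x03, b"\x00" + _POINT))
_SALT, _IV, _ITER = bytes(range(8)), bytes(range(16)), _tlv(0x02, b"\x27\x10")       # 10000 iterations
SAMPLE_PBES2 = _tlv(0x30, _oid("2a864886f70d01050d") + _tlv(0x30,                     # id-PBES2, PBES2-params
    _tlv(0x30, _oid("2a864886f70d01050c") + _tlv(0x30, _tlv(0x04, _SALT) + _ITER      # PBKDF2 + params
        + _tlv(0x30, _oid("2a864886f70d020a") + b"\x05\x00")))                         #   prf hmacWithSHA384
    + _tlv(0x30, _oid("60864801650304012a") + _tlv(0x04, _IV))))                       # aes256-CBC + IV
SAMPLE_PBES1 = _tlv(0x30, _oid("2a864886f70d010c0103") + _tlv(0x30, _tlv(0x04, _SALT) + _ITER))
SAMPLE_WRAPPED = _tlv(0x30, _tlv(0x04, SAMPLE_PBES2))   # nested the way PKCS#12 nests it

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WRAPPED
    print("PBE scheme:", classify_pbe(blob))
    print("sample SKI:", subject_key_identifier(SAMPLE_SPKI).hex())
```

    When iKeyman-generated and keytool-generated identifiers disagree,
    compare subject_key_identifier() of the certificate's
    SubjectPublicKeyInfo with the value in its SubjectKeyIdentifier
    extension, and check that each AuthorityKeyIdentifier equals the
    issuer's SKI computed the same way; whole_spki_digest() is included
    only to show how different the result is when the wrong bytes are
    hashed. For the keystore check, "openssl pkcs12 -info" prints the
    same algorithm identifiers by name if OpenSSL is available.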
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ45599

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    270

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2023-02-27

  • Closed date

    2023-02-28

  • Last modified date

    2023-02-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • Product: Runtimes for Java Technology (SSNVBF)
  • Platform: Platform Independent (PF025)
  • Version: 270
  • Business Unit: IBM Software w/o TPS (BU059)
  • Line of Business: IBM Automation (LOB36)

Document Information

Modified date:
01 March 2023