APAR status
Closed as program error.
Error description
Error Message: N/A. Stack Trace: N/A.
Local fix
Edit JRE_HOME/lib/security/java.security and place IBMJCE ahead of IBMJCEPlus and IBMJCEPlusFIPS in the provider list.
Problem summary
RSA signature verification in the IBMJCEPlus and IBMJCEPlusFIPS providers does not verify signatures when the AlgorithmIdentifier's optional parameter is not available. In accordance with RFC 8017, the AlgorithmIdentifier's parameter is optional in the RSA signature scheme: it can be omitted or encoded as NULL in generated signatures. IBMJCEPlus fails to verify when the AlgorithmIdentifier's parameter field is not present in the encoded signature.
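The two encodings described above can be told apart with a small checker. This is an added example, not IBM's code; it assumes the scheme is RSASSA-PKCS1-v1_5 with SHA-256 and uses a constructed toy key, and the names sign and classify are hypothetical.

```python
import hashlib

# DER DigestInfo prefixes for SHA-256: parameters encoded as NULL, and omitted.
SHA256_NULL = bytes.fromhex("3031300d060960864801650304020105000420")
SHA256_ABSENT = bytes.fromhex("302f300b06096086480165030402010420")

# Constructed toy key (two Mersenne primes) so the example runs offline.
# Assumption for illustration only; never use such a key for real signatures.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8  # modulus length in bytes


def emsa_pkcs1_v15(digest_info: bytes) -> bytes:
    """EM = 0x00 || 0x01 || PS (0xFF...) || 0x00 || DigestInfo, K bytes long."""
    ps = b"\xff" * (K - len(digest_info) - 3)
    return b"\x00\x01" + ps + b"\x00" + digest_info


def sign(msg: bytes, prefix: bytes) -> bytes:
    """Produce a constructed test signature using the given DigestInfo prefix."""
    em = emsa_pkcs1_v15(prefix + hashlib.sha256(msg).digest())
    return pow(int.from_bytes(em, "big"), D, N).to_bytes(K, "big")


def classify(sig: bytes, msg: bytes) -> str:
    """Verify sig over msg; return 'null', 'absent' or 'invalid'.

    Uses encode-and-compare: the expected EM is rebuilt for each permitted
    DigestInfo form and compared whole, so no lenient ASN.1 parsing is involved.
    """
    s = int.from_bytes(sig, "big")
    if len(sig) != K or s >= N:
        return "invalid"
    em = pow(s, E, N).to_bytes(K, "big")
    digest = hashlib.sha256(msg).digest()
    for form, prefix in (("null", SHA256_NULL), ("absent", SHA256_ABSENT)):
        if em == emsa_pkcs1_v15(prefix + digest):
            return form
    return "invalid"


if __name__ == "__main__":
    msg = b"constructed sample message"
    for prefix in (SHA256_NULL, SHA256_ABSENT):
        print(classify(sign(msg, prefix), msg))
```

Signatures reported as 'absent' carry the form that an affected provider fails to verify, so running such a check over signatures from each signer shows which integrations depend on the fix or the provider reordering.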
Problem conclusion
The JVM has been updated so that IBMJCEPlus RSA signature verification conforms to RFC 8017 and verifies signatures correctly when the optional parameter is not present. The IBMJCEPlusFIPS provider's RSA signature verification still does not verify signatures when the AlgorithmIdentifier's optional parameters are not present.
Binary affected: libjgskit.so, jgskit.dll, GSKIT Crypto for C libraries at 8.9.6.x.
RTC - 150622, 151377
JVM to be delivered in - JDK 8, SR8FP30
This APAR will be fixed in the following Releases:
IBM SDK, Java Technology Edition 8 SR8 FP30 (8.0.8.30)
Downloads and supplementary documentation can be found at the following locations:
- For non z/OS operating systems:
  - IBM Semeru Runtimes, Version 11 and later https://www.ibm.com/semeru-runtimes/downloads/
  - IBM SDK, Java Technology Edition, Version 8 https://www.ibm.com/support/pages/java-sdk-downloads/
- For the z/OS operating system:
  - Java SDK Products on z/OS https://www.ibm.com/support/pages/java-sdk-products-zos
Temporary fix
Comments
APAR Information
APAR number
IJ51819
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2024-07-17
Closed date
2024-07-17
Last modified date
2024-07-17
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
17 July 2024