APAR status
Closed as program error.
Error description
Error Message, as reported by customer:
========================================
1. Encrypting symmetric key using public key of certificate present in the HSM and the algorithm used is "RSA/ECB/NoPadding" & "RSA/ECB/PKCS1Padding" but it has failed with "No such algorithm" exception.
2. Generated symmetric encrypted content using "DESede/CBC/NoPadding" & "DESede/CBC/Pad" using the provider "IBMPKCS11Impl". However, we are not able to use PKCS5Pad parameter.

Stack Trace, if applicable:
============================
1. java.security.NoSuchAlgorithmException: No such algorithm: RSA/ECB/PKCS1Padding
    at javax.crypto.Cipher.getInstance(Unknown Source)
    at SFMS_Encryption_LatestBC.encrypt(SFMS_Encryption_LatestBC.java:159)
    at SFMS_Encryption_LatestBC.run(SFMS_Encryption_LatestBC.java:125)
    at SFMS_Encryption_LatestBC.main(SFMS_Encryption_LatestBC.java:96)
   Caused by: java.security.NoSuchAlgorithmException: Mode: ECB not implemented
    at com.ibm.crypto.pkcs11impl.provider.RSACipher.engineSetMode(RSACipher.java:116)
    at javax.crypto.Cipher$a_.a(Unknown Source)
    ... 4 more
2. Caused by: javax.crypto.NoSuchPaddingException: Padding: PKCS5Padding can not be verified for DESede in CBC mode. Use Pad instead.
    at com.ibm.crypto.pkcs11impl.provider.MechanismBuilderImpl.setPadding(MechanismBuilder.java:189)
    at com.ibm.crypto.pkcs11impl.provider.GeneralPKCS11Cipher.engineSetPadding(GeneralPKCS11Cipher.java:127)
    at javax.crypto.Cipher$a_.a(Unknown Source)
    at javax.crypto.Cipher.getInstance(Unknown Source)

Other Error Information, as reported by customer:
N/A
Local fix
1. Use the string "RSA/ /PKCS1Padding"
2. Use the string "DESede/CBC/Pad" to specify PKCS5Padding
Problem summary
RSA/ /PKCS1Padding, and other cipher transformations with "PKCS5Padding"

PROBLEM DESCRIPTION:
1) The IBMPKCS11Impl provider is capable of handling the Cipher transformation "RSA/ECB/PKCS1Padding"; however, it expects the user to supply the cipher transformation string "RSA/ /PKCS1Padding" instead. A customer would like to see support for the transformation string "RSA/ECB/PKCS1Padding" also.
2) For any Cipher transformation that specifies "PKCS5Padding", the IBMPKCS11Impl provider expects the string "Pad" to be supplied instead. "PKCS5Padding" is a standard name, while "Pad" is not.
Problem conclusion
1) The IBMPKCS11Impl provider has been enhanced to accept the cipher transformation string "RSA/ECB/PKCS1Padding".
2) The IBMPKCS11Impl provider has been enhanced to accept cipher transformation strings which include the substring "PKCS5Padding".

The associated Hursley CMVC defect is 197663.
The associated Austin CMVC defect is 113792.

These enhancements have been delivered for Java 5.0 SR16 FP3, Java 6.0 SR14, Java 626 SR6, and Java 7.0 SR5.
The affected jar is "ibmpkcs11impl.jar". The build level of this jar for the affected releases is "20130429".
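
Added example (not part of the APAR and not IBM code): a small Java helper for applications that must run on both fixed and unfixed levels of ibmpkcs11impl.jar. It requests the standard transformation name first and retries with the "Local fix" string only when the pinned provider rejects it. The class and method names are hypothetical, and the provider is assumed to be already registered and configured for the HSM.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;

// Hypothetical helper; written in Java 5 compatible syntax.
public class Pkcs11CipherCompat {

    // Maps a standard transformation to the string given in the APAR's
    // "Local fix" for builds of ibmpkcs11impl.jar older than 20130429.
    static String legacyName(String standard) {
        if (standard.equalsIgnoreCase("RSA/ECB/PKCS1Padding")) {
            return "RSA/ /PKCS1Padding";
        }
        String suffix = "/PKCS5Padding";
        int cut = standard.length() - suffix.length();
        if (standard.regionMatches(true, cut, suffix, 0, suffix.length())) {
            return standard.substring(0, cut) + "/Pad";
        }
        return standard; // nothing to rewrite
    }

    // The provider is always named explicitly, so a rejected transformation is
    // never silently satisfied by a different (software) provider.
    static Cipher getCipher(String standard, String provider)
            throws NoSuchAlgorithmException, NoSuchPaddingException, NoSuchProviderException {
        String legacy = legacyName(standard);
        try {
            return Cipher.getInstance(standard, provider);
        } catch (NoSuchAlgorithmException e) {
            if (legacy.equals(standard)) throw e;
        } catch (NoSuchPaddingException e) {
            if (legacy.equals(standard)) throw e;
        }
        return Cipher.getInstance(legacy, provider); // unfixed provider level
    }

    public static void main(String[] args) {
        String provider = args.length > 0 ? args[0] : "IBMPKCS11Impl";
        String[] wanted = { "RSA/ECB/PKCS1Padding", "DESede/CBC/PKCS5Padding" };
        for (int i = 0; i < wanted.length; i++) {
            try {
                Cipher c = getCipher(wanted[i], provider);
                System.out.println(wanted[i] + " -> resolved as " + c.getAlgorithm());
            } catch (Exception e) {
                System.out.println(wanted[i] + " -> " + e);
            }
        }
    }
}
```

On a fixed level the first lookup succeeds and the legacy string is never used; NoSuchProviderException is deliberately not retried, since it means the provider itself is not registered.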
Temporary fix
Comments
APAR Information
APAR number
IV41167
Reported component name
TIVOLI JAVA PKC
Reported component ID
TIVSECPKC
Reported release
100
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-04-30
Closed date
2013-04-30
Last modified date
2013-04-30
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
TIVOLI JAVA PKC
Fixed component ID
TIVSECPKC
Applicable component levels
R100 PSY
UP
Document Information
Modified date:
30 April 2013