APAR status
Closed as program error.
Error description
Error Message: There are 3 separate issues with the IBMPKCS11Impl crypto provider addressed below. 1) A customer observed that he was unable to use the IBMPKCS11Impl provider to compute a SHA256withRSA signature on a system where the crypto adapter hardware supported both the CKM_SHA256 and CKM_RSA_PKCS mechanisms, but not the CKM_SHA256_RSA_PKCS mechanism. 2)The IBMPKCS11Impl provider is capable of handling the Cipher transformation "RSA/ECB/PKCS1Padding", however,it expects the user to supply the cipher transformation string "RSA/ /PKCS1Padding" instead. A customer would like to see support for the transformation string "RSA/ECB/PKCS1Padding" also. 3)For any Cipher transformation that specifies "PKCS5Padding", the IBMPKCS11Impl provider expects the string "Pad" to be supplied instead. "PKCS5Padding" is a standard name, while "Pad" is not. . Stack Trace: N/A .
Local fix
Problem summary
There are 3 separate issues with the IBMPKCS11Impl crypto provider addressed below. 1) A customer observed that he was unable to use the IBMPKCS11Impl provider to compute a SHA256withRSA signature on a system where the crypto adapter hardware supported both the CKM_SHA256 and CKM_RSA_PKCS mechanisms, but not the CKM_SHA256_RSA_PKCS mechanism. 2)The IBMPKCS11Impl provider is capable of handling the Cipher transformation "RSA/ECB/PKCS1Padding", however,it expects the user to supply the cipher transformation string "RSA/ /PKCS1Padding" instead. A customer would like to see support for the transformation string "RSA/ECB/PKCS1Padding" also. 3)For any Cipher transformation that requires "PKCS5Padding", the IBMPKCS11Impl provider expects the string "Pad" to be supplied instead. "PKCS5Padding" is a standard name, while "Pad" is not.
Problem conclusion
This defect will be fixed in: 5.0.0 SR16 FP3 6.0.0 SR14 6.0.1 SR6 7.0.0 SR5 . 1) The IBMPKCS11Impl provider has been enhanced to enable it to compute an RSA signature "piecemeal" using either the CKM_RSA_PKCS mechanism or the CKM_RSA_X_509 mechanism and the appropriate MessageDigest mechanism in the case where no hardware mechanism is available to compute the RSA signature in its "entirety". This enhancement has been applied ONLY to the Java 7 release. 2) The IBMPKCS11Impl provider has been enhanced to accept the cipher transformation string "RSA/ECB/PKCS1Padding", in addition to "RSA/ /PKCS1Padding". Both specify the same Cipher transformation. This enhancement has been applied to the Java 5,6, and 7 releases. 3) The IBMPKCS11Impl provider has been enhanced to accept cipher transformation strings which include the substring "PKCS5Padding". This enhancement has been applied to the Java 5,6, and 7 releases.
Temporary fix
Comments
APAR Information
APAR number
IV41213
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2013-04-30
Closed date
2013-05-15
Last modified date
2013-06-25
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSY
UP
R260 PSY
UP
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"6.0","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020