APAR status
Closed as program error.
Error description
Error Message: N/A. Stack Trace: N/A.
Local fix
Problem summary
1. Update iKeyman to support PBES2: add support for the PBES2 (Password-Based Encryption Standard 2) encryption algorithm based on AES-256 and HMAC-SHA-384.
2. Fix a Key Identifier issue in iKeyman/iKeycmd: the AKI/SKI calculation is not compliant with RFC 5280. This caused an interoperability issue between iKeyman and Keytool/KCM.
3. Update default EC keysize for iKeyman: update the default key size in iKeyman/iKeycmd for SHA256WithECDSA to 256. Currently, the default key size is 192.
4. Update Let's Encrypt intermediate certificate for iKeyman: the DST Root X3 CA certificate and the Let's Encrypt Authority X3 certificate cross-signed by DST Root X3 CA have expired.
5. Update iKeyman's default signature algorithm and keysize: in iKeyman/iKeycmd, the current default signature algorithm for certificates is SHA1WithRSA and the key size is 1024. The proposal is to change the default signature algorithm to SHA256WithRSA and the key size to 2048.
6. Add warning when no SAN DNSName is provided: add a warning message when the SAN DNS name is not present.
7. Fix iKeyman to support EC cert generation using IBMPKCS11Impl: EC key pair generation fails with iKeyman on an HSM.
8. Fix an issue with ikeycmd -cert -receive chain: the "-cert -receive" command adds signers to the keystore in iKeyman/iKeycmd.
Problem conclusion
1. Update iKeyman to support PBES2: set the PBES2 encryption algorithm (based on AES-256 and HMAC-SHA-384) as the default encryption algorithm for CMS and PKCS12 keystores, i.e. the "-pqc" option is enabled by default ("-pqc true"). "-pqc false" creates the legacy PBES1-format CMS keystore (applicable only to CMS, and only when creating a new keystore). For more information, please refer to the "IKeyman user guide". Please note: for security reasons, we avoid creating an empty PKCS12 keystore by assigning it a "dummy" certificate entry.
2. Fix a Key Identifier issue in iKeyman/iKeycmd: fix iKeyman's AKI/SKI calculation (for certificate request and certificate generation) according to RFC 5280.
3. Update default EC keysize for iKeyman: set the default key size for SHA256WithECDSA to 256.
4. Update Let's Encrypt intermediate certificate for iKeyman: the "Let's Encrypt X3 CA cert" is replaced with the "Let's Encrypt R3 CA cert". The DST Root X3 CA certificate is removed.
5. Update iKeyman's default signature algorithm and keysize: set the default signature algorithm to SHA256WithRSA and the default key size to 2048.
6. Add warning when no SAN DNSName is provided: send a warning message when the SAN DNS name is not present, for both CSR and certificate. This warning is sent during the creation of the certificate or certificate request.
7. Fix iKeyman to support EC cert generation using IBMPKCS11Impl: iKeyman/iKeycmd supports EC key pair generation via the new API class com.ibm.crypto.pkcs11impl.provider.PKCS11ECKeyPairParameterSpec added in IBMPKCS11Impl.
8. Fix an issue with ikeycmd -cert -receive chain: modify iKeyman/iKeycmd to not explicitly add the signers (intermediates and trust anchors) to the keystore for the "-cert -receive" command, as adding a trust point without that being an explicit intention is a security risk and perhaps an attack vector.
This APAR will be fixed in the following releases: IBM SDK, Java Technology Edition 8 SR8 FP5 (8.0.8.5).
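Item 2 above concerns the RFC 5280 key identifier calculation. As an added example (not IBM's code and not taken from iKeyman), the following computes a Subject Key Identifier with RFC 5280 section 4.2.1.2 method (1), the SHA-1 of the subjectPublicKey BIT STRING value with its tag, length and unused-bits octet excluded; the minimal DER helpers, the EC P-256 SubjectPublicKeyInfo builder and the sample point are assumptions made for this example.

```python
import hashlib

def read_der_tlv(buf, pos=0):
    """Decode one DER TLV starting at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_tlv(tag, value):
    """Encode one short-form DER TLV (the SPKIs built here are all < 128 bytes)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

def subject_key_identifier(spki_der):
    """RFC 5280 4.2.1.2 method (1): SHA-1 over the value of the subjectPublicKey
    BIT STRING, excluding its tag, length and the leading unused-bits octet.
    A certificate's AKI keyIdentifier is this same value computed over the
    issuer's SubjectPublicKeyInfo, which is why a non-compliant SKI breaks
    chain building against other tools (the interoperability issue in item 2)."""
    tag, body, _ = read_der_tlv(spki_der)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    alg_tag, _, pos = read_der_tlv(body)          # AlgorithmIdentifier, not hashed
    bs_tag, bs_value, _ = read_der_tlv(body, pos)  # subjectPublicKey BIT STRING
    if alg_tag != 0x30 or bs_tag != 0x03:
        raise ValueError("malformed SubjectPublicKeyInfo")
    if bs_value[0] != 0:
        raise ValueError("public key BIT STRING must have 0 unused bits")
    return hashlib.sha1(bs_value[1:]).digest()

def ec_p256_spki(point_bytes):
    """Build a constructed SubjectPublicKeyInfo for an uncompressed P-256 point."""
    ec_public_key = der_tlv(0x06, bytes.fromhex("2A8648CE3D0201"))    # 1.2.840.10045.2.1
    prime256v1 = der_tlv(0x06, bytes.fromhex("2A8648CE3D030107"))     # 1.2.840.10045.3.1.7
    alg_id = der_tlv(0x30, ec_public_key + prime256v1)
    bit_string = der_tlv(0x03, b"\x00" + point_bytes)  # unused-bits octet comes first
    return der_tlv(0x30, alg_id + bit_string)

# Constructed sample key: the P-256 base point as an uncompressed (0x04 || X || Y) point.
SAMPLE_POINT = bytes.fromhex(
    "04"
    "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
    "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5")
SAMPLE_SPKI = ec_p256_spki(SAMPLE_POINT)

if __name__ == "__main__":
    print("SKI:", subject_key_identifier(SAMPLE_SPKI).hex())
```

Hashing the whole BIT STRING TLV, or the whole SubjectPublicKeyInfo, yields a different 20-byte value; that mismatch is what another tool sees when it compares a certificate's AKI against the issuer's SKI.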
Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available maintenance can be found at: https://www.ibm.com/support/pages/java-sdk
Temporary fix
Comments
APAR Information
APAR number
IJ45599
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2023-02-27
Closed date
2023-02-28
Last modified date
2023-02-28
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
01 March 2023