IJ27399: PKCS UPDATES FOR ORACLE RSA-PSS SIGNATURE AND DELAYED PROVIDER SELECTION ISSUE

APAR status

• Closed as program error.

Error description

• Error Message: N/A
  .
  Stack Trace: N/A
  .
  

Local fix

Problem summary

• Modifications are required to the Java 8 PKCS provider as part
  of a larger collection of updates to fix an issue with RSA-PSS
  signatures and delayed provider selection. RSA-PSS signature
  requires Signature.setParameter() to be done prior to
  Signature.initSign(PrivateKey). Signature.setParameter() will
  cause the first provider that accepts RSA-PSS to be chosen which
  may not be acceptable for the privateKey being used in the
  Signature.initSign(PrivateKey).
  

Problem conclusion

• Modifications have been made to the Java 8 PKCS provider to
  replace internal calls to Signature.initSign(PrivateKey) and
  Signature.initVerify(PublicKey) with
  Signature.initSignWithParam(PrivateKey, ParameterSpec) and
  Signature.initVerifyWithParam(PublicKey, ParameterSpec) to match
  the keys and parameters for a given provider selection.
  The jar affected by this apar is ibmpkcs.jar.
  The associated Hursley RTC Problem Report is 144168.
  The associated Austin Git issue is Issue# 68 for PKCS.
  JVMs affected include: Java 8.0.
  The fix was delivered for Java 8.0 SR6 FP25.
  The build level of the ibmpkcs.jar delivered for Java 8.0 is
  build_20200827-235.
  .
  This APAR will be fixed in the following Java Releases:
   8 SR6 FP25 (8.0.6.25)
  .
  Contact your IBM Product's Service Team for these Service
  Refreshes and Fix Packs.
  For those running stand-alone, information about the available
  Service Refreshes and Fix Packs can be found at:
   https://www.ibm.com/developerworks/java/jdk/
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  SECURITY

• Fixed component ID

  620700125

Applicable component levels