VOOZH about

URL: https://www.ibm.com/support/pages/apar/IJ44075

⇱ IJ44075: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY( ) METHOD USES SHA1XXXX SIGNATURE ALGORITHMS TO MATCH PRIVATE AND PUBLIC KEYS

IJ44075: PKCS11KEYSTORE.JAVA - DOESPUBLICKEYMATCHPRIVATEKEY( ) METHOD USES SHA1XXXX SIGNATURE ALGORITHMS TO MATCH PRIVATE AND PUBLIC KEYS

APAR status

  • Closed as program error.

Error description

  • Error Message: The customer experienced a "mechanism does not
exist" exception while trying to perform a KeyStore.load( )
operation upon a PKCS11 keystore that contained only a single
RSA PrivateKeyEntry.
.
Stack Trace: N/A
.
The customer was using a Thales Luna 7 HSM configured to operate
in FIPS mode.

Local fix



Problem summary


    

  • The PKCS11KeyStore.doesPublicKeyMatchPrivateKey( ) method within
the IBMPKCS11Impl provider uses SHA1xxxxx signature mechanisms
to match private and public HSM keys. SHA1xxxxx signature
mechanisms are not available when a Luna 7 HSM is configured to
operate in FIPS mode.



Problem conclusion


    

  • The PKCS11KeyStore.doesPublicKeyMatchPrivateKey( ) method has
been updated to use the signature algorithms below instead to
match private and public keys for the following key types:
RSA => SHA256withRSA
DSA => SHA256wthDSA
EC => SHA256withECDSA
The affected jar file is: ibmpkcs11impl.jar
The associated GIT issue is: 61
The associated RTC problem report is:148264
The Java 8 build is: 227
The Java 7 build is: 230
The fixes were delivered for: Java 8.0 sr7 FP25 Java 7.1 sr5
fp25
.
This APAR will be fixed in the following Releases:
.
IBM SDK, Java Technology Edition
 8 SR8 (8.0.8.0)
 7 R1 SR5 FP25 (7.1.5.25) (restricted access)
.
Contact your IBM Product's Service Team for these Service
Refreshes and Fix Packs.
For those running stand-alone, information about the available
maintenance can be found at:
 https://www.ibm.com/support/pages/java-sdk



Temporary fix


    



Comments


    



APAR Information




    

  • APAR number
    IJ44075
    • 

  • Reported component name
    SECURITY
    • 

  • Reported component ID
    620700125
    • 

  • Reported release
    270
    • 

  • Status
    CLOSED PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2022-11-01
    • 

  • Closed date
    2022-11-05
    • 

  • Last modified date
    2023-04-11
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    SECURITY
    • 

  • Fixed component ID
    620700125
    • 



Applicable component levels







 
 
 
 

 [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"270","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
 

 

 
 
 

 

 

 

 

 

 
Document Information


 

 

 Modified date:
 

 11 April 2023