IJ45883: IBMJCEPLUSFIPS PROVIDER FAILS DURING SIGNATURE OPERATIONS USING NON FIPS140-2 COMPLIANT EC KEYS.

APAR status

• Closed as program error.

Error description

• Error Message: N/A
  .
  Stack Trace: CC_EVP_SignFinal+0x7c (0x0EA7F00C
  <OSB>libjgsk8iccs.so+0xf00c<CSB>)
  Java_com_ibm_crypto_plus_provider_icc_NativeInterface_SIGNATURE_
  1sign+0x1e8 (0x0EA28BFC <OSB>libjgskit.so+0x18bfc<CSB>)</
  .
  

Local fix

• Do not use non-FIPS140-2 compliant EC curves with IBMJCEPlusFIPS
  provider.
  

Problem summary

• IBMJCEPlusFIPS provider fails during signature operations using
  non FIPS140-2 compliant EC keys.
  

Problem conclusion

• The JVM has been updated so that IBMJCEPlusFIPS provider does
  not fail during EC crypto operations. The updated code, when non
  FIPS140-2 compliant curves are specified, throws an
  InvalidKeyException during signature generation. It also, during
  key pair generation, throws either an InvalidParameterException
  or a providerException with the message ?Curve not supported in
  FIPS? .
  
  The affected file: ibmjceplus.jar
  
  The associated Java Security GIT issues: 511
  
  The associated RTC problem report is: 148863
  
  The Java 8 build dates are:
  
  FIPS140-2 - Build-Date: 20230315
  
  The fix was delivered for: Java 8.0 SR8 FP5
  
  The JVMs affected: Java 8, SR5 FP10 or later.
  .
  This APAR will be fixed in the following Releases:
  .
  IBM SDK, Java Technology Edition
   8 SR8 FP5 (8.0.8.5)
  .
  Contact your IBM Product's Service Team for these Service
  Refreshes and Fix Packs.
  For those running stand-alone, information about the available
  maintenance can be found at:
   https://www.ibm.com/support/pages/java-sdk
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  SECURITY

• Fixed component ID

  620700125

Applicable component levels