
URL: https://www.ibm.com/support/pages/apar/IV71019

IV71019: FAILURE OF 'KEYTOOL -GENKEYPAIR' WHILE CREATING EC KEYS WITH THE PKCS11IMPLKS



APAR status

  • Closed as program error.

Error description

  • Error Message: N/A

    Stack Trace: This customer was experiencing two similar
    failures. In BOTH cases, the IBMJCE provider was ahead of the
    PKCS#11 provider. The HSM was Luna SA 5.0.

    The first was the following keytool failure:

      keytool -genkey -keyalg EC -alias alice -dname "CN=alice,C=GB" -keystore NONE -storetype PKCS11IMPLKS

      JVMDUMP039I Processing dump event "throw", detail "java/lang/NullPointerException" at 2015/03/10 12:43:12 - please wait.
      Thread=main (0000010010142740) Status=Running
        at java/math/BigInteger.multiply(Ljava/math/BigInteger;)Ljava/math/BigInteger; (BigInteger.java:1136)
        at com/ibm/crypto/provider/SHA2withECDSA.a(Ljava/security/SecureRandom;)[B (Bytecode PC: 180)
        at com/ibm/crypto/provider/SHA2withECDSA.engineSign()[B (Bytecode PC: 10)
        at java/security/Signature$Delegate.engineSign()[B (Signature.java:1189)
        at java/security/Signature.sign()[B (Signature.java:559)
        at com/ibm/security/x509/X509CertImpl.sign(Ljava/security/PrivateKey;Ljava/lang/String;Ljava/lang/String;)V (X509CertImpl.java:665)
        at com/ibm/security/x509/X509CertImpl.sign(Ljava/security/PrivateKey;Ljava/lang/String;)V (X509CertImpl.java:595)
        at com/ibm/security/x509/CertAndKeyGen.getSelfCertificate(Lcom/ibm/security/x509/X500Name;Ljava/util/Date;J)Ljava/security/cert/X509Certificate; (CertAndKeyGen.java:588)
        at com/ibm/crypto/tools/KeyTool.a(Ljava/lang/String;Ljava/lang/String;Ljava/lang/String;ILjava/lang/String;)V (Bytecode PC: 387)
        at com/ibm/crypto/tools/KeyTool.a(Ljava/io/PrintStream;)V (Bytecode PC: 3359)
        at com/ibm/crypto/tools/KeyTool.a([Ljava/lang/String;Ljava/io/PrintStream;)V (Bytecode PC: 14)
        at com/ibm/crypto/tools/KeyTool.main([Ljava/lang/String;)V (Bytecode PC: 13)

    The second failure was experienced by a JSR105 test case which
    was passing PKCS#11 Luna SA keys to JSR105. The following error
    was seen:

      java.lang.NullPointerException
        at java.math.BigInteger.multiply(BigInteger.java:1136)
        at com.ibm.crypto.provider.SHA2withECDSA.a(Unknown Source)
        at com.ibm.crypto.provider.SHA2withECDSA.engineSign(Unknown Source)
        at java.security.Signature$Delegate.engineSign(Signature.java:1189)
        at java.security.Signature.sign(Signature.java:559)
        at com.ibm.xml.crypto.dsig.SignatureEngineECDSA.sign(SignatureEngineECDSA.java:104)
        at com.ibm.xml.crypto.dsig.dom.SignedInfoImpl.sign(SignedInfoImpl.java:187)
        at com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.sign(XMLSignatureImpl.java:168)
        at IbmDugidsXmlSignatureExample.a(IbmDugidsXmlSignatureExample.java:119)
        at IbmDugidsXmlSignatureExample.<init>(IbmDugidsXmlSignatureExample.java:62)
        at IbmDugidsXmlSignatureExample.main(IbmDugidsXmlSignatureExample.java:174)

    In both cases, IBMJCE is being invoked to perform a signing
    operation using a Luna SA PrivateKey. The first is the signing
    of the self signed cert within the KeyStore PrivateKeyEntry
    being created. The second is the signing of XML data within the
    JSR105 test case.
    

Local fix

Problem summary


Problem conclusion

  • There was a problem within the "delayed provider selection"
    logic. PKCS11ECPrivateKey.getFormat() was reporting the wrong
    key type (that is, "PKCS#8"). This led the IBMJCEService class
    (within IBMJCE.java) to erroneously report that it "could
    support" a PKCS#11 EC private key for a data signing operation.
    It would have returned "false" if the key type reported by
    the PKCS11ECPrivateKey.getKeyType() had been correct.

    This APAR will be fixed in the following Java Releases:
     7 SR9 (7.0.9.0)
     6 R1 SR8 FP4 (6.1.8.4)
     6 SR16 FP4 (6.0.16.4)
     8 SR1 (8.0.1.0)
     7 R1 SR3 (7.1.3.0)

    Contact your IBM Product's Service Team for these Service
    Refreshes and Fix Packs.
    For those running stand-alone, information about the Service
    Refreshes and Fix Packs can be found at:
     https://www.ibm.com/developerworks/java/jdk/
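
An added example, not IBM's code: a diagnostic for the delayed provider selection described in the problem conclusion. It lists, in preference order, which installed providers claim to support a given private key for a signature algorithm. TokenKey is a constructed stand-in for an HSM-resident key and SHA256withECDSA is an assumed algorithm name; the answers depend on the providers installed in the JVM.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.interfaces.ECPrivateKey;
import java.security.spec.ECParameterSpec;

public class ProviderSelectionCheck {
    // Constructed stand-in for a token-resident EC key: it exposes no key material.
    // The format is a parameter so a misreported "PKCS#8" can be compared with null.
    static final class TokenKey implements ECPrivateKey {
        private final ECParameterSpec params;
        private final String format;
        TokenKey(ECParameterSpec params, String format) { this.params = params; this.format = format; }
        public String getAlgorithm() { return "EC"; }
        public String getFormat() { return format; }
        public byte[] getEncoded() { return null; }
        public BigInteger getS() { return null; }
        public ECParameterSpec getParams() { return params; }
    }

    // Prints each provider offering the algorithm, in preference order, and whether it
    // claims to support the key. Delayed selection skips providers that answer false.
    static void report(String alg, PrivateKey key) {
        System.out.printf("%s: format=%s, encoded=%s%n", key.getClass().getSimpleName(),
                key.getFormat(), key.getEncoded() == null ? "none" : "present");
        for (Provider p : Security.getProviders()) {
            Provider.Service s = p.getService("Signature", alg);
            if (s != null) {
                System.out.printf("  %-10s supportsParameter=%b%n",
                        p.getName(), s.supportsParameter(key));
            }
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String alg = "SHA256withECDSA"; // assumed algorithm name for this example
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
        kpg.initialize(256);
        ECPrivateKey soft = (ECPrivateKey) kpg.generateKeyPair().getPrivate();

        report(alg, soft);                                      // ordinary software key
        report(alg, new TokenKey(soft.getParams(), "PKCS#8"));  // format misreported, as in the APAR
        report(alg, new TokenKey(soft.getParams(), null));      // no exportable format

        // After initSign, getProvider() names the provider that delayed selection chose.
        Signature sig = Signature.getInstance(alg);
        sig.initSign(soft);
        System.out.println("selected provider: " + sig.getProvider().getName());
    }
}
```

On a runtime without the fix, requesting the signature from the PKCS#11 provider explicitly with Signature.getInstance(alg, provider) bypasses delayed selection for that call.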
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV71019

  • Reported component name

    SECURITY

  • Reported component ID

    620700125

  • Reported release

    260

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-03-13

  • Closed date

    2015-03-19

  • Last modified date

    2015-03-19

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

  • Fixed component name

    SECURITY

  • Fixed component ID

    620700125

Applicable component levels

  • R260 PSY

       UP

  • R600 PSY

       UP

  • R270 PSY

       UP


Document Information

Modified date:
07 December 2020