IV93534: XML DIGITAL SIGNATURE TESTS FAILING WITH SIGNATUREEXCEPTION

APAR status

• Closed as program error.

Error description

• Error Message: A java.security.SignatureException with an
  associated message of Invalid encoding for signature is
  sometimes encountered when validating a XMLSignature with a DSA
  key. The stack trace of the exception shows that is caused by a
  java.io.IOException: Invalid encoding: redundant leading 0s.
  .
  Stack Trace: Exception in thread "main"
  javax.xml.crypto.dsig.XMLSignatureException:
  java.security.SignatureException: Invalid encoding for signature
   at
  com.ibm.xml.crypto.dsig.dom.SignedInfoImpl.validate(SignedInfoIm
  pl.java:262)
   at
  com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.validateSignedInfo(
  XMLSignatureImpl.java:331)
   at
  com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.validate(XMLSignatu
  reImpl.java:323)
  Caused by: java.security.SignatureException: Invalid encoding
  for signature
   at com.ibm.crypto.provider.a7.engineVerify(Unknown Source)
   at com.ibm.crypto.provider.a7.engineVerify(Unknown Source)
   at
  java.security.Signature$Delegate.engineVerify(Signature.java:122
  8)
   at java.security.Signature.verify(Signature.java:658)
   at
  com.ibm.xml.crypto.dsig.SignatureEngineDSA.verify(SignatureEngin
  eDSA.java:101)
   at
  com.ibm.xml.crypto.dsig.dom.SignedInfoImpl.validate(SignedInfoIm
  pl.java:258)
   ... 3 more
  Caused by: java.io.IOException: Invalid encoding: redundant
  leading 0s
   at
  com.ibm.security.util.DerInputBuffer.getBigInteger(DerInputBuffe
  r.java:192)
   at
  com.ibm.security.util.DerValue.getBigInteger(DerValue.java:523)
   ... 9 more
  java.security.SignatureException: Invalid encoding for signature
   at com.ibm.crypto.provider.a7.engineVerify(Unknown Source)
   at com.ibm.crypto.provider.a7.engineVerify(Unknown Source)
   at
  java.security.Signature$Delegate.engineVerify(Signature.java:122
  8)
   at java.security.Signature.verify(Signature.java:658)
   at
  com.ibm.xml.crypto.dsig.SignatureEngineDSA.verify(SignatureEngin
  eDSA.java:101)
   at
  com.ibm.xml.crypto.dsig.dom.SignedInfoImpl.validate(SignedInfoIm
  pl.java:258)
   at
  com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.validateSignedInfo(
  XMLSignatureImpl.java:331)
   at
  com.ibm.xml.crypto.dsig.dom.XMLSignatureImpl.validate(XMLSignatu
  reImpl.java:323)
  Caused by: java.io.IOException: Invalid encoding: redundant
  leading 0s
   at
  com.ibm.security.util.DerInputBuffer.getBigInteger(DerInputBuffe
  r.java:192)
   at
  com.ibm.security.util.DerValue.getBigInteger(DerValue.java:523)
   ... 9 more
  .
  

Local fix

Problem summary

• A java.security.SignatureException with an associated message of
  Invalid encoding for signature is sometimes encountered when
  verifying a XMLSignature with a DSA key.
  

Problem conclusion

• A fix is made to IBMXMLCryptoProvider provider
  The associated Hursley RTC Problem Report is 123520
  The associated Austin CMVC defect is 117595
  JVMs affected: Java 6, 626, 7, 727, and 8
  The fix was delivered for Java 8 SR4FP5, Java 7 SR10FP5, Java
  727 SR4FP5, Java 6 SR16FP45, Java 626 SR8FP45
  The affected jar is "ibmxmlcrypto.jar".
  The build level of this jar for the affected releases is
  "20170203"
  .
  This APAR will be fixed in the following Java Releases:
   8 SR4 FP5 (8.0.4.5)
   6 SR16 FP45 (6.0.16.45)
   7 SR10 FP5 (7.0.10.5)
   6 R1 SR8 FP45 (6.1.8.45)
   7 R1 SR4 FP5 (7.1.4.5)
  .
  Contact your IBM Product's Service Team for these Service
  Refreshes and Fix Packs.
  For those running stand-alone, information about the available
  Service Refreshes and Fix Packs can be found at:
   https://www.ibm.com/developerworks/java/jdk/
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

• Fixed component name

  SECURITY

• Fixed component ID

  620700125

Applicable component levels

• R270 PSY

     UP

• R600 PSY

     UP

• R260 PSY

     UP