APAR status
Closed as program error.
Error description
Error Message: N/A
Stack Trace: The exception and object identifiers in the stack trace change depending on the provider and the algorithm specified:

When IBMJCEPlus or IBMJCEPlusFIPS and IBMJCE crypto providers are in the provider list with IBMJCEPlus or IBMJCEPlusFIPS ahead of IBMJCE, the following exception occurs:

java.security.UnrecoverableKeyException: Get Key failed: no such algorithm: 1.2.840.113549.2.9 for provider IBMJCE
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineGetKey(Unknown Source)
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineGetEntry(Unknown Source)
    at java.security.KeyStore.getEntry(KeyStore.java:1532)
    at KeystoreConfigTest.test_B_readKey(KeystoreConfigTest.java:71)
    at KeystoreConfigTest.main(KeystoreConfigTest.java:95)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: 1.2.840.113549.2.9 for provider IBMJCE
    at sun.security.jca.GetInstance.getService(GetInstance.java:113)
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
    ... 5 more

When only IBMJCE crypto provider is in the provider list, the following exception occurs:

java.security.KeyStoreException: Key protection algorithm not found: java.security.NoSuchAlgorithmException: unrecognized algorithm name: HmacSHA256
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.a(Unknown Source)
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineSetEntry(Unknown Source)
    at java.security.KeyStore.setEntry(KeyStore.java:1568)
    at KeystoreConfigTest.test_A_createKeyStore(KeystoreConfigTest.java:54)
    at KeystoreConfigTest.main(KeystoreConfigTest.java:94)
Caused by: java.security.NoSuchAlgorithmException: unrecognized algorithm name: HmacSHA256
    at com.ibm.security.x509.AlgorithmId.get(AlgorithmId.java:398)
    ... 5 more

The following exception occurs when HmacSHA1 is specified:

java.security.UnrecoverableKeyException: Get Key failed: no such algorithm: HmacSHA1 for provider IBMJCE
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineGetKey(Unknown Source)
    at com.ibm.crypto.provider.PKCS12KeyStoreOracle.engineGetEntry(Unknown Source)
    at java.security.KeyStore.getEntry(KeyStore.java:1532)
    at KeystoreConfigTest.test_B_readKey(KeystoreConfigTest.java:88)
    at KeystoreConfigTest.main(KeystoreConfigTest.java:117)
Caused by: java.security.NoSuchAlgorithmException: no such algorithm: HmacSHA1 for provider IBMJCE
    at sun.security.jca.GetInstance.getService(GetInstance.java:113)
    at javax.crypto.b.a(Unknown Source)
    at javax.crypto.SecretKeyFactory.getInstance(Unknown Source)
Local fix
Problem summary
"No such algorithm: 1.2.840.113549.2.9" while storing or retrieving HmacSHAx key material using a PKCS12 key store.
The algorithm ID in the stack trace/problem summary changes if different digest algorithms are specified:
HmacSHA224 - 1.2.840.113549.2.8
HmacSHA256 - 1.2.840.113549.2.9
HmacSHA384 - 1.2.840.113549.2.10
HmacSHA512 - 1.2.840.113549.2.11
Problem conclusion
The JVM and crypto providers IBMJCE, IBMJCEPlus and IBMJCEPlusFIPS have been updated to store and retrieve HmacSHAx key material using PKCS12 type key store.
The associated Hursley RTC Problem Report is 142264
The associated Austin GitHub tasks are: issue 222 for IBMJCEPlus, issue 43 for IBMJCE8.0
JVMs affected: Java 8.0
The fix was delivered for Java 8.0 SR6
The affected jars are: ibmjceplus.jar, ibmpkcs.jar, ibmjceprovider.jar
Austin Build levels:
ibmjceplus.jar - 20190823
ibmpkcs.jar - build-110 (22-Aug-2019)
ibmjceprovider.jar - build-226 (23-Aug-2019)

This APAR will be fixed in the following Java Releases:
8 SR6 (8.0.6.0)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs.
For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
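
A round-trip check for confirming on a given JVM and provider list that HmacSHAx keys can be stored in and read back from a PKCS12 key store. This is an added example, not IBM's test code and not the KeystoreConfigTest from the stack traces; the class name, alias, password and key bytes are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; uses only standard java.security / javax.crypto APIs.
public class HmacPkcs12RoundTrip {
    // Constructed throwaway password for the in-memory key store.
    static final char[] PW = "constructed-test-password".toCharArray();

    // Store a secret key of the given algorithm in a PKCS12 store, reload it, read it back.
    static boolean roundTrip(String alg) {
        try {
            byte[] raw = new byte[32];
            Arrays.fill(raw, (byte) 0x5a); // constructed key material, not a real secret
            SecretKey key = new SecretKeySpec(raw, alg);
            KeyStore.ProtectionParameter prot = new KeyStore.PasswordProtection(PW);

            KeyStore ks = KeyStore.getInstance("PKCS12");
            ks.load(null, null);
            // The IBMJCE-only trace in this APAR fails here (KeyStore.setEntry).
            ks.setEntry("hmac", new KeyStore.SecretKeyEntry(key), prot);
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            ks.store(out, PW);

            KeyStore reloaded = KeyStore.getInstance("PKCS12");
            reloaded.load(new ByteArrayInputStream(out.toByteArray()), PW);
            // The IBMJCEPlus-ahead-of-IBMJCE trace fails here (KeyStore.getEntry).
            KeyStore.Entry e = reloaded.getEntry("hmac", prot);
            SecretKey back = ((KeyStore.SecretKeyEntry) e).getSecretKey();
            return Arrays.equals(raw, back.getEncoded());
        } catch (Exception ex) {
            System.out.println("  " + alg + ": " + ex);
            return false;
        }
    }

    public static void main(String[] args) {
        for (Provider p : Security.getProviders()) System.out.println("provider: " + p.getName());
        boolean ok = true;
        // HmacSHA512 is the JCA name for OID 1.2.840.113549.2.11.
        for (String alg : new String[] {"HmacSHA1", "HmacSHA224", "HmacSHA256", "HmacSHA384", "HmacSHA512"}) {
            boolean r = roundTrip(alg);
            System.out.println(alg + " -> " + (r ? "OK" : "FAILED"));
            ok &= r;
        }
        System.exit(ok ? 0 : 1);
    }
}
```

The printed provider order matters when reading the result, since the error description shows a different failure point depending on whether IBMJCEPlus or IBMJCEPlusFIPS precedes IBMJCE.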
Temporary fix
Comments
APAR Information
APAR number
IJ18632
Reported component name
SECURITY
Reported component ID
620700125
Reported release
270
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2019-08-27
Closed date
2019-09-12
Last modified date
2019-11-12
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
Document Information
Modified date:
07 December 2020