APAR status
Closed as program error.
Error description
Error Message: java.io.IOException: Sequence tag error . Stack Trace: java.io.IOException: Sequence tag error at com.ibm.security.util.DerInputStream.getSequence(DerInputStream. java:415) at com.ibm.crypto.provider.PSSParameters.decodePSSParameters(Unknow n Source) at com.ibm.crypto.provider.PSSParameters.engineInit(Unknown Source) at java.security.AlgorithmParameters.init(AlgorithmParameters.java: 304) at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:788) at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:652) at com.ibm.security.cert.BasicChecker.verifySignature(BasicChecker. java:182) at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:163) at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXM asterCertPathValidator.java:120) at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPat hValidator.java:232) at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPat hValidator.java:136) at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXC ertPathValidator.java:75) at java.security.cert.CertPathValidator.validate(CertPathValidator. java:304) at TestVerifyCertificate.(TestVerifyCertificate.java:70) at TestVerifyCertificate.main(TestVerifyCertificate.java:81) Exception in thread "main" java.security.cert.CertPathValidatorException: signature check failed at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXM asterCertPathValidator.java:130) at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPat hValidator.java:232) at com.ibm.security.cert.PKIXCertPathValidator.validate(PKIXCertPat hValidator.java:136) at com.ibm.security.cert.PKIXCertPathValidator.engineValidate(PKIXC ertPathValidator.java:75) at java.security.cert.CertPathValidator.validate(CertPathValidator. java:304) at TestVerifyCertificate.(TestVerifyCertificate.java:70) at TestVerifyCertificate.main(TestVerifyCertificate.java:81) Caused by: java.security.SignatureException: Signature does not match at com.ibm.security.x509.X509CertImpl.verify(X509CertImpl.java:664) at com.ibm.security.cert.BasicChecker.verifySignature(BasicChecker. java:182) at com.ibm.security.cert.BasicChecker.check(BasicChecker.java:163) at com.ibm.security.cert.PKIXMasterCertPathValidator.validate(PKIXM asterCertPathValidator.java:120) ... 6 more .
Local fix
Problem summary
This problem is caused by logic added to both of the X509CertImpl.verify( ) methods shown below which incorrectly presumed that the sigAlgParams argument always represented PSSParameters. public synchronized void verify(PublicKey key, Provider sigProvider, byte <OSB><CSB> sigAlgParams) public synchronized void verify(PublicKey key, String sigProvider, byte<OSB><CSB> sigAlgParams) In the failing scenario, each of the certificates whose signature was being validated carried an elliptic curve public key and an elliptic curve signature. No RSA keys or RSAPSS signatures were present within any of them. The java.io.IOException: Sequence tag error occurred when an X509CertImpl. verify() method incorrectly attempted to interpret the sigAlgParams bytes as PSSParameters.
Problem conclusion
The X509CertImpl.verify( ) methods have been modified to interpret the sigAlgParams as PSSParameters only if an RSAPSS signature is being verified. The jar affected by this apar is ibmpkcs.jar. The associated Hursley RTC Problem Report is 142957. The associated Austin Git issue is Issue#37 for PKCS. The associated Austin APAR is IJ22037. JVMs affected include: Java 7.0, 7.1, and 8. The fix was delivered for Java 7.0 sr10fp65, 7.1 sr4fp65, and 8.0 sr6fp6. The build level of the ibmpkcs.jar delivered for Java 7.0 and 7.1 is 20200115-172. The build level of the ibmpkcs.jar delivered for Java 8.0 is 20200115-173. . This APAR will be fixed in the following Java Releases: 7 SR10 FP65 (7.0.10.65) 7 R1 SR4 FP65 (7.1.4.65) 8 SR6 FP6 (8.0.6.6) . Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
Temporary fix
Comments
APAR Information
APAR number
IJ22143
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2020-01-17
Closed date
2020-01-23
Last modified date
2020-01-23
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSNVBF","label":"Runtimes for Java Technology"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"260","Edition":"","Line of Business":{"code":"LOB36","label":"IBM Automation"}}]
Document Information
Modified date:
07 December 2020