APAR status
Closed as program error.
Error description
Error Message:
1. PFX/PKCS import fails in the JDK 8 release with a java.lang.UnsupportedOperationException error.
2. Issue with duplicate public key support: When a different certificate (with the same public key) and the same label is imported, iKeyman silently overwrites the first certificate with the second. Ideally it should reject the second request with a duplicate label error.
3. New stash file format: A new requirement to support a more secure stash file.
4. Exception while sorting: Sorting on keystore entries randomly fails with 'java.lang.IllegalArgumentException: Comparison method violates its general contract!'
5. Password that starts with hyphen '-': iKeyman does not support a password that starts with a hyphen.
Stack Trace: N/A
Local fix
Workaround for PFX/PKCS12 import failure: PFX/PKCS12 file import is successful with the JDK7 release. The issue is only with the JDK8 release.
Workaround for the IllegalArgumentException while sorting: Execute ikeyman/ikeycmd with the system property -Djava.util.Arrays.useLegacyMergeSort=true.
Problem summary
1. PFX/PKCS12 import failure: PFX/PKCS12 file import fails with cause java.lang.UnsupportedOperationException in iKeyman version 8.0.4.x on the JDK8 release.
2. Issue with duplicate public key support: When a different certificate (with the same public key) and the same label is added, iKeyman silently overwrites the first certificate with the second one.
3. New stash file format: Requirement for a more secure stash file; additionally, the older stash format should still be supported.
4. An exception occurred while converting a CMS keystore (kdb format) to a Java keystore (jks format).
5. iKeyman treats a password that starts with a hyphen as a command tag parameter.
Problem conclusion
1. PFX/PKCS12 import failure: iKeyman constructs the keystore list as listed in the Java 7 release to avoid java.lang.UnsupportedOperationException, i.e. in JDK7 a separate certificate entry is created for each signer certificate.
2. Issue with duplicate public key support: When a different certificate with the same public key and the same label is added to the keystore, iKeyman will throw a Keystore Exception with cause "Entry exists for label".
3. New stash file format:
   1. A more secure stash file will be generated.
   2. A new parameter tag -v1stash is used to generate the stash file in its legacy format (the legacy stash file format is less secure and not recommended).
   3. -v1stash can also be set using the new system property DEFAULT_PASSWORD_V1STASHING_STATE.
4. The comparison algorithm in iKeyman violated the contract sgn(compare(x, y)) == -sgn(compare(y, x)) and is fixed.
5. iKeyman should consider a password that starts with a hyphen "-".

This APAR will be fixed in the following Java Releases:
7 R1 SR3 FP60 (7.1.3.60)
7 SR9 FP60 (7.0.9.60)
8 SR3 FP20 (8.0.3.20)
6 R1 SR8 FP35 (6.1.8.35)
6 SR16 FP35 (6.0.16.35)

Contact your IBM Product's Service Team for these Service Refreshes and Fix Packs. For those running stand-alone, information about the available Service Refreshes and Fix Packs can be found at: https://www.ibm.com/developerworks/java/jdk/
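The contract cited in item 4, sgn(compare(x, y)) == -sgn(compare(y, x)), can be checked mechanically over a set of keystore labels. The following is an added example, not iKeyman code: the BROKEN comparator and the sample labels are hypothetical, constructed to show one way the contract gets broken (never returning 0) beside a compliant comparator.

```java
import java.util.Arrays;
import java.util.Comparator;
import java.util.List;

public class ComparatorContractCheck {
    // Hypothetical broken comparator (not iKeyman's): it never returns 0,
    // so two equal labels compare as "less than" in both directions.
    static final Comparator<String> BROKEN =
        (a, b) -> a.compareToIgnoreCase(b) > 0 ? 1 : -1;

    // Compliant replacement: returns 0 for labels that are equal ignoring case.
    static final Comparator<String> FIXED = String.CASE_INSENSITIVE_ORDER;

    // Returns the first pair (x, y) for which
    // sgn(compare(x, y)) != -sgn(compare(y, x)), or null if every pair passes.
    static String[] firstViolation(List<String> labels, Comparator<String> cmp) {
        for (String x : labels) {
            for (String y : labels) {
                int xy = Integer.signum(cmp.compare(x, y));
                int yx = Integer.signum(cmp.compare(y, x));
                if (xy != -yx) {
                    return new String[] { x, y };
                }
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample labels; two of them differ only by case.
        List<String> labels = Arrays.asList("rootCA", "server", "ROOTCA", "client");

        String[] bad = firstViolation(labels, BROKEN);
        System.out.println("broken comparator: "
            + (bad == null ? "contract holds" : "violated by " + Arrays.toString(bad)));

        String[] ok = firstViolation(labels, FIXED);
        System.out.println("fixed comparator:  "
            + (ok == null ? "contract holds" : "violated by " + Arrays.toString(ok)));
    }
}
```

The sort used by default since Java 7 can detect such a violation at run time and throw the IllegalArgumentException quoted in the error description, which is why the failure appears random: it depends on the order and content of the entries being sorted.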
Temporary fix
Comments
APAR Information
APAR number
IV89826
Reported component name
SECURITY
Reported component ID
620700125
Reported release
260
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2016-10-07
Closed date
2016-10-10
Last modified date
2016-10-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R260 PSY
UP
R270 PSY
UP
R600 PSY
UP
Document Information
Modified date:
07 December 2020