APAR status
Closed as program error.
Error description
Error Message: Refer to stack trace.
Stack Trace:
java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
    at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
    at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
    at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
    at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
    at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)
Local fix
Problem summary
The design of the PKCSDerObject.decode( byte[] der ) method indicates that the byte array being received may contain either:
- "raw der encoded data", or
- that same "raw der encoded data" encoded as base64

The method first assumes that the data is "raw der encoded data" and attempts to decode it under that assumption. If that decoding attempt causes an exception to be thrown "for any reason", the code blindly assumes that the exception was caused because the data was actually "base64" rather than "raw". It then retries its decoding attempt by first removing the base64 encoding.

The failure experienced by the customer was caused by an unanticipated reason. It was caused by an incorrect PKCS#7 ContentType OID within the data being decoded which specified EnvelopedData, rather than SignedData. This error caused the EnvelopedData.decode( ) method to get control by accident. From that point onward, a decoding error of some type was guaranteed. The decoding exception experienced internally is shown below:

java.io.IOException: Invalid EnvelopedData version (must be 0 or 2).
    at com.ibm.security.pkcs7.EnvelopedData.decode(EnvelopedData.java:481)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:84)
    at com.ibm.security.pkcs7.Content.<init>(Content.java:68)
    at com.ibm.security.pkcs7.EnvelopedData.<init>(EnvelopedData.java:142)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:522)
    at com.ibm.security.pkcs7.ContentInfo.createDynamicObject(ContentInfo.java:258)
    at com.ibm.security.pkcs7.ContentInfo.createContent(ContentInfo.java:672)
    at com.ibm.security.pkcs7.ContentInfo.decode(ContentInfo.java:620)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
    at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:371)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:135)
    at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    at pkcs.SignedDataTest.main(SignedDataTest.java:12)

When the decode method catches the exception above, it assumes that this exception occurred because the data being decoded was "base64 encoded" der encoded data. It tries to remove the base64 encoding before decoding the der encoded data. This resulted in the following exception which was meaningless in this case:

java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
    at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
    at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
    at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
    at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
    at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
    at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
    at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
    at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
    at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)
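
The failure mode described above comes from using an exception as the format detector. As an added example (not IBM's code; the class and method names are hypothetical), one way to avoid it is to classify the input as raw DER or base64 from its bytes before any PKCS#7 parsing, so that a structural error in raw DER is reported as itself rather than triggering a base64 retry:

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.Base64;

/** Added illustration; DerOrBase64 and its methods are hypothetical, not part of the IBM classes. */
public class DerOrBase64 {

    /** True if buf starts with a SEQUENCE tag whose declared length spans exactly the whole array. */
    static boolean looksLikeDerSequence(byte[] buf) {
        if (buf.length < 2 || buf[0] != 0x30) return false;   // 0x30 = SEQUENCE tag
        int first = buf[1] & 0xff;
        int headerLen = 2;
        long contentLen;
        if (first < 0x80) {                                    // short form: length in one octet
            contentLen = first;
        } else {
            int n = first & 0x7f;                              // long form: n length octets follow
            // Reject the indefinite form (not DER) and lengths wider than 4 octets.
            if (n == 0 || n > 4 || buf.length < 2 + n) return false;
            contentLen = 0;
            for (int i = 0; i < n; i++) contentLen = (contentLen << 8) | (buf[2 + i] & 0xff);
            headerLen += n;
        }
        return headerLen + contentLen == buf.length;
    }

    /** Normalises input to raw DER by inspecting it, never by catching a parse failure. */
    static byte[] toRawDer(byte[] input) throws IOException {
        if (looksLikeDerSequence(input)) return input;         // raw DER: later parse errors surface unmasked
        byte[] decoded;
        try {
            decoded = Base64.getMimeDecoder().decode(input);   // MIME decoder tolerates line breaks
        } catch (IllegalArgumentException e) {
            throw new IOException("input is neither a DER SEQUENCE nor valid base64", e);
        }
        if (!looksLikeDerSequence(decoded))
            throw new IOException("base64 payload is not a DER SEQUENCE");
        return decoded;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: SEQUENCE { OID 1.2.840.113549.1.7.3 (envelopedData) }
        byte[] der = {0x30, 0x0b, 0x06, 0x09, 0x2a, (byte) 0x86, 0x48, (byte) 0x86,
                      (byte) 0xf7, 0x0d, 0x01, 0x07, 0x03};
        byte[] b64 = Base64.getEncoder().encode(der);
        System.out.println(toRawDer(der) == der);                 // raw input is passed through as-is
        System.out.println(Arrays.equals(toRawDer(b64), der));    // base64 input is unwrapped once
    }
}
```

The length check accepts non-minimal length encodings, so it is a format classifier only; full DER validation remains the job of the parser that runs afterwards.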
Problem conclusion
This defect will be fixed in:
6.0.0 SR10
5.0.0 SR12 FP5
1.4.2 SR14

To help debug future occurrences of this problem, additional debug tracing has been added to the decode method. It will now trace the internal exception generated by the first decode attempt (where "raw" der encoded data is assumed). That exception will be preceded by the following comment within the debug trace output:

"The exception shown within the trace data below was thrown by PKCSDerObject.decode( byte[] der ) while trying to decode an object that it assumed was in raw der encoded form. Either, there is an error within that raw der encoded data which led to this exception, or the data itself was actually base64 encoded. PKCSDerObject.decode( byte[] der ) will now re-attempt the decoding operation. This time, however, it will assume that the data is also base64 encoded, and will attempt to remove the base64 encoding before trying to decode the der encoded object. If a second exception is thrown, then there is likely either a der encoding problem with the object being decoded (most likely) or there is a problem with the base64 encoding (less likely)."
...... exception stack trace here .............

To obtain the fix: Install build 20110308 or later
Temporary fix
Comments
APAR Information
APAR number
IZ92565
Reported component name
SECURITY
Reported component ID
620700125
Reported release
600
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2011-01-24
Closed date
2011-03-08
Last modified date
2011-07-14
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
SECURITY
Fixed component ID
620700125
Applicable component levels
R600 PSN
UP
Document Information
Modified date:
07 December 2020