IBM Support

IZ92567: THE EXCEPTION "DERINPUTSTREAM.GETLENGTH(): LENGTHTAG=127, TOO BIG" MIGHT BE THROWN TO SHOW A PROBLEM HAPPENED IN DECODING


APAR status

  • Closed as program error.

Error description

  • Component: IBM PKCS
    
    Envt: 150 SR11
    
    Description:
    
    When the user attempts to decode raw DER data or Base64-encoded
    data, an exception such as "DerInputStream.getLength():
    lengthTag=127, too big" might be thrown to indicate that a
    problem occurred during decoding. However, this exception may
    not reflect the actual problem. The error from the raw DER
    decoding attempt is not displayed or logged, because that
    exception is used only to trigger the Base64 decoding attempt
    and is never rethrown.
    
    
    JVMs affected: 1.4.2, 1.5.0, 1.6.0
    
    JARs affected: ibmpkcs.jar
    

Local fix

  • Level 3 to update
    

Problem summary

  • PROBLEM SUMMARY: PKCSDerObject - Add debug tracing for
    internal exception
    
    PROBLEM DESCRIPTION:
    
    The design of the PKCSDerObject.decode( byte[] der ) method
    indicates that the byte array being
    received may contain either:
    - "raw der encoded data", or
    - that same "raw der encoded data" encoded as base64
    The method first assumes that the data is "raw der encoded data"
    and attempts to decode it under that assumption.
    If that decoding attempt causes an exception to be thrown "for
    any reason", the code blindly assumes that
    the exception was caused because the data was actually "base64"
    rather than "raw".
    It then retries its decoding attempt by first removing the
    base64 encoding.
    
    The failure experienced by the customer was caused by an
    unanticipated reason.
    It was caused by an incorrect PKCS#7 ContentType OID within the
    data being decoded which specified
    EnvelopedData, rather than SignedData.  This error caused the
    EnvelopedData.decode( ) method to get control by accident.
    From that point onward, a decoding error of some type was
    guaranteed.
    The decoding exception experienced internally is shown below:
    
    java.io.IOException: Invalid EnvelopedData version (must be 0 or 2).
        at com.ibm.security.pkcs7.EnvelopedData.decode(EnvelopedData.java:481)
        at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
        at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:84)
        at com.ibm.security.pkcs7.Content.<init>(Content.java:68)
        at com.ibm.security.pkcs7.EnvelopedData.<init>(EnvelopedData.java:142)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:67)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:522)
        at com.ibm.security.pkcs7.ContentInfo.createDynamicObject(ContentInfo.java:258)
        at com.ibm.security.pkcs7.ContentInfo.createContent(ContentInfo.java:672)
        at com.ibm.security.pkcs7.ContentInfo.decode(ContentInfo.java:620)
        at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:283)
        at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:371)
        at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:135)
        at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
        at pkcs.SignedDataTest.main(SignedDataTest.java:12)
    
    When the decode method catches the exception above, it assumes
    that this exception occurred because
    the data being decoded was "base64 encoded" der encoded data.
    It tries to remove the base64 encoding
    before decoding the der encoded data.  This resulted in the
    following exception which was meaningless in this case:
    
    java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:715)
        at com.ibm.security.util.DerInputStream.getLength(DerInputStream.java:689)
        at com.ibm.security.util.DerValue.<init>(DerValue.java:254)
        at com.ibm.security.util.DerInputStream.getDerValue(DerInputStream.java:490)
        at com.ibm.security.pkcsutil.PKCSDerObject.decode(PKCSDerObject.java:258)
        at com.ibm.security.pkcsutil.PKCSDerObject.read(PKCSDerObject.java:297)
        at com.ibm.security.pkcsutil.PKCSDerObject.<init>(PKCSDerObject.java:129)
        at com.ibm.security.pkcs7.ContentInfo.<init>(ContentInfo.java:392)
        at pkcs.samples.PKCS7SignedDataUtil.verifySignature(PKCS7SignedDataUtil.java:83)
        at pkcs.samples.PKCS7SignedDataUtil.main(PKCS7SignedDataUtil.java:175)
    

Problem conclusion

  • To help debug future occurrences of this problem, additional
    debug tracing has been added to the decode method.
    It will now trace the internal exception generated by the first
    decode attempt (where "raw" der encoded data is assumed).
    That exception will be preceded by the following comment within
    the debug trace output:
    
    "The exception shown within the trace data below was thrown by
    PKCSDerObject.decode( byte[] der ) while trying to decode an
    object
    that it assumed was in raw der encoded form.  Either, there is
    an error within that raw der encoded data which led to this
    exception,
    or the data itself was actually base64 encoded.
    PKCSDerObject.decode( byte[] der ) will now re-attempt the
    decoding operation.
    This time, however,  it will assume that the data is also base64
    encoded, and will attempt to remove the base64 encoding before
    trying
    to decode the der encoded object.  If a second exception is
    thrown, then there is likely either a der encoding problem with
    the object being decoded
    (most likely) or there is a problem with the base64 encoding
    (less likely)."
    ...... exception stack trace here .............
    
    
    
    
    The associated Hursley CMVC defect is 175556.
    The associated Austin CMVC defect is 111799.
    The fix is being dropped for Java 1.4.2 SR14, Java 5.0 SR13,
    and Java 6.0 SR10.
    
    The affected jar is "ibmpkcs.jar".
    The build level of this jar for Java 1.4.2 is 20110121.
    The build level of this jar for Java 5.0    is 20110121.
    The build level of this jar for Java 6.0     is 20110121.
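
The fallback pattern described in this APAR, reduced to a runnable sketch; this is an added example, not IBM's code. `decodeDer` is a hypothetical stand-in for a strict decoder, the byte arrays are constructed samples, and `decodePreserving` shows one alternative (carrying the first exception as a suppressed exception) that differs from the shipped fix, which added debug tracing.

```java
import java.io.IOException;
import java.util.Base64;

public class DecodeFallbackDemo {
    // Hypothetical strict decoder: accepts only SEQUENCE { INTEGER version }, version 0 or 2.
    static int decodeDer(byte[] d) throws IOException {
        if (d.length != 5 || d[0] != 0x30 || d[1] != 0x03 || d[2] != 0x02 || d[3] != 0x01)
            throw new IOException("not the expected DER structure");
        if (d[4] != 0 && d[4] != 2)
            throw new IOException("Invalid version (must be 0 or 2): " + d[4]);
        return d[4];
    }

    static byte[] unBase64(byte[] data) throws IOException {
        try { return Base64.getMimeDecoder().decode(data); }
        catch (IllegalArgumentException e) { throw new IOException("input is not valid base64", e); }
    }

    // Pattern from the APAR: any failure of the raw attempt is read as "input was base64".
    static int decodeMasking(byte[] data) throws IOException {
        try {
            return decodeDer(data);
        } catch (IOException first) {          // the real cause is discarded here
            return decodeDer(unBase64(data));  // caller only ever sees this failure
        }
    }

    // Same fallback, but the first failure travels with the second one.
    static int decodePreserving(byte[] data) throws IOException {
        try {
            return decodeDer(data);
        } catch (IOException first) {
            try {
                return decodeDer(unBase64(data));
            } catch (IOException second) {
                second.addSuppressed(first);   // keeps the raw-DER error in the stack trace
                throw second;
            }
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] bad = {0x30, 0x03, 0x02, 0x01, 0x07};   // constructed: raw DER, invalid version
        byte[] ok = Base64.getEncoder().encode(new byte[] {0x30, 0x03, 0x02, 0x01, 0x02});
        System.out.println("base64 input decodes to version " + decodePreserving(ok));
        try { decodeMasking(bad); }
        catch (IOException e) { System.out.println("masking: " + e.getMessage()); }
        try { decodePreserving(bad); }
        catch (IOException e) { System.out.println("first cause: " + e.getSuppressed()[0].getMessage()); }
    }
}
```

With the masking variant, the message that reaches the caller says nothing about the version field that actually failed; with the preserving variant the original error is still attached when the retry fails.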
    

Temporary fix

Comments

APAR Information

  • APAR number

    IZ92567

  • Reported component name

    TIVOLI JAVA PKC

  • Reported component ID

    TIVSECPKC

  • Reported release

    100

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2011-01-20

  • Closed date

    2011-01-21

  • Last modified date

    2011-04-26

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    TIVOLI JAVA PKC

  • Fixed component ID

    TIVSECPKC

Applicable component levels

  • R100 PSY

       UP


Document Information

Modified date:
26 April 2011