Format for pkcs#10 request, EJBCA - java

I am trying to send a pkcs10Request to EJBCA by SOAP web service. Method signature is
(from the docs)
CertificateResponse pkcs10Request(java.lang.String username,
java.lang.String password,
java.lang.String pkcs10,
java.lang.String hardTokenSN,
java.lang.String responseType)
where
pkcs10 - the base64 encoded PKCS10 (only the public key is used.)
username - the unique username
password - the password sent with editUser call
hardTokenSN - Hard Token support was dropped since 7.1.0. Use null as this parameter
responseType - indicating which type of answer that should be returned, one of the CertificateHelper.RESPONSETYPE_ parameters.
The goal is generating a certificate for a user.
PKCS#10 was made with java keytool, and looks like this:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
I send request like this:
Pkcs10Request request = new Pkcs10Request();
request.setArg0(certRqDto.getUsername());
request.setArg1(certRqDto.getPassword());
request.setArg2(certRqDto.getPkcs10());
request.setArg3(null);
request.setArg4("CERTIFICATE");
JAXBElement<Pkcs10Request> element = objectFactory.createPkcs10Request(request);
JAXBElement<Pkcs10RequestResponse> response = (JAXBElement<Pkcs10RequestResponse>) wsClient.getWebServiceTemplate().marshalSendAndReceive(element, new SoapActionCallback(EMPTY_ACTION_STRING));
But I'm getting an error, and in EJBCA's log I see this error:
2021-05-18 09:33:00,429 DEBUG [org.cesecore.certificates.certificate.request.RequestMessageUtils] (default task-2) Message not base64 encoded? Trying as binary: Error in input buffer, missing -----BEGIN NEW CERTIFICATE REQUEST----- boundary
2021-05-18 09:33:00,429 WARN [org.cesecore.certificates.certificate.request.PKCS10RequestMessage] (default task-2) PKCS10 not initiated! unknown tag 13 encountered
...
2021-05-18 09:33:00,431 ERROR [org.jboss.as.ejb3.invocation] (default task-2) WFLYEJB0034: EJB Invocation failed on component CertificateCreateSessionBean for method public abstract org.cesecore.certificates.certificate.request.CertificateResponseMessage org.cesecore.certificates.certificate.CertificateCreateSessionLocal.createCertificate(...)
...
Caused by: java.lang.NullPointerException
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:444)
at org.cesecore.certificates.certificate.request.PKCS10RequestMessage.verify(PKCS10RequestMessage.java:430)
If I'm not mistaken, the reason is in pkcs10.
But it contains substring "-----BEGIN NEW CERTIFICATE REQUEST-----".
I can't understand, in what format I must send pkcs#10.
I'm new to this, please help.

Sending request without header
-----BEGIN NEW CERTIFICATE REQUEST-----
and footer helped me.
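
The fix described in the answer above, as an added example (not code from the original posts or from EJBCA): it removes the PEM header and footer from a keytool-style CSR and checks that what remains is base64 of a DER SEQUENCE before the string is passed as the pkcs10 argument. The class and method names are hypothetical, collapsing the line breaks is a choice of this example, and the sample input is a constructed 5-byte placeholder, not a real CSR.

```java
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class Pkcs10ArmorStripper {

    // Accepts the standard label and the "NEW CERTIFICATE REQUEST" label that keytool writes.
    private static final Pattern ARMOR = Pattern.compile(
            "-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
            + "-----END (?:NEW )?CERTIFICATE REQUEST-----",
            Pattern.DOTALL);

    /** Returns the CSR body as one line of base64, without header, footer or line breaks. */
    static String toBareBase64(String csrText) {
        Matcher m = ARMOR.matcher(csrText);
        // If no armor is found the input is treated as already bare base64.
        String body = m.find() ? m.group(1) : csrText;
        String compact = body.replaceAll("\\s+", "");

        byte[] der;
        try {
            // The basic decoder rejects '-' and whitespace, so leftover armor fails here.
            der = Base64.getDecoder().decode(compact);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("CSR body is not plain base64", e);
        }
        // A PKCS#10 request is a DER SEQUENCE, so the decoded bytes must start with tag 0x30.
        if (der.length == 0 || der[0] != 0x30) {
            throw new IllegalArgumentException("decoded CSR does not start with a DER SEQUENCE");
        }
        return compact;
    }

    public static void main(String[] args) {
        // Constructed sample: armor around the bytes 30 03 02 01 00, not a real request.
        String armored = "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
                + "MAMCAQA=\n"
                + "-----END NEW CERTIFICATE REQUEST-----\n";
        System.out.println("pkcs10 argument: " + toBareBase64(armored));

        // A truncated file (header without footer) is rejected instead of being sent on.
        try {
            toBareBase64("-----BEGIN NEW CERTIFICATE REQUEST-----\nMAMCAQA=\n");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```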

Related

SAML Toolkit Java, samltest.id, SLO does not work

I try to login and logout java-saml-toolkit-jpsample
https://github.com/onelogin/java-saml
to the IdP of samltest.id.
Its metadata is hosted here:
https://samltest.id/saml/idp
Here is a summary:
https://samltest.id/download/
If it is important: It's on Windows 10 (latest), Java 11 and Tomcat 9. No errors during build and no thrown errors during execution.
For the configuration of onelogin, I set the configuration to:
# If 'strict' is True, then the Java Toolkit will reject unsigned
# or unencrypted messages if it expects them signed or encrypted
# Also will reject the messages if not strictly follow the SAML
onelogin.saml2.strict = false
# Enable debug mode (to print errors)
onelogin.saml2.debug = true
# Service Provider Data that we are deploying
#
# Identifier of the SP entity (must be a URI)
onelogin.saml2.sp.entityid = https://mysuperssoservice.de
# Specifies info about where and how the <AuthnResponse> message MUST be
# returned to the requester, in this case our SP.
# URL Location where the <Response> from the IdP will be returned
onelogin.saml2.sp.assertion_consumer_service.url = http://localhost/java-saml-tookit-jspsample/acs.jsp
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-POST binding only
onelogin.saml2.sp.assertion_consumer_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
# Specifies info about where and how the <Logout Response> message MUST be
# returned to the requester, in this case our SP.
onelogin.saml2.sp.single_logout_service.url = http://localhost/java-saml-tookit-jspsample/sls.jsp
# SAML protocol binding to be used when returning the <LogoutResponse> or sending the <LogoutRequest>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.sp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Specifies constraints on the name identifier to be used to
# represent the requested subject.
# Take a look on lib/Saml2/Constants.php to see the NameIdFormat supported
onelogin.saml2.sp.nameidformat = urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
# Usually x509cert and privateKey of the SP are provided by files placed at
# the certs folder. But we can also provide them with the following parameters
onelogin.saml2.sp.x509cert = -----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----
# Requires Format PKCS#8 BEGIN PRIVATE KEY
# If you have PKCS#1 BEGIN RSA PRIVATE KEY convert it by openssl pkcs8 -topk8 -inform pem -nocrypt -in sp.rsa_key -outform pem -out sp.pem
onelogin.saml2.sp.privatekey = -----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC9JbxuSrqatr4gJyifMZIjhSxzF+VG8+zrWL1mpXCLXOlAvXXX4mgBjDT84QFF6jCmdTgEfSipXQnkHF2piiRXiePZRMkow5LtKDsv5r3CrnZlm8XX+hLXDy3JSF2qTpYZeSF54RTGHwb3xRE+S2uGkFaOVIwQKdYVVZLAPDMvedIT/mHsIe8Bc2cGIGFsWrr3jb8Rvo9cGaSMwfXG3slwy+SuZowCE58YcMSw8JOOmi1pvS0/blGhZWIno+3K8WL3W4pUK8Wl/3Kfds1tpqqerVokO8umP26hAvetT5oG26G8+vFtV9tXOUOjjJ/TSmkh/Rm7rP9sb9bi5G0XshzPAgMBAAECggEAdnO1Z5Sg+9bJhjU/uUI/9MKnrYQfb6m+izxNkIS20G/lG0gLDqGY5K87V8pJE9Gvme76n8UJu9aqJRKmjVAXpkKSUDRFjaO81YxGVJ854zuCpetBoRnYxpmY4N7S2Z7RXS6AimUsr04q/OuK+uoccm7d5dCIzm6ExWOLvZt1qpqYVo9DvHoaJhZeKFHfnM/1wq7WvWe6wPQzTKiSHO0d9h4Vzi9UwoVn+TpeFspUzK2IbtslI+gr8GgJNdOtWMzbBGi7abuvDBWsiHCaAqNhKOM2nkq8OaCZbGRZ5E1k/3KaeFUljryOg4KBOwQIAg2yDbh3Vy+yEI6G4MSMn9ebEQKBgQD2Zvy+G8owLi7GsVCimjc5r/u+ElFgTPLcMNv4zQqjNJ3ZYC3tpwYw6ht4AqtXOypmPcDEucVOKVqeLAVddeCKqmhFar+YNm5kWE8BURP5rxKrVdyEORnfgOP+qzAQgMmSBtLLuWhizpKPg3eMea7G124LXJl4X1xyBjlzSW24owKBgQDEg9Qt1tF8O35iVq68pVsj2Z/K2sjP2HR87ftUATswAf79JQvm9hQdKgonfEfIef6vWsUbRSsqnKgKZI3D3Rebht+Vr0g4NzZiKMi/TfP1zxRa1v8X5O1As4b82LXnLlLeoQOYnG6InRqXjEuY+DE72Zgebc2FuiaL810PgoRx5QKBgDMGAoJPeN/fQFpur1bsflEYyxWB7430gTnteC+eLfy70ZAI5ZnXw2VvpP6F9vsaSl5fnUJfgab800H7taSz2yp7vRna0A/x/YwT6VBJfMxwX3pRTlenB1+L7ip3Qn24XYU6mn4LR71mL10+iQvyyqlsROJfa3xMqvUFqvHfm7PnAoGBAJSauB3936ZZewY0VKj1RkmC7VJCRi7emaBLeo4Y7EAukjuuAyUhmy4+tzUKx2Gz10OVmY44rR7pHi3VwlqF269Ru8v+o9dW8Toja0M3WK/ea58SDA9un3cZC5Ay9MOghSwziHukd/W5D/3gKt6/eMOwlVcVY6CnlzSn0QzEfxF9AoGBAI3LIHg3Yw2RzM6u6LzXEsbaxB8arDuCKWTlUqP8i7GdVnU3+CYkutBbGIIj1cWuSAWCB2svtLicjm4i2thd+wLkckGLaAtcZN/Ccd4LIjW/e/Qtl7QKf96cH96CZJd44K3XaLg0mzo+1RJFB8wrRlNFZQNcxUSbJ1AdMs6W6zNB\n-----END PRIVATE KEY-----
# Identity Provider Data that we want connect with our SP
#
# Identifier of the IdP entity (must be a URI)
onelogin.saml2.idp.entityid = https://samltest.id/saml/idp
# SSO endpoint info of the IdP. (Authentication Request protocol)
# URL Target of the IdP where the SP will send the Authentication Request Message
onelogin.saml2.idp.single_sign_on_service.url = https://samltest.id/idp/profile/SAML2/Redirect/SSO
# SAML protocol binding to be used to deliver the <AuthnRequest> message
# to the IdP. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_sign_on_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# SLO endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Request
onelogin.saml2.idp.single_logout_service.url = https://samltest.id/idp/profile/SAML2/Redirect/SLO
# Optional SLO Response endpoint info of the IdP.
# URL Location of the IdP where the SP will send the SLO Response. If left blank, same URL as onelogin.saml2.idp.single_logout_service.url will be used.
# Some IdPs use a separate URL for sending a logout request and response, use this property to set the separate response url
onelogin.saml2.idp.single_logout_service.response.url =
# SAML protocol binding to be used when returning the <Response>
# message. Onelogin Toolkit supports for this endpoint the
# HTTP-Redirect binding only
onelogin.saml2.idp.single_logout_service.binding = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
# Public x509 certificate of the IdP
onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----
#onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\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\n-----END CERTIFICATE-----
#onelogin.saml2.idp.x509cert = -----BEGIN CERTIFICATE-----\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-----END CERTIFICATE-----
# Instead of use the whole x509cert you can use a fingerprint
# (openssl x509 -noout -fingerprint -in "idp.crt" to generate it,
# or add for example the -sha256 , -sha384 or -sha512 parameter)
#
# If a fingerprint is provided, then the certFingerprintAlgorithm is required in order to
# let the toolkit know which Algorithm was used. Possible values: sha1, sha256, sha384 or sha512
# 'sha1' is the default value.
# onelogin.saml2.idp.certfingerprint =
# onelogin.saml2.idp.certfingerprint_algorithm = sha256
# Security settings
#
# Indicates that the nameID of the <samlp:logoutRequest> sent by this SP
# will be encrypted.
onelogin.saml2.security.nameid_encrypted = true
# Indicates whether the <samlp:AuthnRequest> messages sent by this SP
# will be signed. [The Metadata of the SP will offer this info]
onelogin.saml2.security.authnrequest_signed = true
# Indicates whether the <samlp:logoutRequest> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutrequest_signed = true
# Indicates whether the <samlp:logoutResponse> messages sent by this SP
# will be signed.
onelogin.saml2.security.logoutresponse_signed = true
# Indicates a requirement for the <samlp:Response>, <samlp:LogoutRequest> and
# <samlp:LogoutResponse> elements received by this SP to be signed.
onelogin.saml2.security.want_messages_signed = true
# Indicates a requirement for the <saml:Assertion> elements received by this SP to be signed.
onelogin.saml2.security.want_assertions_signed = true
# Indicates a requirement for the Metadata of this SP to be signed.
# Right now supported null (in order to not sign) or true (sign using SP private key)
onelogin.saml2.security.sign_metadata =
# Indicates a requirement for the Assertions received by this SP to be encrypted
onelogin.saml2.security.want_assertions_encrypted = true
# Indicates a requirement for the NameID received by this SP to be encrypted
onelogin.saml2.security.want_nameid_encrypted = true
# Authentication context.
# Set Empty and no AuthContext will be sent in the AuthNRequest
# You can set multiple values (comma separated them)
onelogin.saml2.security.requested_authncontext = urn:oasis:names:tc:SAML:2.0:ac:classes:Password
# Allows the authn comparison parameter to be set, defaults to 'exact'
onelogin.saml2.security.onelogin.saml2.security.requested_authncontextcomparison = exact
# Allows duplicated names in the attribute statement
onelogin.saml2.security.allow_duplicated_attribute_name = false
# Indicates if the SP will validate all received xmls.
# (In order to validate the xml, 'strict' and 'wantXMLValidation' must be true).
onelogin.saml2.security.want_xml_validation = true
# Algorithm that the toolkit will use on signing process. Options:
# 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
# 'http://www.w3.org/2000/09/xmldsig#dsa-sha1'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha384'
# 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha512'
onelogin.saml2.security.signature_algorithm = http://www.w3.org/2001/04/xmldsig-more#rsa-sha256
# Algorithm that the toolkit will use on digest process. Options:
# 'http://www.w3.org/2000/09/xmldsig#sha1'
# 'http://www.w3.org/2001/04/xmlenc#sha256'
# 'http://www.w3.org/2001/04/xmldsig-more#sha384'
# 'http://www.w3.org/2001/04/xmlenc#sha512'
onelogin.saml2.security.digest_algorithm = http://www.w3.org/2001/04/xmlenc#sha256
# Reject Signatures with deprecated algorithms (sha1)
onelogin.saml2.security.reject_deprecated_alg = true
# Organization
#onelogin.saml2.organization.name = SP Java
#onelogin.saml2.organization.displayname = SP Java Example
#onelogin.saml2.organization.url = http://sp.example.com
#onelogin.saml2.organization.lang =
# Contacts
onelogin.saml2.contacts.technical.given_name = Andreas Andreas
onelogin.saml2.contacts.technical.email_address = andreas.andreas#andreas.com
onelogin.saml2.contacts.support.given_name = Olaf Olaf
onelogin.saml2.contacts.support.email_address = olaf.olaf#Olaf.de
The metadata I shared is:
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2031-10-17T22:45:08Z" cacheDuration="PT604800S" entityID="https://mysuperssoservice.de">
<md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://localhost/java-saml-tookit-jspsample/sls.jsp"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://localhost/java-saml-tookit-jspsample/acs.jsp" index="1"/>
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Andreas Andreas</md:GivenName>
<md:EmailAddress>andreas.andreas#andreas.com</md:EmailAddress>
</md:ContactPerson>
<md:ContactPerson contactType="support">
<md:GivenName>Olaf Olaf </md:GivenName>
<md:EmailAddress>olaf.olaf#olaf</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>
When I start the samples project, the login works perfectly and I receive all data about the user I log in.
However, when I try to logout, the SAML Toolkit Auth-object gives the error:
logout_not_success.urn:oasis:names:tc:SAML:2.0:status:Responder.
And when I look into the log of the IdP, I see the message:
2022-01-27 06:43:18,000 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Error decrypting encrypted key
org.apache.xml.security.encryption.XMLEncryptionException: Unwrapping failed
at org.apache.xml.security.encryption.XMLCipher.decryptKey(XMLCipher.java:1533)
Caused by: java.security.InvalidKeyException: Unwrapping failed
at com.sun.crypto.provider.RSACipher.engineUnwrap(RSACipher.java:447)
Caused by: javax.crypto.BadPaddingException: Decryption error
at sun.security.rsa.RSAPadding.unpadV15(RSAPadding.java:379)
2022-01-27 06:43:18,001 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Failed to decrypt EncryptedKey, valid decryption key could not be resolved
2022-01-27 06:43:18,001 - ERROR [org.opensaml.xmlsec.encryption.support.Decrypter:?] - Failed to decrypt EncryptedData using either EncryptedData KeyInfoCredentialResolver or EncryptedKeyResolver + EncryptedKey KeyInfoCredentialResolver
2022-01-27 06:43:18,002 - ERROR [org.opensaml.saml.saml2.encryption.Decrypter:?] - SAML Decrypter encountered an error decrypting element content
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:548)
2022-01-27 06:43:18,002 - WARN [org.opensaml.saml.saml2.profile.impl.DecryptNameIDs:?] - Profile Action DecryptNameIDs: Failure performing decryption
org.opensaml.xmlsec.encryption.support.DecryptionException: Failed to decrypt EncryptedData
at org.opensaml.xmlsec.encryption.support.Decrypter.decryptDataToDOM(Decrypter.java:548)
2022-01-27 06:43:18,002 - WARN [org.opensaml.profile.action.impl.LogEvent:?] - A non-proceed event occurred while processing the request: DecryptNameIDFailed
2022-01-27 06:43:18,002 - DEBUG [org.opensaml.saml.common.profile.logic.DefaultLocalErrorPredicate:?] Error event DecryptNameIDFailed will be handled with response
Do I miss something? Can you see an error in my setup?
Appreciate any kind of help! Thanks in advance.

Problems with grpc connection using ssl

I am currently new in grpc.
I wanted to provide SSL for my gRPC server.
The Java code for starting it looks like this:
InputStream publicKey = ServerStarter.class.getResourceAsStream("/my-public-key-cert.pem");
InputStream privateKey = ServerStarter.class.getResourceAsStream("/my-private-key.pem");
SslContext sslContext = GrpcSslContexts.forServer(publicKey, privateKey).build();
Server server = NettyServerBuilder.forPort(5555)
.sslContext(sslContext)
.addService(new RedirectService())
.intercept(new AuthorizationInterceptor())
.build();
server.start();
SSL certificates were generated with openssl. And here is how the openssl command looks:
openssl req -x509 -newkey rsa:4096 -keyout ./grpc-server/src/main/resources/my-private-key.pem -out ./grpc-server/src/main/resources/my-public-key-cert.pem -days 365 -nodes -subj "/CN=192.168.88.132" -addext "subjectAltName = DNS.1:192.168.88.132, DNS.2:localhost"
Server runs fine.
But I can't connect to server.
My clients code looks like this:
InputStream certificate = GalamatClient.class.getResourceAsStream("/my-public-key-cert.pem");
SslContext context = GrpcSslContexts.forClient().trustManager(certificate).build();
ManagedChannel channel = NettyChannelBuilder.forTarget("192.168.88.132:5555")
.sslContext(context)
.build();
GreetingServiceGrpc.GreetingServiceBlockingStub stub = GreetingServiceGrpc.newBlockingStub(channel);
GreetingService.GreetingRequest request = GreetingService.GreetingRequest.newBuilder().setMessage("Hi").build();
GreetingService.GreetingResponse response = stub.greet(request);
channel.shutdownNow();
And when I try to run the client, the following error occurs:
Exception in thread "main" io.grpc.StatusRuntimeException: UNAVAILABLE: io exception
Channel Pipeline: [SslHandler#0, ProtocolNegotiators$ClientTlsHandler#0, WriteBufferingAndExceptionHandler#0, DefaultChannelPipeline$TailContext#0]
at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:262)
at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:243)
at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:156)
at com.example.GreetingServiceGrpc$GreetingServiceBlockingStub.recognize(SpeechRecognitionGrpc.java:246)
at com.example.main(Client.java:59)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1772)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:777)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:509)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1079)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:970)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1443)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1275)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1322)
at io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501)
at io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440)
at io.grpc.netty.shaded.io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.grpc.netty.shaded.io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.grpc.netty.shaded.io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.grpc.netty.shaded.io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.grpc.netty.shaded.io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714)
at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650)
at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576)
at io.grpc.netty.shaded.io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.grpc.netty.shaded.io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.grpc.netty.shaded.io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.grpc.netty.shaded.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 192.168.88.132 found
at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:94)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:459)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:440)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:261)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
at io.grpc.netty.shaded.io.netty.handler.ssl.OpenSslTlsv13X509ExtendedTrustManager.checkServerTrusted(OpenSslTlsv13X509ExtendedTrustManager.java:223)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
at io.grpc.netty.shaded.io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:596)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1203)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1325)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:201)
at io.grpc.netty.shaded.io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1380)
... 21 more
Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1288)
at io.grpc.netty.shaded.io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1249)
... 24 more
Error says that I don't provide needed Ip in subject alternative names:
No subject alternative names matching IP address 192.168.88.132 found
but I provided it in command of creation certificate.
I will appreciate if you could help with that.

Use overrideAuthority(String authority) to match what the certificate has in its SAN. Use an OpenSSL command to display what you have in your server cert.
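
A way to see what the answer above refers to, as an added example that is not part of the original posts: it lists a certificate's SAN entries by GeneralName type and reports whether a target is covered by an entry of the type the JDK identity check consults (iPAddress, type 7, for IP literals; dNSName, type 2, for host names). The class and helper names are hypothetical, matching is simplified to exact comparison (no wildcards, no IPv6 normalisation), and the built-in sample assumes the openssl command on the page produced two dNSName entries.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanTypeCheck {
    static final int SAN_DNS = 2; // GeneralName dNSName
    static final int SAN_IP = 7;  // GeneralName iPAddress

    static boolean isIpLiteral(String host) {
        return host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":");
    }

    /** True when the target appears in a SAN entry of the type used for that kind of target. */
    static boolean sanCovers(Collection<List<?>> sans, String target) {
        if (sans == null) {
            return false; // getSubjectAlternativeNames() returns null when there is no SAN
        }
        int wanted = isIpLiteral(target) ? SAN_IP : SAN_DNS;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            Object value = entry.get(1);
            if (type == wanted && value instanceof String
                    && ((String) value).equalsIgnoreCase(target)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        Collection<List<?>> sans;
        if (args.length > 0) {
            // Real use: pass the path of the server certificate (PEM or DER).
            try (InputStream in = new FileInputStream(args[0])) {
                X509Certificate cert = (X509Certificate)
                        CertificateFactory.getInstance("X.509").generateCertificate(in);
                sans = cert.getSubjectAlternativeNames();
            }
        } else {
            // Constructed sample, assumed to mirror "DNS.1:192.168.88.132, DNS.2:localhost".
            sans = Arrays.<List<?>>asList(
                    Arrays.<Object>asList(SAN_DNS, "192.168.88.132"),
                    Arrays.<Object>asList(SAN_DNS, "localhost"));
        }
        if (sans != null) {
            for (List<?> entry : sans) {
                System.out.println("SAN type " + entry.get(0) + ": " + entry.get(1));
            }
        }
        // IP target: only type 7 entries count, so the dNSName copy of the address does not match.
        System.out.println("192.168.88.132 covered: " + sanCovers(sans, "192.168.88.132"));
        // A name that is present as dNSName is what overrideAuthority would have to be set to.
        System.out.println("localhost covered: " + sanCovers(sans, "localhost"));

        // Constructed sample of a certificate issued with an IP: entry for the address.
        Collection<List<?>> withIpSan = Arrays.<List<?>>asList(
                Arrays.<Object>asList(SAN_IP, "192.168.88.132"),
                Arrays.<Object>asList(SAN_DNS, "localhost"));
        System.out.println("with IP SAN: " + sanCovers(withIpSan, "192.168.88.132"));
    }
}
```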

java mail program doesn't send mails anymore [duplicate]

I have a Java program and it sends mails to the users. For 1 week the mails haven't been sent anymore. I didn't change anything, but now I get this error:
connexion failed: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
Exception in thread "main" java.lang.RuntimeException: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at Launcher$Connexion.<init>(Launcher.java:33)
at Launcher.main(Launcher.java:52)
Caused by: javax.mail.MessagingException: Exception reading response;
nested exception is:
javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair
at com.sun.mail.smtp.SMTPTransport.readServerResponse(SMTPTransport.java:1407)
at com.sun.mail.smtp.SMTPTransport.openServer(SMTPTransport.java:1205)
at com.sun.mail.smtp.SMTPTransport.protocolConnect(SMTPTransport.java:322)
at javax.mail.Service.connect(Service.java:236)
at javax.mail.Service.connect(Service.java:137)
at Launcher$Connexion.<init>(Launcher.java:28)
I contacted fastmail (mailing server) and they say that the insecure cert is self-signed, and does not expire until 2021.
So I don't know what the problem is.

Please add DH parameter limits to the certificate of target server. Custom DH parameters by using openssl dhparam command should be generated and applied with the SSLCertificateFile directive. Please note that the custom DH parameters with a 1024-bit prime will always have precedence over any of the built-in DH parameters.
You should update your Java version to at least version 8 as the 1024-bit restriction should have been lifted to accept 2048-bit parameters.
Please see: Java: Why does SSL handshake give 'Could not generate DH keypair' exception?

AWS SignatureDoesNotMatch exception when URLEncoding UTF-8 filename with ContentDisposition in Java

I am trying to upload a file to S3 and urlencode the filename with Amazon SDK's ObjectMetadata.setContentDisposition(). The filename can contain any UTF-8 character and spaces. Right now the filename breaks on spaces and I get an error when using special case characters.
The code snippet where I use it is as follows:
ObjectMetadata fileMetadata = new ObjectMetadata();
fileMetadata.setContentLength(file.length());
fileMetadata.setContentType(metaContentType);
fileMetadata.addUserMetadata("Filename", metaFileName);
fileMetadata.setContentDisposition("attachment; filename*=UTF-8 " + URLEncoder.encode(metaFileName,"UTF-8"));
Unfortunately this does not work as expected as I am getting the exception: "AmazonS3Exception: Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 3F2C3AE3420561BA, AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method.".
The full stacktrace:
at services.AWS_S3_Uploader.AWS_S3_Upload.service(AWS_S3_Upload.java:281)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.callService(ServiceMessageHandler.java:461)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.handleMessageCommon(ServiceMessageHandler.java:273)
at com.sonicsw.xqimpl.service.ServiceMessageHandler.handleMessage(ServiceMessageHandler.java:136)
at com.sonicsw.xqimpl.service.XQDispatcher.onMessage(XQDispatcher.java:460)
at com.sonicsw.esb.itinerary.model.EsbStepNode.doExecute(EsbStepNode.java:296)
at com.sonicsw.esb.itinerary.model.EsbStepNode.execute(EsbStepNode.java:180)
at com.sonicsw.esb.process.model.impl.DefaultActivityNode.offerIncoming(DefaultActivityNode.java:140)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.executeProcess(ItineraryEngine.java:338)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.handleToken(ItineraryEngine.java:181)
at com.sonicsw.esb.itinerary.engine.ItineraryEngine.handleMessage(ItineraryEngine.java:171)
at com.sonicsw.xqimpl.endpoint.container.EndpointContextContainer.onMessage(EndpointContextContainer.java:116)
at com.sonicsw.xq.connector.jms.JMSEndpointMessageListener.onMessage(JMSEndpointMessageListener.java:259)
at progress.message.jimpl.Session.deliver(Session.java:3086)
at progress.message.jimpl.Session.run(Session.java:2489)
at progress.message.jimpl.Session$SessionThread.run(Session.java:2881)
Caused by: java.lang.Exception: AmazonServiceException
at services.AWS_S3_Uploader.AWS_S3.logAmazonServiceException(AWS_S3.java:340)
at services.AWS_S3_Uploader.AWS_S3.uploadObject(AWS_S3.java:280)
at services.AWS_S3_Uploader.AWS_S3_Upload.service(AWS_S3_Upload.java:263)
... 15 more
Caused by: AmazonS3Exception: Status Code: 403, AWS Service: Amazon S3, AWS Request ID: 3F2C3AE3420561BA, AWS Error Code: SignatureDoesNotMatch, AWS Error Message: The request signature we calculated does not match the signature you provided. Check your key and signing method., S3 Extended Request ID: 0AlM9giKI8hRMWG0Xc84lxXSJ8ZwUPB2DjHKddwa1oVZ4AWUzlyko7jEko9MEtwkd5Tc7xocFJw=
at com.amazonaws.http.AmazonHttpClient.handleErrorResponse(AmazonHttpClient.java:644)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:338)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:190)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:2979)
at com.amazonaws.services.s3.AmazonS3Client.putObject(AmazonS3Client.java:1159)
at com.amazonaws.services.s3.transfer.internal.UploadCallable.uploadInOneChunk(UploadCallable.java:97)
at com.amazonaws.services.s3.transfer.internal.UploadCallable.call(UploadCallable.java:89)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.upload(UploadMonitor.java:179)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:137)
at com.amazonaws.services.s3.transfer.internal.UploadMonitor.call(UploadMonitor.java:48)
at java.util.concurrent.FutureTask.run(FutureTask.java:262)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:745)
I am using:
Java 1.6
aws-java-sdk-1.10.2.jar
All help and suggestions are welcome.
If more information is needed, then just ask.
Br.

I don't know whether that's the reason, but the encoding used for filename* is incorrect. See http://greenbytes.de/tech/webdav/rfc6266.html#disposition.parameter.filename for the specification.
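
The filename* form from the specification the answer links to, as an added example that is not part of the original posts: it builds the RFC 5987 ext-value (charset, two single quotes, then percent-encoded UTF-8 bytes) and prints it beside the URLEncoder output used in the question. The class and method names and the sample filename are constructed for illustration; whether this also resolves the SignatureDoesNotMatch error is not established on this page.

```java
import java.net.URLEncoder;
import java.nio.charset.Charset;

public class ContentDispositionValue {

    // Non-alphanumeric characters RFC 5987 allows unescaped in an ext-value (attr-char).
    private static final String ATTR_PUNCT = "!#$&+-.^_`|~";

    /** Encodes a filename as an RFC 5987 ext-value: UTF-8''<percent-encoded bytes>. */
    static String encodeExtValue(String filename) {
        StringBuilder sb = new StringBuilder("UTF-8''");
        for (byte b : filename.getBytes(Charset.forName("UTF-8"))) {
            int c = b & 0xFF;
            boolean alnum = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9');
            if (alnum || ATTR_PUNCT.indexOf(c) >= 0) {
                sb.append((char) c);
            } else {
                // Spaces, quotes, control characters and all non-ASCII bytes become %XX,
                // so the value cannot break out of the header parameter.
                sb.append('%').append(String.format("%02X", c));
            }
        }
        return sb.toString();
    }

    static String attachmentHeader(String filename) {
        return "attachment; filename*=" + encodeExtValue(filename);
    }

    public static void main(String[] args) throws Exception {
        String name = "Jahresbericht 2015 \u20AC.pdf"; // constructed sample with space and euro sign

        // Form used in the question: a space after "UTF-8" and '+' for spaces.
        System.out.println("attachment; filename*=UTF-8 " + URLEncoder.encode(name, "UTF-8"));
        // prints: attachment; filename*=UTF-8 Jahresbericht+2015+%E2%82%AC.pdf

        // RFC 5987 form.
        System.out.println(attachmentHeader(name));
        // prints: attachment; filename*=UTF-8''Jahresbericht%202015%20%E2%82%AC.pdf
    }
}
```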

Java APNS (Apple Push Notification Service) error

I am trying to use Java APNS - an open source project - to send push notifications to iPhones.
I am getting an error, though.
I have used a .pem file as certificate. Should this have been a .p12 file? I am not sure what the difference is, but I read somewhere online that there is a difference between these file formats.
Here is the code:
ApnsService service =
APNS.newService()
.withCert("gpk.pem", "XXXX")
.withSandboxDestination()
.build();
String payload = APNS.newPayload().alertBody("Can't be simpler than this!").build();
String token = "theTokenIsRemoveHere";
service.push(token, payload);
And here is the error:
Exception in thread "main" com.notnoop.exceptions.InvalidSSLConfig: java.io.IOException: toDerInputStream rejects tag type 45
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:102)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:161)
at com.notnoop.apns.ApnsServiceBuilder.withCert(ApnsServiceBuilder.java:124)
at com.geomobsters.cli.ApnsClient.main(ApnsClient.java:12)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:120)
Caused by: java.io.IOException: toDerInputStream rejects tag type 45
at sun.security.util.DerValue.toDerInputStream(DerValue.java:806)
at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1201)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.notnoop.apns.internal.Utilities.newSSLContext(Utilities.java:87)
... 8 more

Java APNS is expecting the cert as a .p12 file.
You have to check both the private key and the certificate in your keychain,
then right click -> "export 2 files"
and export them.
You have to give it a password; this is the password you have to type here
.withCert("gpk.pem", "XXXX")
as your XXXX.
Good luck
EDIT:
.P12 – PKCS#12, contains certificates and private keys saved with a password
.PEM – is a Base64-encoded certificate, locked by „-----BEGIN CERTIFICATE-----“ and „-----END CERTIFICATE-----“
