
No Matching Certificate for... error

Anonymous

Greetings.

I am running into the following error while receiving a message:
[#|2012-07-09T17:28:55.249-0400|SEVERE|sun-appserver2.1|javax.enterprise.resource.xml.webservices.security|_ThreadID=60;_ThreadName=httpSSLWorkerThread-8181-1;SunPKCS11-NSS
RSA public key, 2048 bits (id 561,
session object)
modulus:
1793039115094325872463565428993449869478031886395856577330373281720735432838391787480702451236932300779695172807110553543101450009839524492225256651115916381008482967557045588096160793677184064056
274759095863466725627326473911038543970929512586759650975513813925919649373939567355227055070439838187353413705914909739692371460341055402099876413401914064788774702494095210835126922513300031656931658132204
288543599160850801692286012107194255329928661964181719779342121826251399779487166706440208028168501742876629778053085552257727628420434136977294215967198048210766827747890155657124530610499764188205366203647
1420969
public exponent:
65537;_RequestID=2ec6e609-9fb8-4647-8891-33f1c1b372d6;|WSS0706: Error: No
Matching Certificate for : SunPKCS11-NSS RSA public key, 2048 bits (id 561,
session object)
modulus:
1793039115094325872463565428993449869478031886395856577330373281720735432838391787480702451236932300779695172807110553543101450009839524492225256651115916381008482967557045588096160793677184064056
274759095863466725627326473911038543970929512586759650975513813925919649373939567355227055070439838187353413705914909739692371460341055402099876413401914064788774702494095210835126922513300031656931658132204
288543599160850801692286012107194255329928661964181719779342121826251399779487166706440208028168501742876629778053085552257727628420434136977294215967198048210766827747890155657124530610499764188205366203647
1420969
public exponent: 65537 found in KeyStore or TrustStore.|#]

My environment can be described as the following:
Metro 2.0
Glassfish 2.1.1
TLS
Receiving a message with a SAML 2.0 Assertion with holder-of-key
confirmation method.
This same message also has the Endorsing Supporting Tokens policy.

I believe metro is validating both the signature of the SAML 2.0 Assertion
as well as the signature of the timestamp (endorsing supporting token with
TLS) per the XML Digital Signature specification. Can anyone confirm that
this is the case and point me to the java packages/classes/methods which do
this signature verification? I have searched a little on my own but have not
yet been successful. I believe if the verification of the signature(s) had
failed, then metro would have stopped processing the message and reported
an error, however I am trying to confirm this belief.

If I am correct in believing that the metro stack is not throwing the above
error in response to a signature verification failure, I suspect the error
is in response to an additional check above and beyond that required by the
XMLDSig spec. Can anyone confirm this suspicion? I suspect metro is
searching the truststore for the key provided in the keyinfo element of the
signature(s) and when it cannot find the certificate, the above error is
thrown. I would be curious to hear from a functional perspective what the
stack will do with the certificate if it finds it. Does it check the cert's
expiration date? Does it check the extensions to verify the chain of trust
to a CA cert?

I believe if I can get a handle to either of these pieces of logic in java
I can find my way to the other, however I would appreciate any context in
english (as well as java:))

Please let me know if any of these questions don't make sense or require
additional information - I am all wrapped up in this investigation and
sometimes I forget to set basic and important contextual elements when
explaining it to others. Thank you for your time!

Glen Mazza

You might wish to debug Metro within an Eclipse/Tomcat environment to
get your answers:
http://www.jroller.com/gmazza/entry/eclipse_debug_web_services, and
submit Metro patches, if necessary, to: http://java.net/jira/browse/wsit.

Glen

On 07/30/2012 10:42 AM, matthew weaver wrote: