Jetty 9 - Enable OCSP Stapling for domain-validated certificate

See also questions close to this topic

• Alternating sum Competitive programming challenge Send Help pls

  I can not do this problem, can you please help me coding it please. I am trying to practice for the ACM contest and the research did not help me much.

  The instructions of the problem are in this link: http://codeforces.com/problemset/problem/963/A

  Please help.
• java return a list containing every other element of the original list

  /**
   * Returns a list consisting of the initial item in the parameter
   * followed by every other item in the parameter.
   * For example, if the original list was ["my", "dog", "has", "fleas", "!"]
   * then the list returned would be ["my", "has", "!"].
   * 
   * @param  original   the list from which the returned list is constructed
   * @return a list containing every other element of the original list
   */
  public ArrayList<String> everyOtherItem(ArrayList<String> original) {
      // I'm not even sure where to begin
  }
  

  } Every time I try to add a code it only gives me the entire string array instead of returning only every other element.
• recursively reverse a string using three recursive calls using java

  I know how to reverse a string using one recursive call but for fun I am trying to do it using three different recursive calls and three different base cases. Each recursive call should be passed a String whose length is roughly str.length() / 3. the issue I seem to be having is that every time the method calls itself it also does the math needed to split the string into three separate parts. my output looks like this:

  Enter String: 
  helloworldtodayisanicedaywouldntyousay
  First: helloworldto
  Second: dayisaniceday
  Third: wouldntyousay
  First: hel      //helloworldt  first second and third combined all coming
  Second: lowo    // from the first string.
  Third: rldt     // the words from second and third are missing?
  The reversed string is: ol
  

  to make things simpler I am only testing the first string and trying to flip that. So the first time the method is called it seams to split the string up perfectly and then takes the last character and returns it. For the second time around it divides the string a second time and takes the last character. How do I get the string not to divide a second time? also I noticed that for the second time around First:, Second:, and Third: are storing the hole first string. Why is this happening can someone please help me?

  import java.util.Scanner;
  public class recursion {
  
  //driver method
  public static void main(String[] args) {
      String str;
      System.out.println("Enter String: ");
      Scanner sc = new Scanner(System.in);
      str = sc.nextLine();
      String res = revRec3(str);
      System.out.println("The reversed string is: " + res);
  
  }
  
  public static String revRec3(String str)
  {
      String first = str.substring(0,str.length() / 3 );   
      String second = str.substring(str.length() / 3, ((2 * str.length()) / 3));
      String third =  str.substring((2 * str.length()) / 3, str.length());
  
      if (first.isEmpty())
          return first;
      if (second.isEmpty())
          return second;
      if (third.isEmpty())
          return third;
  
      System.out.println("First: " + first);
      System.out.println("Second: " + second);
      System.out.println("Third: " + third);
  
      char last = first.charAt(first.length() - 1 );
      char last2 = second.charAt(second.length() - 1  );
      char last3 = third.charAt(third.length() - 1);
  
      return last + revRec3(first.substring(0, (first.length() - 1 )));
      // + last2 + str.substring(str.length() / 3, ((2 * str.length()) / 3) - 1 )
      // + last3 + str.substring((2 * str.length()) / 3, str.length() - 1 );
  
  }
  }
  
• Ignore ssl certs for easy install python

  I have my lib which has setup as

  setup.py

  from setuptools import setup
  
  setup(
      setup_requires=['pbr>=0.11.0'],
      pbr=True
  )
  

  setup.cfg

  [metadata]
  name = MyLib
  
  [options]
  zip_safe = False
  include_package_data = True
  install_requires =
      cython
      pyrex
      pymssql
      elementtree
      bleach
      BeautifulSoup4
      pytz
      MySQL_python
      retry
      elementtree
      Pyrex
  dependency_links =
      https://pypi.mydomain.com/packages/
  
  [files]
  packages =
      MyLib
      MyLib.package1
      MyLib.package1.new1
  
  [tool:wheel]
  universal = 1
  
  [flake8]
  exclude =
      venv,
      .tox,
      .git,
      __pycache__,
      *.pyc,
      *.egg-info,
      .cache,
      .eggs,
  max-line-length = 80
  
  [tool:pytest]
  testpaths=MyLib/tests
  ignore=
      .tox
      .cache
      docs
      config.py
      venv
  
  [coverage:run]
  omit=
      MyLib/config.py
  

  I am using this MyLib in my application requirements.txt

  myapp/requirements.txt ... ... MyLib==1.2.3 ... ...

  When I installed, with /usr/local/pyenv/versions/myapp/bin/pip install -i https://pypi.mydomain.com --trusted-host pypi.mydomain.com -r /opt/school/apps/myapp/requirements.txt, it was redirecting to pypi.python.org. Then I get that easy_install is using another config as ~/.pydistutils.cfg. I added as

  ~/.pydistutils.cfg

  [easy_install]
  index_url=https://pypi.mydomain.com/
  find_links = https://pypi.mydomain.com/simple/
  allow_hosts = pypi.mydomain.com
  

  Now its not redirecting to pypi.python.org but it gives error for SSL.

  /usr/local/pyenv/versions/myapp/bin/pip install -i https://pypi.mydomain.com --trusted-host pypi.mydomain.com -r /opt/school/apps/myapp/requirements.txt
  Requirement already satisfied: appdirs==1.4.3 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 1))
  Requirement already satisfied: beautifulsoup4 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 2))
  Requirement already satisfied: bleach==2.0.0 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 3))
  Requirement already satisfied: click==6.7 in /usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages (from -r /opt/school/apps/myapp/requirements.txt (line 4))
  Collecting MyLib==1.2.3 (from -r /opt/school/apps/myapp/requirements.txt (line 5))
    Downloading https://pypi.mydomain.com/packages/MyLib-1.2.3.tar.gz (221kB)
      100% |████████████████████████████████| 225kB 31.8MB/s
      Complete output from command python setup.py egg_info:
      Download error on https://pypi.mydomain.com/simple/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
      Download error on https://pypi.mydomain.com/pbr/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
      Couldn't find index page for 'pbr' (maybe misspelled?)
      Download error on https://pypi.mydomain.com/: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:661) -- Some packages may not be found!
      No local packages or working download links found for pbr>=0.11.0
      Traceback (most recent call last):
        File "<string>", line 1, in <module>
        File "/tmp/pip-build-Lsc4UJ/MyLib/setup.py", line 5, in <module>
          pbr=True
        File "/usr/local/pyenv/versions/2.7.13/lib/python2.7/distutils/core.py", line 111, in setup
          _setup_distribution = dist = klass(attrs)
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 315, in __init__
          self.fetch_build_eggs(attrs['setup_requires'])
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 361, in fetch_build_eggs
          replace_conflicting=True,
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 850, in resolve
          dist = best[req.key] = env.best_match(req, ws, installer)
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1122, in best_match
          return self.obtain(req, installer)
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/pkg_resources/__init__.py", line 1134, in obtain
          return installer(requirement)
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/dist.py", line 429, in fetch_build_egg
          return cmd.easy_install(req)
        File "/usr/local/pyenv/versions/2.7.13/envs/myapp/lib/python2.7/site-packages/setuptools/command/easy_install.py", line 659, in easy_install
          raise DistutilsError(msg)
      distutils.errors.DistutilsError: Could not find suitable distribution for Requirement.parse('pbr>=0.11.0')
  
      ----------------------------------------
  Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-Lsc4UJ/MyLib/
  

  1. Is there any way to force dependency_links not to use ~/.pydistutils.cfg ?

  If answer of 1 is NO, then how to ignore SSL for my pypi server?
• Include intermediate chain in keystore for mutual SSL

  I've been at this way too long and have searched high and low for a solution.

  I am trying to do mutual SSL. The target is using a certificate signed by an intermediate that is valid and trusted. My side, a Java web service client using httpclient 4.3.6, is also using a certificate signed by the intermediate.

  The intermediate is in a JKS format keystore and has the full chain. My certificate is also in a JSK keystore.

  I am also running Wireshark to follow the SSL process, since the Java exceptions are very unhelpful. I can see that the Server Hello finishes (a line in Wireshark called "Server Hello, Certificate, Server Key Exchange, Certificate Request, Server Hello Done"). A couple of packets later, there is a "Certificate, Client Key Exchange" line that seems to run ok. Two packets later, there is an alert about a handshake failure (40). When I go backward two packets to the "Certificate, Client Key Exchange" line and inspect it closely, I can see that while the key was sent off, there is a line that says "Certificates Length: 0" in the packet inspection window.

  So it appears that my certificate is not even being sent? I saw on another question here that it may be because my side doesn't see a valid path to my cert, and so doesn't bother including it? (The answer here https://stackoverflow.com/a/14876605/5136448). I do include the trust store that has my intermediate in it when using SSLContext and SSLConnectionSocketFactory.

  A colleague of mine got a successful connection using openssl when including my keystore and intermediate together, so I'm trying to add the certificate chain from the intermediate keystore to my own keystore to see if that will solve it. I have no found any successful way of doing this (openssl, keytool, Keystore Explorer), so I may not have the right idea as to properly solve this.

  To sum up, using Apache http-client 4.3.6, I need to do mutual SSL to a server where the server is trusted, but the client doesn't seem to be sending its certificate (which was signed by the same entity that signed the server's certificate).

  Should it be relevant, here is the client-side code:

  KeyStore keystore = KeyStore.getInstance("PKCS12");
  keystore.load(new FileInputStream(new File("/path/to/test.keystore")), "abc123".toCharArray());
  
  KeyStore trustStore = KeyStore.getInstance("PKCS12");
  trustStore.load(new FileInputStream(new File("/path/to/test.truststore")), "123abc".toCharArray());
  
  SSLContext sslContext = SSLContexts
  .custom()
  .loadKeyMaterial(keystore, "abc123".toCharArray(), null)
  .loadTrustMaterial(trustStore, null)
  .build();
  
  SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
  new String[]{"TLSv1.2"},
  null,
  SSLConnectionSocketFactory.STRICT_HOSTNAME_VERIFIER);
  
  
  CloseableHttpClient httpclient1 = HttpClients.custom().setSSLSocketFactory(sslConnectionSocketFactory).build();
  
• Implementing X509TrustManager

  I'm currently trying to transfer data over the internet via SSL/TLS in java and I want both parties to authenticate themselves. I have implemented the KeyManager myself to load the key pair and present the other party the appropriate certificate.

  Now, I'm trying to check the certificate and I'm doing that by implementing my own TrustManager (both parties hold the cert of the other party, everything is self-signed). However, getAcceptedIssuers doesn't work like I want it to, because even when I return none the connection still gets established without problem.

  Why doesn't the certificate get refused?

  protected static class SelectingTrustManager implements X509TrustManager{
      final X509TrustManager delegate;
  
      private String[] trustedAliases;
      private final KeyStore keystore;
  
      public SelectingTrustManager(X509TrustManager delegate, KeyStore keystore, String[] trustedAliases) {
          this.trustedAliases = trustedAliases;
          this.keystore = keystore;
          this.delegate = delegate;
      }
  
      public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException{
          delegate.checkClientTrusted(chain, authType);
      }
  
      public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{
          delegate.checkServerTrusted(chain, authType);
      }
  
      public X509Certificate[] getAcceptedIssuers(){
          return new X509Certificate[0];
      }
  
  }
  
• Authenticate Service Principal with certificate stored in Azure Key Vault

  I am trying to authenticate a local hadoop cluster to Azure using a service principal and certificate authentication. I have created a service principal, and put had the key vault create the certificate. I know how to get that information once I am authenticated, but I am trying to figure out how I would re-authenticate automatically once the certificate expires.
• Calculating SSL Certificate Depth (How Many Certs in the Chain)

  I am working with nginx which has an ssl_verify_depth option. Given a root certificate and the server certificate, I would like to find a programmatic or scripted way to find the depth of the current certificate so I can dynamically update the value of ssl_verify_depth. The default value is 1, meaning the server will fail to start if the certificate was signed by an intermediate certificate. A sample chain would be:

  Root CA Certificate -> Intermediate CA Certificate -> Intermediate 2 CA Certificate -> Server certificate (www.example.com).

  In this case I would need to set the ssl_verify_depth to 4.

  My question is, not requiring actual certificate verification, what's the best way to come up with "4" using either command line tools or a programming language (e.g. python)?
• Problem with Client Certificate using REST

  I have a test console-application that is listening for Requests using REST:

  Main Method:

  static void Main(string[] args)
      {
          var config = new HttpSelfHostConfiguration("https://localhost:8030");
  
          config.Routes.MapHttpRoute(
              "API Default", "api/{controller}/{id}",
              new { id = RouteParameter.Optional });
  
          using (HttpSelfHostServer server = new HttpSelfHostServer(config))
          {
              server.OpenAsync().Wait();
              Console.WriteLine("Press Enter to quit.");
              Console.ReadLine();
          }
      }
  

  Controller:

  public class RestController : ApiController
  {
      [RequireHttps]
      public string Get(int id)
      {
          return "value";
      }
  }
  

  And the Overridden RequireHttpsAttribute class. Taken from here

  This the code of the application that is listening for requests. So far its working well, but I have some issues with the application that is sending the requests:

  Here is the code of the app that calls the hosted REST-Controller:

  public class Program
  {
      static HttpClient client = new HttpClient();
      static void Main(string[] args)
      {
          SEND();
      }
  
      public static async void SEND()
      {
          HttpClient lClient = null;
  
          try
          {
  
              WebRequestHandler lHandler = new WebRequestHandler();
              X509Certificate lCertificate = GetCert2("localhost");
              lHandler.ClientCertificates.Add(lCertificate);
              lHandler.ServerCertificateValidationCallback = new RemoteCertificateValidationCallback(ValidateServerCertificate);
              lHandler.ClientCertificateOptions = ClientCertificateOption.Manual;
  
              lClient = new HttpClient(lHandler);
  
              Uri lWebService = new Uri("https://localhost:8030/api/rest/get");
  
              var requestMessage = new HttpRequestMessage(HttpMethod.Get, lWebService);
  
              Task<HttpResponseMessage> lRequest = lClient.SendAsync(requestMessage, HttpCompletionOption.ResponseContentRead, CancellationToken.None);
              HttpResponseMessage lResponse = lRequest.Result;
  
              HttpStatusCode lStatusCode = lResponse.StatusCode;
              HttpContent lResponseContent = lResponse.Content;
  
              string lResponseText = await lResponseContent.ReadAsStringAsync();
  
              if (!lResponse.IsSuccessStatusCode)
              {
                  Console.WriteLine("Your Request failed : " + lResponse.ReasonPhrase + ":" + lResponseText);
              }
              else
              {
                  Console.WriteLine("Request successful : " + lResponseText);
              }
          }
          catch (Exception pEx)
          {
              Console.WriteLine("Exception occured : " + pEx.Message + " ; " + pEx.InnerException);
          }
      }
  
      public static bool ValidateServerCertificate(
        object sender,
        X509Certificate certificate,
        X509Chain chain,
        SslPolicyErrors sslPolicyErrors)
      {
          Console.WriteLine("Validating certificate {0}", certificate.Issuer);
          if (sslPolicyErrors == SslPolicyErrors.None)
              return true;
  
          Console.WriteLine("Certificate error: {0}", sslPolicyErrors);
  
          // Do not allow this client to communicate with unauthenticated servers.
          return false;
      }
      private static X509Certificate2 GetCert2(string hostname)
      {
          X509Store myX509Store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
          myX509Store.Open(OpenFlags.ReadWrite);
          X509Certificate2 myCertificate = myX509Store.Certificates.OfType<X509Certificate2>().FirstOrDefault(cert => cert.GetNameInfo(X509NameType.SimpleName, false) == hostname);
          return myCertificate;
      }
  

  Unfortunately on the line HttpContent lResponseContent = lResponse.Content; the code stops and tells me that the connection has been closed. No further exception details. I suspect that the request is not formatted correctly.

  The Code that is getting the certificate is working properly and returns the certificate that I have installed on port 8030...

  What am I missing here?

  Thank you for your help
• How to access static content through servlet in KARAF

  We are trying to access static content through servlet in OSGI KARAF. We don't have option to use spring here so we are forced to use servlets only. we are trying to do it by using default servlet of jetty.

    <servlet>
        <servlet-name>DefaultServlet</servlet-name>
        <servlet-class>org.eclipse.jetty.servlet.DefaultServlet
  </servlet-class>    
    </servlet>
  
    <servlet-mapping>
              <servlet-name>DefaultServlet</servlet-name>
              <url-pattern>/resources/*</url-pattern>
    </servlet-mapping>
  

  but i am facing an exception in logs while containers invokes defaultServlet object.

  Caused by: java.lang.IllegalArgumentException: The servletContext ServletContext@HttpServiceContext{httpContext=WebAppHttpContext{dashboard - 423}} org.ops4j.pax.web.service.jetty.internal.HttpServiceContext$SContext is not org.eclipse.jetty.server.handler.ContextHandler$Context
  
  at org.eclipse.jetty.servlet.DefaultServlet.initContextHandler(DefaultServlet.java:366) ~[?:?]
  
  at org.eclipse.jetty.servlet.DefaultServlet.init(DefaultServlet.java:174) ~[?:?]
  
  at javax.servlet.GenericServlet.init(GenericServlet.java:244) ~[?:?]
  
  at org.eclipse.jetty.servlet.ServletHolder.initServlet(ServletHolder.java:637) ~[?:?]
  

  Can I get any suggestions about how to access static resources on Jetty webserver on OSGI KARAF
• Issue in producing a Partial Content(206) as output for chunked download of a zip file using rest web services

  I have written a rest web service to produce a zip file in chunks using the mime type application_octet_stream using spring boot(2.0.5.RELEASE) but I am unable to get the partial_content(206) as output when i specify the range using the curl command as below but i get a 200(OK) as response i.e. iam not unable to retrieve the file in terms of chunks.

  curl http://localhost:8080/resource/getlist -i -H  "Range: bytes=0-100"
  

  PS:The spring boot application is deployed on an external jetty server and iam not using the embedded tomcat and jetty server where the exclusions are done in pom.xml.This is due to various design reasons.

  Is there any configuration additions/modifications i need to do on the external jetty server?

  The code is as below

  @RestController
  @RequestMapping("/resource")
  public class ListResource {
  
      /* Logger **/
      private static final Logger _LOG = LoggerFactory.getLogger(ListResource.class);
  
      @Autowired
      private AppContext appContext;
  
      private static final String DATE_FORMAT_FOR_ETAG = "yyyy-MM-dd HH:mm:ss'Z'";
      private static final DateFormat eTagDateFormat = new SimpleDateFormat(DATE_FORMAT_FOR_ETAG, Locale.US);
      private static final String ACCEPT_RANGES_BYTES = "bytes";
  
      @RequestMapping(path = "/getlist", method = RequestMethod.HEAD)
      public ResponseEntity<?> fetchListHead() throws IOException {
          return fetchList(true);
      }
  
      @RequestMapping(path = "/getlist", method = RequestMethod.GET,produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
      public ResponseEntity<?> fetchListGet() throws IOException {
          return fetchList(false);
      }
  
      private ResponseEntity<?> fetchList(final boolean justHead) throws IOException {
          File file = null;
          try {
                  file = new File("/home/resource/hello.zip");
                  byte[] readBytes = Files.readAllBytes(file.toPath());
                  ByteArrayResource resource = new ByteArrayResource(readBytes);
                  ResponseEntity.BodyBuilder responseBuilder = ResponseEntity.ok()
                                .header(HttpHeaders.CONTENT_DISPOSITION, "attachment; filename=\"" + file.getName() + "\"")
                                .header(HttpHeaders.ACCEPT_RANGES, ACCEPT_RANGES_BYTES)
                                .lastModified(new Date().getTime())
                                .eTag(getETag(file))
                                .cacheControl(CacheControl.maxAge(3600, TimeUnit.SECONDS).cachePublic().mustRevalidate())
                                .contentLength(file.length())
                      .contentType(MediaType.parseMediaType(MediaType.APPLICATION_OCTET_STREAM_VALUE));
  
              return justHead ? responseBuilder.build() : responseBuilder.body(resource);
  
          } catch (Exception e) {
              _LOG.error("Error in gettingResource:{}", e.getMessage());
              return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
          }
      }
  
      private String getETag(File file) {
          String tag = "";
          if (file != null) {
              tag = eTagDateFormat.format(new Date(file.getAbsoluteFile().lastModified()));
          }
          return tag;
      }
  }
  
• Connection impossible at SERPOSCOPE

  I installed on my SERPOSCOPE server following this tutorial :

  https://freedif.org/serposcope-opensource-seo-rank-tracker

  SERPOSCOPE is accessible from ip-server:7134

  I want it to be accessible from a domain, I modified my server like this :

  <VirtualHost *:80>
          ServerAdmin webmaster@domain.tld
          ServerName seo.domain.tld
  
          ProxyRequests Off
          <Proxy *>
          Order deny,allow
          Allow from all
          </Proxy>
          ProxyPass / http://localhost:7134/
          ProxyPassReverse / http://localhost:7134/
  </VirtualHost>
  

  Now SERPOSCOPE is accessible from my domain.

  It's perfect, it works.

  MY PROBLEM :

  When I'm on the login page, I enter my credentials. The login page is charging, but you can not connect.

  Here are the SERPOSCOPE logs. How to connect ?

  If I connect since ip-server:7134 it works.

  [2018-09-21 18:16:40,834] [pool-1-thread-1] INFO  s.s.Scheduler - last version 2.9.0 | current version 2.9.0
  [2018-09-21 20:57:37,803] [qtp127618319-11] ERROR n.AssetsController - error streaming file
  org.eclipse.jetty.io.EofException: null
      at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:192) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:408) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:364) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectChannelEndPoint.onSelected(SelectChannelEndPoint.java:111) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.processKey(SelectorManager.java:636) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.select(SelectorManager.java:607) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.run(SelectorManager.java:545) ~[serposcope.jar:na]
      at org.eclipse.jetty.util.thread.NonBlockingThread.run(NonBlockingThread.java:52) ~[serposcope.jar:na]
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [serposcope.jar:na]
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [serposcope.jar:na]
      at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181]
  Caused by: java.io.IOException: Broken pipe
      at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.8.0_181]
      at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.8.0_181]
      at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.8.0_181]
      at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.8.0_181]
      at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471) ~[na:1.8.0_181]
      at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:170) ~[serposcope.jar:na]
      ... 10 common frames omitted
  [2018-09-21 21:30:54,818] [qtp127618319-13] ERROR n.AssetsController - error streaming file
  org.eclipse.jetty.io.EofException: null
      at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:192) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.WriteFlusher.flush(WriteFlusher.java:408) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.WriteFlusher.completeWrite(WriteFlusher.java:364) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectChannelEndPoint.onSelected(SelectChannelEndPoint.java:111) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.processKey(SelectorManager.java:636) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.select(SelectorManager.java:607) ~[serposcope.jar:na]
      at org.eclipse.jetty.io.SelectorManager$ManagedSelector.run(SelectorManager.java:545) ~[serposcope.jar:na]
      at org.eclipse.jetty.util.thread.NonBlockingThread.run(NonBlockingThread.java:52) ~[serposcope.jar:na]
      at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635) [serposcope.jar:na]
      at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555) [serposcope.jar:na]
      at java.lang.Thread.run(Thread.java:748) [na:1.8.0_181]
  Caused by: java.io.IOException: Broken pipe
      at sun.nio.ch.FileDispatcherImpl.write0(Native Method) ~[na:1.8.0_181]
      at sun.nio.ch.SocketDispatcher.write(SocketDispatcher.java:47) ~[na:1.8.0_181]
      at sun.nio.ch.IOUtil.writeFromNativeBuffer(IOUtil.java:93) ~[na:1.8.0_181]
      at sun.nio.ch.IOUtil.write(IOUtil.java:65) ~[na:1.8.0_181]
      at sun.nio.ch.SocketChannelImpl.write(SocketChannelImpl.java:471) ~[na:1.8.0_181]
      at org.eclipse.jetty.io.ChannelEndPoint.flush(ChannelEndPoint.java:170) ~[serposcope.jar:na]
      ... 10 common frames omitted
  
• How to get OCSP responses through openssl apis in cms signed data

  I've been developing some logic to get certificates and its revocation list in cms signed data. The format of certificates is X509v3 and revocation list is OCSP responses.

  According to RFC 5652: "Online Certificate Status Protocol (OCSP) Responses can be supported using the OtherRevocationInfoFormat."

  So I #include <openssl/cms.h> and get x509v3 certificates through:

  STACK_OF(X509) *CMS_get1_certs(CMS_ContentInfo *cms);
  

  (See: https://www.openssl.org/docs/man1.1.0/crypto/CMS_get1_certs.html)

  But, I do not know how to get OCSP responses via openssl in C++. There is only:

  STACK_OF(X509_CRL) *CMS_get1_crls(CMS_ContentInfo *cms);
  

  But that gets a revocation info list as crls, not OCSP response.

  I found that in the cms_lcl.h, revocation info is included in CMS_RevocationInfoChoice as an union type:

  struct CMS_RevocationInfoChoice_st {
      int type;
      union {
          X509_CRL *crl;
          CMS_OtherRevocationInfoFormat *other;
      } d;
  };
  

  But, I can't find the way to get it. Do I need to import other libraries?
• How to create PADES using offline signature and OCSP response

  I'm stumped trying to figure out Esig DSS java suite just from docs and source. (eu.europa.esig.dss.* tree)

  We connect to Swedish BankID to sign PDF's and simple plain texts. Response is a SOAP XML with fields for the signature and an OCSP response.

  The end goal is to combine these two parts into a single object "a valid signature" that can be embedded in a PDF (using DSS and PDFbox).

  The contents of the BankID Soap fields seems to have the right format for DSS tools:

  The signature can be loaded with

  DSSDocument sigDoc = new InMemoryDocument(xmlSignature)
  SignedDocumentValidator documentValidator = SignedDocumentValidator.fromDocument(sigDoc);
  // ...
  AdvancedSignature advancedSignature = documentValidator.getSignatures().get(0);
  

  and the OCSP response can be read with

  ExternalResourcesOCSPSource source = new ExternalResourcesOCSPSource(ocspBytes);
  BasicOCSPResp basicOCSPResp = source.getContainedOCSPResponses().get(0);
  

  I can print out various info from the objects, find embedded certificates etc, so the format seems legit.

  Question: How do I get a valid OCSPToken from the ExternalResourcesOCSPSource?

  I keep running in circles trying to combining the two into a single AdvancedSignature (if that's what I can use to embed into a PDF).
• AWS OCSP Stapling

  After creating an OCSP server via Python3.6 + Lambda + Serverless + DynamoDB + S3 and OpenSSL it has become necessary to support OpenSSL --version of 1.1 which supports the multiple -cert options, thus reducing overhead and network requests.

  With print('Openssl version in lambda:', ssl.OPENSSL_VERSION) I can see that the installed version is: OpenSSL 1.0.0-fips 29 Mar 2010. How feasible it is to upgrade the version on AWS Lambda?

  Also can OCSP Stapling disussed here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/RequestAndResponseBehaviorCustomOrigin.html#request-custom-ocsp-stapling be used in the set up above to reduce network requests and load?