1 vote

Why doesn't PDF Reader show the embedded OCSP response?

I haven't even used a CrlClient:

MakeSignature.signDetached(sap, new BouncyCastleDigest(), es, chain,
        null,        // crlList: no CrlClient, so no CRL should be embedded
        ocspClient,  // OcspClient: an OCSP response should be embedded
        tsClient, 0, MakeSignature.CryptoStandard.CMS);
// chain[0] - signer certificate
// chain[1] - OperCA certificate (signer's issuer)
// chain[2] - RootCA (OperCA's issuer)

The PDF revocation tab details show:

The selected certificate is considered valid because it does not appear in the Certificate Revocation List (CRL) that is contained in the local cache.

The CRL was signed by "B-Trust Operational CA QES <[hidden email]>" on 2014/02/19 07:53:35 +02'00' and is valid until 2014/03/21 07:53:35 +02'00'.

I want to achieve Figure 3.8, "A digital signature with an embedded OCSP response", from Bruno Lowagie's free white paper.

What am I doing wrong or missing?

Here are the certification path and a sample PDF.

Best regards, Valentino

I guess you're not getting an answer because there's nothing to test: you didn't use the LoggerFactory that writes out all actions taken during the signing process. If you had done so and posted the output, we could have seen (1) whether the certificate supports OCSP and (2) whether the OCSP server was successfully contacted. We also didn't get a PDF to check whether there's actually an OCSP response inside the PDF. As for the message shown by Adobe Reader: it clearly says that the CRL is read from the local cache. This means that the CRL isn't stored in the PDF; it was downloaded and cached by Adobe Reader. – Bruno Lowagie

I have edited my post by adding links to the PDF sample and certificate chain. When I use LoggerFactory.getInstance().setLogger(new SysoLogger()); I get only: INFO Getting OCSP from ocsp.b-trust.org – Valentin Ivanov

The signature contains exactly one OCSP response and no CRL. Interestingly, the Adobe Readers on my machines say that they used the embedded CRL to check revocation of the CA certificate. I assume there is some mix-up and they actually mean OCSP responses. That all being said, though, don't count on verifying software to use the information you provide in a PDF. If it (for whatever reason) prefers other input, it is free to use that. – mkl

I have some doubts. That's why I intentionally gave a link to an overview of the certification chain. RFC 6960, which is about OCSP, states in 2.6 (OCSP Signature Authority Delegation) and 4.2.2.2 (Authorized Responders): "This certificate MUST be issued directly by the CA that is identified in the request. The CA SHOULD use the same issuing key to issue a delegation certificate as that used to sign the certificate being checked for revocation." In my case the OCSP certificate isn't issued by the client's issuer, but by the Root! Could that be the reason? @Bruno – Valentin Ivanov

I would like to confirm that the problem is due to a non-conforming OCSP certificate. As @mkl suggested, I created an OCSP certificate that conforms to RFC 6960, and the Acrobat Reader revocation tab now shows the embedded OCSP response correctly. Thanks Michael and Bruno. – Valentin Ivanov

1 Answer

1 vote

The actual issue is that even when the PDF has only an OCSP response embedded (and no CRL), Acrobat Reader doesn't show it, but shows the local CRL instead.

This is caused by an OCSP certificate that does not conform to RFC 6960 (or RFC 2560).

Wrong OCSP certification path:

Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
Root CA -> OCSP

Correct OCSP certification path:

Root CA -> Operational CA -> Client certificates (certificates checked with OCSP)
           Operational CA -> OCSP
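As an added example (not part of the answer above, and not code from iText, BouncyCastle or Adobe), here is the RFC 6960 section 4.2.2.2 authorized-responder rule applied to a constructed certificate hierarchy in Go, using only the standard library. It builds the Root CA -> Operational CA -> Client chain from the question with throwaway P-256 keys, issues an OCSP signing certificate either from the Root CA (the wrong path) or from the Operational CA (the correct path), and checks the responder against the issuer of the certificate being validated. All names, keys and serial numbers are constructed here. The check covers the "issuing CA signs the response itself" and "delegated responder" cases and leaves out the locally configured trusted-responder case the RFC also allows; it is an approximation of the RFC rule, not a reproduction of Adobe Reader's internal logic.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed serial numbers for the throwaway certificates

// issue creates a certificate for cn signed by parent (self-signed when parent is nil).
// eku lists the extended key usages; isCA sets basicConstraints and keyCertSign.
func issue(cn string, isCA bool, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ResponderAuthorized applies RFC 6960 section 4.2.2.2 to the certificate that
// signed an OCSP response. issuer is the CA that issued the certificate whose
// status is being checked. The responder is accepted if it is that CA itself,
// or if its certificate was issued directly by that CA and carries the
// id-kp-OCSPSigning extended key usage.
func ResponderAuthorized(responder, issuer *x509.Certificate) error {
	if responder.Equal(issuer) {
		return nil // the issuing CA signs its own OCSP responses
	}
	// Delegated responder: MUST be issued directly by the CA identified in the request.
	if !bytes.Equal(responder.RawIssuer, issuer.RawSubject) {
		return fmt.Errorf("responder %q was issued by %q, not by %q",
			responder.Subject.CommonName, responder.Issuer.CommonName, issuer.Subject.CommonName)
	}
	if err := responder.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("responder certificate signature not from %q: %w", issuer.Subject.CommonName, err)
	}
	for _, u := range responder.ExtKeyUsage {
		if u == x509.ExtKeyUsageOCSPSigning {
			return nil
		}
	}
	return errors.New("responder certificate lacks the id-kp-OCSPSigning extended key usage")
}

// scenario builds Root CA -> Operational CA -> Client, issues the OCSP signing
// certificate from the Root (ocspIssuedByRoot) or from the Operational CA, and
// checks the responder against the client certificate's issuer.
func scenario(ocspIssuedByRoot, withEKU bool) error {
	root, rootKey := issue("Root CA", true, nil, nil, nil)
	oper, operKey := issue("Operational CA", true, nil, root, rootKey)
	client, _ := issue("Client", false, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, oper, operKey)
	if err := client.CheckSignatureFrom(oper); err != nil {
		return fmt.Errorf("constructed chain is broken: %w", err)
	}
	var eku []x509.ExtKeyUsage
	if withEKU {
		eku = []x509.ExtKeyUsage{x509.ExtKeyUsageOCSPSigning}
	}
	ocspCert, _ := issue("OCSP Responder", false, eku, oper, operKey)
	if ocspIssuedByRoot {
		ocspCert, _ = issue("OCSP Responder", false, eku, root, rootKey)
	}
	return ResponderAuthorized(ocspCert, oper) // oper is the issuer of the checked certificate
}

func main() {
	fmt.Println("OCSP cert issued by Root CA:            ", scenario(true, true))
	fmt.Println("OCSP cert issued by Operational CA:     ", scenario(false, true))
	fmt.Println("Issued by Operational CA, missing EKU:  ", scenario(false, false))
}
```

The first call reproduces the wrong path from the answer and is rejected because the responder's issuer name (and signature) belongs to the Root CA rather than the Operational CA; the second is the corrected path and passes; the third shows that issuance by the right CA alone is not enough without the OCSP signing key purpose.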