I am trying to add an OCSP Response to a PDF document that I am signing with Bouncy Castle using CmsSignedDataGenerator
I think I'm embedding the OCSP response correctly, but when I open the document in Adobe Reader 11 (offline) and check Signature Properties > Show Signer's Certificate > Revocation > Problems Encountered, I see this error:
OCSP response parsing error:
Error encountered while BER decoding:
Adobe Reader does not give me any more information on this error, and I don't know where to look. Does anyone know why Adobe is having problems decoding the OCSP response, or how I can get more specific information?
This is the PDF I'm trying to validate.
Any kind of help would be greatly appreciated
Thanks
The OCSP response is embedded in the OP's signature like this:
1705 1920: SEQUENCE {
1709 9: OBJECT IDENTIFIER '1 2 840 113583 1 1 8'
1720 1905: SET {
1724 1901: SEQUENCE {
1728 1897: [1] {
1732 1893: SEQUENCE {
1736 1889: SEQUENCE {
1740 1: ENUMERATED 0
1743 1882: [0] {
1747 1878: SEQUENCE {
1751 9: OBJECT IDENTIFIER
: ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863: OCTET STRING, encapsulates {
1766 1859: SET {
1770 1855: SEQUENCE {
1774 286: SEQUENCE {
1778 126: [1] {
1780 124: SEQUENCE {
1782 11: SET {
1784 9: SEQUENCE {
1786 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
1791 2: PrintableString 'AU'
: }
: }
In contrast to my initial idea, the OP has not merely tried to include the basic OCSP response but indeed a complete response:
1736 1889: SEQUENCE {
1740 1: ENUMERATED 0
1743 1882: [0] {
1747 1878: SEQUENCE {
1751 9: OBJECT IDENTIFIER
: ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863: OCTET STRING, encapsulates {
Unfortunately, the basic OCSP response encapsulated in that OCTET STRING
1766 1859: SET {
1770 1855: SEQUENCE {
1774 286: SEQUENCE {
1778 126: [1] {
is additionally embedded in a SET, which is against the specification (RFC 2560 and others):
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
The value for response SHALL be the DER encoding of BasicOCSPResponse.
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
The OP meanwhile seems to have corrected his way of (re)constructing the complete OCSP response.