We use iText.Signatures.PdfPadesSigner class in a .net project to sign Baseline-LT and this class enforce to verify OCSP first then optionally CRL. If the Certificate doesn’t have an OCSP url then the class will verify LTV using crls. But if the certificate has an OCSP it will verify OCSP first. The issue happens when we try to block OCSP url on our local machine as a test case, the signing process stopped completely and throws exception that it can’t get neither OCSPs or CRLs.
Is there a solution to overcome that or shall we use another library?
I found another way to over come that. I used PdfSigner class instead of PdfPadesSigner to sign timestamp basically and send LTV data separately.
I used this method from it SignDetached(IExternalSignature externalSignature, IX509Certificate[] chain, ICollection<ICrlClient> crlList, IOcspClient ocspClient, ITSAClient tsaClient, int estimatedSize, CryptoStandard sigtype)
set crlList = null, ocspClient = null and sigtype = CADES and send the other values as normal.
Then, I added LTV data using class LtvVerification specifically this method AddVerification(string signatureName, IOcspClient ocsp, ICrlClient crl, CertificateOption certOption, Level level, CertificateInclusion certInclude), so I can control which level I need instead of being forced to use PdfPadesSigner choosed level.
I set level = OCSP_CRL
When the OCSP is blocked this level will enable checking CRL without throwing exceptions