esig / dss-demonstrations

Examples of DSS integration
GNU Lesser General Public License v2.1

DSS demonstration tool not recognising OCSP response for signing cert #56

Closed IonutCorbu closed 3 months ago

IonutCorbu commented 4 months ago

Hello! I'm trying to make my signature in a PDF LTV-enabled, so I'm doing OCSP requests for the signing certificate and for the TSA certificate. The signing certificate is issued by a CA created locally, and the OCSP response is provided by an OCSP server built with OpenSSL. When I try to verify the signature in DSS, only the response for the TSA is recognised (probably because my CA is not in the trusted list). But I don't know why Adobe does not recognise the LTV-enabled status either, even if I put my CA in their trusted list. Here is the report from DSS: DSS-Detailed-report.pdf, and here is my file_signed.pdf.

I don't know if I encapsulated the certs and OCSPs correctly in the DSS field, and I'm afraid that this could be the problem.

Could anyone help me? Thank you a lot!

bsanchezb commented 4 months ago

Hello,

From a quick check, it looks like DSS is not able to find the complete certificate chain of the signature, but only the signing certificate. Thus, it does not validate the OCSP response.

You have the following options in order to provide the CA certificate:

  1. Provide the intermediate CA certificates directly within SignedData.certificates of the CMS (next to the signing certificate, on signature creation);
  2. Provide the CA certificates within the /DSS dictionary in the PDF's structure, on signature augmentation; or
  3. Define the AIA caIssuers certificate extension (OID 1.3.6.1.5.5.7.1.1) URL, which will return the certificate chain for your certificate on a GET request.

As you are using a test PKI, the first two options would be preferable.

Provided that the OCSP response is valid, DSS should be able to correctly pick it up for the given certificate once it finds its certificate chain.

Best regards, Aleksandr
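Option 1 above (the CA certificates carried in SignedData.certificates) and the LT-level augmentation, as an added example written for this page; it is not code from the issue thread or from the dss-demonstrations project. It assumes the DSS 5.x package layout; the PKCS#12 file, certificate file, PDF names and the TSA URL are placeholders, and the PKCS#12 is assumed to contain the signer key together with its chain up to the test root CA.

```java
// Added example (not from the issue thread): PAdES signing with DSS where the
// full chain of a test PKI is embedded in SignedData.certificates (option 1).
// Assumes the DSS 5.x package layout; file names and URLs are placeholders.
import java.io.File;
import java.security.KeyStore.PasswordProtection;

import eu.europa.esig.dss.enumerations.DigestAlgorithm;
import eu.europa.esig.dss.enumerations.SignatureLevel;
import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.model.SignatureValue;
import eu.europa.esig.dss.model.ToBeSigned;
import eu.europa.esig.dss.model.x509.CertificateToken;
import eu.europa.esig.dss.pades.PAdESSignatureParameters;
import eu.europa.esig.dss.pades.signature.PAdESService;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.service.tsp.OnlineTSPSource;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.token.DSSPrivateKeyEntry;
import eu.europa.esig.dss.token.Pkcs12SignatureToken;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;

public class SignWithTestPkiChain {

    public static void main(String[] args) throws Exception {
        DSSDocument toSign = new FileDocument("file.pdf");

        // Placeholder PKCS#12: assumed to hold the signer key plus its chain up to the test root CA.
        try (Pkcs12SignatureToken token = new Pkcs12SignatureToken(
                "signer.p12", new PasswordProtection("changeit".toCharArray()))) {
            DSSPrivateKeyEntry key = token.getKeys().get(0);

            PAdESSignatureParameters parameters = new PAdESSignatureParameters();
            parameters.setSignatureLevel(SignatureLevel.PAdES_BASELINE_LT);
            parameters.setDigestAlgorithm(DigestAlgorithm.SHA256);
            parameters.setSigningCertificate(key.getCertificate());
            // Option 1: put the CA certificates next to the signing certificate in
            // SignedData.certificates. Without them, a validator that does not already
            // trust the test root cannot build the chain and so cannot match the
            // OCSP response to its issuer.
            parameters.setCertificateChain(key.getCertificateChain());

            // A test PKI is unknown to the default trust store, so the self-signed
            // root is declared trusted explicitly; the LT extension needs a chain
            // that ends at a trust anchor.
            CertificateToken testRoot = DSSUtils.loadCertificate(new File("test-root-ca.crt"));
            CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
            trusted.addCertificate(testRoot);

            CommonCertificateVerifier verifier = new CommonCertificateVerifier();
            verifier.setTrustedCertSources(trusted);
            // Revocation data for the signer and TSA chains is fetched from the
            // certificates' OCSP URLs and written into the /DSS dictionary at LT level.
            verifier.setOcspSource(new OnlineOCSPSource());

            PAdESService service = new PAdESService(verifier);
            service.setTspSource(new OnlineTSPSource("http://tsa.example.test/tsa"));

            ToBeSigned dataToSign = service.getDataToSign(toSign, parameters);
            SignatureValue signatureValue = token.sign(dataToSign, parameters.getDigestAlgorithm(), key);
            DSSDocument signed = service.signDocument(toSign, parameters, signatureValue);
            signed.save("file_signed.pdf");
        }
    }
}
```

The OCSP responder named in the certificates' AIA extension only has to be reachable from the machine that runs this code: at LT level the responses it returns are embedded in the PDF, so a later validator reads them from the /DSS dictionary rather than contacting the responder again.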

IonutCorbu commented 4 months ago

So if I have only the signing cert and its root, the self-signed CA, do I have to include the CA in SignedData.certificates? And is it also needed to add the certs up to the CA certificate for the TSA, and an OCSP response for the TSA certificate? Thank you a lot for your response!

bsanchezb commented 4 months ago

You need to provide the cert chain somehow. When a CA or root CA is present in the trusted list, it is picked up automatically. But in the case of a test PKI, the certificates are not known to the validation tool. Another option is to provide the self-signed certificate as a trusted or adjunct certificate to the DSS validation process explicitly (see Trusted Certificates and Adjunct Certificates in the documentation). The same applies to the time-stamp's certificates, but in your case they are already present within the /DSS dictionary and within the time-stamp's SignedData itself.

IonutCorbu commented 4 months ago

I included everything, including the self-signed CA of the signing certificate and also the TSA certificate and its CA, but the response is still invalid for DSS and Adobe. Only Foxit Reader recognises it, but I think it is much more permissive. I attach here file_signed_ok.pdf and DSS-Detailed-report.pdf.

It seems that now I have Basic Building Blocks REVOCATION for both the signing certificate and the TSA certificate.

I tried to add the certs to Adjunct Certificates, but it didn't change anything.

Do you know why it is not fully recognised in DSS or Adobe? I also attach screenshots of the recognition state in Adobe and Foxit: Adobe, Foxit.

In Foxit it's even recognised as PAdES B-LT, which is not true, because I include the SigningTime attribute in the signature, which is not accepted by the PAdES format.

bsanchezb commented 4 months ago

Ok, now the certificates are incorporated within the signature and successfully found during the validation process. The missing point is that, because you have a self-signed PKI, the certificates in question are not trusted by DSS by default. If you want to be able to validate the certificate chain successfully, you need to add the self-signed root certificate to the trusted store (for both the signature and the timestamp). Please see the F.A.Q., question "When validating a signature I receive INDETERMINATE/NO_CERTIFICATE_CHAIN_FOUND indication", for more information and the resolution.

I hope this will help you.

Best regards, Aleksandr
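The trusted-store and adjunct-certificate configuration referred to in the two replies above, as an added example written for this page; it is not code from the issue thread or from the dss-demonstrations project. It assumes the DSS 5.x package layout; the PDF and certificate file names are placeholders, and which certificate is a root and which an intermediate is an assumption about the reader's test PKI.

```java
// Added example (not from the issue thread): validating a PAdES signature from a
// test PKI with DSS. The self-signed roots become trust anchors; an issuer
// certificate that is neither a trust anchor nor embedded in the PDF is supplied
// as an adjunct certificate. Assumes the DSS 5.x package layout; file names are
// placeholders.
import java.io.File;

import eu.europa.esig.dss.model.DSSDocument;
import eu.europa.esig.dss.model.FileDocument;
import eu.europa.esig.dss.service.crl.OnlineCRLSource;
import eu.europa.esig.dss.service.ocsp.OnlineOCSPSource;
import eu.europa.esig.dss.simplereport.SimpleReport;
import eu.europa.esig.dss.spi.DSSUtils;
import eu.europa.esig.dss.spi.x509.CommonCertificateSource;
import eu.europa.esig.dss.spi.x509.CommonTrustedCertificateSource;
import eu.europa.esig.dss.validation.CommonCertificateVerifier;
import eu.europa.esig.dss.validation.SignedDocumentValidator;
import eu.europa.esig.dss.validation.reports.Reports;

public class ValidateWithTestPkiTrust {

    public static void main(String[] args) throws Exception {
        DSSDocument signed = new FileDocument("file_signed_ok.pdf");

        // Trust anchors: the self-signed roots of the signer's PKI and of the TSA.
        // Without these, chain building stops at an unknown issuer and the simple
        // report ends in INDETERMINATE / NO_CERTIFICATE_CHAIN_FOUND.
        CommonTrustedCertificateSource trusted = new CommonTrustedCertificateSource();
        trusted.addCertificate(DSSUtils.loadCertificate(new File("test-root-ca.crt")));
        trusted.addCertificate(DSSUtils.loadCertificate(new File("tsa-root-ca.crt")));

        // Adjunct certificates: used to complete chains, never treated as trusted.
        // Only needed for issuers the PDF itself does not carry.
        CommonCertificateSource adjunct = new CommonCertificateSource();
        adjunct.addCertificate(DSSUtils.loadCertificate(new File("tsa-intermediate-ca.crt")));

        CommonCertificateVerifier verifier = new CommonCertificateVerifier();
        verifier.setTrustedCertSources(trusted);
        verifier.setAdjunctCertSources(adjunct);
        // Online sources are consulted when the PDF (/DSS dictionary, CMS) does not
        // already carry usable revocation data for a certificate.
        verifier.setOcspSource(new OnlineOCSPSource());
        verifier.setCrlSource(new OnlineCRLSource());

        SignedDocumentValidator validator = SignedDocumentValidator.fromDocument(signed);
        validator.setCertificateVerifier(verifier);
        Reports reports = validator.validateDocument();

        // One line per signature: indication, sub-indication and the level
        // actually reached (e.g. PAdES-BASELINE-T versus PAdES-BASELINE-LT).
        SimpleReport simple = reports.getSimpleReport();
        for (String id : simple.getSignatureIdList()) {
            System.out.printf("%s: %s / %s, format %s%n", id,
                    simple.getIndication(id), simple.getSubIndication(id),
                    simple.getSignatureFormat(id));
        }
        // The detailed report holds the Basic Building Blocks (XCV, REVOCATION, ...)
        // for the signature and for each time-stamp.
        System.out.println(reports.getXmlDetailedReport());
    }
}
```

Keeping a test root in CommonTrustedCertificateSource rather than in the adjunct source is the decision that matters: an adjunct certificate only helps DSS complete a chain, it does not make the chain end at a trust anchor, which is why adding the certificates as adjunct certificates alone did not change the result earlier in this thread.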

IonutCorbu commented 4 months ago

Thank you! Finally I removed the SigningTime attribute and I was able to obtain B-LT in Adobe, but not LTV-enabled. I read that LTV-enabled is not clearly defined, so I don't know what is wrong there, but in DSS I'm able to obtain PAdES B-T, and probably I can't obtain more because the OCSP responder is on localhost, so it will not be able to receive a response.

Thank you for all the help and wish a nice day!

Best wishes, Ionut-Daniel Corbu