Fernando Gonzalez

Reputation: 148

OCSP response parsing error. Error while BER Decoding

I am trying to add an OCSP Response to a PDF document that I am signing with Bouncy Castle using CmsSignedDataGenerator

I think I'm embedding the OCSP response correctly but when I open the document in Adobe Reader 11 (offline) and check Signature Properties > Show Signer's Certificate > Revocation > Problems Encountered I see this error:

OCSP response parsing error:

Error encountered while BER decoding:

Adobe Reader does not give me any more information on this error and I don't know where to search. Does anyone know why Adobe is having problems decoding the OCSP response, or how I can get more specific information?

This is the PDF I'm trying to validate.

Any kind of help would be greatly appreciated.
Thanks

Upvotes: 3

Views: 1412

Answers (1)

mkl

Reputation: 96009

The OCSP response is embedded in the OP's signature like this:

1705 1920:             SEQUENCE {
1709    9:               OBJECT IDENTIFIER '1 2 840 113583 1 1 8'
1720 1905:               SET {
1724 1901:                 SEQUENCE {
1728 1897:                   [1] {
1732 1893:                     SEQUENCE {
1736 1889:                       SEQUENCE {
1740    1:                         ENUMERATED 0
1743 1882:                         [0] {
1747 1878:                           SEQUENCE {
1751    9:                             OBJECT IDENTIFIER
         :                               ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863:                             OCTET STRING, encapsulates {
1766 1859:                               SET {
1770 1855:                                 SEQUENCE {
1774  286:                                   SEQUENCE {
1778  126:                                     [1] {
1780  124:                                       SEQUENCE {
1782   11:                                         SET {
1784    9:                                           SEQUENCE {
1786    3:                                             OBJECT IDENTIFIER
         :                                               countryName (2 5 4 6)
1791    2:                                             PrintableString 'AU'
         :                                             }
         :                                           }

In contrast to my initial idea, the OP has not merely tried to include the basic OCSP response but indeed a complete response:

1736 1889:                       SEQUENCE {
1740    1:                         ENUMERATED 0
1743 1882:                         [0] {
1747 1878:                           SEQUENCE {
1751    9:                             OBJECT IDENTIFIER
         :                               ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863:                             OCTET STRING, encapsulates {

Unfortunately the basic OCSP response encapsulated in that OCTET STRING

1766 1859:                               SET {
1770 1855:                                 SEQUENCE {
1774  286:                                   SEQUENCE {
1778  126:                                     [1] {

is additionally embedded in a SET, which is against the specification (RFC 2560 and others):

ResponseBytes     ::= SEQUENCE {
   responseType   OBJECT IDENTIFIER,
   response       OCTET STRING }

The value for response SHALL be the DER encoding of BasicOCSPResponse.

BasicOCSPResponse      ::= SEQUENCE {
  tbsResponseData      ResponseData,
  signatureAlgorithm   AlgorithmIdentifier,
  signature            BIT STRING,
  certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }

The OP meanwhile seems to have corrected his way of (re)constructing the complete OCSP response.

Upvotes: 1
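As an added illustration of the defect the answer points out (example code written for this page, not from the question, the answer, or Bouncy Castle): a minimal DER walker that builds two constructed OCSPResponse shells, one whose response OCTET STRING directly encapsulates a SEQUENCE as RFC 2560 requires and one with the extra SET seen in the dump above, and reports which tag sits inside the OCTET STRING. The BasicOCSPResponse content is a constructed placeholder, and `encapsulated_tag` and `wrap` are names chosen here.

```python
OCSP_BASIC_OID = bytes.fromhex("06092b0601050507300101")  # OBJECT IDENTIFIER 1.3.6.1.5.5.7.48.1.1

def der(tag, content):
    """Encode one TLV with a DER definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def expect(tag, want, what):
    if tag != want:
        raise ValueError("%s: expected tag 0x%02x, got 0x%02x" % (what, want, tag))

def encapsulated_tag(ocsp_response):
    """Walk OCSPResponse -> responseBytes -> response OCTET STRING and return the
    tag of the element inside it; RFC 2560 requires 0x30 (SEQUENCE = BasicOCSPResponse)."""
    tag, body, _ = tlv(ocsp_response)
    expect(tag, 0x30, "OCSPResponse")
    tag, _, pos = tlv(body)
    expect(tag, 0x0A, "responseStatus")
    tag, ctx0, _ = tlv(body, pos)
    expect(tag, 0xA0, "responseBytes [0]")
    tag, rb, _ = tlv(ctx0)                  # ResponseBytes SEQUENCE
    tag, oid, pos = tlv(rb)
    if der(tag, oid) != OCSP_BASIC_OID:
        raise ValueError("responseType is not id-pkix-ocsp-basic")
    tag, inner, _ = tlv(rb, pos)
    expect(tag, 0x04, "response")
    return tlv(inner)[0]

# Constructed stand-in for a BasicOCSPResponse: only the outer tag matters here.
BASIC = der(0x30, der(0x30, b"") + der(0x30, b"") + der(0x03, b"\x00"))

def wrap(payload):
    """Build an OCSPResponse (status successful) whose response OCTET STRING encapsulates payload."""
    rb = der(0x30, OCSP_BASIC_OID + der(0x04, payload))
    return der(0x30, der(0x0A, b"\x00") + der(0xA0, rb))

GOOD = wrap(BASIC)            # OCTET STRING { SEQUENCE ... }: what RFC 2560 requires
BAD = wrap(der(0x31, BASIC))  # OCTET STRING { SET { SEQUENCE ... } }: the dump in the answer
```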
