I've just signed a document and added LTV too (with Document Security Store and TSA), but Adobe Reader tells me that LTV is not enabled.
I found the problem: Adobe Reader tells me that the OCSP is not embedded in the document.
After adding the time stamp, I just create the DSS dictionary and add the certificates and OCSP responses:
// template is the signed PDDocument; work on the raw catalog dictionary
PDDocumentCatalog catalog = template.getDocumentCatalog();
COSDictionary catalogDictionary = catalog.getCOSDictionary();
// build the Document Security Store
COSDictionary dssDictionary = new COSDictionary();
// CertUtils are my own helpers (not shown) that turn the OCSP responses and
// certificates into COS arrays
COSArray cosOcsps = CertUtils.getOcspResponseCosArray(ocspResp);
COSArray cosCerts = CertUtils.getCertificateCosArray(certs);
dssDictionary.setItem(COSName.getPDFName("Certs"), cosCerts);
dssDictionary.setItem(COSName.getPDFName("OCSPs"), cosOcsps);
// hang the DSS off the catalog
catalogDictionary.setItem(COSName.getPDFName("DSS"), dssDictionary);
Isn't that enough to add the OCSPs?
I sign the document like PAdES-BES. Does it need VRI? I know that it does not.
That's a sample.
The specification ETSI TS 102 778-4 (aka PAdES part 4), in Annex A.1 Document Security Store, requires the value of the OCSPs entry in a DSS dictionary to be:
An array of (indirect references to) streams, each containing a BER-encoded Online Certificate Status Protocol (OCSP) response (see RFC 2560 [8]). This array contains OCSPs that may be used in the validation of any signatures in the document.
You, on the other hand, only used an array of the BasicOCSPResponse objects which were contained in the original OCSPResponse objects you received.
OCSPResponse ::= SEQUENCE {
    responseStatus         OCSPResponseStatus,
    responseBytes          [0] EXPLICIT ResponseBytes OPTIONAL }

ResponseBytes ::= SEQUENCE {
    responseType   OBJECT IDENTIFIER,
    response       OCTET STRING }

For a basic OCSP responder, responseType will be id-pkix-ocsp-basic.
The value for response SHALL be the DER encoding of BasicOCSPResponse.

BasicOCSPResponse ::= SEQUENCE {
    tbsResponseData      ResponseData,
    signatureAlgorithm   AlgorithmIdentifier,
    signature            BIT STRING,
    certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
(from section 4.2.1 ASN.1 Specification of the OCSP Response of RFC 2560)
Probably you were not aware that you only used this inner object, because many security libraries, after requesting an OCSP response, unwrap the original OCSPResponse, check the contained OCSPResponseStatus, and (if it indicates success) only return the contained BasicOCSPResponse or (otherwise) throw some exception.
If that's the case, you can simply wrap your BasicOCSPResponse in an OCSPResponse using the OCSPResponseStatus value successful (0) before putting it into the document.
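A worked example of that wrapping step, added here as an illustration; it is not code from the question or the answer. It assumes BouncyCastle (bcprov/bcpkix) for the ASN.1 and OCSP types and PDFBox 2.x for the COS objects, and the class and method names (DssOcspHelper, wrapBasicResponse, toFullOcspResponse, addToDss) are my own. It goes one step beyond the answer in that toFullOcspResponse accepts either a bare BasicOCSPResponse or an already complete OCSPResponse and normalizes both to what the DSS /OCSPs array must contain.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.util.List;

import org.apache.pdfbox.cos.COSArray;
import org.apache.pdfbox.cos.COSDictionary;
import org.apache.pdfbox.cos.COSName;
import org.apache.pdfbox.cos.COSStream;
import org.apache.pdfbox.pdmodel.PDDocument;
import org.bouncycastle.asn1.ASN1Encoding;
import org.bouncycastle.asn1.ASN1Enumerated;
import org.bouncycastle.asn1.ASN1Sequence;
import org.bouncycastle.asn1.DEROctetString;
import org.bouncycastle.asn1.ocsp.BasicOCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPObjectIdentifiers;
import org.bouncycastle.asn1.ocsp.OCSPResponse;
import org.bouncycastle.asn1.ocsp.OCSPResponseStatus;
import org.bouncycastle.asn1.ocsp.ResponseBytes;
import org.bouncycastle.cert.ocsp.BasicOCSPResp;
import org.bouncycastle.cert.ocsp.OCSPException;
import org.bouncycastle.cert.ocsp.OCSPResp;
import org.bouncycastle.cert.ocsp.OCSPRespBuilder;

/** Hypothetical helper (example code, not from the question or answer) for filling a PAdES DSS. */
public final class DssOcspHelper {

    private static final COSName DSS = COSName.getPDFName("DSS");
    private static final COSName CERTS = COSName.getPDFName("Certs");
    private static final COSName OCSPS = COSName.getPDFName("OCSPs");

    /** The fix from the answer, when you still hold the BasicOCSPResp your OCSP client returned:
     *  wrap it in an OCSPResponse with responseStatus = successful (0) and DER-encode the result. */
    public static byte[] wrapBasicResponse(BasicOCSPResp basic) throws OCSPException, IOException {
        OCSPResp full = new OCSPRespBuilder().build(OCSPRespBuilder.SUCCESSFUL, basic);
        return full.getEncoded();
    }

    /** Same fix at the byte level, for code that only has DER bytes of unknown shape. The two
     *  structures are told apart by their first element: OCSPResponse starts with an ENUMERATED
     *  responseStatus, BasicOCSPResponse with the ResponseData SEQUENCE (RFC 2560, 4.2.1). */
    public static byte[] toFullOcspResponse(byte[] der) throws IOException, OCSPException {
        ASN1Sequence seq = ASN1Sequence.getInstance(der);
        if (seq.getObjectAt(0) instanceof ASN1Enumerated) {
            OCSPResponse full = OCSPResponse.getInstance(seq);
            int status = full.getResponseStatus().getValue().intValue();
            if (status != OCSPResponseStatus.SUCCESSFUL) {
                // tryLater/unauthorized/... responses carry no ResponseBytes and prove nothing
                // about the certificate; embedding them would not make the signature LTV-enabled.
                throw new OCSPException("OCSP responseStatus " + status + " is not successful");
            }
            return full.getEncoded(ASN1Encoding.DER);
        }
        BasicOCSPResponse basic = BasicOCSPResponse.getInstance(seq);
        OCSPResponse wrapped = new OCSPResponse(
                new OCSPResponseStatus(OCSPResponseStatus.SUCCESSFUL),
                new ResponseBytes(OCSPObjectIdentifiers.id_pkix_ocsp_basic,
                        new DEROctetString(basic.getEncoded(ASN1Encoding.DER))));
        return wrapped.getEncoded(ASN1Encoding.DER);
    }

    /** Adds certificates and OCSP responses to the catalog's /DSS as streams, the form PAdES
     *  part 4 Annex A.1 requires for both /Certs and /OCSPs. Call this on the already signed
     *  document and follow it with PDDocument.saveIncremental, otherwise the signatures break. */
    public static COSDictionary addToDss(PDDocument doc, List<byte[]> certsDer, List<byte[]> ocspsDer)
            throws IOException, OCSPException {
        COSDictionary catalog = doc.getDocumentCatalog().getCOSObject();
        COSDictionary dss = (COSDictionary) catalog.getDictionaryObject(DSS);
        if (dss == null) {
            dss = new COSDictionary();
            catalog.setItem(DSS, dss);
        }
        COSArray certs = arrayIn(dss, CERTS);
        for (byte[] c : certsDer) {
            certs.add(derStream(c));
        }
        COSArray ocsps = arrayIn(dss, OCSPS);
        for (byte[] o : ocspsDer) {
            ocsps.add(derStream(toFullOcspResponse(o)));   // normalize before embedding
        }
        // flag the touched objects so saveIncremental writes them into the update section
        catalog.setNeedToBeUpdated(true);
        dss.setNeedToBeUpdated(true);
        return dss;
    }

    private static COSArray arrayIn(COSDictionary dss, COSName key) {
        COSArray arr = (COSArray) dss.getDictionaryObject(key);
        if (arr == null) {
            arr = new COSArray();
            dss.setItem(key, arr);
        }
        arr.setNeedToBeUpdated(true);
        return arr;
    }

    /** One DER blob as a Flate-compressed PDF stream object (written as an indirect object). */
    private static COSStream derStream(byte[] der) throws IOException {
        COSStream stream = new COSStream();
        try (OutputStream out = stream.createOutputStream(COSName.FLATE_DECODE)) {
            out.write(der);
        }
        return stream;
    }
}
```

A quick self-check after embedding: read the stream bytes back with new OCSPResp(bytes) and confirm getStatus() == OCSPResp.SUCCESSFUL and that getResponseObject() is a BasicOCSPResp. If that constructor throws, the array still holds bare BasicOCSPResponse objects, which is exactly the state Adobe Reader reports as "OCSP is not embedded".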