Participating Frequently
February 19, 2016
Question

LTV and OCSP response using RFC's Local Configuration

Hello,

I'm trying to obtain an LTV-compliant signature with Adobe Reader 11.0.12. This is the certificate chain I am using:

CA --> ICA --> EE

Internal CA --> OCSP Responder

Internal CA --> TSA

I cannot use an OCSP Responder certificate issued by the same CA as the certificate being checked, so according to RFC 2560 4.2.2.2 "Authorized Responders", I would follow case 1 for the signed response:

1. Matches a local configuration of OCSP signing authority for the certificate in question;

According to Adobe Reader's security documentation acrobat_reader_security_9x.pdf in 5.3.1.1, this "local configuration" is implemented by setting the sURL in the Adobe_OCSPRevChecker registry keys to authorize responses that come from the URL that is set, regardless of whether the response is signed by the same CA or not.

I'm able to set these settings and my internal OCSP server is used instead of the certificate's when signing and validating, and the signature is valid; however, I can never get an LTV signature, and it needs to go online every time I validate the signature.

Enabling the log file for the verification I can see these entries:

OCSP response was not signed by an authorized responder.

Error encountered in processing OCSP responder certificate

Using an embedded CRL I obtain an LTV signature, but I'd rather use OCSP if it were possible. Any help?


Inspiring
February 19, 2016

Does the error that you describe occur on the same machine where you set up local configuration? If this is the case then there might be some bug which I suggest you report to Acrobat Support.

If it is on a different machine then it should be expected. Local configuration means that it works only locally. You need to have the same local configuration on each machine where your signature will be validated. My guess is that your OCSP is embedded in the signature but is rejected when the signature is validated on a machine without your local configuration, and then Acrobat goes on-line to get OCSP.

I suggest that you perform the following experiment. If you have Acrobat Pro, then uncheck "Include signature's revocation status" in the signature "Creation" preferences and sign your PDF, making sure that it is valid. Then right-click on the signature and select "Add Verification Information" (not available in the free Reader). Save and close signed PDF. Re-open this PDF and check in the Signature Properties Revocation tab whether it says that OCSP embedded in the document was used.

Participating Frequently
February 20, 2016

Thank you for your answer isakten.

The signature is validated on the same computer where it's been created, with the Local Configuration active. To create/validate the signature I override the OCSP address from the AIA extension and it works as expected; from what I read in Adobe's documentation this is enough to trust the OCSP's certificate as a responder.

I'll give more information to try to find the error, maybe it's my mistake and not Adobe's. This is one of the test configurations I've used; when I change the sURL value, Adobe Reader goes to request the OCSP response from the new one successfully.

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Security\cASPKI\cAdobe_OCSPRevChecker]
"sURL"=hex:68,74,74,70,3a,2f,2f,63,6f,73,69,67,6e,2e,70,6f,76,69,73,61,2e,6e,\
  65,74,3a,38,37,37,37,2f,61,64,73,73,2f,6f,63,73,70,00
"iURLToConsult"=dword:00000001
"iSendNonce"=dword:00000000

sURL is http://cosign.povisa.net:8777/adss/ocsp in binary ending with a null character.

This is a global configuration; in my final settings I'm using cCustomCertPrefs to target only the specific CA I'm interested in.

I've tried, as you suggested, adding the verification information not during the signature itself but later; the result is the same. I've been able to do so with the free Adobe Reader 11.0.12 version, I have the option available.
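As an added illustration (not code from the thread, from Adobe, or from the poster), the following Python decodes the sURL value from the .reg export above and models the three RFC 2560 4.2.2.2 authorized-responder cases for the chain described in the question. Certificates are simplified to a small dataclass rather than parsed X.509, and "local configuration" is modelled as a set of trusted responder names; both are assumptions for illustration, not Acrobat's actual logic.

```python
from dataclasses import dataclass
from typing import Optional

OCSP_SIGNING_EKU = "1.3.6.1.5.5.7.3.9"  # id-kp-OCSPSigning (RFC 2560 4.2.2.2 case 3)

# Constructed copy of the "sURL" line from the .reg export in this thread.
SURL_REG_LINE = (
    '"sURL"=hex:68,74,74,70,3a,2f,2f,63,6f,73,69,67,6e,2e,70,6f,76,69,73,61,2e,6e,\\\n'
    '  65,74,3a,38,37,37,37,2f,61,64,73,73,2f,6f,63,73,70,00'
)

def decode_reg_hex(line: str) -> str:
    """Decode a .reg 'hex:' value (with backslash line continuations) to a string."""
    body = line.split("hex:", 1)[1].replace("\\", "").replace("\n", "")
    raw = bytes(int(tok, 16) for tok in body.split(",") if tok.strip())
    return raw.rstrip(b"\x00").decode("ascii")  # drop the trailing NUL terminator

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    ekus: tuple = ()

def authorized_responder(signer: Cert, target_issuer: Cert,
                         local_responders: set) -> Optional[str]:
    """Which RFC 2560 4.2.2.2 case authorizes `signer` for certs issued by `target_issuer`?

    Returns the matching case name, or None (the situation behind the log line
    "OCSP response was not signed by an authorized responder").
    """
    # Case 1: local configuration of OCSP signing authority (assumed model of sURL / cCustomCertPrefs)
    if signer.subject in local_responders:
        return "local-configuration"
    # Case 2: the response is signed by the CA that issued the certificate in question
    if signer == target_issuer:
        return "issuing-ca"
    # Case 3: delegated responder certificate issued by that CA, carrying id-kp-OCSPSigning
    if signer.issuer == target_issuer.subject and OCSP_SIGNING_EKU in signer.ekus:
        return "delegated-responder"
    return None

# The chain from the question: CA -> ICA -> EE, responder issued by a separate internal CA.
ICA = Cert("ICA", "CA")
RESPONDER = Cert("OCSP Responder", "Internal CA", (OCSP_SIGNING_EKU,))

def evaluate(local_responders: set = frozenset()) -> Optional[str]:
    """Authorization of the thread's responder for EE certificates issued by ICA."""
    return authorized_responder(RESPONDER, ICA, local_responders)
```

Without the local entry the responder matches none of the three cases, which is exactly why a validator lacking that configuration rejects the embedded response and falls back to going online.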

Inspiring
February 24, 2016

Are you saying that sURL works fine when you use a different OCSP server and that you get OCSP included in LTV when you use this other OCSP server?

If this is the case then something's wrong with http://cosign.povisa.net:8777/adss/ocsp. Can you reach it? When I tried to open this link in a browser I got "Firefox can't find the server at cosign.povisa.net". Is it behind a firewall? It should not matter if the computer where you sign is on the same network.

Please, clarify.