Error parsing OCSP syntax response. Error decoding BER

I am trying to add an OCSP response to a PDF document I am signing with Bouncy Castle using CmsSignedDataGenerator.

I think I am inserting the OCSP response correctly, but when I open the document in Adobe Reader 11 (offline) and check Signature Properties > Show Subscriber Certificate > Revocation > Problems with Error, I see this error:

OCSP response parsing error:

Error decoding BER:

Adobe Reader doesn't give me any more information about this error, and I don't know where to look. Does anyone know why Adobe is having trouble decrypting the OCSP response, or how I can get more specific information?

This is the PDF I am trying to check.

Any help would be greatly appreciated. Thanks.



1 answer


The OCSP response is embedded in the OP's signature like this:

1705 1920:             SEQUENCE {
1709    9:               OBJECT IDENTIFIER '1 2 840 113583 1 1 8'
1720 1905:               SET {
1724 1901:                 SEQUENCE {
1728 1897:                   [1] {
1732 1893:                     SEQUENCE {
1736 1889:                       SEQUENCE {
1740    1:                         ENUMERATED 0
1743 1882:                         [0] {
1747 1878:                           SEQUENCE {
1751    9:                             OBJECT IDENTIFIER
         :                               ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863:                             OCTET STRING, encapsulates {
1766 1859:                               SET {
1770 1855:                                 SEQUENCE {
1774  286:                                   SEQUENCE {
1778  126:                                     [1] {
1780  124:                                       SEQUENCE {
1782   11:                                         SET {
1784    9:                                           SEQUENCE {
1786    3:                                             OBJECT IDENTIFIER
         :                                               countryName (2 5 4 6)
1791    2:                                             PrintableString 'AU'
         :                                             }
         :                                           }


Contrary to my original idea, the OP didn't just try to include the basic OCSP response, but a really complete response:

1736 1889:                       SEQUENCE {
1740    1:                         ENUMERATED 0
1743 1882:                         [0] {
1747 1878:                           SEQUENCE {
1751    9:                             OBJECT IDENTIFIER
         :                               ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863:                             OCTET STRING, encapsulates {


Unfortunately, the basic OCSP response encapsulated in that OCTET STRING

1766 1859:                               SET {
1770 1855:                                 SEQUENCE {
1774  286:                                   SEQUENCE {
1778  126:                                     [1] {

is additionally wrapped in a SET, which is contrary to the specification (RFC 2560 and others):

ResponseBytes     ::= SEQUENCE {
   responseType   OBJECT IDENTIFIER,
   response       OCTET STRING }


The response value MUST be DER encoded BasicOCSPResponse.

BasicOCSPResponse      ::= SEQUENCE {
  tbsResponseData      ResponseData,
  signatureAlgorithm   AlgorithmIdentifier,
  signature            BIT STRING,
  certs                [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }


The OP in the meantime seems to have fixed his way of (re)building the full OCSP response.

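The structural point of the answer, the ResponseBytes OCTET STRING must directly encapsulate a DER BasicOCSPResponse SEQUENCE and nothing else, can be checked mechanically. The following is an added example, not code from the question, the answer, Bouncy Castle or Adobe: a small standard-library DER walker that parses an OCSPResponse down to the OCTET STRING and reports the stray SET wrapper from the dump above. The sample BasicOCSPResponse it builds is constructed by hand with a dummy signature (responder name C=AU as in the dump, empty responses list); only its encoding matters here, not its validity as a real responder's output.

```python
# Added example (not code from the question or the answer): a minimal DER
# walker that checks whether an OCSPResponse embeds its BasicOCSPResponse
# the way RFC 2560 requires, i.e. as a bare SEQUENCE directly inside the
# ResponseBytes OCTET STRING, and flags the extra SET wrapper seen in the
# OP's dump. Pure standard library; no pyasn1 or Bouncy Castle involved.

# Universal ASN.1 identifier octets used below.
TAG_SEQUENCE = 0x30
TAG_SET = 0x31
TAG_OCTET_STRING = 0x04
TAG_OID = 0x06
TAG_ENUMERATED = 0x0A
TAG_CTX0_EXPLICIT = 0xA0                                 # [0] EXPLICIT, constructed
OID_OCSP_BASIC = bytes.fromhex("2b0601050507300101")     # 1.3.6.1.5.5.7.48.1.1


def der_length(n):
    """Encode a length in DER (short form below 128, else minimal long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(body)) + body


def read_tlv(buf, pos=0):
    """Parse the element at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        start = pos + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("length runs past end of data")
    return tag, buf[start:end], end


def check_ocsp_response(der):
    """Return 'ok' if der is a successful OCSPResponse whose ResponseBytes
    OCTET STRING directly encapsulates one BasicOCSPResponse SEQUENCE;
    otherwise return a short description of the first defect found."""
    tag, resp, end = read_tlv(der)
    if tag != TAG_SEQUENCE or end != len(der):
        return "OCSPResponse is not a single SEQUENCE"
    tag, status, pos = read_tlv(resp)
    if tag != TAG_ENUMERATED:
        return "responseStatus is not an ENUMERATED"
    if status != b"\x00":
        return "responseStatus is not successful(0); no responseBytes expected"
    tag, rb_explicit, pos = read_tlv(resp, pos)
    if tag != TAG_CTX0_EXPLICIT or pos != len(resp):
        return "responseBytes is not a single [0] EXPLICIT element"
    tag, rb, end = read_tlv(rb_explicit)
    if tag != TAG_SEQUENCE or end != len(rb_explicit):
        return "ResponseBytes is not a SEQUENCE"
    tag, oid, pos = read_tlv(rb)
    if tag != TAG_OID or oid != OID_OCSP_BASIC:
        return "responseType is not id-pkix-ocsp-basic"
    tag, octets, pos = read_tlv(rb, pos)
    if tag != TAG_OCTET_STRING or pos != len(rb):
        return "response is not a single OCTET STRING"
    # The point of the answer: what sits inside that OCTET STRING.
    tag, basic, end = read_tlv(octets)
    if tag == TAG_SET:
        return "BasicOCSPResponse is wrapped in an extra SET (tag 0x31); RFC 2560 requires a bare DER SEQUENCE"
    if tag != TAG_SEQUENCE:
        return "OCTET STRING does not encapsulate a SEQUENCE (tag 0x%02x)" % tag
    if end != len(octets):
        return "trailing bytes after BasicOCSPResponse"
    return "ok"


def build_ocsp_response(basic_ocsp_response, wrap_in_set=False):
    """Wrap an encoded BasicOCSPResponse into a successful OCSPResponse.
    wrap_in_set=True reproduces the faulty encoding from the dump above."""
    inner = tlv(TAG_SET, basic_ocsp_response) if wrap_in_set else basic_ocsp_response
    response_bytes = tlv(TAG_SEQUENCE, tlv(TAG_OID, OID_OCSP_BASIC) + tlv(TAG_OCTET_STRING, inner))
    return tlv(TAG_SEQUENCE, tlv(TAG_ENUMERATED, b"\x00") + tlv(TAG_CTX0_EXPLICIT, response_bytes))


# Constructed, syntactically valid BasicOCSPResponse with a dummy signature
# (not a real responder's output): tbsResponseData, signatureAlgorithm, signature.
_responder_name = tlv(TAG_SEQUENCE, tlv(TAG_SET, tlv(TAG_SEQUENCE,
    tlv(TAG_OID, bytes.fromhex("550406")) + tlv(0x13, b"AU"))))   # Name: C=AU, as in the dump
_tbs = tlv(TAG_SEQUENCE,
    tlv(0xA1, _responder_name)                          # responderID byName [1]
    + tlv(0x18, b"20140101000000Z")                     # producedAt GeneralizedTime
    + tlv(TAG_SEQUENCE, b""))                           # responses: empty SEQUENCE OF
_sig_alg = tlv(TAG_SEQUENCE, tlv(TAG_OID, bytes.fromhex("2a864886f70d010105")) + b"\x05\x00")  # sha1WithRSAEncryption, NULL
_signature = tlv(0x03, b"\x00" + b"\xAA" * 8)           # BIT STRING with dummy value
SAMPLE_BASIC = tlv(TAG_SEQUENCE, _tbs + _sig_alg + _signature)

GOOD = build_ocsp_response(SAMPLE_BASIC)                 # what RFC 2560 expects
BAD = build_ocsp_response(SAMPLE_BASIC, wrap_in_set=True)  # the OP's original encoding

if __name__ == "__main__":
    print("correct encoding:", check_ocsp_response(GOOD))
    print("SET-wrapped encoding:", check_ocsp_response(BAD))
```

To apply this to a real PDF, extract the OCSPResponse bytes from the adbe-revocationInfoArchival attribute (OID 1.2.840.113583.1.1.8) in the signature's CMS structure and pass them to check_ocsp_response; with Bouncy Castle, the correct bytes to embed are those of the complete OCSPResp, whose getEncoded() already yields the SEQUENCE { ENUMERATED, [0] ResponseBytes } shown in the dump, so no further SET or SEQUENCE wrapping around the BasicOCSPResponse is needed.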