Error parsing OCSP syntax response. Error decoding BER
I am trying to add an OCSP response to a PDF document I am signing with Bouncy Castle using CmsSignedDataGenerator
I think I am inserting the OCSP answer correctly, but when I open the document in Adobe Reader 11 (offline) and check Signature Properties> Show Subscriber Certificate> Revocation> Problems with Error I see this error:
OCSP response parsing error:
Error decoding BER:
Adobe Reader doesn't give me more information about this error and I don't know where to look. Does anyone know why Adobe is having trouble decrypting the OCSP response, or how can I get more specific information?
This is the PDF I am trying to check.
Any help would be greatly appreciated Thanks
source to share
The OCSP response is embedded in the OP's signature like this:
1705 1920: SEQUENCE {
1709 9: OBJECT IDENTIFIER '1 2 840 113583 1 1 8'
1720 1905: SET {
1724 1901: SEQUENCE {
1728 1897: [1] {
1732 1893: SEQUENCE {
1736 1889: SEQUENCE {
1740 1: ENUMERATED 0
1743 1882: [0] {
1747 1878: SEQUENCE {
1751 9: OBJECT IDENTIFIER
: ocspBasic (1 3 6 1 5 5 7 48 1 1)
1762 1863: OCTET STRING, encapsulates {
1766 1859: SET {
1770 1855: SEQUENCE {
1774 286: SEQUENCE {
1778 126: [1] {
1780 124: SEQUENCE {
1782 11: SET {
1784 9: SEQUENCE {
1786 3: OBJECT IDENTIFIER
: countryName (2 5 4 6)
1791 2: PrintableString 'AU'
: }
: }
Contrary to my original idea, the OP didn't just try to include the main OCSP answer, but a really complete answer:
1736 1889: SEQUENCE { 1740 1: ENUMERATED 0 1743 1882: [0] { 1747 1878: SEQUENCE { 1751 9: OBJECT IDENTIFIER : ocspBasic (1 3 6 1 5 5 7 48 1 1) 1762 1863: OCTET STRING, encapsulates {
Unfortunately the main OCSP answer encapsulated is that OCTET STRING
1766 1859: SET {
1770 1855: SEQUENCE {
1774 286: SEQUENCE {
1778 126: [1] {
additionally built into SET, which is contrary to the specification ( RFC 2560 and others):
ResponseBytes ::= SEQUENCE {
responseType OBJECT IDENTIFIER,
response OCTET STRING }
The response value MUST be DER encoded BasicOCSPResponse.
BasicOCSPResponse ::= SEQUENCE {
tbsResponseData ResponseData,
signatureAlgorithm AlgorithmIdentifier,
signature BIT STRING,
certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
The OP in the meantime seems to have fixed his way of (re) building the full OCSP answer.
source to share