Add revocation info (ocsp response) in the signatures

I'm writing an application to sign PDFs in Java.
I have already successfully signed PDFs, but I also want to add the revocation info embedded into the file. I have no problems with CRLs, but I can't add the other revocation method, an OCSP response.
To get a fully signed PDF I downloaded the Adobe Pro 9 trial version, and I'm trying to sign a PDF with revocation info. For that I selected "add revocation info when signing" in the security preferences. So I signed one PDF with revocation info activated and another one without it. Comparing both files there is a file size difference of 300 KB, so I suppose something has been added. But when I validate the PDF with Adobe Reader I can't get a valid signature in offline mode. Really I'm not sure whether Acrobat Reader doesn't understand the revocation info embedded in the PDF correctly or whether the signature itself is not correct.
If I use my program to sign the PDF and I add the CRLs, Acrobat Reader validates the signature correctly in offline mode.
Has anyone managed to sign a PDF with Adobe Pro 9 including revocation info? Or does anyone know where I can get a sample PDF with an OCSP response embedded? Or does anyone know something that could help me?
Thanks.

Hola Alfredo,
"So if I trust directly in the ocsp responder it would be a valid ocsp response, right?"
Wrong. Although nothing happens in Acrobat without trust being established, it's not enough to just assign a certificate in the chain "trust anchor" status. All of the other rules must be followed as well. As an example, although we have been discussing OCSP responses, similar rules apply to indirect CRLs. If a CA is using an indirect CRL the correct extensions in both the CRL itself and the certificate under test would need to be present. It wouldn't be enough to just trust the signer of the CRL.
"Is there any possibility in adobe to trust in the responder, the same way as I can do with the timestamp?"
It's a little more complicated than that, but Acrobat does allow for a user to establish local trust in accordance with RFC 2560, Section 4.2.2.2. You are asking about adding "a local configuration of OCSP signing authority for the certificate in question". It can be done using the registry keys defined in the Acrobat Security Administration Guide (location noted in the first reply above), Section 5.4.1.1. You need to define the iURLToConsult and the sURL (which tells Acrobat to accept any OCSP response that comes from this URL). That's the effect you are looking for. However, these are global settings and will overwrite any other certificates, so you might want to set up a Custom Cert Preference as described in Section 3.4.6.
"Adobe have any type of utility or log to show more details about the signature verification?"
Yes, check out section 5.4.4.4 of the Acrobat Security Administration Guide.
"In that last case with the nextUpdate problem it was not giving me any type of error about the OCSP, but anyway it didn't consider the response valid, as you say."
With apologies, I wasn't clear enough on this issue. It's not that Acrobat doesn't consider the response valid, but rather it doesn't consider the response usable for other than "real time" usage. An OCSP response downloaded in real time that doesn't contain the nextUpdate extension is valid (assuming all other checks are okay). It's only when you are trying to use a cached OCSP response without the nextUpdate extension that Acrobat won't accept it. The lack of the nextUpdate extension is a tool that the CAs have at their disposal to force requesting applications (in this case Acrobat) to always ask for the latest information and not rely on older data.
"And the last question, where can I get a sample pdf with an embedded valid ocsp response? do you have any sample one?"
The Acrobat Security Administration Guide has an embedded OCSP response covering the end-entity in the signing chain.
Steve

Similar Messages

  • Strange OCSP response by the Online Responder

    Hi,
    When I run certutil -verify -urlfetch on two different certificates that are issued by the same Issuing CA, the response is quite different, and that raised my concern that the Online Responder is not working as it should. Here are the two outputs:
    Output nr1.
    CRL (null):
    Issuer: CN=Server FQDN
    ThisUpdate: 2015-04-14 21:05
    NextUpdate: 2015-04-22 09:25
    39c5508bc895eef3e97d8b611d1fa1fc17d3db19
    Issuance[0] = 1.2.752.113.10.1.1.1.1 VGC-PKI CPS
    Application[0] = 1.3.6.1.5.5.7.3.2 Client Authentication
    Application[1] = 1.3.6.1.5.5.7.3.1 Server Authentication
    Output nr2.
    CRL 323e:
    Issuer: CN=CA Logical name
    ThisUpdate: 2015-04-14 22:05
    NextUpdate: 2015-04-22 10:25
    222195864225835a025a52015d5dca5fc2c71f30
    Issuance[0] = 1.2.752.113.10.1.1.1.1 VGC-PKI CPS
    Application[0] = 1.3.6.1.4.1.311.54.1.2 Remote Desktop Authentication
    Why is the first output missing CRL number and why does it produce a response with the server FQDN and not the CA logical name?
    By the way, we are running 2012 R2 on the and Online Responder.
    Please help me understand.
    Kind regards
    Mikael

    Hi Mark
    Thanks for the help. Here is the response that Mark gave.
    Mikael's question:
    Hi Mark,
    Please look through them and see if there is any clue in them to my issue. To be honest, I don't know if it is really a problem with the Online Responder or not.
    When I produced the two outputs I started by running certutil -verify -urlfetch against the certificate for vgwb0195 and then I moved on to the certificate for vgts0034.
    As you can see in the output, the first certificate, vgwb0195, has no CRL version number and the Issuer is the FQDN of the OCSP responder. The second certificate, vgts0034, has a CRL version number and the CA name in the Issuer field.
    When I later run certutil -urlcache * delete to clear my cache and do it in the opposite order, then vgwb0195 is the one that has the CRL version number and the CA name as the Issuer.
    Can you explain? Is it a bug?
    Mark's answer:
    This is normal, you are just seeing the effects of the local caching mechanism. Also, deleting the urlcache is ineffective and was replaced many years ago with this syntax:

  • OCSP response processing

    I am one of thousands of Acrobat users in a US Federal Agency.  I am introducing digital signatures using smart card credentials (FIPS-201 PIV card) on a Windows 7 machine using Acrobat to add the signature field to an existing Form.
    We need to embed the signature verification information in the Form. The CRL embeds and adds 3MB to the 240KB document size. The second signature adds another 3MB. This is unsustainable and we need to use OCSP for certificate revocation checking and embed the OCSP Response into the form. We are trying to determine why Acrobat is not using the OCSP response. The CRL cache is cleared and the signature applied. The OCSP Response is apparently ignored or fails some part of Acrobat processing. I did find a previous note ( http://forums.adobe.com/message/2752534 ) that indicates that
    "...If the OCSP response signing certificate contains a CRL distribution point (in my case CDP (CRL) and AIA (OCSP)), the online OCSP check executes, but after getting all chain certificate OCSP responses, it validates the signature against the CRL (it looks like from the local cache). It means you never get OCSP validation data in the Adobe Acrobat or Reader signature revocation tab..."
    From the PKI Shared Service Provider I received the following:
    "...when we generated the OCSP signing cert it populated the CDP and OCSP info in the AIA, which it was not supposed to. So it looks like the combination of the Adobe problem mentioned in the article and the issue with the OCSP signing cert may be causing it to ignore the OCSP info and to continue on to process the CRL."
    Can you confirm that Acrobat will fail to use the OCSP Response in our case?
    Can you offer a work-around for the issue?
    Thanks and regards, Dave

    This issue was put into Adobe support. They have identified it as a bug in CRL/OCSP processing and have escalated it into engineering. There is no estimate of when the bug will be fixed.

  • Enable Multiple Stapled OCSP Responses in IIS

    I would like to configure IIS to send multiple stapled OCSP responses when sending its certificate chain to a web client at the start of an SSL/TLS connection. Currently, IIS only sends the OCSP response (signed indication from the issuing CA that the certificate is still valid and not revoked) for the server certificate, but doesn't send it for the intermediate certificates.
    For instance, if my IIS web server certificate is issued by the Entrust CA, it may be signed by the Entrust intermediate certificate "Entrust L1C", which is then signed by the Entrust root CA certificate "Entrust 2048". In that circumstance, IIS is only sending the client the OCSP status for the server certificate, but not the OCSP validation status for the "Entrust L1C" certificate. So, the web client currently doesn't have to do an OCSP query to the Entrust CA for the server certificate (since the web server sends that OCSP response to the web client), but does have to do an OCSP query to the Entrust CA for "Entrust L1C" to verify the intermediate certificate also isn't revoked. If the web client is behind a tight firewall that doesn't allow browsing to random Internet IPs for OCSP, the web client is unable to know if the certificate is still valid. The response from the IIS forum http://forums.iis.net/post/2097704.aspx was that I should post the question here.
    How can I configure IIS to send OCSP responses (OCSP stapling) to web clients for the intermediate certificates in its certificate's chain as well? Multiple Certificate Status Request Extension is an Internet standard documented in RFC 6961 at http://tools.ietf.org/html/rfc6961. Is there a way to configure IIS to do this?

    It is working as designed. Currently OCSP Stapling only includes the revocation status for the leaf/server certificate. The assumption is that the offline CA certificates use CRLs, the CRLs are cached and should not need to be included in the stapled responses.
    Brian

  • How do you add an image in the signature

    Hi,
    How do you add an image to the signature area.
    The Insert/edit image is not available when in My Settings | Personnel Info | Signature
    Regards
    Ray Farmer

    You need to link the image.  See the example for the Canada flag below.
    <img src="http://forums.ni.com/ni/attachments/ni/130/6908/1/Canada-small.PNG" border=0>
    Replace with the image you like.  This goes into the signature box within the profile tab of the personal settings.
    RayR

  • OCSP response signature is invalid--ALC-DSS-111-005

    Hi All,
    I am using "verify pdf signature" process for signature verification for pdf having signed signature field.
    I am getting an error in status message of pdfSignatureVerificationResult as "ALC-DSS-111-005--OCSP response signature is invalid".
    Kindly provide any information to resolve this issue.
    Regards
    Abhishek

    The OCSP protocol has an option for accepting only signed requests, where the signer of the OCSP request has to be trusted by the OCSP Responder.
    LiveCycle Digital Signatures ES2 and/or Acrobat can be configured to sign OCSP requests.
    In LiveCycle, it is part of the Digital Signatures service configuration, see attached screen shots. Acrobat\Reader supports it through a registry entry. I have attached the relevant page from the Digital Signatures and Document Security administration guide.
    Regards
    Steve

  • In Yosemite Mail, there is an issue where the signatures no longer toggle as in the past. If you change the existing signature, it just adds the new one vs replacing it within the body of the message. Thoughts?

    Hi howe.sc,
    When I checked for how signatures in Yosemite work, I found this.
    Mail (Yosemite): Include signatures in messages
    Delete a signature from a message: Select the signature, then press the Delete key.
    Replace a signature in a message: Delete the existing signature, then add a different signature.
    That sounds similar to what you are describing.
    Take care,
    Nubz

  • Why can't I add text in the signature panel in firefox?

    Why can't I add text in the signature panel in Firefox? I have Adobe Acrobat Pro XI. I can open a PDF in Acrobat Pro and am able to add text to a PDF, but when I open a PDF in Firefox, the "add text" option is not available.

    When you install Acrobat XI you are also installing Reader for use in the browser. Reader is "sandboxed", or as it says in the Preferences, it is in "Protected Mode". Acrobat does not understand the concept of running in sandboxed memory (sandbox is a security feature to prevent the bad guy from exploiting a memory error and getting into a memory address where they can do damage to your computer) so to help protect Acrobat users the same way Reader users are protected we just install Reader along with Acrobat, but it is only used in the browser (part of this is because the bad guys use web sites as their primary method of distributing corrupted PDF files that can cause problems).
    That said, because you are in Reader the file needs to be Reader Enabled prior to being posted to the web site (or opened in the browser). Once the file is Reader Enabled you should be able to add the text annotations.
    Steve

  • How to add multiple presets to responsive design view without having to resize the screen each time

    I want to be able to add multiple screen size presets to the responsive design view capability, but I don't want to have to resize the screen and add each one individually via the custom preset function.
    I have seen some posts on the internet (http://g-liu.com/blog/2013/08/firefox-rdm-presets/) that say this can be done, but I cannot find where the config is held in version 26.0.

    You can also do the opposite and create custom settings in the responsive design mode window.
    You can hold down the Shift key and drag the borders via the (right border, bottom border, bottom right corner) resize icons to get specific dimensions and give the current custom setting a name to add them as a preset.
    This will add the preset to the devtools.responsiveUI.presets pref.
    See also my post here for a bookmarklet: /questions/957590
    You can paste the current value of the pref in the prompt to see a list of currently defined presets.
    You can add a new preset by entering the width,height,name values in the prompt.
    Copy the new preset list to the pref.
    javascript:(function () {
        function rdObj(w, h, n) {  // one preset in the devtools.responsiveUI.presets format
            this.key = w + "x" + h;
            if (n) this.name = n;
            this.width = w;
            this.height = h;
        }
        rdObj.prototype = { key: "", name: "", width: "", height: "" };
        var n = {}, p = '<width>x<height> <name> OR width,height,name', rd = [];
        while (p != null) {  // loop until the prompt is cancelled
            p = prompt(p, JSON.stringify(rd));
            var m = /^(\d{3,4})[,x](\d{3,4})([, ](.+))?$/.exec(p);
            if (m) {  // "1024x768 Tablet" or "1024,768,Tablet" adds a preset
                n = new rdObj(m[1], m[2], m[4]);
                rd.push(n);
            } else {  // otherwise treat the input as a pasted JSON preset list
                try { rd = JSON.parse(p); } catch (e) {}
            }
        }
    })()

  • Need Help! have an issue from my auto response email, it showing the "MIME This is a multi-part message in MIME format. " and the signature message disappeared.

    I have an issue with my auto-response email: it is showing "MIME This is a multi-part message in MIME format." and the signature message has disappeared and been replaced with some unreadable message.

    Hi msnyder1112,
    Thank you for posting in MSDN forum.
    Since this issue is related to the VB.NET, so we will move this case to VB forum:
    https://social.msdn.microsoft.com/Forums/vstudio/en-US/home?forum=vbgeneral , you will get better support.
    Thanks for your understanding.
    Best Regards,

  • Impossible to edit or add the signature in a freshly installed convergence

    We are using Directory Server 6.3,
    Messaging Server 7.0,
    Convergence patch 3.
    In the Convergence web interface it is not possible to edit or add the signature; the text box doesn't react to my input, click or mouse.
    Is there something that needs to be added to the DS in order to be able to edit the signature?
    Thank you for your help.
    regards
    Mariog.

    mario_garcia wrote:
    "Is Convergence patch-04 already released?"
    Patch -04 has not yet been released to SunSolve.
    mario_garcia wrote:
    "I can still not find it on SunSolve; however, I noticed that there are some deployments of Convergence that already have it installed. Is there an alternative way to obtain the patch?"
    Yes, you can upgrade to patch -04 by using the Comms 6 Update 1 installer, which is available here:
    http://wikis.sun.com/display/CommSuite6U1/Get+the+Software
    Run the "commpkg upgrade" command to upgrade to patch -04 of Convergence (and also upgrade other components such as Messaging Server if desired).
    Regards,
    Shane.

  • When I go to get add-ons (7.0.1), nothing shows up, except the "what are add-ons" info bubble. How do I make this work?.

    When I go to get add-ons (7.0.1), nothing shows up, except the "what are add-ons" info bubble. How do I make this work? The rest of the functions in that section seem to work. And I can search MY add-ons, but not Available Add-ons.

    Click on Extensions on the left-side.

  • I created Add Signature but it Encrypt the signature and I can't unlock it. Help

    After I created the signature it was locked, so it does not show in Annotation. Does anybody have this problem?

    ashweenicole wrote:
    servers are not down
    How can you actually say that but provide no evidence?
    Look at it this way. All of a sudden people all over the place are having problems with Siri, not everyone granted. Also it is a spontaneous issue, not presenting after new installs or jailbreaking etc etc it has just happened to lots of people.
    What country do you reside in and what makes you 100% sure the servers are not down?

  • NextUpdate, embedding OCSP response

    Hi,
    I am trying to understand revocation info and the relevant processes in the PDF signature...
    "If nextUpdate is not set, the responder is indicating that newer revocation information is available all the time".
    I have a situation where my OCSP response doesn't have nextUpdate set. This means that Reader should always check whether the certificate is revoked or not, right?
    Here is what I do right now:
    1) include signing certificate and PKCS#12 cert chain(my digital id for OCSP) in PDF signature appearance
    2) sign PDF byterange on SmartCard and set external digest on PKCS7
    3) include OCSP response in PKCS7
    QUESTION 1:
    But for some reason I don't see that the OCSP is embedded in the PDF anyway, although I see it exists in the ByteRange content.
    Any explanation?
    I have 2 signing certificates which I can use in step #1. Their intended usage:
    1) Sign transaction, Encrypt keys, Encrypt document, Client Authentication, Email Protection
    2) Sign document
    Here is the revocation info that is shown on Revocation Info Tab:
    1) ... The selected certificate is considered valid because it does not appear in a Certificate Revocation List (CRL).
    2) ... No revocation checks are done for such certificates, they are inherently considered trustworthy.
    QUESTION 2:
    Can't I use certificate #2 for embedding OCSP in the PDF?

    I am currently reading "Long-Term Digital Signatures" that states: "Revocation responses from an OCSP server are usually time stamped by the server that creates them". What does time stamped mean in the thisUpdate/nextUpdate context?
    P.S. The topic I raised is based on a custom solution that signs PDFs using iTextSharp. I am embedding the OCSP response myself; how does Reader behave when there is no nextUpdate entry?
    Regards,
    M.

  • OCSP response

    I am trying to figure out whether it is possible to add OCSP response bytes into a PDF when using an external signature.
    Currently here is what I do:
    1) calculate a hash based on the PDF bytes
    2) sign that hash on the smartcard
    3) create PKCS7 enveloped data based on the above and update the ByteRange
    When I try to add OCSP response bytes after step 3, I ruin the signed data?

    Hi,
    The document at http://learn.adobe.com/wiki/download/attachments/52658564/digital_signatures_in_PDF_9x.pdf?version=1 may be helpful for you. You need to build a hole for the signature that is large enough to contain the revocation responses, as noted in Figure 2. Once you estimate the size of the hole it has to stay fixed (to keep the hashed byte range constant), so you will need to zero-pad the unused portion of the unsigned contents dictionary.
    Steve
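The fixed-size hole Steve describes, as an added Python illustration that is not Adobe's, iText's or any poster's code; it also shows why adding OCSP bytes after the ByteRange has been hashed (the question above, and the opening post's goal of embedding revocation info) breaks the signature. The document is a constructed PDF-like byte string, SHA-256 over the ByteRange stands in for the real PKCS#7 signature, and the 512-byte hole size is an assumption.

```python
import hashlib
import re

HOLE_HEX_CHARS = 2 * 512  # assumption: room for 512 bytes of CMS + OCSP data
PLACEHOLDER = b"/ByteRange [0 0000000000 0000000000 0000000000]"

def build_document(hole_hex_chars=HOLE_HEX_CHARS):
    """Constructed PDF-like bytes: a zero-filled /Contents hex string and a
    /ByteRange that covers everything except the characters between < and >."""
    head = (b"%PDF-1.7\n1 0 obj << /Type /Sig /Filter /Adobe.PPKLite "
            + PLACEHOLDER + b" /Contents <")
    hole = b"0" * hole_hex_chars
    tail = b"> >> endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
    # [offset1 length1 offset2 length2]; offset2 is the '>' that closes the hole
    fixed = (b"/ByteRange [0 %010d %010d %010d]"
             % (len(head), len(head) + len(hole), len(tail)))
    assert len(fixed) == len(PLACEHOLDER)  # fixed width, so offsets stay valid
    return (head + hole + tail).replace(PLACEHOLDER, fixed)

def byte_range(doc):
    m = re.search(rb"/ByteRange \[(\d+) (\d+) (\d+) (\d+)\]", doc)
    return [int(x) for x in m.groups()]

def digest(doc):
    """Hash of the signed ranges; stands in for what the smart card signs."""
    a, b, c, d = byte_range(doc)
    return hashlib.sha256(doc[a:a + b] + doc[c:c + d]).hexdigest()

def der_wrap(payload):
    """Constructed stand-in for the CMS ContentInfo: a DER SEQUENCE around payload."""
    n = len(payload)
    length = bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")
    return b"\x30" + length + payload

def embed(doc, container):
    """Hex-encode the container (CMS plus OCSP response) into the hole and
    zero-pad the rest, so document length and ByteRange never change.
    Refuses if it does not fit: the hole must be sized before hashing."""
    a, b, c, d = byte_range(doc)
    hexdata = container.hex().encode()
    if len(hexdata) > c - b:
        raise ValueError("signature container larger than reserved hole")
    return doc[:b] + hexdata.ljust(c - b, b"0") + doc[c:]

def extract(doc):
    """Read the container back, using the DER length (not the padding) to find its end."""
    a, b, c, d = byte_range(doc)
    raw = bytes.fromhex(doc[b:c].decode())
    hdr, n = 2, raw[1]
    if n & 0x80:
        k = n & 0x7F
        hdr, n = 2 + k, int.from_bytes(raw[2:2 + k], "big")
    return raw[:hdr + n]

def demo():
    doc = build_document()
    before = digest(doc)  # hashed over the zero-filled hole, then signed
    signature = hashlib.sha256(before.encode()).digest()  # stand-in for the PKCS#7 signature value
    ocsp_response = b"constructed OCSP response bytes"  # constructed sample, not real DER
    container = der_wrap(signature + ocsp_response)
    signed = embed(doc, container)
    return {"hash_unchanged": digest(signed) == before,
            "roundtrip": extract(signed) == container,
            "same_length": len(signed) == len(doc)}
```

Calling demo() returns all three checks as True; embedding a container larger than the hole raises ValueError instead of silently shifting the ByteRange.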
