[
https://issues.apache.org/jira/browse/PDFBOX-6212?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
robo updated PDFBOX-6212:
-------------------------
Description:
The TestCreateSignature.testCreateSignedTimeStamp() test fails when using
DigiCert's TSA ([http://timestamp.digicert.com|http://timestamp.digicert.com/])
because the generated LTV information contains OCSP responses whose
BasicOCSPResp does not include embedded responder certificates.
Test Failure:
{code:java}
org.opentest4j.AssertionFailedError: OCSP should have at least 1 certificate
==>
Expected :true
Actual :false{code}
In RFC 6960 ( [https://datatracker.ietf.org/doc/html/rfc6960] ) it says
certs is optional
{code:java}
certs: [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
{code}
If I am correct, an OCSP response without embedded certificates should be
standard-compliant. If the BasicOCSPResp is empty, maybe /DSS/Certs should be
checked instead?
was:
The TestCreateSignature.testCreateSignedTimeStamp() test fails when using
DigiCert's TSA (http://timestamp.digicert.com) because the generated LTV
information contains OCSP responses whose BasicOCSPResp does not include
embedded responder certificates.
Test Failure:
{code:java}
org.opentest4j.AssertionFailedError: OCSP should have at least 1 certificate
==>
Expected :true
Actual :false{code}
In RFC 6960 ([https://datatracker.ietf.org/doc/html/rfc6960)] it says certs is
optional
{code:java}
certs: [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
{code}
If I am correct, an OCSP response without embedded certificates should be
standard-compliant. If the BasicOCSPResp is empty, maybe /DSS/Certs should be
checked instead?
> LTV test assumes OCSP response contains embedded certificate, but e.g.
> DigiCert OCSP responses omit it
> ------------------------------------------------------------------------------------------------------
>
> Key: PDFBOX-6212
> URL: https://issues.apache.org/jira/browse/PDFBOX-6212
> Project: PDFBox
> Issue Type: Bug
> Reporter: robo
> Priority: Minor
>
> The TestCreateSignature.testCreateSignedTimeStamp() test fails when using
> DigiCert's TSA
> ([http://timestamp.digicert.com|http://timestamp.digicert.com/]) because the
> generated LTV information contains OCSP responses whose BasicOCSPResp does
> not include embedded responder certificates.
> Test Failure:
>
> {code:java}
> org.opentest4j.AssertionFailedError: OCSP should have at least 1 certificate
> ==>
> Expected :true
> Actual :false{code}
>
> In RFC 6960 ( [https://datatracker.ietf.org/doc/html/rfc6960] ) it says
> certs is optional
> {code:java}
> certs: [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL
> {code}
>
> If I am correct, an OCSP response without embedded certificates should be
> standard-compliant. If the BasicOCSPResp is empty, maybe /DSS/Certs should be
> checked instead?
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]