Hello, I have solved the problem myself. The OCSP bytes that need to be included in the DSS field need to be the Full OCSP Response, not just the Basic OCSP Response Bytes. Now, even when I include the revocation info in both locations, offline revocation still works.
Francisco

--- Original message --

Hello,

I am trying to implement the ETSI TS 102 778-Part 4, related to the extension of Long Term Validation of Signatures using iText. It consists of adding a Document Security Store (DSS) to the catalog. I THINK I've successfully added DSS and related members by modifying iText's source code. But I have found the following strange behavior.

Here are the steps I've performed:

1. I've signed a blank PDF and embedded OCSP information in the signature (without adding DSS). I call this file B1.
2. I revoke the cert. I can still validate the file if I set "Use the time at which the signature was created" option.
3. If I set "Use Current Time" option, the file will not validate because the cert has been revoked. So far, so good.
4. I undo the revocation and I've signed the same PDF file and embedded the same OCSP response bytes BOTH in the signature and the DSS. I call this file B2.
5. I think I may have done something wrong, but this B2 file ALWAYS leads to ONLINE verification of the file regardless of the verification options I've set. Acrobat Reader 9.2 refuses to do off-line verification of the signature, despite having the embedded revocation information.

I suspect I may not have embedded the right OCSP bytes in the DSS. The OCSP bytes are the OCSP response bytes I've obtained from the OcspClientBouncyCastle class that comes with iText 2.1.7. These bytes are passed to PdfPKCS7.getAuthenticatedAttributeBytes to embed the OCSP revocation info in the signature. They are also reused and put in the Signature VRI dictionary's OCSP entry as described in the ETSI document.

Have I done anything wrong?

Thanks.

Francisco

_______________________________________________
iText-questions mailing list
iText-questions@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/itext-questions
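
Added example, not part of the original thread and not iText or BouncyCastle code: a Python check that tells a full `OCSPResponse` from a bare `BasicOCSPResponse` by DER shape (per the RFC 6960 ASN.1) and wraps the latter before it goes into the DSS. The function names and `SAMPLE_BASIC` are hypothetical; the sample bytes are constructed and only mimic the outer structure, and nothing here verifies the responder's signature.

```python
# Added example: tell a full OCSPResponse from a bare BasicOCSPResponse (RFC 6960).
# DER encoding of OID 1.3.6.1.5.5.7.48.1.1 (id-pkix-ocsp-basic).
ID_PKIX_OCSP_BASIC = bytes.fromhex("06092b0601050507300101")

def tlv(tag, content):
    """Encode one DER element with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def classify(der):
    """Classify by the first field inside the outer SEQUENCE (shape check only)."""
    try:
        tag, body, end = read_tlv(der)
        if tag != 0x30 or end != len(der):
            return "unknown"
        inner = read_tlv(body)[0]
    except (IndexError, ValueError):
        return "unknown"
    if inner == 0x0A:   # responseStatus ENUMERATED -> full OCSPResponse
        return "OCSPResponse"
    if inner == 0x30:   # tbsResponseData SEQUENCE -> BasicOCSPResponse
        return "BasicOCSPResponse"
    return "unknown"

def for_dss(der):
    """Return full OCSPResponse bytes, wrapping a bare BasicOCSPResponse."""
    kind = classify(der)
    if kind == "OCSPResponse":
        return der
    if kind != "BasicOCSPResponse":
        raise ValueError("not an OCSP structure")
    response_bytes = tlv(0x30, ID_PKIX_OCSP_BASIC + tlv(0x04, der))
    # responseStatus successful(0), then responseBytes as [0] EXPLICIT
    return tlv(0x30, tlv(0x0A, b"\x00") + tlv(0xA0, response_bytes))

# Constructed placeholder shaped like a BasicOCSPResponse (not a signed response).
SAMPLE_BASIC = tlv(0x30, tlv(0x30, b"") + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Running `classify` on the bytes written to the DSS stream before saving the PDF shows which of the two structures was actually embedded.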