
Forcing OCSP instead of CRL


I need to check the signature status of a signed document. What I need to achieve is check the revocation information of the signing certificate through OCSP and show the result of that check. Optionally I am allowed to also do a CRL check and show the result of that check. The document is signed with a certificate that has an OCSP responder URL and a CRL location. The immediate parent certificate is imported into the LC Trust Store so there are no certificates between the signing certificate and the Trust Anchor.

No matter what I do, I seem to be unable to get the OCSP response / status in the result, I always get the CRL status / result.

The sequence of actions I am running is:

- purge the certificate cache through SOAP;

- purge the CRL cache through SOAP;

- invoke the verifyPDFDocument method through SOAP.

I have attached both the PDF I am verifying, a dump of the SOAP request I am sending and a dump of the SOAP response I am getting. (The SOAP response is stripped of some data in the CRL revocationInformation node since it was about 800KB for each occurrence.)

What I am seeing on the network is that the LC server is doing an OCSP check first (screenshots of the request and response below) and then doing a CRL check (screenshot of the request below, the response is a bit big but is valid). That is something I don't understand, because as you can see from the SOAP request I am explicitly setting the crlOptionSpec to have a checkStyle of NoCheck.

I believe all these documents together make a self-contained test case showing the behaviour I am experiencing. I hope somebody can tell me what I need to configure in the SOAP request to get the OCSP response in the verifyPDFDocument output instead of the CRL response.

OCSP request (screenshot attached: OCSP-request.png)

OCSP response (screenshot attached: OCSP-response.png)

CRL request (screenshot attached: CRL-request.png)

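An added example (not from the original post and not Adobe LiveCycle code) of the OCSP part of the check the poster is after, using Python's `cryptography` package: a constructed throwaway CA and document-signing certificate stand in for the real chain, the CA itself plays the responder that the certificate's OCSP URL would point to, and `ocsp_status` validates the response (signature, serial number match, freshness) before reporting GOOD, REVOKED or UNKNOWN. All names, keys and certificates here are constructed; nothing contacts a live responder or the LiveCycle SOAP API.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

NOW = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)

def make_cert(cn, issuer_name, issuer_key, key, ca):
    return (x509.CertificateBuilder()
            .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)]))
            .issuer_name(issuer_name).public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOW - dt.timedelta(days=1))
            .not_valid_after(NOW + dt.timedelta(days=30))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))

# Throwaway issuing CA and document-signing certificate (constructed test data)
CA_NAME = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Issuing CA")])
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = make_cert("Constructed Issuing CA", CA_NAME, CA_KEY, CA_KEY, ca=True)
SIGNER_KEY = ec.generate_private_key(ec.SECP256R1())
SIGNER_CERT = make_cert("Document Signer", CA_NAME, CA_KEY, SIGNER_KEY, ca=False)

def build_ocsp_response(status, revoked_at=None):
    """Stand-in for the responder at the certificate's OCSP URL; the CA signs directly."""
    return (ocsp.OCSPResponseBuilder()
            .add_response(cert=SIGNER_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                          cert_status=status, this_update=NOW,
                          next_update=NOW + dt.timedelta(hours=1),
                          revocation_time=revoked_at, revocation_reason=None)
            .responder_id(ocsp.OCSPResponderEncoding.HASH, CA_CERT)
            .sign(CA_KEY, hashes.SHA256())
            .public_bytes(serialization.Encoding.DER))

def ocsp_status(der, cert, issuer):
    """Validate a DER OCSP response for cert and return GOOD, REVOKED or UNKNOWN."""
    resp = ocsp.load_der_ocsp_response(der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "UNKNOWN"                              # responder error: no usable status
    # The responder here is the CA itself, so its key must verify the signature
    issuer.public_key().verify(resp.signature, resp.tbs_response_bytes,
                               ec.ECDSA(resp.signature_hash_algorithm))
    if resp.serial_number != cert.serial_number:      # answer is about some other cert
        return "UNKNOWN"
    nxt = resp.next_update                            # naive UTC in older releases
    if nxt is not None and nxt.replace(tzinfo=nxt.tzinfo or dt.timezone.utc) < NOW:
        return "UNKNOWN"                              # stale response, do not trust it
    return resp.certificate_status.name
```

A real verifier would additionally check the responder certificate against the issuer (or its delegated OCSP signing certificate) before trusting the signature.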