I need to check the signature status of a signed document. What I need to achieve is check the revocation information of the signing certificate through OCSP and show the result of that check. Optionally I am allowed to also do a CRL check and show the result of that check. The document is signed with a certificate that has an OCSP responder URL and a CRL location. The immediate parent certificate is imported into the LC Trust Store so there are no certificates between the signing certificate and the Trust Anchor.
No matter what I do, I seem to be unable to get the OCSP response / status in the result, I always get the CRL status / result.
The sequence of actions I am running is:
- purge the certificate cache through SOAP;
- purge the CRL cache through SOAP;
- invoke the verifyPDFDocument method through SOAP.
I have attached the PDF I am verifying, a dump of the SOAP request I am sending and a dump of the SOAP response I am getting. (The SOAP response is stripped of some data in the CRL revocationInformation node since it was about 800KB for each occurrence.)
What I am seeing on the network is that the LC server is doing an OCSP check first (screenshots of the request and response below) and then doing a CRL check (screenshot of the request below, the response is a bit big but is valid). That is something I don't understand, because as you can see from the SOAP request I am explicitly setting the crlOptionSpec to have a checkStyle of NoCheck.
I believe all these documents together make a self-contained testcase showing the behaviour I am experiencing. I hope somebody can tell me what I need to configure in the SOAP request to get the OCSP response in the verifyPDFDocument output instead of the CRL response.
[Screenshot: OCSP request]
[Screenshot: OCSP response]
[Screenshot: CRL request]