0 Replies Latest reply on May 23, 2012 8:26 AM by Jochem van Dieten

    Forcing OCSP instead of CRL

    Jochem van Dieten Level 4

      I need to check the signature status of a signed document. What I need to achieve is check the revocation information of the signing certificate through OCSP and show the result of that check. Optionally I am allowed to also do a CRL check and show the result of that check. The document is signed with a certificate that has an OCSP responder URL and a CRL location. The immediate parent certificate is imported into the LC Trust Store so there are no certificates between the signing certificate and the Trust Anchor.

      No matter what I do, I seem to be unable to get the OCSP response / status in the result, I always get the CRL status / result.


      The sequence of actions I am running is:

      - purge the certificate cache through SOAP;

      - purge the CRL cache through SOAP;

      - invoke the verifyPDFDocument method through SOAP.

      I have attached both the PDF I am verifying, a dump of the SOAP request I am sending and a dump of the SOAP response I am getting. (The SOAP response is stripped of some data in the CRL revocationInformation node since it was about 800KB for each occurrence.)


      What I am seeing on the network is that the LC server is doing an OCSP check first (screenshots of the request and response below) and then doing a CRL check (screenshot of the request below, the response is a bit big but is valid). That is something I don't understand, because as you can see from the SOAP request I am explicitly setting the crlOptionSpec to have a checkStyle of NoCheck.


      I believe all these documents together make a self-contained test case showing the behaviour I am experiencing. I hope somebody can tell me what I need to configure in the SOAP request to get the OCSP response in the verifyPDFDocument output instead of the CRL response.


      OCSP request



      OCSP Response



      CRL request