I'm currently facing some problems when we try to add a DSS to a timestamped document. Afterwards the timestamp is not marked as LTV in Acrobat and if we try to re-add the verification data via Acrobat it crashes. You can find the document in question here.
If I add the verification data to the initial version of the file via Acrobat, there's no problem.
I compared the DSS structure (actually I didn't leave the Certs in the VRI entry, which is done by Acrobat, but this didn't make a difference to the actual situation) and the OCSP response in detail and noticed that there's only a single strange difference:
This part represents the nonce extension in two OCSP responses (left by Acrobat - working, right by a webservice - not working). The extnValue isn't a valid ASN.1 structure, which makes me think that this is the problem? The webservice/nonce in the request is out of our scope so I cannot play with this. I just want to ask if anybody can confirm that this little nonce value will make Acrobat crash and ignore the response completely?
Any comment is welcome!
I do not get a crash when I open your PDF (which I downloaded from the URL you provided) in my copy of Acrobat DC. Acrobat validates the signature fine but looks for OCSP on-line. It rejects the OCSP in DSS because it is malformed. The service that created this signature is at fault.
I'm actually still on Acrobat XI, which doesn't crash at opening time but does if I "Add Verification Information".
So you can confirm that the OCSP is malformed, great. Could you also confirm that it is because of the nonce value?
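
The nonce encoding difference discussed in this thread can be checked mechanically. The following is an added example, not code from any poster or from Adobe: it assumes the nonce Extension has already been extracted as DER bytes, and tests whether the extnValue content is itself one DER OCTET STRING (the Nonce syntax in RFC 8954) or raw bytes; the function names and sample bytes are constructed for illustration.

```python
NONCE_OID = bytes.fromhex("06092b0601050507300102")  # id-pkix-ocsp-nonce, 1.3.6.1.5.5.7.48.1.2

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal DER length")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value overruns buffer")
    return tag, buf[pos:pos + length], pos + length

def check_nonce_extension(ext_der):
    """Classify the extnValue of one DER-encoded nonce Extension."""
    tag, body, end = read_tlv(ext_der)
    if tag != 0x30 or end != len(ext_der):
        return "not a single Extension SEQUENCE"
    if not body.startswith(NONCE_OID):
        return "not the nonce extension"
    tag, extn_value, end = read_tlv(body, len(NONCE_OID))
    if tag == 0x01:  # optional 'critical' BOOLEAN precedes extnValue
        tag, extn_value, end = read_tlv(body, end)
    if tag != 0x04 or end != len(body):
        return "extnValue is not an OCTET STRING"
    try:  # the extnValue content must itself be one DER OCTET STRING
        inner_tag, nonce, inner_end = read_tlv(extn_value)
    except ValueError as exc:
        return f"raw bytes in extnValue ({exc})"
    if inner_tag != 0x04 or inner_end != len(extn_value):
        return "raw bytes in extnValue (not one OCTET STRING)"
    return f"wrapped OCTET STRING, {len(nonce)}-byte nonce"

SAMPLE_NONCE = bytes(range(16))  # constructed value, not taken from the document
WRAPPED = b"\x30\x1f" + NONCE_OID + b"\x04\x12\x04\x10" + SAMPLE_NONCE
RAW = b"\x30\x1d" + NONCE_OID + b"\x04\x10" + SAMPLE_NONCE

if __name__ == "__main__":
    for name, ext in (("wrapped", WRAPPED), ("raw", RAW)):
        print(name, "->", check_nonce_extension(ext))
```

A raw nonce that happens to begin with 0x04 followed by a matching length byte would pass this structural check, so a "wrapped" result is a necessary condition for a well-formed nonce, not proof of one.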