
Problem with embedding of revocation info in PDF signatures

anarkhos
Registered: Dec 24 2007
Posts: 9

Hi,

I’m stuck on embedding revocation information during PDF signing. I want to make Acrobat embed the OCSP response related to the digital ID that is used for signing. However, the signed PDF doesn’t contain revocation info even though the OCSP check is successful and the result is valid.

I have extracted the PKCS#7 data from the signed PDF and viewed it with an ASN.1 viewer. When I search for the value “1 2 840 113583 1 1 8”, which is the OID for adbe-revocationInfoArchival as specified in the PDF 1.7 Reference, I see that the PKCS#7 data in the signed PDF doesn’t contain revocation info. At this point, I have also tried a signed PDF from Adobe (e.g. Acrobat_8_security_admin_guide.pdf) and seen that it contained adbe-revocationInfoArchival with a valid DER-encoded OCSP response as its contents.

When validating the signature later, Acrobat goes online and requests revocation info from the OCSP server instead of consulting embedded revocation info. This is expected since there’s no embedded revocation info in the signature. The revocation message is as follows, which states that an OCSP request is sent for validation:
“The selected certificate is considered valid because it has not been revoked, as verified in real-time using the Online Certificate Status Protocol (OCSP)”

My digital ID setup is basically as follows:
-> Karakaya CA (CA root)
-->> KGC CA (ICA, OCSP signer)
--->>> Ahmet ISIK (End Entity)

KGC CA is both ICA and the OCSP response signer here. Certificate of KGC CA is a trusted identity in Acrobat and includes OcspSign in ExtendedKeyUsage field.

The settings and environment are described below:
- Acrobat 8.1.1 EN
- Windows XP Pro – US En locale
- Soft keys, produced with EJBCA
- “Include signer’s revocation info when signing” is set to true.
- Registry:
\cASPKI\cAdobe_LTVProvider\iUseArchivedRevInfo = DWORD:2 (Always)
\cASPKI\cASPKI\cVerify\iReqRevCheck = DWORD:2 (Do a check IF CRLDp or AIA information resides in the certificate or registry; all checks must succeed if there is data and a check occurs)

- The signature field in form is set to require ocsp response embedding

I’ve tried everything I can find in the PDF Reference and the Security Administration Guide with no success. Any help will be greatly appreciated.

If you need to access our OCSP server, please let me know so I can open the server to the outside.

Thanks in advance,

Greetings,

Ahmet ISIK
Adobe Partner Consultant

******** End Entity Certificate text dump is as follows ******************

-- message 1 --
SEQUENCE {
SEQUENCE {
CONTEXT_0 {
INTEGER = 2
}
INTEGER = 2130424438578257624
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = kgc.com.tr
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 10
UTF8STRING = KGC Ltd.
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 7
UTF8STRING = ANKARA
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 6
PRINTABLESTRING = TR
}
}
}
SEQUENCE {
UTCTIME = 071225102422Z
UTCTIME = 091224102422Z
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = Ahmet ISIK
}
}
}
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 1
NULL =
}
}
CONTEXT_3 {
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 19
BOOLEAN = TRUE
OCTET_STRING = 3000
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 15
BOOLEAN = TRUE
OCTET_STRING = 030206C0
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 14
OCTET_STRING = 0414D064724F60619A6145A22D2E892E9316C6550BF5
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 35
OCTET_STRING = 3016801456A76D0414504A2BE2CCEEEC417C5A6235628850
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 31
OCTET_STRING = 30773075A073A071866F687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F776562646973742F63657274646973743F636D643D63726C266973737565723D4F3D4B4743204C74642E2C204C3D414E4B4152412C20434E3D6B67632E636F6D2E74722C20433D5452
}
SEQUENCE {
OBJECTIDENTIFIER = 1 3 6 1 5 5 7 1 1
OCTET_STRING = 303F303D06082B060105050730018631687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F7374617475732F6F637370
}
}
}
}
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
BIT_STRING = 0011101011010100001010001000011110101101001100100110001100101011110100111111010100110001010001011010110111011101100001011010101011000101111101000011101001101100110000111110001110111001111011111110101111100101110010010100100100101111010010010001000010000000100101000011101100010100010101100011001000000101111110100101101010001001010001011110001101000101010101010110000001010101011100010011010100111111110010110101000100110100101001000000011011110110111111101011011010011110100001111110001101000001100111101100001001011001010011100110011001010010010101111110100101101011011010001110100001110100010110010101010101101011010101000110011101001100000010111111001011100110010010100011110001010011000001000100101011110010011001100110011110010111011100000010101001101101001001011000110011101101111111001100110011010111010001100001001110011001100011010011001100000001010111101101011100101010010001000111101010011111001101101111101110111010010100111101011101010010111111110010110010011110101001100001111101111001111100111001000010111010110111001000000001010000000001010100001001011111010000111011100010111011010100000101000001100000010011101100010100100101111111010100001101000110011001111010000100110101100110100100100101010100111010111110011101100111000100011000000010010101100001101111000101100100001100111110011101011101101111011011001000101110010110011100100001111110010010110001000100111010010111010011101000001110110101110000001001111001111001111101110011010001010100100101100000110110111101001111100111010101001100101100110001011110000110011101101010111110011110010011000101000111110110111100000110010100110110010000000101001101111101101001110100010100010010010111101100011000000001001010100101110111010000111111110100100001010011110010011110011111011111011011100011000000110011110001011111011000111100100000110101011001100111001101100100110110000101010101001001110011101111001101000100000010010001111001110101111111101001110101010111000101010100010010100010000111011100000111111110110110110
1111111011111011100110000100111111001100011111111010001101001
}

********** ICA CERTIFICATE *********************
-- message 1 --
SEQUENCE {
SEQUENCE {
CONTEXT_0 {
INTEGER = 2
}
INTEGER = 4029280041362968769
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = karakaya.com
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 10
UTF8STRING = Karakaya A.S.
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 7
UTF8STRING = ANKARA
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 6
PRINTABLESTRING = TR
}
}
}
SEQUENCE {
UTCTIME = 071225102015Z
UTCTIME = 121223102015Z
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = kgc.com.tr
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 10
UTF8STRING = KGC Ltd.
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 7
UTF8STRING = ANKARA
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 6
PRINTABLESTRING = TR
}
}
}
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 1
NULL =
}
}
CONTEXT_3 {
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 19
BOOLEAN = TRUE
OCTET_STRING = 30030101FF
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 15
BOOLEAN = TRUE
OCTET_STRING = 03020106
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 37
OCTET_STRING = 300A06082B06010505070309
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 14
OCTET_STRING = 041456A76D0414504A2BE2CCEEEC417C5A6235628850
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 35
OCTET_STRING = 30168014D52450B36C587B78242B2378A1684D32834F5E6F
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 31
OCTET_STRING = 305C305AA058A0568654687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F776562646973742F63657274646973743F636D643D63726C266973737565723D4B6172616B6179612047726F7570
}
SEQUENCE {
OBJECTIDENTIFIER = 1 3 6 1 5 5 7 1 1
OCTET_STRING = 303F303D06082B060105050730018631687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F7374617475732F6F637370
}
}
}
}
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
BIT_STRING = 1000111011100101110111000101111111111001101011000101010101010110011001001001011010010010101110111100110110001111100010111011000101001111000011110111000100010110000111011010111000000011111010101110100001101111100011111011110000010111100010101100000001001111001101110100110110101000011101101010000111111100101110011000110100110001110000101010010111101111110000100100001110000011100011001011110010101000000001110111010110101010010111001001110110100100001001000010010010010111010110001101010100101111110000110000100011100010000111100101001110000100001011111100110001111111011111111001000000110011110111100011011000010111001011100000110001110001000010100101111001110000001110001101001001100100101100100000100110110110000000001101010100001100110110110111101000011101011010000001100100010000101100111001010010000101010110110110000110011000111000100011111111101100110110010101000010100010001111100000001101101100001110100100100110110010000100100100111111110111010111110000110111110110110000001001111001011010011000101110100100010111101111010000110000010011101001010001111010111110100110110100111100100011110000101010100001011111101001011101001000000101000011001111011110100001000000000110101110000001011110001110010100100100000010011111000101000100100101101010011101100100000000101001101001011110001110110111100110100001011110001111001000101110110000010001111000110010100111011111111101100101111110001010001111101101110100101101111110011110110011000000011110001101110011110101111100101001011010000111111101100010110011011101010111110001001010010010010101110001000000110011011000110111010110100000011010111010110001001110001011011111101000110001011101101101000111010110011111001101011111111010000001010010101000100101110011101100100001111110000001011111011101101101110110110101000101001010101100011111111000100100000111111101011010010101011111001110101000010111010000001101011011101001111110010010100101010001010011000000010001111100010011000110001100001000111110010000000101111010010111100011000
1010011111000000011000111100110011011001011100110101000111010
}

************* CA CERTIFICATE ***************
-- message 1 --
SEQUENCE {
SEQUENCE {
CONTEXT_0 {
INTEGER = 2
}
INTEGER = 1926811572986189426
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = karakaya.com
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 10
UTF8STRING = Karakaya A.S.
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 7
UTF8STRING = ANKARA
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 6
PRINTABLESTRING = TR
}
}
}
SEQUENCE {
UTCTIME = 071225101214Z
UTCTIME = 271220101214Z
}
SEQUENCE {
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 3
UTF8STRING = karakaya.com
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 10
UTF8STRING = Karakaya A.S.
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 7
UTF8STRING = ANKARA
}
}
SET {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 4 6
PRINTABLESTRING = TR
}
}
}
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 1
NULL =
}
}
CONTEXT_3 {
SEQUENCE {
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 19
BOOLEAN = TRUE
OCTET_STRING = 30030101FF
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 15
BOOLEAN = TRUE
OCTET_STRING = 03020106
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 14
OCTET_STRING = 0414D52450B36C587B78242B2378A1684D32834F5E6F
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 35
OCTET_STRING = 30168014D52450B36C587B78242B2378A1684D32834F5E6F
}
SEQUENCE {
OBJECTIDENTIFIER = 2 5 29 31
OCTET_STRING = 305C305AA058A0568654687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F776562646973742F63657274646973743F636D643D63726C266973737565723D4B6172616B6179612047726F7570
}
SEQUENCE {
OBJECTIDENTIFIER = 1 3 6 1 5 5 7 1 1
OCTET_STRING = 303F303D06082B060105050730018631687474703A2F2F61686D65746973696B3A383038302F656A6263612F7075626C69637765622F7374617475732F6F637370
}
}
}
}
SEQUENCE {
OBJECTIDENTIFIER = 1 2 840 113549 1 1 5
NULL =
}
}

Talyas
Registered: Dec 27 2007
Posts: 8
Hi,

When you try to work with CRL, do you get better results?

Tal
anarkhos
Registered: Dec 24 2007
Posts: 9
My PKI infrastructure provides both CRL and OCSP.

Besides, I think I’ve found the problem. It is related to the timestamp. Without a proper timestamp, embedded revocation info has no meaning. When I configured my CA’s TS server, Acrobat embedded the revocation info.
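Added example, not code from the thread, from Adobe or from EJBCA: a stdlib-only Python DER reader that decodes the extension values copied from the certificate dumps in the first post (the ICA's extendedKeyUsage, the AIA OCSP URL, the key usage bits) and then performs the two checks this thread turns on: whether the adbe-revocationInfoArchival attribute (1.2.840.113583.1.1.8) is present in a SignerInfo's signed attributes, which is what the original poster searched for, and whether an RFC 3161 timeStampToken attribute (1.2.840.113549.1.9.16.2.14) is present in the unsigned attributes, which the last post identifies as the prerequisite. All function names are my own; the SignerInfo attribute sets are constructed placeholders (empty SEQUENCEs stand in for an OCSPResponse and a TimeStampToken), not real signatures, and the parser only handles tag numbers below 31, which is enough for these structures.

```python
# Added example (not from the thread, Adobe or EJBCA): stdlib-only DER helpers
# for reading the ASN.1 viewer output in the thread and for checking which
# LTV pieces a SignerInfo's attribute sets carry. The hex extension values used
# in __main__ are copied from the certificate dumps; the attribute sets are
# constructed placeholders, not real signatures.

ADBE_REVINFO = "1.2.840.113583.1.1.8"                 # adbe-revocationInfoArchival
ID_KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"             # id-kp-OCSPSigning
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"                    # id-ad-ocsp (AIA access method)
ID_AA_TIMESTAMP_TOKEN = "1.2.840.113549.1.9.16.2.14"  # RFC 3161 timeStampToken attribute


def _read_tlv(buf, pos):
    """Return (tag, header length, body length) for the TLV at pos; tags < 31 only."""
    tag, ln, hdr = buf[pos], buf[pos + 1], 2
    if ln & 0x80:                                    # long-form length
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, hdr, ln


def parse(buf):
    """Parse DER into a list of (tag, value); constructed nodes hold a child list."""
    out, pos = [], 0
    while pos < len(buf):
        tag, hdr, ln = _read_tlv(buf, pos)
        body = buf[pos + hdr:pos + hdr + ln]
        out.append((tag, parse(body) if tag & 0x20 else body))
        pos += hdr + ln
    return out


def decode_oid(body):
    """Decode OID content octets to dotted form (the viewer shows '2 5 29 37' style)."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def oids_in(tree):
    """Yield every OID anywhere in a parsed tree, depth first."""
    for tag, val in tree:
        if tag == 0x06:
            yield decode_oid(val)
        elif isinstance(val, list):
            yield from oids_in(val)


def decode_eku(hexval):
    """ExtKeyUsage value -> list of dotted OIDs."""
    (_, oids), = parse(bytes.fromhex(hexval))
    return [decode_oid(body) for _, body in oids]


def decode_aia(hexval):
    """AuthorityInfoAccess value -> [(accessMethod OID, URI)]."""
    (_, descs), = parse(bytes.fromhex(hexval))
    return [(decode_oid(m[1]), loc[1].decode("ascii")) for _, (m, loc) in descs]


def decode_key_usage(hexval):
    """KeyUsage BIT STRING -> names of the set bits (body[0] is the unused-bit count)."""
    names = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]
    (_, body), = parse(bytes.fromhex(hexval))
    bits, width = int.from_bytes(body[1:], "big"), 8 * (len(body) - 1)
    return [n for i, n in enumerate(names) if bits >> (width - 1 - i) & 1]


def _tlv(tag, body):
    """Minimal DER encoder (definite lengths) used only to build the samples."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    """Dotted OID -> full DER TLV (tag 0x06), base-128 arcs as in X.690."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))


def attribute(oid, value_der):
    """CMS Attribute ::= SEQUENCE { attrType OID, attrValues SET OF ANY }."""
    return _tlv(0x30, encode_oid(oid) + _tlv(0x31, value_der))


def ltv_material(signed_attrs_der, unsigned_attrs_der):
    """Report the revocation-archival signed attribute and the timestamp-token
    unsigned attribute; works on [0]/[1] IMPLICIT-tagged sets from a real SignerInfo
    too, since any constructed tag is descended."""
    return {
        "revocation_info": ADBE_REVINFO in set(oids_in(parse(signed_attrs_der))),
        "timestamp_token": ID_AA_TIMESTAMP_TOKEN in set(oids_in(parse(unsigned_attrs_der))),
    }


# Constructed samples. RevocationInfoArchival carries OCSP responses under [1] EXPLICIT
# SEQUENCE OF OCSPResponse; an empty SEQUENCE stands in for the response / token here.
_PLACEHOLDER = _tlv(0x30, b"")
SIGNED_WITH_REVINFO = _tlv(0x31, attribute(
    ADBE_REVINFO, _tlv(0x30, _tlv(0xA1, _tlv(0x30, _PLACEHOLDER)))))
SIGNED_WITHOUT_REVINFO = _tlv(0x31, attribute(          # messageDigest attribute only
    "1.2.840.113549.1.9.4", _tlv(0x04, b"\x00" * 20)))
UNSIGNED_WITH_TIMESTAMP = _tlv(0x31, attribute(ID_AA_TIMESTAMP_TOKEN, _PLACEHOLDER))

if __name__ == "__main__":
    print("ICA EKU:", decode_eku("300A06082B06010505070309"))
    print("AIA:", decode_aia("303F303D06082B060105050730018631687474703A2F2F61686D6574"
                            "6973696B3A383038302F656A6263612F7075626C69637765622F73746174"
                            "75732F6F637370"))
    print("EE keyUsage:", decode_key_usage("030206C0"), "ICA:", decode_key_usage("03020106"))
    print("adbe-revocationInfoArchival DER:", encode_oid(ADBE_REVINFO).hex())
    print("with revinfo + TS:", ltv_material(SIGNED_WITH_REVINFO, UNSIGNED_WITH_TIMESTAMP))
    print("without either:", ltv_material(SIGNED_WITHOUT_REVINFO, b""))
```

On a real file, the bytes to feed `ltv_material` are the SignerInfo's signedAttrs and unsignedAttrs taken from the CMS SignedData found in the signature dictionary's /Contents string; the same `oids_in` walk over the whole SignedData also answers the poster's original question of whether `1.2.840.113583.1.1.8` appears anywhere in the blob.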