[Pki-users] Pki-users Digest, Vol 101, Issue 4

Alexander ricardoalx.perez at gmail.com
Wed Sep 21 17:04:34 UTC 2016


Hi John, thanks for answering...

Yes it is, my CA is trusted by the Adobe application.

I solved it partially, but I think the problem is with the certificate of
the OCSP.

*Solution:*

1. Enable logging for Adobe Acrobat or Adobe Reader to see more details of the
error.

Check this info:
http://www.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/acrobat_reader_security_9x.pdf

Page 127
5.3.4.4 Validation Certificate Data Logging

Example 5.7: Chain building log file settings
*[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_ChainBuilder]*
*"ILogLevel" = dword: 00000008*
*"SLogFilePath" = <BINARY path to existing directory for log file>*

The folder path has to exist, but Acrobat will create the file if it's
missing. For example, if you want to save the file to
C:\LogFile\digSigLog.txt the folder LogFile would have to exist on the C
drive, but the log file itself will get created if it's not there already.

When you type in the file path and name in the Edit Binary Value dialog in
regedit, make sure you null terminate the string by typing a zero at the
end of the hex data on the left side of the dialog. It will look like a dot
on the right side, but it's not really a dot (a dot is 2E in hex).

2. Signature Validation RevCheck

http://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#SignatureValidationRevCheck%28OCSP%29

*[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI\cAdobe_OCSPRevChecker]*
*"iReqRevCheck" = dword: 1*

*iReqRevCheck:* Indicates whether revocation checks are required to succeed
on the OCSP response.
*Set this value to 1* (1: Do a check IF the certificate has the AIA extension or
responder info is in the registry; don't fail if the check fails.)

After setting these values in the registry, it indicated that the signatures
are valid.

If I leave the default value of 2 (2: Do a check IF the certificate has the AIA
extension or responder info is in the registry; all checks must succeed if
there is data and the check occurs), I continue to receive the same error
message.


*So I think the key to solving the problem completely is:*

The OCSP certificate or certificates used to sign must have the Authority
Information Access (AIA) certificate extension, or the responder info must be
in the registry.

I really do not know how to do this or how to verify that the certificates
comply with this requirement.

2016-09-21 11:00 GMT-05:00 <pki-users-request at redhat.com>:

> Today's Topics:
>
>    1. Re: ocsp doesn't work on the client side - "OCSP response
>       signature invalid" (John Magne)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 20 Sep 2016 14:02:37 -0400 (EDT)
> From: John Magne <jmagne at redhat.com>
> To: Ricardo Alexander Perez Ricardez <rperez at osh.com.mx>
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] ocsp doesn't work on the client side - "OCSP
>         response signature invalid"
> Message-ID:
>         <1939478162.975581.1474394557729.JavaMail.zimbra at redhat.com>
> Content-Type: text/plain; charset=utf-8
>
> Is your CA being trusted by the Adobe application in question?
>
> ----- Original Message -----
> From: "Ricardo Alexander Perez Ricardez" <rperez at osh.com.mx>
> To: pki-users at redhat.com
> Sent: Thursday, September 15, 2016 1:12:21 PM
> Subject: [Pki-users] ocsp doesn't work on the client side - "OCSP response
> signature invalid"
>
> Error: "OCSP response signature invalid"
>
>
> On the server side I have configured an instance of pki working properly,
> I have two subsystems a CA, and OCSP.
>
> On the client side I have a valid certificate that I use to sign a PDF
> document
>
> In Adobe Reader or Adobe Acrobat I perform the following steps:
>
> 1. Signing a PDF document
> 2. Validate Signature
> 3. I receive the message: "The validity of the signature is unknown"
> 4. Click on: Check the properties of signature
> 5. Click on: Show signer certificate
> 6. Click: Revocation tab
>
> The following message is displayed:
>
> We attempted to determine whether the certificate is valid by performing a
> revocation check using the protocol online certificate status (OCSP Online
> Certificate Status Protocol).
> The OCSP response was signed by "OCSP Signing CA Certificate" on
> 2016/09/15 14:53:06 -05'00 '.
> Click Details signer for more information on the source of the revocation
> information.
> Click trouble seeing the problems encountered when performing this check
> revocation.
>
> 6. Click on: Problems Found
> 7. I get the message: "OCSP response signature invalid"
>
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
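The two registry settings from the reply above, plus the AIA check the author asks about, as an added PowerShell example (not code from the post, from Adobe or from the PKI project). It assumes the Acrobat 8.0 key path quoted in the post, an ASCII encoding for the REG_BINARY log path, and a placeholder certificate file path.

```powershell
# Added example: apply the chain-builder logging and OCSP revocation settings
# described in the post, then inspect a certificate for the AIA extension.
# Assumption: Acrobat 8.0 key path from the post; adjust the version segment
# for other releases.
$base = 'HKCU:\Software\Adobe\Adobe Acrobat\8.0\Security\cASPKI'

# 1. Chain-builder logging. SLogFilePath is REG_BINARY holding the path as a
#    NUL-terminated byte string (the trailing 0x00 the post says to type in
#    regedit). Assumption: the path is stored as single-byte ASCII.
$logDir  = 'C:\LogFile'
$logFile = Join-Path $logDir 'digSigLog.txt'
if (-not (Test-Path $logDir)) { New-Item -ItemType Directory -Path $logDir | Out-Null }  # folder must exist
$chain = Join-Path $base 'cAdobe_ChainBuilder'
if (-not (Test-Path $chain)) { New-Item -Path $chain -Force | Out-Null }
$pathBytes = [byte[]]([System.Text.Encoding]::ASCII.GetBytes($logFile) + [byte]0)
Set-ItemProperty -Path $chain -Name 'ILogLevel'    -Value 8          -Type DWord
Set-ItemProperty -Path $chain -Name 'SLogFilePath' -Value $pathBytes -Type Binary

# 2. OCSP revocation checking. The default 2 requires every OCSP check to
#    succeed; the post's value 1 still performs the check but does not fail on
#    an error, so it masks an invalid responder signature rather than fixing it.
$ocsp = Join-Path $base 'cAdobe_OCSPRevChecker'
if (-not (Test-Path $ocsp)) { New-Item -Path $ocsp -Force | Out-Null }
Set-ItemProperty -Path $ocsp -Name 'iReqRevCheck' -Value 1 -Type DWord

# 3. Check whether a certificate (e.g. the exported OCSP signing certificate)
#    carries the Authority Information Access extension, OID 1.3.6.1.5.5.7.1.1.
function Get-AiaExtension {
    param([Parameter(Mandatory)][string]$CertPath)   # DER or PEM .cer file
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    $aia  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if ($null -eq $aia) {
        "No AIA extension in '$($cert.Subject)'"
    } else {
        # Format($true) renders the OCSP and CA Issuers access URIs, one per line
        $aia.Format($true)
    }
}

# Placeholder path to the certificate under test
Get-AiaExtension -CertPath 'C:\certs\ocsp-signing.cer'
```

Run step 3 against each certificate in the chain that signs OCSP responses; a certificate that prints no AIA entry is the one Acrobat cannot resolve a responder for.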