Force OCSP response in PDF PAdES signature

Posted: 01/07/2014 10:59:48
by Lesmes González (Basic support level)
Joined: 01/07/2014
Posts: 3

I am evaluating the SecureBlackBox library in order to use it in a project and I am stuck on a probably stupid thing...

I need to control the kind of revocation that is included in the PAdES signature. I mean, if my application is configured to use CRL, it should include only CRL information or if my application is configured to use OCSP, it should only include OCSP responses.

I am playing with the provided PAdES example, with a certificate that has 3 elements in its certificate chain, and if I check "Automatically collect revocation information" it includes in the signature the OCSP response of the intermediate certificate and the CRL related to the end user certificate.

Is it possible to force to use only CRL or only OCSP?

Posted: 01/07/2014 11:04:48
by Ken Ivanov (Team)

Hello Lesmes,

Your goal is achievable by configuring the underlying TElX509CertificateValidator component, which is responsible for the actual validation and collection of revocation information. To access the validator object, please handle the OnCertValidator prepared event of the security handler and adjust the following properties:

- MandatoryRevocationCheck: true,
- MandatoryCRLCheck: false,
- MandatoryOCSPCheck: false,
- RevocationCheckPreference: rcpPreferOCSP (or rcpPreferCRL if you wish to only collect CRLs).

Posted: 01/08/2014 05:06:04
by Lesmes González (Basic support level)
Joined: 01/07/2014
Posts: 3

Thank you for the quick response!

That solution works well for the end-user certificate, but for the intermediate certificate it always includes the OCSP response in the signature no matter what I configure in the RevocationCheckPreference or MandatoryCRLCheck/MandatoryOCSPCheck. Is there any workaround to this?

My question might look a little strange, but our application sometimes is executed in environments that have to pass a firewall to get to the CRL or OCSP servers and sometimes one of them is blocked, so I need to have the control to force one of them.

Posted: 01/08/2014 11:36:52
by Ken Ivanov (Team)

Hello Lesmes,

This means that your intermediate certificate probably only has OCSP as its revocation information distribution mechanism. If there's no CRL for the certificate, the component (under the 'preferential' configuration) will use the other available revocation information retrieval source (e.g. the OCSP service).

BTW, firewalls rarely affect one type of revocation information source and not affect the other at the same time. Both CRLs and OCSP responses are normally exposed via an HTTP interface, so any CRL and OCSP requests are generic HTTP (web) requests from a firewall's viewpoint.

Posted: 01/09/2014 04:24:55
by Lesmes González (Basic support level)
Joined: 01/07/2014
Posts: 3

That's it. Thank you very much.
