#3 LTV/OSCP fail

[eli]

Hi! I have been trying to sign with PAdES-LTV But I was unable, Here I provide the most info I have gathered:

Bug Report: PAdES-LTV failure (UNSPECIFIED) and excessive padding (5.1MB file size)

Description

When signing a PDF using a Spanish DNIe (Smartcard) or an FNMT certificate with LTV (Long Term Validation) enabled, the signature process fails to embed the OCSP response correctly. This results in:

1. An "UNSPECIFIED" certificate chain validation error in the UI.
2. A massive output file (approx. 5.1MB) filled with 0x30 (ASCII '0') padding.
3. A signature that validates only as PAdES-T (Timestamp) instead of PAdES-LTV in official validators (e.g., RedSARA Valide).

Environment

• OS: Debian GNU/Linux
• Software: eMark PDF Signer v1.1.3 (Java 8)
• Middleware: OpenSC (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
• Certificate Authority: FNMT-RCM / Dirección General de la Policía (DNIe)

Technical Analysis

Following a deep trace of the application using tcpdump and java -Djavax.net.debug=all, the root cause was identified:

1. Network Layer: The OCSP request to http://ocsp.dnie.es is successful. The server returns HTTP 200 OK with Content-Type: application/ocsp-response and a payload of ~3978 bytes.
2. Application Layer: The software fails to ingest the response. The log shows:
   WARNING: Embedded OCSP response is not byte array, cannot parse
3. The Bug: It appears the code in com.codemuni.service.SignatureVerificationService (method checkRevocationStatus) expects the HTTP connection content to be a native byte[]. However, the Java 8 URLConnection returns an InputStream.
4. Padding Issue: Because the OCSP parsing fails, the software aborts the embedding process but fails to shrink the pre-allocated 5MB signature placeholder, leaving it filled with null/zero padding.

Evidence

Application Log excerpt:
```text
INFO: Checking certificate revocation status for [...]
INFO: OCSP: Found embedded OCSP response - parsing for revocation time
WARNING: Embedded OCSP response is not byte array, cannot parse
INFO: Timestamp found - performing RFC 3161 verification

More data from log

~/emark$ grep -i -B3 -A10 "WARNING: Embedded OCSP response|Asn1Exception|MalformedURLException" log04.txt
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService checkRevocationStatus
INFO: OCSP: Found embedded OCSP response - parsing for revocation time
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService checkRevocationStatus
WARNING: Embedded OCSP response is not byte array, cannot parse
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Signature Algorithm: Hash=SHA256, Encryption=RSA
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Hash algorithm strength: ACCEPTABLE
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Timestamp found - performing RFC 3161 verification
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifyTimestamp
INFO: === Timestamp Verification (CCA Requirement) ===
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifyTimestamp
INFO: Step 1: Timestamp found - Date: Mar 06, 2026 02:26:57

Packet Capture (tcpdump) excerpt:

in attached file.

Suggested Fix
Update the OCSP response handler to properly consume the InputStream from the HttpURLConnection and convert it to a byte[] before passing it to the Bouncy Castle / OpenPDF parser.
java

// Ensure the stream is fully read into a byte array
InputStream is = connection.getInputStream();
ByteArrayOutputStream buffer = new ByteArrayOutputStream();
int nRead;
byte[] data = new byte[16384];
while ((nRead = is.read(data, 0, data.length)) != -1) {
buffer.write(data, 0, nRead);
}
byte[] ocspBytes = buffer.toByteArray();
// Process ocspBytes...

[eli]

Hi! @devcodemuni Thanks for this great tool!
BTW, I am unable to download the source code (no Files tab in sourceforge at this moment)