#3 LTV/OSCP fail

2026-03-06T02:36:58.286000Z

Thanks for this great tool!
BTW, I am unable to download the source code (no Files tab in sourceforge at this moment)

LTV/OSCP fail

2026-03-06T02:15:35.780000Z

Hi! I have been trying to sign with PAdES-LTV But I was unable, Here I provide the most info I have gathered:

Bug Report: PAdES-LTV failure (UNSPECIFIED) and excessive padding (5.1MB file size)

Description

When signing a PDF using a Spanish DNIe (Smartcard) or an FNMT certificate with LTV (Long Term Validation) enabled, the signature process fails to embed the OCSP response correctly. This results in:

An "UNSPECIFIED" certificate chain validation error in the UI.
A massive output file (approx. 5.1MB) filled with 0x30 (ASCII '0') padding.
A signature that validates only as PAdES-T (Timestamp) instead of PAdES-LTV in official validators (e.g., RedSARA Valide).

Environment

OS: Debian GNU/Linux
Software: eMark PDF Signer v1.1.3 (Java 8)
Middleware: OpenSC (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Certificate Authority: FNMT-RCM / Dirección General de la Policía (DNIe)

Technical Analysis

Following a deep trace of the application using tcpdump and java -Djavax.net.debug=all, the root cause was identified:

Network Layer: The OCSP request to http://ocsp.dnie.es is successful. The server returns HTTP 200 OK with Content-Type: application/ocsp-response and a payload of ~3978 bytes.
Application Layer: The software fails to ingest the response. The log shows:
WARNING: Embedded OCSP response is not byte array, cannot parse
The Bug: It appears the code in com.codemuni.service.SignatureVerificationService (method checkRevocationStatus) expects the HTTP connection content to be a native byte[]. However, the Java 8 URLConnection returns an InputStream.
Padding Issue: Because the OCSP parsing fails, the software aborts the embedding process but fails to shrink the pre-allocated 5MB signature placeholder, leaving it filled with null/zero padding.

Evidence

Application Log excerpt:
```text
INFO: Checking certificate revocation status for [...]
INFO: OCSP: Found embedded OCSP response - parsing for revocation time
WARNING: Embedded OCSP response is not byte array, cannot parse
INFO: Timestamp found - performing RFC 3161 verification

More data from log

~/emark$ grep -i -B3 -A10 "WARNING: Embedded OCSP response|Asn1Exception|MalformedURLException" log04.txt
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService checkRevocationStatus
INFO: OCSP: Found embedded OCSP response - parsing for revocation time
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService checkRevocationStatus
WARNING: Embedded OCSP response is not byte array, cannot parse
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Signature Algorithm: Hash=SHA256, Encryption=RSA
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Hash algorithm strength: ACCEPTABLE
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifySignature
INFO: Timestamp found - performing RFC 3161 verification
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifyTimestamp
INFO: === Timestamp Verification (CCA Requirement) ===
Mar 06, 2026 2:27:15 AM com.codemuni.service.SignatureVerificationService verifyTimestamp
INFO: Step 1: Timestamp found - Date: Mar 06, 2026 02:26:57

Packet Capture (tcpdump) excerpt:

in attached file.

Suggested Fix
Update the OCSP response handler to properly consume the InputStream from the HttpURLConnection and convert it to a byte[] before passing it to the Bouncy Castle / OpenPDF parser.
java

// Ensure the stream is fully read into a byte array
InputStream is = connection.getInputStream();
ByteArrayOutputStream buffer = new ByteArrayOutputStream();
int nRead;
byte[] data = new byte[16384];
while ((nRead = is.read(data, 0, data.length)) != -1) {
buffer.write(data, 0, nRead);
}
byte[] ocspBytes = buffer.toByteArray();
// Process ocspBytes...

Ticket #2: watermark removal discussion

2025-10-14T14:18:25.828000Z

Ticket changed by: devcodemuni

status: open --> closed

Ticket #2: watermark removal discussion

2025-10-14T14:18:25.705000Z

assigned_to: devcodemuni

Ticket #2: watermark removal discussion

2025-10-14T14:18:25.204000Z

Originally posted by: devcodemuni

Hi @Aniketc068,

We have removed the watermark overlay from the signature appearance when a custom image is selected.
Your selected signature image will now appear clean and without any background watermark.

Please update to the latest release and confirm. ✅

Ticket #1: text over lapping issue discussion

2025-10-14T14:18:24.697000Z

Ticket changed by: devcodemuni

status: open --> closed

Ticket #1: text over lapping issue discussion

2025-10-14T14:18:24.550000Z

assigned_to: devcodemuni

Ticket #1: text over lapping issue discussion

2025-10-14T14:18:24.018000Z

Originally posted by: devcodemuni

Hi @Aniketc068,

We have fixed the signature appearance text overlapping issue.
Now the signature block renders properly without overlapping text.

Please update to the latest release and check. 🚀

Recent changes to tickets

#3 LTV/OSCP fail

LTV/OSCP fail

Bug Report: PAdES-LTV failure (UNSPECIFIED) and excessive padding (5.1MB file size)

Description

Environment

Technical Analysis

Evidence

More data from log

Packet Capture (tcpdump) excerpt:

Ticket #2: watermark removal discussion

Ticket #2: watermark removal discussion

Ticket #2: watermark removal discussion

Ticket #1: text over lapping issue discussion

Ticket #1: text over lapping issue discussion

Ticket #1: text over lapping issue discussion