How to embedded CRL/OCSP revocation information fo

Posted 2019-08-11 08:28

Question:

This question is linked to this other question.

As I would like to fully validate the timestamp added to a PAdES signature (expiration and revocation), I need also to add to the signature the crl file or the ocsp response of the TSA certificate grabbed at the creation of the timestamp.

As far as I understand, iText 5.4.1 doesn't seem to provide this feature. In particular through

  • com.itextpdf.text.pdf.security.TSAClientBouncyCastle, and
  • com.itextpdf.text.pdf.security.MakeSignature

Am I missing anything?

Thanks in advance for your help,

Bertrand

Answer 1:

Regarding CRLs, you can add a CrlClient that gets the CRL for the TSA Certificate to the CrlList passed to MakeSignature.

Regarding the OCSP response: you're right. It seems that we don't have a means to do this, other than when creating a Document-Level Timestamp.
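
The CRL approach from the answer above, as an added example (not code from the original answer or from the iText project), written against the iText 5 signing API named in the question. The file names, the keystore password, the TSA URL and the assumption that the TSA's signing certificate is already available as `tsa.cer` are all placeholders.

```java
import com.itextpdf.text.pdf.PdfReader;
import com.itextpdf.text.pdf.PdfSignatureAppearance;
import com.itextpdf.text.pdf.PdfStamper;
import com.itextpdf.text.pdf.security.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public class SignWithTsaCrl {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // Assumed inputs: signer.p12 / "changeit", tsa.cer (the TSA's signing
        // certificate, obtained beforehand) and a placeholder TSA URL.
        char[] pass = "changeit".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new FileInputStream("signer.p12"), pass);
        String alias = ks.aliases().nextElement();
        PrivateKey pk = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate tsaCert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new FileInputStream("tsa.cer"));

        // CRL distribution point of the TSA certificate; fail closed if there is none.
        String tsaCrlUrl = CertificateUtil.getCRLURL(tsaCert);
        if (tsaCrlUrl == null)
            throw new IllegalStateException("TSA certificate has no CRL distribution point");

        List<CrlClient> crlList = new ArrayList<CrlClient>();
        crlList.add(new CrlClientOnline());          // CRL of the signing certificate
        crlList.add(new CrlClientOnline(tsaCrlUrl)); // CRL of the TSA certificate

        PdfReader reader = new PdfReader("in.pdf");
        PdfStamper stamper = PdfStamper.createSignature(reader, new FileOutputStream("signed.pdf"), '\0');
        PdfSignatureAppearance sap = stamper.getSignatureAppearance();
        ExternalDigest digest = new BouncyCastleDigest();
        ExternalSignature signature = new PrivateKeySignature(pk, "SHA-256", "BC");
        TSAClient tsa = new TSAClientBouncyCastle("https://tsa.example.invalid/tsr");
        // No OcspClient is passed (null): only the CRLs in crlList are embedded.
        MakeSignature.signDetached(sap, digest, signature, chain, crlList, null, tsa, 0,
                MakeSignature.CryptoStandard.CMS);
    }
}
```

The CRLs are downloaded before the timestamp token is requested, so the embedded TSA CRL reflects the certificate's status at signing time.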