Looking at the code at http://fisheye.primekey.se/browse/SignServer/branches/Branch_4_0/signserver/modules/SignServer-Module-TSA/src/main/java/org/signserver/module/tsa/TimeStampSigner.java?hb=true#to681 it seems that if there is a TSPException a few lines up a rejection response is being generated (i.e. without a time-stamp token). This should be fine except that looking in our branch of Bouncy Castle the getEncoded(String) method assumes there to be a time-stamp token: http://fisheye.primekey.se/browse/SignServer/branches/Branch_4_0/signserver/modules/SignServer-Module-TSA/src/main/java/org/signserver/module/tsa/bc/TimeStampResponse.java?r=8460#to224
- Check if this issue is also in upstream Bouncy Castle or if it has already been fixed there after our patch for this was merged.
- Initially it looks like the fix would be to in the BC method have a case for when there is no token.
- Posted upstream PR: https://github.com/bcgit/bc-java/pull/574
- Check if this is an issue in version 5 as well.
- Note that the issue only happens as a consequence of an other issue. Too see the real/first issue check the debug log for "Got exception generating response" or temporarily set legacy encoding to false.