Participant
June 28, 2022
Question

macOS signing with mixed RSA/EC cert chain fails in Acrobat


When using smart cards that have RSA keys and matching leaf certificates, which in turn are signed by EC CA certificates, Acrobat Reader fails at signing documents with such cards on macOS.

On Windows, signing with these cards using Acrobat Reader goes fine.

On macOS, signing with these cards in Acrobat Reader when using the matching PKCS#11 library goes fine.

But on macOS, when we do not specify a PKCS#11 library, and Acrobat uses the OS's CTK framework (and the card's CTK Token plugin) to communicate with the card, no supported signing algorithm can be found.

In fact, the only algorithms that the CTK framework presents to the CTK plugin (BEIDToken), to check whether the card supports them, are EC algorithms (which the RSA card of course does not support).

In the call to the BEIDToken, the RSA key is mentioned, so it seems that somewhere above a mix-up has been made (between the key contained in the cert (RSA) and the key that signed the cert (EC)) when selecting the signing algorithm we are asked to support.

I'm interested to know whether it is Acrobat Reader that asks if the card supports certain algorithms, or Apple's CTK framework.

When we use e.g. Google Chrome to authenticate with such a smart card, it uses the CTK framework and the BEIDToken plugin, and these authentications pass.

2 replies

Participant
October 16, 2025

The issue seems to be in Acrobat Reader for macOS, where Acrobat looks at the "signature algorithm" (used by its parent to sign this certificate) inside the signing certificate, instead of looking at the signing key of the certificate itself.

So it is the same issue as reported here: https://community.adobe.com/t5/acrobat-discussions/signature-with-ecdsa-keys-on-mac-osx-use-always-sha384-hash/m-p/14975927
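The two certificate fields contrasted in the reply above, as an added example that is not part of the original thread and is not Adobe's, Apple's or the BEIDToken project's code: a minimal DER walk that reads `signatureAlgorithm` (how the issuer signed the certificate) and the `subjectPublicKeyInfo` algorithm (the key the card actually signs with). `SAMPLE_LEAF`, `KEY_FAMILY` and all function names are assumptions made for this illustration; the sample is a constructed certificate skeleton with dummy key and signature bits.

```python
# Added example; SAMPLE_LEAF is constructed (dummy key and signature bits), not a real card certificate.
KEY_FAMILY = {"1.2.840.113549.1.1.1": "RSA", "1.2.840.10045.2.1": "EC"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split the body of a constructed element into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def oid_str(der):  # decode OID content bytes to dotted form (first arc 0 or 1 only)
    arcs, acc = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def cert_algorithms(cert_der):
    """Return (signatureAlgorithm OID, subjectPublicKeyInfo algorithm OID)."""
    tbs, sig_alg = children(read_tlv(cert_der, 0)[1])[:2]
    fields = children(tbs[1])
    fields = fields[1:] if fields[0][0] == 0xA0 else fields  # skip optional [0] version
    key_alg = children(fields[5][1])[0]  # serial, signature, issuer, validity, subject, SPKI
    return oid_str(children(sig_alg[1])[0][1]), oid_str(children(key_alg[1])[0][1])

def signing_key_family(cert_der):
    """Key family the card signs with: read from the SPKI, not from signatureAlgorithm."""
    return KEY_FAMILY.get(cert_algorithms(cert_der)[1], "unknown")

def tlv(tag, *parts):  # short-form DER encoder, enough for the small sample below
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

EC_SIG = tlv(0x30, bytes.fromhex("06082a8648ce3d040303"))  # ecdsa-with-SHA384 (issuer's signature)
RSA_KEY = tlv(0x30, bytes.fromhex("06092a864886f70d010101"), b"\x05\x00")  # rsaEncryption (leaf key)
BITS, EMPTY = tlv(0x03, b"\x00\x00"), tlv(0x30)
TBS = tlv(0x30, tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", EC_SIG, EMPTY, EMPTY, EMPTY, tlv(0x30, RSA_KEY, BITS))
SAMPLE_LEAF = tlv(0x30, TBS, EC_SIG, BITS)
```

For the constructed leaf, `cert_algorithms` returns an ECDSA signature OID alongside an RSA key OID, which is the mixed-chain shape discussed in this thread; `signing_key_family` picks the family from the key field only.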

Participant
June 30, 2022

The workaround seen here (using the PKCS#11 module) might be related to https://community.adobe.com/t5/acrobat-reader-discussions/niet-ondersteund-algoritme-unsupported-algoritme/m-p/12635530, where it is seen that Acrobat Reader cannot sign with EC keys when using the PKCS#11 module.

Signing in LibreOffice with this PKCS#11 module using EC keys works.

So could it be that signing in Acrobat on macOS using PKCS#11 always asks for RSA signatures, and does not support ECDSA?