When using smart cards that have RSA keys and matching leaf certificates, which in turn are signed by EC CA certificates, Acrobat Reader fails at signing documents with such cards on macOS.
On Windows the signing with these cards using Acrobat Reader goes fine.
On macOS the signing with these cards on Acrobat Reader when using the matching pkcs#11 library goes fine.
But on macOS, when we do not specify a pkcs#11 library, and Acrobat uses the OS's CTK framework (and the card's CTK Token plugin) to communicate with the card, no supported signing algorithm can be found.
In fact, the only algorithms that the CTK framework presents (checks if the card supports them) to the CTK plugin (BEIDToken) are EC algorithms (which the RSA card of course does not support).
In the call to the BEIDToken, the RSA key is mentioned, so it seems somewhere above a mix-up has been made (between the key contained in the cert (RSA) and the key that signed the cert (EC)) when selecting the signing algo we are asked to support.
I'm interested to know if it is Acrobat Reader who asks if the card supports certain algorithms, or is it Apple's CTK framework?
When we use e.g. Google Chrome to authenticate with such a smart card, it uses the CTK framework and the BEIDToken plugin, and these authentications pass.
The workaround seen here (using the pkcs#11 module) might be related to https://community.adobe.com/t5/acrobat-reader-discussions/niet-ondersteund-algoritme-unsupported-alg..., where it is seen that Acrobat Reader cannot sign with EC keys when using the pkcs#11 module.
Signing in LibreOffice with this pkcs#11 module using EC keys works.
So could it be that signing in Acrobat on macOS using pkcs#11 always asks for RSA signatures, and does not support ECDSA?
Issue seems to be in Acrobat Reader for macOS, where Acrobat looks at the "signature algorithm" (used by its parent to sign this certificate) inside the signing certificate, instead of looking at the signing key of the certificate itself.
So it is the same issue as reported here: https://community.adobe.com/t5/acrobat-discussions/signature-with-ecdsa-keys-on-mac-osx-use-always-s...
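The two fields contrasted in the last post, shown as an added example that is not part of the original thread or of any Adobe or Apple code: a minimal DER walk that reads both the certificate's `signatureAlgorithm` (the issuer's algorithm) and the algorithm in `SubjectPublicKeyInfo` (the card's own key). The function names and the sample certificate bytes are constructed for illustration.

```python
OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption",
        "1.2.840.10045.2.1": "id-ecPublicKey",
        "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
        "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def tlvs(buf):
    # Yield (tag, value) for each DER element in buf (definite lengths only).
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def oid_name(content):
    # Decode base-128 OID arcs, then map the dotted form to a known name.
    arcs, acc = [], 0
    for b in content:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)
    dotted = ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))
    return OIDS.get(dotted, dotted)

def cert_algorithms(cert_der):
    # Return (algorithm the issuer signed with, algorithm of the subject's own key).
    (_, cert), = tlvs(cert_der)
    tbs, sig_alg, _signature = [v for _, v in tlvs(cert)]
    fields = [v for t, v in tlvs(tbs) if t != 0xA0]  # drop optional [0] version
    spki = fields[5]  # serial, signature, issuer, validity, subject, SPKI
    key_alg = next(tlvs(spki))[1]  # AlgorithmIdentifier inside SubjectPublicKeyInfo
    return oid_name(next(tlvs(sig_alg))[1]), oid_name(next(tlvs(key_alg))[1])

def der(tag, *parts):  # builder for the constructed sample (short lengths only)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

# Constructed sample, not a real certificate: RSA subject key, ECDSA issuer signature.
EC_SIG = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040302")))
RSA_KEY = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05))
SAMPLE = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), EC_SIG,
                       der(0x30), der(0x30), der(0x30), der(0x30, RSA_KEY, der(0x03, b"\x00"))),
             EC_SIG, der(0x03, b"\x00"))
```

For the sample, `cert_algorithms(SAMPLE)` returns the ECDSA issuer algorithm first and `rsaEncryption` second; only the second value describes what the card's key can sign with.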