macOS signing with mixed RSA/EC cert chain fails in Acrobat

New Here, Jun 28, 2022
When using smart cards that have RSA keys and matching leaf certificates, which in turn are signed by EC CA certificates, Acrobat Reader fails at signing documents with such cards on macOS.

On Windows the signing with these cards using Acrobat Reader goes fine.

On macOS the signing with these cards on Acrobat Reader when using the matching PKCS#11 library goes fine.

But on macOS, when we do not specify a PKCS#11 library, and Acrobat uses the OS's CTK framework (and the card's CTK Token plugin) to communicate with the card, no supported signing algorithm can be found.

In fact, the only algorithms that the CTK framework presents (checks if the card supports it) to the CTK plugin (BEIDToken) are EC algorithms (which the RSA card of course does not support).

In the call to the BEIDToken, the RSA key is mentioned, so it seems somewhere above a mix-up has been made (between the key contained in the cert (RSA), and the key that signed the cert (EC)) when selecting the signing algo we are asked to support.

I'm interested to know if it is Acrobat Reader who asks if the card supports certain algorithms, or is it Apple's CTK framework?

When we use e.g. Google Chrome to authenticate with such a smart card, it uses the CTK framework and the BEIDToken plugin, and these authentications pass.
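
The distinction the post above draws, between the key inside the leaf certificate (RSA) and the algorithm the CA used to sign that certificate (EC), as an added example that is not part of the original thread: a small Python DER walk that reads both fields from a certificate. `SAMPLE` is a constructed skeleton with the X.509 field layout, not a real certificate, and all function names are illustrative.

```python
# Added example. SAMPLE is a constructed skeleton, not a real certificate.
NAMES = {"1.2.840.113549.1.1.1": "rsaEncryption",
         "1.2.840.10045.2.1": "id-ecPublicKey",
         "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                       # long-form length
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def alg_name(alg_id):
    """Name the OID that opens an AlgorithmIdentifier's content."""
    v, acc = next(tlvs(alg_id))[1], 0
    arcs = [v[0] // 40, v[0] % 40]
    for b in v[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    dotted = ".".join(map(str, arcs))
    return NAMES.get(dotted, dotted)

def cert_algorithms(cert_der):
    """Return the leaf's own key algorithm and the issuer's signature algorithm."""
    [(_, cert)] = tlvs(cert_der)
    tbs, sig_alg = list(tlvs(cert))[:2]
    fields = [f for f in tlvs(tbs[1]) if f[0] != 0xA0]   # drop [0] version
    spki_alg = next(tlvs(fields[5][1]))[1]               # subjectPublicKeyInfo.algorithm
    return {"subject_key": alg_name(spki_alg), "issuer_signature": alg_name(sig_alg[1])}

def signing_family(cert_der):
    """Key family a token holding this cert's key signs with: the leaf's own key."""
    key = cert_algorithms(cert_der)["subject_key"]
    return {"rsaEncryption": "RSA", "id-ecPublicKey": "EC"}.get(key, "unknown")

def der(tag, *parts):                      # short-form encoder for the sample only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

RSA = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05))
ECDSA = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d040303")))
EMPTY, BITS = der(0x30), der(0x03, bytes(9))   # placeholder names, key and signature
TBS = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), ECDSA,
          EMPTY, EMPTY, EMPTY, der(0x30, RSA, BITS))
SAMPLE = der(0x30, TBS, ECDSA, BITS)
```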
New Here, Jun 30, 2022

The workaround seen here (using the PKCS#11 module) might be related to https://community.adobe.com/t5/acrobat-reader-discussions/niet-ondersteund-algoritme-unsupported-alg..., where it is seen that Acrobat Reader cannot sign with EC keys when using the PKCS#11 module.

Signing in LibreOffice with this PKCS#11 module using EC keys works.

So could it be that signing in Acrobat on macOS using PKCS#11 always asks for RSA signatures, and does not support ECDSA?