3 Replies Latest reply on Nov 19, 2014 11:04 AM by IsakTen

    sign with a smartcard

    okeeweekee

      Hello. Following the migration of the Acrobat Reader version to the 11.0.9 release, we have seen a regression in the ability to sign a PDF document with an integrated smart card certificate. The 11.0.8 version allowed this. Are you aware of this regression? The certificate has the key usage attribute: critical digitalSignature

        • 1. Re: sign with a smartcard
          IsakTen Level 4

          I do not know what your regression is. Are you saying that you were able to sign with a certain credential and now you can't? Can you be more specific? What are the symptoms that you observe? Please, be as detailed as you can. The key usage attribute "critical digitalSignature" is not the text that Reader's Certificate Viewer displays. It would be good to know where you got it from.

          Meanwhile, you have PDFs signed with this credential in 11.0.8 or earlier. Open such a PDF, right-click on the signature, click on "Show Signature Properties", in the next dialog click on "Show Signer's Certificate", and select the "Details" tab. In the list of certificate attributes see if there is "Key Usage". If there is one, click on it, copy its content (from the bottom part) and report it in your reply. Then look for the "Extended Key Usage" in the same list. If there is one, click on it, copy its content and also report it in your reply. The list of attributes in the "Details" list can be long, so scroll it and look for these attributes very carefully, so that you do not miss them.

          • 2. Re: sign with a smartcard
            okeeweekee Level 1

            Hi,

            You can find some details about the problem signing with a certificate embedded in the smart card.

            For your information, find some details about the properties of the embedded certificate, from the command openssl x509 -in file -text :

                       Netscape Cert Type:
                            SSL Client
                        X509v3 Extended Key Usage:
                            TLS Web Client Authentication, Microsoft Smartcardlogin
                        X509v3 Key Usage: critical
                            Digital Signature

            In the second point, the information returned by the command CertUtil -SCInfo is:

            0: Dell Dell Smart Card Reader Keyboard 0
              1: Gemplus USB Smart Card Reader 0
            --- Lecteur : Dell Dell Smart Card Reader Keyboard 0
            --- Statut : SCARD_STATE_PRESENT | SCARD_STATE_INUSE
            --- Statut : La carte est partagée par un autre processus.
            ---   Carte : Axalto Cryptoflex .NET
            ---    ATR :
                 3b 16 96 41 73 74 72 69  64                        ;..Astrid

            --- Lecteur : Gemplus USB Smart Card Reader 0
            --- Statut : SCARD_STATE_EMPTY
            --- Statut : Aucune carte.
            ---   Carte :

            And the configuration of the smart card driver is Gemalto minidriver for .NET Smart Card
            Driver provider : Gemalto / Driver Date : 04/06/2011 / Driver version : 8.3.13 / Driver signature : Microsoft Windows Hardware Compatibility Publisher

            a- When I check the capability of Adobe Reader XI version 11.0.09 to read the X.509 certificate, Adobe Reader is able to read the X.509 certificate. It's possible to check that with the information about the certificate in the approved identity box.

            A second window confirms that the certificate is able to sign a document. So we will try to sign a test file.

            For that, we take a test file and go to the menu “File and Sign”. We have a box to draw a square to sign.

            First problem: the box window doesn't present my certificate embedded in the smart card. Only the software certificate is presented.

            So we try to register my card in the Adobe Reader store by creating an ID. A window appears with a peripheral connected to the computer.

            But the result is not really good and we have a message that Adobe is not able to find the hardware token.

            "Acrobat None normally found new digital ID. If your digital ID is on a hardware token, verify that it is plugged in and its interface is configured correctly. Contact your system administrator for further assistance."

            With the previous version of Adobe Reader, we had the capability to sign the file and the result is:

            Version 9.0.0 - Detail of the signature: The signature is created with Adobe Reader 9.0.0 - the hash is SHA1

            Version 11.0.7 - Detail of the signature: The signature is created with Adobe Reader 11.0.7 - the hash is SHA256

            To summarize, with version 11.0.9 the connection with the smart card driver is not established, but it is possible to read the certificate with the Windows store.

            Thanks for your feedback on this problem.

            • 3. Re: sign with a smartcard
              IsakTen Level 4

              RFC 5280 that governs the use of certificates for different purposes provides ability for the Certificate Authority that issued a certificate to restrict the use of this certificate. The restrictions are placed in the certificate's "Key Usage" (KU) and "Extended Key Usage" (EKU).

              Prior to version 11.0.09 Acrobat/Reader enforced the KU but not the EKU extension. Starting with version 11.0.09 Acrobat/Reader enforces both KU and EKU as mandated by RFC 5280. If the certificate contains an EKU extension but the latter does not contain one of the following OIDs: "AnyExtendedKeyUsage", "EmailProtection", "CodeSigning" or "AuthenticDocumentsTrust", then this certificate may not be used for PDF signing. If the certificate does not contain an EKU extension then only KU restrictions are considered. If the certificate contains neither a KU nor an EKU extension it may be used for signing.

              You can check the extensions in your certificate in Acrobat's Certificate Viewer. In Acrobat XI you go to Edit->Preferences->Signatures->Identities and Trusted Certificates->More. Then select "Digital IDs" in the left pane and, in the list on the right side, the certificate that you want to examine. Click on "Certificate Details". In the Certificate Viewer dialog that comes up click on "Details". A list of certificate extensions appears. Scroll this list and look for the "Extended Key Usage". If there is one, select it; in the bottom part you'll see which OIDs are included in the EKU. If it does not contain one of the OIDs I listed above, then this certificate may not be used for signing. The CA that issued your smart card intended it to be used only for the purposes indicated in the EKU. The fact that Acrobat/Reader prior to version 11.0.09 allowed you to use it for signing did not make it right.

              Regretfully, many products that perform signing do not honor RFC 5280.
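The following is an added example, not code from this thread or from Adobe: it decodes an X.509 Extended Key Usage extension from DER and applies the KU/EKU acceptance rule described in reply 3 to the certificate from reply 2 (clientAuth plus Microsoft Smartcard Logon, KU digitalSignature critical). The sample EKU bytes are constructed here from those two purposes. The anyExtendedKeyUsage, emailProtection and codeSigning OIDs are the RFC 5280 values; the Adobe AuthenticDocumentsTrust OID (1.2.840.113583.1.1.5) is taken from Adobe's own documentation, not from this thread; and treating "KU restrictions" as "the digitalSignature bit must be set" is this example's assumption, since the reply does not spell that part out.

```python
# Added example (not from the thread): minimal DER decoding of ExtKeyUsageSyntax
# and the PDF-signing eligibility rule from reply 3 (Acrobat/Reader 11.0.09).

ANY_EKU = "2.5.29.37.0"                       # anyExtendedKeyUsage (RFC 5280)
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"        # id-kp-emailProtection
CODE_SIGNING = "1.3.6.1.5.5.7.3.3"            # id-kp-codeSigning
AUTHENTIC_DOCUMENTS_TRUST = "1.2.840.113583.1.1.5"  # Adobe OID, from Adobe docs (assumption)
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"             # id-kp-clientAuth ("TLS Web Client Authentication")
SMARTCARD_LOGON = "1.3.6.1.4.1.311.20.2.2"    # Microsoft Smartcard Logon

# EKU purposes that reply 3 says Acrobat/Reader 11.0.09 accepts for PDF signing.
PDF_SIGNING_EKUS = {ANY_EKU, EMAIL_PROTECTION, CODE_SIGNING, AUTHENTIC_DOCUMENTS_TRUST}


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length suffices for EKU-sized OIDs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]            # last base-128 digit has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """Wrap encoded KeyPurposeIds in the outer SEQUENCE (short-form length)."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30, len(body)]) + body


def decode_oid_body(body: bytes) -> str:
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                # high bit clear: arc is complete
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; returns (tag, content, next_pos). Handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_eku(der: bytes) -> list:
    """Parse ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId into dotted OIDs."""
    tag, content, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid_body(body))
    return oids


def pdf_signing_allowed(ku_digital_signature, eku_oids) -> bool:
    """
    Rule from reply 3: an EKU that is present must contain one of PDF_SIGNING_EKUS;
    with no EKU only KU is considered; with neither extension signing is allowed.
    ku_digital_signature is None when the certificate has no KU extension; otherwise
    it is the digitalSignature bit (this example's reading of "KU restrictions").
    """
    if eku_oids is not None and not PDF_SIGNING_EKUS.intersection(eku_oids):
        return False
    if ku_digital_signature is not None:
        return bool(ku_digital_signature)
    return True


# Constructed sample: the EKU shown in okeeweekee's openssl dump.
SMARTCARD_EKU_DER = encode_eku([CLIENT_AUTH, SMARTCARD_LOGON])


def check_smartcard_cert():
    """Apply the rule to the thread's certificate: KU digitalSignature set, EKU lacks a signing purpose."""
    oids = parse_eku(SMARTCARD_EKU_DER)
    return oids, pdf_signing_allowed(True, oids)


if __name__ == "__main__":
    oids, ok = check_smartcard_cert()
    print("EKU OIDs:", oids)
    print("usable for PDF signing in 11.0.09:", ok)
```

Running it reports the two decoded purposes and False: exactly the outcome reply 3 predicts for a clientAuth/smartcard-logon certificate, and the reason the card's ID never appears in the signing dialog. Adding emailProtection (or any other accepted purpose) to the list passed to encode_eku flips the verdict, which is the certificate-profile change a CA would have to make rather than anything the Reader user can fix locally.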