0 Replies Latest reply on Oct 10, 2016 5:44 AM by lupascualex

    Adobe Reader XI - OCSP revocation checker issue

    lupascualex

      Hello,

       

      I have 2 issues regarding the OCSP revocation checker integrated in Adobe Reader XI:

           1. I have encountered a issue when trying to validate a digital signature created with a qualified certificate and without adding LTV data in Document Security Store(DSS), the problem is as follows:  the PDF file contains only the signature without any Long Term Validation data and the local CRL cache was deleted in advance. According to Revocation Checking Quick Key ( http://www.adobe.com/devnet-docs/acrobatetk/tools/QuickKeys/Acrobat_SigRevCheck_KeyAll.pdf )  this scenario would imply that the revocation checking process would be skipped to the moment of online OCSP checking (this can be confirmed by log files), the problem is that OCSP revocation status is "Trouble" because "OCSP response was not signed by an authorized responder.". The OCSP responder's certificate has the same issuer as the certificate used to create the digital signature, and the responder's certificate is designated to sign OCSP responses by containing an ExtendedKeyUsage - OCSP Signing(1.3.6.1.5.5.7.3.9).

      According to http://wwwimages.adobe.com/content/dam/Adobe/en/devnet/reader/pdfs/acrobat_reader_security _9x.pdf  (page 105) the OCSP revocation checker should authorize the responder according to the methods described in RFC2560, which includes the scenario presented in the last sentence.

      To conclude, the Adobe OCSP revocation checker does not authorize the responder even if it is compliant with the RFC2560 (and RFC6960) responder authorization methods. Therefore, I am kindly asking to review the authorization process of the OCSP responder and tell me what could possibly go wrong.

      I mention that this issue occurs on a clean Windows 7 Professional SP1 x64 with Adobe Reader XI (11.0.17) freshly installed. No other configurations were made.

       

           2. I know that the time at which signature validation should occur can be configured as Signing Time or Current Time, and according to http://https://www.adobe.com/devnet-docs/acrobatetk/tools/PrefRef/Windows/Security.html#id keyname_1_15702 the following rule is applied for OCSP revocation checking:  thisUpdate - iMaxClockSkew < validation time < checkTime + iMaxClockSkew where checkTime is the later of the producedAt and thisUpdate, and the iMaxClockSkew is the number of minutes the local machine time can vary from the response's published time(default 5 minutes).

      Now considering this timeline moments: T1 < T2 < T3 < T4 < T5 , let's suppose that a certificate C was issued at T1, then a PDF document was signed with C at T2 without adding Long Term Validation data in DSS resulting signature S, the certificate C was revoked at T3, and the certficate C expires at T5.

      The moment when I'm trying to validate the signature S is T4 and Adobe Reader has it's default signature validation time as Signing Time.

      Omitting the iMaxClockSkew, the first inequality ( thisUpdate < validation time ) would never be satisfied because thisUpdate represents the revocation time namely T4, and the validation time  is signing time namely T2. This scenario leads to verfication if T4 < T2, which will always be false according to the premise T1<T2<T3<T4<T5, resulting in an erroneous revocation checking.

       

      If  the time at which signature validation should occur is configured as Current Time then another problem occurs when the certificate is expired at the moment I want to validate the signature because the Adobe_ChainBuilder stops the signature validation before the revocation process starts  (according to log files).

       

      Can Adobe be configured to consider Signing Time for ChainBuilder and Current Time for OCSP revocation checker ? More specifically, is there any way to configure the OCSP revocation check process to be conducted as follows ?

      1. ALWAYS validation time = current time

      2. Send OCSP request

      3. Receive OCSP response with thisUpdate, nextUpdate, certStatus and optionally revocationTime

      4. If certStatus is Revoked then compare signing time with revocationTime

      5. Else compare validationTime  with thisUpdate and nextUpdate.

       

       

      Best regards,

      Alex