9 Replies Latest reply on Apr 16, 2018 12:08 AM by m.prajwal

    Adobe Reader X doesn't even try to validate expired user certificate used in digital signature

    capitanvancram

      Verifying a file signed with an expired certificate (timestamped or not) causes Adobe Reader to raise a strange CRL parsing error:

      Note:

      • the CRL is currently valid
      • the errors "propagate" also to the OCSP responses
      • the file is timestamped before the certificate revocation
      • the error is reproducible every time and with different signatures/CAs: personally I've tried with French, Italian and Spanish signed evidence.

      Below is the excerpt from the Certificate Viewer --> Error Information window:

      CRL processing error
      Issuer: serialNumber=4, cn=Certigna ID, ou=0002 481463081, o=Dhimyotis, c=FR
      This update: 20120123110005Z
      Next update: 20120124110005Z
      CRL has expired or is not yet valid

      [the Certigna "CRL processing error" block above is repeated six times in the window, with this line between the fourth and fifth repetition:]

      OCSP response has expired or is not yet valid

      or, for example

      CRL processing error
      Issuer: cn=InfoCert Firma Qualificata, ou=Certificatore Accreditato, serialNumber=07945211006, o=INFOCERT SPA, c=IT
      This update: 20120305161509Z
      Next update: 20120305172400Z
      CRL has expired or is not yet valid

      OCSP response has expired or is not yet valid

      [the InfoCert "CRL processing error" block is repeated twice more after the OCSP line]

        • 1. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
          Mathieu Fortin Level 1

          Hello

          This issue dates back to 2012 and is still in Adobe Reader XI and DC. The behaviour seems to happen when a certificate has expired, there are no embedded CRL/OCSP responses and Reader is configured to validate at the time the signature was made. It goes online to check revocation based on the currently available CRL, which is evidently NOT the CRL that was in force at the time of signature, and fails with the "...not yet valid..." error message. If the certificate is not in the CRL, it should just forget about it and check if the signature date is between the certificate notBefore and notAfter dates.

           

          Can someone from Adobe just confirm if this is an actual bug or the intended behaviour ?

           

          Thank you.

          • 2. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
            IsakTen Level 4

            The Certificate Authority (CA) that issued a certificate does not include expired certificates' information in its CRLs. Each CRL covers a certain valid time range for the certificates it covers. This time range usually starts after the latest expiration date of the certificates it issued. When you try to validate a signature at the signing time and revocation info (OCSP/CRL) is not embedded in the PDF (signature itself or DSS), then Reader goes online to find an applicable CRL. But the valid time range in the CRL that the CA sends back today starts after the time the latest certificate it issued has expired. So, the expiration date on the signing certificate is before the starting time for all still-valid certificates that this CA issued, and that's why this CRL is not time-valid for the expired signing certificate. This is what the "CRL processing error" that you see tells you. This is not a bug. This is the information for those who know PKI.

            The presence of a certificate in a CRL means that this certificate has been revoked (at the revocation time). The absence of a certificate from a CRL has a meaning only if the certificate's expiration time is later than the CRL's starting valid time and the certificate's valid start time is before the CRL's ending valid time. Otherwise, the absence of a certificate from a CRL does not mean anything. Your suggestion "If the certificate is not in the CRL, it should just forget about it and check if the signature date is between the certificate notBefore and notAfter dates" is an improper one. Acrobat cannot flag a signature as Valid if it cannot ascertain the validity of the signing certificate. This is because if a signing certificate was stolen and revoked, one could use the stolen certificate to sign a document at some forged date before the certificate's expiration, and your suggestion would result in flagging this signature as Valid. It defeats the purpose of revocation checking.

            The bottom line is this: if you have not included revocation information in the PDF, you cannot validate a signature after the signing certificate has expired.

            • 3. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
              capitanvancram Level 1

              I don't agree!!

               

              To be exact, the RootCA above DOES include the expired certificate information in the CRL, and THIS IS a (historic) Adobe Reader/Professional bug in signature verification.

               

              As in the ITU-T document for X.509 currently in force, T-REC-X.509-201210, both of the above CRLs include the CRL extension OID 2.5.29.60, defined by ITU-T at 8.5.2.9 of the cited document, ExpiredCertsOnCRL (OID repository - {joint-iso-itu-t(2) ds(5) certificateExtension(29) id-ce-expiredCertsOnCRL(60)}).

              In short, if a CRL contains this extension, the RootCA is telling you that the revoked certificate records are kept on the CRL also AFTER the expiration date of the certificate itself.


              So, from my point of view (but ITU-T should agree with me......):

              IF
              • the signature is timestamped BEFORE the expiration date of the certificate by means of a trusted timestamp server (that is, the signature has been produced during the validity period of the signing certificate)
              AND
              • the CRL against which revocation status checks are done contains the above extension (and is valid!)
              THEN
              • the signature IS "validable" also without any embedded CAdES attributes/DSS/VRI, and still remains ABSOLUTELY within the X.509 PKI "standard perimeter".

              Still from my point of view, ignoring such an extension as Adobe does IS a bug...
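The following Python is an added worked example, not code from this thread, from Adobe, or from any of the CAs named above. It models the two readings argued in replies 2 and 3: a CRL is authoritative only inside its [thisUpdate, nextUpdate] window, the absence of a serial from a CRL says nothing about a certificate that expired before thisUpdate (RFC 5280 only requires unexpired revoked certificates to be listed), and the expiredCertsOnCRL extension (OID 2.5.29.60) restores meaning to that absence for certificates that expired at or after the extension's date, which is my reading of X.509 (2012) 8.5.2.9. Only the Certigna thisUpdate/nextUpdate values come from the error text above; the certificate, its serial and validity period, the signing time and the revocation dates are constructed, and the `Crl`/`Certificate` dataclasses stand in for fields parsed out of real DER rather than doing any parsing. The `crl_check_time` parameter makes the disputed choice explicit: evaluating the CRL window at the signing time reproduces Reader's "CRL has expired or is not yet valid", evaluating it at fetch time does not.

```python
"""Added example: when does a freshly fetched CRL say anything about an
expired signing certificate?  Pure-Python model, no DER parsing."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Optional

# {joint-iso-itu-t(2) ds(5) certificateExtension(29) id-ce-expiredCertsOnCRL(60)}
ID_CE_EXPIRED_CERTS_ON_CRL = "2.5.29.60"


def parse_generalized_time(value: str) -> datetime:
    """Parse the YYYYMMDDhhmmssZ form shown in Reader's error window."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class Certificate:          # stand-in for the parsed signing certificate
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass
class Crl:                  # stand-in for the parsed CRL
    this_update: datetime
    next_update: datetime
    revoked: Dict[int, datetime] = field(default_factory=dict)     # serial -> revocationDate
    extensions: Dict[str, datetime] = field(default_factory=dict)  # OID -> decoded value


def crl_time_valid(crl: Crl, at: datetime) -> bool:
    """A CRL is authoritative for instant `at` only within [thisUpdate, nextUpdate]."""
    return crl.this_update <= at <= crl.next_update


def crl_covers(cert: Certificate, crl: Crl) -> bool:
    """Is the *absence* of cert.serial from this CRL meaningful?
    RFC 5280 s.5 only requires unexpired revoked certs to be listed, so a cert
    whose notAfter precedes thisUpdate may simply have been dropped, unless
    expiredCertsOnCRL says entries expiring at/after its date were retained."""
    if cert.not_after >= crl.this_update:
        return True
    retained_since: Optional[datetime] = crl.extensions.get(ID_CE_EXPIRED_CERTS_ON_CRL)
    return retained_since is not None and cert.not_after >= retained_since


def revocation_status(cert: Certificate, crl: Crl, signing_time: datetime,
                      crl_check_time: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown: <reason>'.
    signing_time must come from a trusted timestamp token: a self-asserted time
    lets the holder of a stolen, later-revoked key back-date a signature.
    crl_check_time is the instant the CRL window is judged at (signing time
    per reply 1's description of Reader, or the fetch time)."""
    if not crl_time_valid(crl, crl_check_time):
        return "unknown: CRL has expired or is not yet valid"
    if not (cert.not_before <= signing_time <= cert.not_after):
        return "unknown: signing time outside certificate validity"
    revoked_at = crl.revoked.get(cert.serial)
    if revoked_at is not None and revoked_at <= signing_time:
        return "revoked"
    if not crl_covers(cert, crl):
        return "unknown: certificate expired before thisUpdate and CRL has no expiredCertsOnCRL"
    return "good"


def demo() -> Dict[str, str]:
    """Constructed scenario; only the CRL window comes from the error text above."""
    this_update = parse_generalized_time("20120123110005Z")   # Certigna CRL, from the page
    next_update = parse_generalized_time("20120124110005Z")
    utc = timezone.utc
    # Hypothetical signing certificate and trusted-timestamp time (not from the page)
    cert = Certificate(serial=0x1234, not_before=datetime(2009, 7, 1, tzinfo=utc),
                       not_after=datetime(2011, 6, 30, tzinfo=utc))
    signing_time = datetime(2011, 3, 15, 10, 0, tzinfo=utc)
    fetch_time = parse_generalized_time("20120123120000Z")    # inside the CRL window

    plain_crl = Crl(this_update, next_update)
    ext = {ID_CE_EXPIRED_CERTS_ON_CRL: datetime(2005, 1, 1, tzinfo=utc)}  # hypothetical value
    ext_crl = Crl(this_update, next_update, extensions=ext)
    revoked_late = Crl(this_update, next_update, extensions=ext,
                       revoked={0x1234: datetime(2011, 9, 1, tzinfo=utc)})   # after the timestamp
    revoked_early = Crl(this_update, next_update, extensions=ext,
                        revoked={0x1234: datetime(2011, 2, 1, tzinfo=utc)})  # before the timestamp
    return {
        "reader_window_at_signing_time": revocation_status(cert, plain_crl, signing_time, signing_time),
        "fresh_crl_without_extension": revocation_status(cert, plain_crl, signing_time, fetch_time),
        "fresh_crl_with_extension": revocation_status(cert, ext_crl, signing_time, fetch_time),
        "revoked_after_timestamp": revocation_status(cert, revoked_late, signing_time, fetch_time),
        "revoked_before_timestamp": revocation_status(cert, revoked_early, signing_time, fetch_time),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:32} {result}")
```

The first case is the thread's symptom: judging a 2012 CRL at a 2011 signing time can only ever yield "not yet valid". The second case is IsakTen's point: a fresh CRL with no retention extension proves nothing about a certificate that expired before thisUpdate. The third is capitanvancram's: with expiredCertsOnCRL covering the certificate's notAfter, absence from the list becomes a "good" answer, and the last two show that a revocation dated after the trusted timestamp does not invalidate the signature while one dated before it does.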

              • 4. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                ar12617569

                Hi All and Adobe overall... The validity verification must be done on the CURRENT crl issued by a CA.

                The only requirement for a CA is to maintain an updated CRL, not to provide validity information in the certificate or embedded in the signature.

                Moreover: current european laws indicate that a CA MUST INCLUDE the expired certificates in the CRL.

                This Adobe validity verification process causes a lot of troubles with documents signed with a certificate that is already expired.

                Thanks for considering that a bug.

                • 5. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                  Mathieu Fortin Level 1

                  Do you know if the Archive Cutoff extension in the OCSP Response (which seems to serve the same purpose as the ExpiredCertsOnCrl extension) is also ignored by Adobe Reader/Acrobat ?

                  • 6. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                    IsakTen Level 4

                    According to RFC 5280, which governs CRLs, "A complete CRL lists all unexpired certificates, within its scope, that have been revoked for one of the revocation reasons covered by the CRL scope". Some CAs do include expired certs in their CRLs. Some countries, like Italy, even have laws that mandate that national CAs include expired certs in their CRLs. But this contradicts the standard (RFC 5280). Acrobat behaves in this regard according to the standards, not according to what some CAs may or may not do, and does not even attempt to check revocation for expired certs. This behavior is consistent with the standards and is not a bug.

                    AFAIK  T-REC-X.509-201210 is a proposal which has not yet reached approved standards status. When it does Acrobat may consider to support it. I doubt it will be done in Acrobat versions prior to Acrobat DC.

                    • 7. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                      IsakTen Level 4

                      Acrobat does support the Archive Cutoff extension in the OCSP Response. If I recall correctly there are preferences that control its use. I do not remember the specifics.

                      • 8. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                        ar12617569 Level 1

                        Why "But this contradicts the standard (RFC 5280)" ?


                        RFC5280 says that a CRL lists all unexpired (revoked) certs, that's a definition, but the RFC doesn't forbid the CRLs to contain the expired (revoked) certs.


                        In July 2010, the Italian Government (via its agency DigitPA) asked the CAs to populate the extension ExpiredCertsOnCRL.


                        I do not believe that DigitPA (currently AgID) asked something against the standards, but I will ask them about these problems we have on Acrobat in verifying expired-revoked certs.

                        • 9. Re: Adobe Reader X doesn't even try to validate expired user certificate used in digital signature
                          m.prajwal Level 1

                          Hi,

                           

                          Can anyone suggest how to validate such signatures with expired certificates apart from Adobe Reader?