Extremely slow verification of digital signatures on MAC
When Acrobat tries to verify digital signatures, it checks validity of all certificates included in the signed .pdf document. During this operation, it consults well-known Root CA authorities, locally trusted certificates, but also fetches all certificates from PKCS#11 Digital-ID token (if attached).
Since PKCS#11 Digital-ID tokens might be very slow, fetching certificates from it multiple times during each signature verification takes excessive amounts of time. No caching seems to be used in Acrobat: if the .pdf document contains 6 certificates, all certificates from Digital-ID token are fetched 6 times and this process might take 2.5 minutes.
This is a bug - first of all, Digital-ID tokens hold personal certificates and not Root certificates, so validity of document received from other party could not be verified using my personal Digital-ID token. Fetching all certificates multiple times in a row from a slow device doesn't make much sense either.
PKCS#11 modules should not be queried for certificates by default - and if there's any specific use-case, users should have an option in "Signature Verification Preferences" to include/exclude PKCS#11 modules from the verification process.
Attached please find a log showing PKCS#11 operations initiated by Acrobat towards Digital-ID token during Digital Signing operation and consecutive verification of signature.
This problem doesn't happen on Windows version of Acrobat.
Marian Ďurkovič commented
For Slovak eID we now have a workaround, since eID application ver. 3.5 includes CryptoTokenKit support. When Acrobat/Reader is configured according to manual supplied with eID application to use CryptoTokenKit, caching is done there and the signing process completes in a few seconds.
This however doesn't help with any Digital-ID tokens which don't support CryptoTokenKit.
Boris Sebosik commented
This is still an open issue, Mac OS 11.2.1, Acrobat Reader 2021.001.20145, build 21.1.20145.425325
Marian Ďurkovič commented
we've just recently started using Digital Signature functionality at our University.
We tested multiple versions of Acrobat and Acrobat Reader DC. The problem is still present even in the latest version of Acrobat Reader DC: 2020.006.20034.
We tested on both MAC OS 10.13.6 and 10.14.6 - same problem everywhere.
Thanks & kind regards,
Adminabsethi (Admin, Adobe) commented
Has this started happening recently for you.
What is the version of Acrobat you are using. Also could please share the version of Mac OS you are using.