Skip to content
← Acrobat for Windows and Mac

Feature request / Bug report

Acrobat for Windows and Mac: Security & Digital signatures

Categories

JUMP TO ANOTHER FORUM

(thinking…)

Extremely slow verification of digital signatures on MAC

When Acrobat tries to verify digital signatures, it checks validity of all certificates included in the signed .pdf document. During this operation, it consults well-known Root CA authorities, locally trusted certificates, but also fetches all certificates from PKCS#11 Digital-ID token (if attached).

Since PKCS#11 Digital-ID tokens might be very slow, fetching certificates from it multiple times during each signature verification takes excessive amounts of time. No caching seems to be used in Acrobat: if the .pdf document contains 6 certificates, all certificates from Digital-ID token are fetched 6 times and this process might take 2.5 minutes.

This is a bug - first of all, Digital-ID tokens hold personal certificates and not Root certificates, so validity of document received from other party could not be verified using my personal Digital-ID token. Fetching all certificates multiple times in a row from a slow device doesn't make much sense either.

PKCS#11 modules should not be queried for certificates by default - and if there's any specific use-case, users should have an option in "Signature Verification Preferences" to include/exclude PKCS#11 modules from the verification process.

Attached please find a log showing PKCS#11 operations initiated by Acrobat towards Digital-ID token during Digital Signing operation and consecutive verification of signature.

This problem doesn't happen on Windows version of Acrobat.

4 votes

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We’ll send you updates on this idea

Marian Ďurkovič shared this idea  ·   ·  Report…  ·  Admin →
How important is this to you?

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close

We're glad you're here

Please sign in to leave feedback
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • Marian Ďurkovič commented  ·   ·  Report

    For Slovak eID we now have a workaround, since eID application ver. 3.5 includes CryptoTokenKit support. When Acrobat/Reader is configured according to manual supplied with eID application to use CryptoTokenKit, caching is done there and the signing process completes in a few seconds.

    This however doesn't help with any Digital-ID tokens which don't support CryptoTokenKit.

  • Boris Sebosik commented  ·   ·  Report

    This is still an open issue, Mac OS 11.2.1, Acrobat Reader 2021.001.20145, build 21.1.20145.425325

  • Marian Ďurkovič commented  ·   ·  Report

    Hi Abhinav,

    we've just recently started using Digital Signature functionality at our University.
    We tested multiple versions of Acrobat and Acrobat Reader DC. The problem is still present even in the latest version of Acrobat Reader DC: 2020.006.20034.

    We tested on both MAC OS 10.13.6 and 10.14.6 - same problem everywhere.

    Thanks & kind regards,
    Marian

  • Adminabsethi (Admin, Adobe) commented  ·   ·  Report

    Hi Marian,

    Has this started happening recently for you.
    What is the version of Acrobat you are using. Also could please share the version of Mac OS you are using.

    Thanks,
    Abhinav Sethi