Problem with PKCS#7 signatures when using a Windows Digital ID (CSP)
We are writing to report a bug we have identified in Adobe Acrobat related to PKCS#7 digital signatures when signing without attaching the revocation status via CSP.
Issue Summary
When creating a PKCS#7 signature without adding the revocation status, the resulting signature is invalid.
Root Cause Analysis
After thorough investigation, we believe the issue originates in Adobe Acrobat's handling of the CSP calls. We logged that the function CPSetHashParam is called 63 times during the signing process, and an incorrect hash from the file is being passed. This results in an invalid signature being produced.
Workaround
We have identified that the issue does not occur when either of the following conditions is met:
- The default signature format is set to CAdES, or
- Adding the revocation status is enabled.
In both cases, CPSetHashParam is called only once, and the signature is produced correctly.
Steps to Reproduce
1. Configure Adobe Acrobat to use PKCS#7 as the default signature format.
2. Disable adding the revocation status.
3. Sign a document using a CSP-based certificate.
4. Observe that CPSetHashParam is invoked 63 times and the resulting signature is invalid.
Expected Behavior
CPSetHashParam should be called only once with the correct file hash, and the signature should be valid.
Environment
- Windows Adobe Acrobat (64-bit) 26.001.21563
- Signature format: PKCS#7
- Revocation status: not embedded
- Signing method: CSP (Cryptographic Service Provider)
We kindly ask you to investigate this issue and provide a fix or guidance at your earliest convenience. Please let us know if you require any additional logs or information.
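Added example, not part of the original report and not Adobe's code: one way to see whether the wrong hash ended up inside the PKCS#7 blob is to recompute the digest over the PDF's /ByteRange and compare it with the messageDigest attribute stored in /Contents. It assumes a single signature, SHA-256, and signed attributes with short-form DER lengths; `build_sample` is a constructed stand-in for a signed PDF, and the RSA signature value itself is not verified.

```python
import hashlib
import re

# DER encoding of the CMS messageDigest attribute OID 1.2.840.113549.1.9.4
MESSAGE_DIGEST_OID = bytes.fromhex("06092a864886f70d010904")
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_digest(pdf: bytes, algo: str = "sha256") -> bytes:
    """Hash the two ranges covered by the signature (everything but /Contents)."""
    a, b, c, d = map(int, BYTE_RANGE.search(pdf).groups())
    h = hashlib.new(algo)
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.digest()

def embedded_digest(pdf: bytes):
    """Return the messageDigest value stored in the /Contents CMS blob, or None."""
    a, b, c, _ = map(int, BYTE_RANGE.search(pdf).groups())
    cms = bytes.fromhex(pdf[a + b:c].strip(b"<> \r\n").decode("ascii"))
    i = cms.find(MESSAGE_DIGEST_OID)
    if i < 0:
        return None
    p = i + len(MESSAGE_DIGEST_OID)
    # Assumes short-form DER lengths: SET (0x31) len, OCTET STRING (0x04) len, value
    if cms[p] != 0x31 or cms[p + 2] != 0x04:
        return None
    return cms[p + 4:p + 4 + cms[p + 3]]

def check(pdf: bytes) -> str:
    stored = embedded_digest(pdf)
    if stored is None:
        return "no messageDigest attribute found"
    return "digest matches" if stored == signed_digest(pdf) else "digest MISMATCH"

def build_sample(wrong_hash: bool = False) -> bytes:
    """Constructed stand-in for a signed PDF; the CMS fragment is not a full SignedData."""
    tmpl = b"%%PDF-1.7\n1 0 obj\n<< /ByteRange [%010d %010d %010d %010d] /Contents "
    tail = b" >>\nendobj\n%%EOF\n"
    gap = 2 + 2 * (len(MESSAGE_DIGEST_OID) + 4 + 32)  # "<" + hex + ">"
    n = len(tmpl % (0, 0, 0, 0))
    head = tmpl % (0, n, n + gap, len(tail))
    digest = hashlib.sha256(b"unrelated" if wrong_hash else head + tail).digest()
    cms = MESSAGE_DIGEST_OID + b"\x31\x22\x04\x20" + digest
    return head + b"<" + cms.hex().encode() + b">" + tail

if __name__ == "__main__":
    print(check(build_sample()), "/", check(build_sample(wrong_hash=True)))
```

A match here with a signature that still fails validation points at the value handed to the CSP for signing rather than at the digest recorded in the signed attributes.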