Fedict / eid-mw

eID Middleware (main repository)
GNU Lesser General Public License v3.0
198 stars 79 forks

Question - Acrobat Reader : unsupported algorithm #172

Closed kmillet closed 1 year ago

kmillet commented 2 years ago

While trying to use the eid middleware on Mac (Big Sur) I experience the same issue as described on https://community.adobe.com/t5/acrobat-reader-discussions/niet-ondersteund-algoritme-unsupported-algoritme/m-p/12635530. The adobe support team on that forum points to the issuing authority of the signature profile.

I wonder now what is causing this issue? Based on that forum, it seems to work on Windows by just not using the pkcs#11 module. However, in Mac there doesn't seem to be another option. Any ideas on how to solve it?

MatthiasValvekens commented 2 years ago

Possibly Acrobat doesn't support ECDSA signing using generic PKCS#11 modules. I know they support validation (for NIST curves, at least), but I never bothered to test signing.

If you're not afraid of some CLI and/or Python experimentation, you could try signing with this tool of mine. I never tested ECDSA with eID cards (mine is still an old one), but a couple months ago I did do some testing with ECDSA against a YubiKey over PKCS#11, and that worked fine. If you can sign using pyHanko then the problem is almost certainly on Acrobat's end.

Maybe I should try using my YubiKey to produce some ECDSA signatures in Acrobat at some point...
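The experiment suggested above (sign a PDF through the eID PKCS#11 module with pyHanko to see whether ECDSA signing works outside Acrobat), written out as an added example that is not code from this thread or from the eid-mw project. It assumes pyHanko's documented `beid` module API and an A4 page; the library path is a placeholder you must set to your own installation.

```python
"""Sign a PDF with a Belgian eID over PKCS#11 using pyHanko, and report
which key algorithm the card's signature certificate uses (RSA on older
cards, EC on newer ones). Example code, not part of eid-mw or pyHanko."""

# Placeholder: set this to the eid-mw PKCS#11 library of your install.
PKCS11_LIB = "/path/to/libbeidpkcs11.dylib"

# A4 in PDF user-space points (assumption; read the page's MediaBox if unsure).
A4 = (595, 842)


def signature_box(page_w, page_h, box_w=200, box_h=60, margin=36):
    """Put the visible signature box in the lower-right page corner.
    Returns (x1, y1, x2, y2) in points, origin at the bottom-left, so no
    manual coordinate hunting in a PDF viewer is needed."""
    x1 = page_w - margin - box_w
    y1 = margin
    return (x1, y1, x1 + box_w, y1 + box_h)


def sign_with_eid(in_path, out_path, lib_path=PKCS11_LIB,
                  field_name="Signature1", page=0, page_size=A4):
    """Create a new signature field and sign it with the eID's
    non-repudiation (signature) certificate. Requires a card reader,
    the card, pyHanko and its PKCS#11 extra; returns the key algorithm."""
    # Imported here so signature_box() stays usable without pyHanko.
    from pyhanko.pdf_utils.incremental_writer import IncrementalPdfFileWriter
    from pyhanko.sign import beid, signers
    from pyhanko.sign.fields import SigFieldSpec

    spec = SigFieldSpec(sig_field_name=field_name, on_page=page,
                        box=signature_box(*page_size))
    meta = signers.PdfSignatureMetadata(field_name=field_name)

    session = beid.open_beid_session(lib_path)  # prompts for the PIN
    with session:
        signer = beid.BEIDSigner(session, use_auth_cert=False)
        # 'rsa' on older cards, 'ec' on newer ones: the latter is the case
        # Acrobat apparently rejects when going through generic PKCS#11.
        key_alg = signer.signing_cert.public_key.algorithm
        with open(in_path, "rb") as inf, open(out_path, "wb") as outf:
            w = IncrementalPdfFileWriter(inf)
            pdf_signer = signers.PdfSigner(meta, signer=signer,
                                           new_field_spec=spec)
            pdf_signer.sign_pdf(w, output=outf)
    return key_alg


if __name__ == "__main__":
    print("signing key algorithm:", sign_with_eid("input.pdf", "signed.pdf"))
```

If the output file validates (e.g. with `pyhanko sign validate`) but Acrobat still refuses to sign through the same module, the problem sits on Acrobat's side rather than in the middleware.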

kmillet commented 2 years ago

@MatthiasValvekens thanks a lot for the info. I tried with your tool and it works with my eID card. (Just finding the correct coordinates for the signature field was a bit cumbersome; probably there is a more efficient way than using Skim.) So, this probably confirms your idea that Acrobat is not supporting ECDSA signing using generic PKCS#11 modules. I guess it would be better that the Belgian government puts in their FAQ that currently signing in Acrobat on Mac only works for older eID cards?

MatthiasValvekens commented 2 years ago

Yeah, Adobe has historically been pretty slow about adopting new cryptographic standards. You could try raising an issue on their UserVoice platform, but be aware that it's mostly a black hole.

There's an extension to the PDF spec in the final stages of the ISO process that clarifies some things related to ECDSA support (among other things). Hopefully that'll give a boost to adoption to the point that Adobe actually starts caring, but who knows...

Anyway, I think we've established that the problem is not in the middleware. That's already something :).

Frederikus commented 2 years ago

Does the solution/workaround that is presented in your link https://community.adobe.com/t5/acrobat-reader-discussions/niet-ondersteund-algoritme-unsupported-algoritme/m-p/12635530 work for you? Basically it means removing the link to the pkcs#11 module from within Acrobat. Then you are sure that Acrobat will use the BEIDToken to access the eID card and not go via pkcs#11.

kmillet commented 2 years ago

I am using a Mac. If I don't use the pkcs#11 module, my certificates are just not visible in Acrobat. I can imagine that in Windows that works. However I don't have Windows anywhere installed on my personal devices at the moment.

Frederikus commented 2 years ago

That solution is specifically for macOS. In the past, Acrobat didn't work with the Apple frameworks to communicate with the eID card, but the current Acrobat versions do. All that needs to be done is that the BEIDToken.app (in the Applications folder) is launched once (this should happen during the installation of the middleware).

kmillet commented 2 years ago

I also tried that yesterday, but it just doesn't work (even if the BEIDToken app says that configuration is completed). Maybe it only works with specific eID readers? I use Acrobat v 2022.001.20141 (on macOS 11.2.1, M1 processor) and no card reader or certificates are found when not configuring pkcs#11. I always get the following message if I don't enable the pkcs#11 module:

Adobe Acrobat kan geen nieuwe digitale id's vinden. Als uw digitale id zich op een hardware-token bevindt, moet u ervoor zorgen dat deze is aangesloten en dat de tokeninterface correct is geconfigureerd. Neem contact op met de systeembeheerder voor ondersteuning.

Also in the FAQ on https://eid.belgium.be/en/digital-signatures#7604 I only see the option to use the pkcs#11 module described for Mac.

Frederikus commented 2 years ago

It should work with any CCID card reader. I just retested here on a Mac mini, M1, and signing goes fine. When you open Apple's "System Information" app (in /Applications/Utilities), do you see your card's certificates? (in Software -> Smart Cards) They should be shown in a keychain named "be.fedict.BEIDTokenApp.BEIDToken,....."

If they are there, then the eID middleware is operational and the certificates are present. (note that they are no longer visible under Keychain Access since Apple introduced the CTK framework).

I'm informed that you already checked with the service desk, could you post your findings there, then we'll continue there?

Frederikus commented 1 year ago

closing this, should anyone have further info or a similar issue, feel free to re-open