Signing a PDF in Adobe Acrobat on macOS using the brand new driver for D-TRUST 4.1 Std. Card only works once.  #3030

@gh47110815

Problem Description

Also see: #2943 (comment)

Using the latest master commit ...
OpenSC-, rev: ccdb3cc, commit-time: 2024-02-13 14:05:22 +0100
... it is possible to sign a PDF document on macOS (14.3.1) using Adobe's Acrobat Pro (23.8.20470.0) with a REINER SCT cyberJack RFID komfort card reader and a D-TRUST 4.1 Std. Card
BUT
without restarting Acrobat it is not possible to sign a second time.
Typically a PKCS#11 error 0x101 is shown (pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN).

Proposed Resolution

Seems that the issue is based on PIN Caching

Steps to reproduce

I have been asked to document 4 different step-by-step-use-cases ...
... seems that beginning with step 4) the system was very "unstable". It was nearly impossible to really track the situation ;-( ....

  1. Close Adobe between the signing operations, but keep the card inserted into the reader
     • open acrobat
     • signing 1 ok
     • close acrobat - open acrobat
     • signing 2 ok
     • close acrobat
  2. Close Adobe between the signing operations and remove the card from the reader and reinsert it
     • open acrobat
     • signing 1 ok
     • close adobe - remove card - insert card - open acrobat
     • signing 2 ok
     • close acrobat
  3. Keep Adobe open between the signing operations, but remove the card from the reader and reinsert it
     • open acrobat
     • signing 1 ok
     • remove card - insert card - same document
     • signing 2 - failed - PKCS#11 Fehler, Fehlercode: 0x5
     • close acrobat
  4. Keep Adobe open between the signing operations and keep the card inserted as well
     • open acrobat
     • signing 1 - D-Trust ID not available for signing
     • close acrobat
     • open acrobat
     • signing 1 - ok
     • signing 2 - failed - PKCS#11 Fehler, Fehlercode: 0101
     • remove card - insert card
     • signing 3 - D-Trust ID not available (only T-TRUST Limited Basic CA) - signing with this ID does not respond
     • close acrobat
     • open acrobat
     • signing 4 - No D-Trust ID available
     • close acrobat - remove card - open acrobat - insert card
     • signing 5, 6, 7, 8 with "Limited Basic" ok
     • signing 9 with "" - failed - Fehlercode: 0x101
     • close acrobat, remove card, insert card, open acrobat
     • signing 10 - No D-Trust ID available
     • remove card, insert card, refresh IDs "Wähle eine digitale ID aus, die Du zum signieren verwenden möchtest -> Aktualisieren"
     • No D-Trust ID available
     • close acrobat, remove card, disconnect card-reader, connect card-reader, insert card, open acrobat
     • signing not possible - no D-TRUST ID available
     • Setup Acrobat - detach module, attach module, refresh IDs -> no D-TRUST ID
     • Close Acrobat, remove card, disconnect card reader, connect card reader, insert card, open acrobat
     • signing - no D-Trust ID available
     • close all apps, remove card, reboot mac, insert card, open acrobat
     • signing 1 - ok
     • signing 2 (new document) - failed ErrorCode: 0x101

--> my personal workaround for currently satisfying success with signing exactly ONE PDF:

  • Connect card-reader, (optional) Reboot Mac, insert card, open acrobat and Sign ONE PDF - YEAH!
  • Then try closing, opening acrobat, sign document, close, open, sign, close, open, sign .... until system gets unstable
  • Reboot and try again

Logs

Successfully signed ....

    9086 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
    9092 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
    9225 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result 384.
    9228 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK

Signing fails ...

    17800 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
    17806 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
    17913 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs15-sec.c:169:use_key: returning with: -1211 (Security status not satisfied)
    17918 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result -1211.
    17922 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN

P.S.:

I also tried different settings in opensc.conf like

    framework pkcs15 {
            use_pin_caching = false;
            pin_cache_counter = 1;
    }

    # Parameters for the OpenSC PKCS11 module
    app opensc-pkcs11 {
            pkcs11 {
                    lock_login = true;
                    atomic = true;
            }
    }

.... but also without success.
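A log-triage helper for the excerpts in this report, added here as an example (it is not part of the original report or of OpenSC): it groups opensc-pkcs11 debug lines into signing attempts and pairs each final `C_Sign()` result with the internal card error logged before it. The function names `sign_attempts` and `failed` are hypothetical; the sample lines are copied from the two excerpts above.

```python
import re

# Line layout as shown in this report; the leading log line number is optional.
LINE = re.compile(
    r"^(?:\d+\s+)?P:(?P<pid>\d+); T:(?P<tid>0x[0-9a-fA-F]+) (?P<time>[\d:.]+) "
    r"\[(?P<ctx>[^\]]+)\] (?P<file>[\w.-]+):(?P<line>\d+):(?P<func>\w+): (?P<msg>.*)$"
)
INTERNAL_ERR = re.compile(r"returning with: (-\d+) \((.+)\)")

# Sample input: lines copied from the log excerpts in this report.
SAMPLE = """\
9086 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
9092 P:2912; T:0x140704450545600 21:57:14.835 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
9225 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result 384.
9228 P:2912; T:0x140704450545600 21:57:15.579 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
17800 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:697:C_SignInit: C_SignInit() = CKR_OK
17806 P:2912; T:0x140704450545600 21:58:49.750 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_OK
17913 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs15-sec.c:169:use_key: returning with: -1211 (Security status not satisfied)
17918 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] framework-pkcs15.c:4438:pkcs15_prkey_sign: Sign complete. Result -1211.
17922 P:2912; T:0x140704450545600 21:58:49.776 [opensc-pkcs11] pkcs11-object.c:745:C_Sign: C_Sign() = CKR_USER_NOT_LOGGED_IN
"""

def sign_attempts(lines):
    """Group log lines into signing attempts: one per C_SignInit, per thread."""
    open_by_thread, attempts = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an opensc-pkcs11 debug line in the expected layout
        key = (m["pid"], m["tid"])
        if m["func"] == "C_SignInit":
            cur = {"start": m["time"], "result": None, "card_errors": []}
            open_by_thread[key] = cur
            attempts.append(cur)
            continue
        cur = open_by_thread.get(key)
        if cur is None:
            continue  # activity before the first C_SignInit on this thread
        err = INTERNAL_ERR.search(m["msg"])
        if err:
            cur["card_errors"].append((int(err[1]), err[2], f'{m["file"]}:{m["func"]}'))
        elif m["func"] == "C_Sign" and "C_Sign() = " in m["msg"]:
            # C_Sign is logged more than once per call; the last value is final.
            cur["result"] = m["msg"].split("= ", 1)[1]
    return attempts

def failed(attempts):
    return [a for a in attempts if a["result"] != "CKR_OK"]
print(failed(sign_attempts(SAMPLE.splitlines())))
```

Run over a full debug log, the `start` timestamps of failed attempts can be lined up against the card removal and application restart steps listed above.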
