Thursday, February 2, 2017

More on eSignature verification in Adobe Readers

This post continues an earlier post on Validation of Indian Digital Signatures in the Acrobat PDF reader.

In an earlier post, we discussed including the Root certificate of the Govt of India as a Trusted Certificate. In this post we will talk about another issue concerning Digital Signatures in India.

Aadhaar-based eSignatures are created using a one-time Digital Signing Certificate issued by the competent issuing authority under the Govt of India. Not only is this Digital Signing Certificate for one-time use, but its signing validity is restricted to 30 minutes. This means that the document has to be signed within 30 minutes of the issuance of this certificate. (NOTE: Once signed, the signature is valid forever. Only the signing process has to be completed within 30 minutes.)

For applications where Aadhaar-based signatures are used, the above works very well. When the signed documents are opened in Adobe PDF readers or Acrobat DC, users see the usual blue band at the top with a green tick that says that the signature is valid.

=======

Some users have recently reported that when they open an Aadhaar eSigned file, they do not see the green tick, but a yellow icon as below...



Question: Why does the signature validate correctly in certain readers, and not in others?


To understand this, we dig a bit deeper and find that the signature doesn't verify because Adobe Reader does not have access to the CRL files for the corresponding certificates. (CRL = Certificate Revocation List.)





Clicking on the "Check revocation" button does not seem to help.

The reason for this is that Adobe Reader does not access the CRLs if the time on the user's computer is outside the Signing Interval. (This is particularly cumbersome for Aadhaar-type certificates whose signing interval is limited to only 30 mins!)

How then do you get a Signature Valid message with a Green Tick?

Here are two possible solutions:


Option 1) You can include the CRL files in the Adobe cache. Here is how you do that:

Download this zip file crl.zip, and copy its contents (4 files) to the following folder:

On Windows 8 & Above:
 C:\Users\<loginusername>\AppData\Roaming\Adobe\Acrobat\DC\Security\CRLCache

On Windows 7.x & Below:
 C:\Documents And Settings\Adobe\Acrobat\DC\Security\CRLCache

OR

Option 2) You can open one Aadhaar eSigned file within a few minutes of it being signed. Then you will be OK even if you open other files after a longer time 😲 (that's because when you open the first file, the Adobe reader fetches the CRLs and also stores them in its cache).
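To see why both options work, here is a simplified model of the behaviour described above. It is an added example, not Adobe's code or anything from the original post; the issuer name, serial numbers, times and the `Reader`/`Cert` classes are constructed for illustration, and the model assumes a cached CRL is consulted regardless of the current time.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Cert:
    serial: int
    issuer: str
    not_before: datetime
    not_after: datetime  # eSign certificate: not_before + 30 minutes

@dataclass
class Reader:
    # Simplified model of the behaviour described in the post, not Adobe's logic.
    crl_cache: dict = field(default_factory=dict)  # issuer -> revoked serials

    def check(self, cert, now, online_crls):
        if cert.issuer not in self.crl_cache:
            # No cached CRL: a download is attempted only inside the window.
            if not (cert.not_before <= now <= cert.not_after):
                return "UNKNOWN"  # yellow icon
            self.crl_cache[cert.issuer] = set(online_crls[cert.issuer])
        revoked = cert.serial in self.crl_cache[cert.issuer]
        return "REVOKED" if revoked else "VALID"  # VALID = green tick

def make_cert(serial, issued):
    return Cert(serial, "Constructed eSign Sub-CA", issued, issued + timedelta(minutes=30))

def run_scenarios():
    t0 = datetime(2017, 2, 2, 10, 0)  # constructed issuance time
    online = {"Constructed eSign Sub-CA": {999}}  # constructed CRL: serial 999 revoked
    a, b, bad = make_cert(1, t0), make_cert(2, t0 - timedelta(days=1)), make_cert(999, t0)
    later = t0 + timedelta(hours=3)
    out = {}
    out["fresh_reader_late"] = Reader().check(a, later, online)
    r = Reader()  # Option 2: first file opened 5 minutes after signing
    out["opt2_first_file"] = r.check(a, t0 + timedelta(minutes=5), online)
    out["opt2_older_file_later"] = r.check(b, later, online)
    seeded = Reader(crl_cache={"Constructed eSign Sub-CA": {999}})  # Option 1
    out["opt1_seeded_late"] = seeded.check(a, later, online)
    out["opt1_seeded_revoked"] = seeded.check(bad, later, online)
    return out

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The last scenario shows that a populated cache is not a bypass: a serial listed in the cached CRL is still reported as revoked.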





