ZXPSignCmd PKCS#11 support #550

@Alexey-I

There were numerous queries on Adobe forums. The problem is big, it deserves a ticket.

The issue is two-fold.

The main problem is that ZXPSignCmd requires a .p12 file to sign the extension. It's not just another container format: the .p12 file contains a key along with the signing certificate. The key is mandatory; without it you can't sign. Certificate Authorities (CAs) don't seem to export signing keys anymore.

For this reason: https://knowledge.digicert.com/alerts/code-signing-changes-in-2023

What CAs offer in return is signing with an HSM (Hardware Security Module) or with cloud solutions. Both these approaches have one thing in common: signing happens externally. The application uses a pkcs11 library call to sign. The library call returns the signature. The actual signing happens in a hardware module or on the CA's signing server. The application never sees the key. There is no such operation mode in ZXPSignCmd. When the last old-fashioned .p12 key expires out there, it won't be able to sign with paid certificates any more. And many are already affected, hence the forum questions.

The second layer of this problem is that if you have a look at the META-INF/signatures.xml file, you can see that the <SignedInfo> section advertises and requires <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>.

That's SHA-1. Everything else: file digests, SignedInfo DigestValue, EncapsulatedTimeStamp are SHA-256. But this one is still SHA-1. For compatibility issues maybe. The gist of this problem is that when PKCS#11 support is added, ZXPSignCmd won't be able to produce such a signature, as the Certificate Authority server won't allow that. DigiCert won't, at the very least. This is what their support says about this:

Thank you for reaching out. Based on the information provided, it is correct that SHA-1 is not permitted for signing with KeyLocker. DigiCert has updated its private key storage requirements and no longer supports SHA-1 due to security concerns.

For the sake of complete clarity: changes introduced in #541 do not add complete SHA2 support.

The XML document is signed in a complicated way. It is not signed whole but in sections. First, a section is created which lists file hashes (SHA-256). Next, the canonicalised string of this section is hashed (SHA-256) and inserted into the <SignedInfo> section. And this section is signed with http://www.w3.org/2000/09/xmldsig#rsa-sha1, which is SHA-1. And a problem.

EncapsulatedTimeStamp is added last. #541 is solely about this operation's issues. It doesn't cover anything else.

I'll be glad to provide more details if required. Thank you!
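
Added example, not part of the original issue and not ZXPSignCmd code: a small audit that lists the algorithm URIs in an XML Signature document and flags any that are SHA-1 based, which reproduces the mismatch described above (SHA-256 digests under an rsa-sha1 SignatureMethod). The sample document, its `Id` and its digest values are constructed placeholders, and the layout of a real `META-INF/signatures.xml` is assumed to follow standard XMLDSig element names.

```python
import xml.etree.ElementTree as ET  # stdlib; use a hardened parser (e.g. defusedxml) for untrusted packages

DS = "{http://www.w3.org/2000/09/xmldsig#}"
SHA1_URIS = {  # W3C XML Signature algorithm identifiers built on SHA-1
    "http://www.w3.org/2000/09/xmldsig#sha1",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#hmac-sha1",
}
SHA256 = "http://www.w3.org/2001/04/xmlenc#sha256"

# Constructed sample: layout, Id and digest values are placeholders, not a real ZXP signature.
SAMPLE = f"""<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
  <SignedInfo>
    <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315"/>
    <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    <Reference URI="#files"><DigestMethod Algorithm="{SHA256}"/><DigestValue>AAAA</DigestValue></Reference>
  </SignedInfo>
  <Object Id="files"><Manifest>
    <Reference URI="index.html"><DigestMethod Algorithm="{SHA256}"/><DigestValue>BBBB</DigestValue></Reference>
  </Manifest></Object>
</Signature>"""

def audit_algorithms(xml_text):
    """Return (SignatureMethod URI, list of DigestMethod URIs, SHA-1 findings)."""
    sig_method, digests, findings = None, [], []
    for el in ET.fromstring(xml_text).iter():
        alg = el.get("Algorithm")
        if alg is None:
            continue
        if el.tag == DS + "SignatureMethod":
            sig_method = alg
        elif el.tag == DS + "DigestMethod":
            digests.append(alg)
        if alg in SHA1_URIS:
            # Record the local element name and the offending URI.
            findings.append((el.tag.split("}")[-1], alg))
    return sig_method, digests, findings

if __name__ == "__main__":
    sig, digests, findings = audit_algorithms(SAMPLE)
    print("SignatureMethod:", sig)
    print("DigestMethods:", sorted(set(digests)))
    for tag, alg in findings:
        print("SHA-1 in use:", tag, alg)
```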
