Didier Stevens

Monday 13 May 2013

Adobe Reader and CRLs

Filed under: Encryption,PDF — Didier Stevens @ 18:08

There’s something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF document?

When you open a signed PDF document with Adobe Reader, the signature gets checked automatically. If the signature is not OK, for example because it doesn’t chain up to a trusted root CA, revocations checks are not performed. In other words, the CRL is not downloaded:


But when I change the settings so that my root CA is trusted, the signature is considered valid and the CRL is retrieved. No warning is given to the user, it happens automatically and silently. Here is the log entry on my server: – – [26/Apr/2013:11:33:35 -0400] “GET /root.crl HTTP/1.1” 200 709 “-” “PPKHandler”

PPKHandler is the User Agent String.



The CRL file can’t be an empty file, and must be signed by the root CA, otherwise the signature is considered invalid.

So when you open a signed PDF document with Adobe Reader, the signature is automatically checked and the CRL is silently downloaded. This is done with a request to the webserver of the commercial CA which issued the certificate (crl.adobe.com, crl.geotrust.com, …). You can change automatic checking with Preferences / Signatures / Verification.

A quick check with Foxit Reader reveals it doesn’t check the signature automatically.

Blog at WordPress.com.