This isn't a problem (from a security perspective, obviously), I'm just trying to understand what is going on here. I have a US government CAC/smart-card with certificates and private keys for encryption/signatures, and my X.509 certificate clearly specifies SHA1 with RSA as the hash/signature algorithm that it supports. This is confirmed by some specifications from the card manufacturer. But when I apply a signature to a PDF using my card in Acrobat Reader DC, I don't see a "using SHA1 warning," and when I examine the signature with "signature properties," "advanced properties," it shows me that the hash algorithm used was SHA256. How is that possible? Is the hash just being computed by the Adobe software instead of on my card? If that's the case, why does it matter which algorithm is supported or implemented by the card? Why was Adobe software displaying the "SHA1 warning" to users just a few months ago?
Clik here to view.
