pdfsig can't login in presence of multiple tokens
To reproduce, we need a typical smart card setup:
- Init new NSS DB:
mkdir -p /tmp/nssdb && certutil -N -d /tmp/nssdb/
. Enter new password: "internalpw". - Add smart card reader to NSS via OpenSC:
modutil -add "OpenSC" -libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -dbdir sql:/tmp/nssdb/ -mechanisms SHA256
- Ensure pcscd is running and insert your smart card. Assume smart card PIN is "externalpw".
- Now NSS has a "NSS Certificate DB" token plus your smart card token (say "sc0") attached. Check them with
modutil -list -dbdir /tmp/nssdb/
. - Try to sign with a cert from your smart card:
pdfsig -add-signature -nick 'sc0:mycert1' -nss-pwd 'internalpw' -kpw 'externalpw' -nssdir 'sql:/tmp/nssdb/' doc.pdf doc_signed.pdf
pdfsig will fail with "Password was not accepted to open the NSS database.".
It's because prior to signing, SignatureHandler::getAvailableSigningCertificates
is called while a password callback is registered that provides "internalpw" (code comment says "We need to call this otherwise NSS spins forever"). The function actually iterates all available tokens. We have two, and so the password callback is invoked two times. The second call of the callback is wrongly interpreted as a retry of first token, and pdfsig errors out.
Even if we fixed the retry logic, getAvailableSigningCertificates
would still want a specific password per token, whereas the CLI provides only a global one.
MR with possible fix follows...
PS: Folks without crypto hardware can simulate it by adding a SoftHSMv2 module, instead of opensc-pkcs11.so
.