When signing, only authenticate to required tokens
This is a proposal to fix #1330. The strategy is to change SignatureHandler::getAvailableSigningCertificates
to optionally narrow certificate search with nickname as hint, and to authenticate only where needed.
PK11_FindCertsFromNickname handles all cases fine:
- narrowed search using a nickname or PKCS#11 URI as used by pdfsig
- search all available certs as used by QT frontends, by using a hardcoded "pkcs11:type=cert" URI (supported since NSS 3.39, we require NSS >= 3.49 anyways)
- implicitly calls
PK11_Authenticate
when needed
We can now call pdfsig -add-signature -nick 'sc0:mycert1' -nss-pwd 'externalpw' -nssdir 'sql:/tmp/nssdb/' doc.pdf doc_signed.pdf
, and it works.
Benefit for Qt frontends: Prior to this MR, users had to answer two password dialogs, one for NSS Cert DB and one for smart card, even if NSS Cert DB was empty. Now the empty NSS Cert DB is skipped and users have to answer only a single dialog.