When signing, only authenticate to required tokens (!1313) · Merge requests · poppler / poppler

Tobias Deiminger requested to merge haxtibal/poppler:bugfix/multitokenauth into master Jan 03, 2023

This is a proposal to fix #1330. The strategy is to change SignatureHandler::getAvailableSigningCertificates to optionally narrow certificate search with nickname as hint, and to authenticate only where needed.

PK11_FindCertsFromNickname handles all cases fine:

narrowed search using a nickname or PKCS#11 URI as used by pdfsig
search all available certs as used by QT frontends, by using a hardcoded "pkcs11:type=cert" URI (supported since NSS 3.39, we require NSS >= 3.49 anyways)
implicitly calls PK11_Authenticate when needed

We can now call pdfsig -add-signature -nick 'sc0:mycert1' -nss-pwd 'externalpw' -nssdir 'sql:/tmp/nssdb/' doc.pdf doc_signed.pdf, and it works.

Benefit for Qt frontends: Prior to this MR, users had to answer two password dialogs, one for NSS Cert DB and one for smart card, even if NSS Cert DB was empty. Now the empty NSS Cert DB is skipped and users have to answer only a single dialog.

When signing, only authenticate to required tokens

Merge request reports