Bug 499158

Created attachment 177694 [details]
NSS database with two similar certificates

When Okular's PDF backend is configured to use signing certificates from an NSS database, it fails to find certain certificates after they are added to the database.  In my case, I was successfully using Okular to sign documents with a certain certificate from the database, but that certificate eventually expired and so I renewed it (by copying the original certificate, applying a new validity date and serial number, and importing it into the NSS database).  Okular's "Configure Backends" dialog still shows only the old, expired certificate in the "Available Certificates" list, whereas other applications that use the same NSS database (e.g., the Chromium browser or the command-line certutil tool) can see both the old, expired certificate and the renewed one.

Attached is an NSS database showing the problem.  It contains two certificates named Foo, one of them with a validity of 2024-12-01 to 2024-12-31, and another one with a validity of 2025-01-01 to 2025-01-31.  When Okular is configured to use this database, it displays only the old, expired certificate.


STEPS TO REPRODUCE
1. Unpack the attached NSS database somewhere in your file system.  (This database has no password; if any application prompts you for one, just press enter.)
2. In Okular, go to Settings -> Configure Backends… -> PDF -> Certificate Database -> Custom and specify the path to the NSS database.
3. Restart Okular.
4. In Okular, go to Settings -> Configure Backends… -> PDF

OBSERVED RESULT
5. "Available Certificates" shows only one certificate, which expired on 2024-12-31.

EXPECTED RESULT
5. "Available Certificates" should show two certificates, one which expired on 2024-12-31 and one which expires on 2025-01-31.

SOFTWARE/OS VERSIONS
KDE Plasma Version: 6.2.5
KDE Frameworks Version:  6.9.0
Qt Version: 6.8.1

ADDITIONAL INFORMATION