Bug 459173 - Cannot use USB smartcard to sign document
Status: REPORTED
Alias: None
Product: okular
Classification: Applications
Component: PDF backend
Version: 23.08.5
Platform: Kubuntu Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Okular developers
Reported: 2022-09-15 17:10 UTC by Syiad
Modified: 2024-05-21 16:00 UTC

Description Syiad 2022-09-15 17:10:02 UTC
SUMMARY
***
I have a USB smartcard with my credentials, which I'd like to use to sign pdf files. However, okular keeps asking for the password in an infinite loop, without actually applying a signature.
***


STEPS TO REPRODUCE
1. Open document, select 'digitally sign' and draw a rectangle for the signature.
2. Select the certificate (1 of 2) on the smartcard.
3. Enter password -> enter password -> enter password -> ... 

OBSERVED RESULT
okular needs to be killed to get out of the infinite password prompts.

EXPECTED RESULT
The signature is applied in the drawn rectangle after the password has been entered.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Kubuntu 22.04
KDE Plasma Version: 5.25.5
KDE Frameworks Version: 5.98.0
Qt Version: 5.13.3

ADDITIONAL INFORMATION
Digital signing works OK with a soft certificate (p12 or pfx) imported into the Mozilla certificate store. However, it does not work with the (Gemalto) smartcard, which is also imported into the Mozilla certificate store. The smartcard is using the module /usr/lib/libeTPkcs11.so. Firefox can use the certificate for identification purposes.
Comment 1 George Diamantopoulos 2023-07-11 23:01:42 UTC
Hello,

I seem to be facing a similar issue if not the same. Everything works in the same way the OP described, until after the signature rectangle has been drawn. There, instead of being asked for the signature PIN, the okular window enters a "not responding" state and no popup seems to be produced.

I'm also using NSS from firefox, with Thales (Gemalto) Safenet 5110 CC with Safenet Authentication Client 10.8 R1 (10.8.1050.0). Similarly, it seems to work OK with firefox.

This behaviour is observed under Wayland, I'll try with X11 later and report the result on X11 as well. Thanks!
Comment 2 George Diamantopoulos 2023-07-11 23:47:50 UTC
I can confirm this also happens under X11. Versions:
* KDE Frameworks Version 5.108.0
* plasma-desktop-5.27.6
* okular-23.04.3
* Qt Version 5.15.10 (built against 5.15.10)
* wayland-1.22.0
* xorg-server-21.1.8
* poppler-23.07.0
Comment 3 Robert Riemann 2023-08-13 21:20:15 UTC
I am on Okular Version 23.04.3 (opensuse Tumbleweed with wayland). For me, signing with my Belgium ID card in the smart card reader works.

1) I select digitally sign and draw a box
2) I choose the signing cert (in a dropbox with also an authorisation cert)
3) I enter the PIN
4) I get asked for a document password and click ok without providing a password
5) I get a file save dialogue and pick a filename
6) I enter the PIN a second time
7) the new signed document is open in Okular with a signature stamp and electronic signature attached to the original PDF.

In my firefox default profile pkcs11.txt, I have at the end:

library=libbeidpkcs11.so.0
name=Belgium eID PKCS#11 module
NSS=slotParams={0x00000000=[slotFlags=PublicCerts ] }

So with this shared library, it seems to work, even though the PIN has to be entered twice and a document password as well for no obvious reason.
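
A small parser for the pkcs11.txt stanza format quoted in the comment above, for checking which third-party PKCS#11 modules an NSS profile has registered and with which slot flags. This is an added example, not part of the original comment and not code from Okular, poppler or NSS; the first stanza of the sample, its configdir path and all function names are constructed for illustration.

```python
import re

# Constructed sample: a built-in NSS stanza (made-up configdir) followed by
# the Belgium eID stanza quoted in the comment above.
SAMPLE_PKCS11_TXT = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/home/user/.mozilla/firefox/example.default' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[ECC,RSA,DSA] askpw=any timeout=30})

library=libbeidpkcs11.so.0
name=Belgium eID PKCS#11 module
NSS=slotParams={0x00000000=[slotFlags=PublicCerts ] }
"""

def parse_modules(text):
    """Split pkcs11.txt into blank-line separated stanzas of key=value lines."""
    modules = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in stanza.splitlines():
            # Only the first '=' separates key and value; values contain more.
            key, sep, value = line.partition("=")
            if sep:
                entry[key.strip()] = value.strip()
        if entry:
            modules.append(entry)
    return modules

def slot_flags(nss_value):
    """Return {slot_id: [flags]} from the slotParams part of an NSS= value."""
    flags = {}
    # Accepts both "1={slotFlags=[A,B] ...}" and "0x0=[slotFlags=A ]" spellings.
    pattern = r"(0x[0-9a-fA-F]+|\d+)=[\[{]\s*slotFlags=\[?([^\]\s}]*)"
    for slot, raw in re.findall(pattern, nss_value):
        flags[int(slot, 0)] = [f for f in raw.split(",") if f]
    return flags

def external_modules(text):
    """Third-party PKCS#11 modules: stanzas with a non-empty library= path."""
    return [
        {"name": m.get("name", ""), "library": m["library"],
         "slot_flags": slot_flags(m.get("NSS", ""))}
        for m in parse_modules(text) if m.get("library")
    ]

if __name__ == "__main__":
    for mod in external_modules(SAMPLE_PKCS11_TXT):
        print(mod)
```
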
Comment 4 Sune Vuorela 2023-08-14 07:27:35 UTC
(In reply to Robert Riemann from comment #3)
> So with this shared library, it seems to work, even though the PIN has to be
> entered twice and a document password as well for no obvious reason.

What version of poppler (The underlying pdf library) are you using ?

The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.
Comment 5 Robert Riemann 2023-08-14 09:05:52 UTC
> What version of poppler (The underlying pdf library) are you using ?
> 
> The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.

I am using Poppler 23.06.0 with PDF Backend 0.6.5. Do you have a link on the poppler bug report? If it is already merged in 23.06.0 I may reopen it.
Comment 6 Sune Vuorela 2023-08-14 09:29:44 UTC
(In reply to Robert Riemann from comment #5)
> > What version of poppler (The underlying pdf library) are you using ?
> > 
> > The double-pin should be fixed I think, by poppler 23.04, maybe 23.05.
> 
> I am using Poppler 23.06.0 with PDF Backend 0.6.5. Do you have a link on the
> poppler bug report? If it is already merged in 23.06.0 I may reopen it.

There is no bug report on it. I noticed it while doing other stuff.
https://gitlab.freedesktop.org/poppler/poppler/-/merge_requests/1339 is the merge request.
Comment 7 Syiad 2024-03-13 09:15:12 UTC
Still the case with
 - okular 23.08.5
 - KDE framework 5.115.0
 - Qt 5.15.12
 - libpoppler-qt5-1 24.02.0

Could this be caused by the fact that the smart card holds *two* certificates? One is for "Digital Signature, Key Encipherment", the other one for "Non-Repudiation". They are both listed as options to choose from for signature, but then okular goes into the infinite loop of asking for the password again and again.
Thunderbird also has an issue with the certificates on the smart card. It recognises only one for "Non-Repudiation" as useable for signing e-mails, claiming that there is none suitable for encryption.
Comment 8 Syiad 2024-05-21 16:00:49 UTC
It seems to be caused by the fact that there are two certificates on the card. Signing documents with okular suddenly worked as advertised, after I accidentally had deleted the one for "Non-repudiation". It's now been restored by the issuer of the card and signing is not possible anymore with okular; it goes into the endless loop of password requests.