Close #531: XCA cannot properly access a YubiHSM2

(login issues maybe) Extend token management dialog. If no key and certificate were found, offer to retry with PIN.
chris2511 · Mar 7, 2024 · 3457454 · 3457454
1 parent 1199d77
commit 3457454
Showing 1 changed file with 74 additions and 45 deletions.
diff --git a/widgets/MainWindow.cpp b/widgets/MainWindow.cpp
@@ -351,62 +351,91 @@ void MainWindow::manageToken()
 	pki_x509 *cert = NULL;
 	ImportMulti *dlgi = NULL;
 
+	enum logintype { none, userlogin, sologin } login = none;
+
 	if (!pkcs11::libraries.loaded())
 		return;
 
 	try {
 		if (!p11.selectToken(&slot, this))
 			return;
 
+		tkInfo ti(p11.tokenInfo(slot));
+
 		ImportMulti *dlgi = new ImportMulti(this);
 
-		dlgi->tokenInfo(slot);
-		QList<CK_OBJECT_HANDLE> objects;
-
-		QList<CK_MECHANISM_TYPE> ml = p11.mechanismList(slot);
-		if (ml.count() == 0)
-			ml << CKM_SHA1_RSA_PKCS;
-		pk11_attlist atts(pk11_attr_ulong(CKA_CLASS,
-				CKO_PUBLIC_KEY));
-
-		p11.startSession(slot);
-		p11.getRandom();
-		objects = p11.objectList(atts);
-
-		for (int j=0; j< objects.count(); j++) {
-			card = new pki_scard("");
-			try {
-				card->load_token(p11, objects[j]);
-				card->setMech_list(ml);
-				dlgi->addItem(card);
-			} catch (errorEx &err) {
-				XCA_ERROR(err);
-				delete card;
+		while (true) {
+			dlgi->tokenInfo(slot);
+			QList<CK_OBJECT_HANDLE> objects;
+
+			QList<CK_MECHANISM_TYPE> ml = p11.mechanismList(slot);
+			if (ml.count() == 0)
+				ml << CKM_SHA1_RSA_PKCS;
+			pk11_attlist atts(pk11_attr_ulong(CKA_CLASS,
+					CKO_PUBLIC_KEY));
+
+			p11.startSession(slot);
+			p11.getRandom();
+			if (login != none) {
+				if (p11.tokenLogin(ti.label(), login == sologin).isNull())
+					break;
 			}
-			card = NULL;
-		}
-		atts.reset();
-		atts << pk11_attr_ulong(CKA_CLASS, CKO_CERTIFICATE) <<
-			pk11_attr_ulong(CKA_CERTIFICATE_TYPE,CKC_X_509);
-		objects = p11.objectList(atts);
-
-		for (int j=0; j< objects.count(); j++) {
-			cert = new pki_x509("");
-			try {
-				cert->load_token(p11, objects[j]);
-				dlgi->addItem(cert);
-			} catch (errorEx &err) {
-				XCA_ERROR(err);
-				delete cert;
+			objects = p11.objectList(atts);
+
+			for (int j=0; j< objects.count(); j++) {
+				card = new pki_scard("");
+				try {
+					card->load_token(p11, objects[j]);
+					card->setMech_list(ml);
+					dlgi->addItem(card);
+				} catch (errorEx &err) {
+					XCA_ERROR(err);
+					delete card;
+				}
+				card = NULL;
 			}
-			cert = NULL;
-		}
-		if (dlgi->entries() == 0) {
-			tkInfo ti = p11.tokenInfo();
-			XCA_INFO(tr("The token '%1' did not contain any keys or certificates").arg(ti.label()));
-		} else {
-			p11.closeSession(slot);
-			dlgi->execute(true);
+			atts.reset();
+			atts << pk11_attr_ulong(CKA_CLASS, CKO_CERTIFICATE) <<
+				pk11_attr_ulong(CKA_CERTIFICATE_TYPE,CKC_X_509);
+			objects = p11.objectList(atts);
+
+			for (int j=0; j< objects.count(); j++) {
+				cert = new pki_x509("");
+				try {
+					cert->load_token(p11, objects[j]);
+					dlgi->addItem(cert);
+				} catch (errorEx &err) {
+					XCA_ERROR(err);
+					delete cert;
+				}
+				cert = NULL;
+			}
+			if (dlgi->entries() == 0) {
+				p11.closeSession(slot);
+				QString txt = tr("The token '%1' did not contain any keys or certificates")
+								.arg(ti.label());
+				xcaWarningBox msg(this, txt);
+				msg.addButton(QMessageBox::Ok);
+				msg.addButton(QMessageBox::Retry, tr("Retry with PIN"));
+				msg.addButton(QMessageBox::Apply, tr("Retry with SO PIN"));
+				switch (msg.exec())
+				{
+					case QMessageBox::Retry:
+						login = userlogin;
+						continue;
+					case QMessageBox::Apply:
+						login = sologin;
+						continue;
+					case QMessageBox::Ok:
+						// fall
+					default:
+						break;
+				}
+			} else {
+				p11.closeSession(slot);
+				dlgi->execute(true);
+			}
+			break;
 		}
 	} catch (errorEx &err) {
 		XCA_ERROR(err);