
Okular: Highlight / preselect "nonRepudiation" certificates for qualified signatures
Open, Normal, Public

Description

So for signing digital documents there is a special signature usage in certificates which is called "nonRepudiation". I have a smartcard with three S/MIME certificates on it. All look pretty much alike and have the same chain etc.

The three certificates have:

keyUsage: digitalSignature
keyUsage: nonRepudiation
keyUsage: keyEncipherment dataEncipherment

But I have seen other cases where keyUsage was both "digitalSignature" and "nonRepudiation".

Now Okular currently shows them in a list; it only shows two of those certificates because only two can sign. But ideally it would highlight the one with usage "nonRepudiation", and if we change the certificate selection interface to something like a combobox it should also preselect that one. Currently I have no way of seeing the difference in the UI.

The catch is, though, that GPGME currently shows both of them with the same capabilities, so from the GPGME API they are indistinguishable. So a subtask will be opened for that.

Event Timeline

aheinecke triaged this task as Normal priority. Aug 3 2023, 3:07 PM
aheinecke created this task.

gpgme puts digitalSignature and nonRepudiation into canSign. We need them separated at the sources (maybe exposing keyUsage directly in gpgme). That would also make the code in poppler better and more accurate. I'm trying to reconstruct the keyUsages from the canSign & friends functions.

Use the is_qualified flag to figure out QES certificates. This is more than just a capability flag.
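
Added example, not part of the task and not GPGME, poppler or Okular code: a Python sketch that decodes the DER keyUsage BIT STRING (bit order per RFC 5280) and shows why a single "can sign" capability hides the difference discussed above, while the raw bits allow preselecting the nonRepudiation certificate. All function names, certificate labels and byte values are constructed for illustration.

```python
# Added illustration; names are hypothetical, not GPGME, poppler or Okular API.
# KeyUsage bit names in RFC 5280 order (bit 0 first).
KEY_USAGE_BITS = (
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
)

def decode_key_usage(der: bytes) -> set:
    """Decode a DER BIT STRING (the keyUsage extension value) into names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length < 2 or length != len(der) - 2:
        raise ValueError("unexpected length for a keyUsage BIT STRING")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bit count")
    total_bits = len(payload) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        # BIT STRING bit 0 is the most significant bit of the first byte.
        if payload[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names

def collapsed_can_sign(usage: set) -> bool:
    """Model of the single 'can sign' capability described in the thread."""
    return bool(usage & {"digitalSignature", "nonRepudiation"})

def preselect(certs: dict):
    """Return the label of the first signing cert carrying nonRepudiation,
    falling back to the first signing cert, or None if none can sign."""
    signing = [(n, decode_key_usage(v)) for n, v in certs.items()]
    signing = [(n, u) for n, u in signing if collapsed_can_sign(u)]
    for name, usage in signing:
        if "nonRepudiation" in usage:
            return name
    return signing[0][0] if signing else None

# Constructed sample values matching the three usages listed in the task.
SAMPLE_CERTS = {
    "cert-A": bytes.fromhex("03020780"),  # digitalSignature
    "cert-B": bytes.fromhex("03020640"),  # nonRepudiation
    "cert-C": bytes.fromhex("03020430"),  # keyEncipherment, dataEncipherment
}

if __name__ == "__main__":
    print("preselect:", preselect(SAMPLE_CERTS))
```

With the collapsed capability, cert-A and cert-B both report that they can sign and look identical; only the decoded bits tell them apart.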