Handle PIN status in QSigner::decrypt and DDCryptoBackend

Lauris Kaplinski · Lauris Kaplinski · commit b7ff162b8e30 · 2026-02-04T16:36:53.000+02:00
diff --git a/client/CDocSupport.cpp b/client/CDocSupport.cpp
@@ -94,14 +94,32 @@ CDocSupport::getCDocFileList(QString filename)
 	return files;
 }
 
+static libcdoc::result_t
+getDecryptStatus(const std::vector<uint8_t>& result, QCryptoBackend::PinStatus pin_status)
+{
+	switch (pin_status) {
+	case QCryptoBackend::PinOK:
+		return (result.empty()) ? DDCryptoBackend::BACKEND_ERROR : libcdoc::OK;
+	case QCryptoBackend::PinCanceled:
+		return DDCryptoBackend::PIN_CANCELED;
+	case QCryptoBackend::PinIncorrect:
+		return DDCryptoBackend::PIN_INCORRECT;
+	case QCryptoBackend::PinLocked:
+		return DDCryptoBackend::PIN_LOCKED;
+	default:
+		return DDCryptoBackend::BACKEND_ERROR;
+	}
+}
+
 libcdoc::result_t
 DDCryptoBackend::decryptRSA(std::vector<uint8_t>& result, const std::vector<uint8_t> &data, bool oaep, unsigned int idx)
 {
+	QCryptoBackend::PinStatus pin_status;
 	QByteArray qkek = qApp->signer()->decrypt([qdata = toByteArray(data), &oaep](QCryptoBackend *backend) {
 		return backend->decrypt(qdata, oaep);
-	});
+	}, pin_status);
 	result.assign(qkek.cbegin(), qkek.cend());
-	return (result.empty()) ? BACKEND_ERROR : libcdoc::OK;
+	return getDecryptStatus(result, pin_status);
 }
 
 constexpr std::string_view SHA256_MTH {"http://www.w3.org/2001/04/xmlenc#sha256"};
@@ -115,22 +133,24 @@ libcdoc::result_t
 DDCryptoBackend::deriveConcatKDF(std::vector<uint8_t>& dst, const std::vector<uint8_t> &publicKey, const std::string &digest,
 								 const std::vector<uint8_t> &algorithmID, const std::vector<uint8_t> &partyUInfo, const std::vector<uint8_t> &partyVInfo, unsigned int idx)
 {
+	QCryptoBackend::PinStatus pin_status;
 	QByteArray decryptedKey = qApp->signer()->decrypt([&publicKey, &digest, &algorithmID, &partyUInfo, &partyVInfo](QCryptoBackend *backend) {
 		return backend->deriveConcatKDF(toByteArray(publicKey), SHA_MTH[digest],
 			toByteArray(algorithmID), toByteArray(partyUInfo), toByteArray(partyVInfo));
-	});
+	}, pin_status);
 	dst.assign(decryptedKey.cbegin(), decryptedKey.cend());
-	return (dst.empty()) ? BACKEND_ERROR : libcdoc::OK;
+	return getDecryptStatus(dst, pin_status);
 }
 
 libcdoc::result_t
 DDCryptoBackend::deriveHMACExtract(std::vector<uint8_t>& dst, const std::vector<uint8_t> &key_material, const std::vector<uint8_t> &salt, unsigned int idx)
 {
+	QCryptoBackend::PinStatus pin_status;
 	QByteArray qkekpm = qApp->signer()->decrypt([qkey_material = toByteArray(key_material), qsalt = toByteArray(salt)](QCryptoBackend *backend) {
 		return backend->deriveHMACExtract(qkey_material, qsalt, ECC_KEY_LEN);
-	});
+	}, pin_status);
 	dst = std::vector<uint8_t>(qkekpm.cbegin(), qkekpm.cend());
-	return (dst.empty()) ? BACKEND_ERROR : libcdoc::OK;
+	return getDecryptStatus(dst, pin_status);
 }
 
 libcdoc::result_t
@@ -143,8 +163,15 @@ DDCryptoBackend::getSecret(std::vector<uint8_t>& _secret, unsigned int idx)
 std::string
 DDCryptoBackend::getLastErrorStr(libcdoc::result_t code) const
 {
-	if (code == BACKEND_ERROR) {
-		return qApp->signer()->getLastErrorStr().toStdString();
+	switch (code) {
+		case PIN_CANCELED:
+			return "PIN entry canceled";
+		case PIN_INCORRECT:
+			return "PIN incorrect";
+		case PIN_LOCKED:
+			return "PIN locked";
+		case BACKEND_ERROR:
+			return qApp->signer()->getLastErrorStr().toStdString();
 	}
 	return libcdoc::CryptoBackend::getLastErrorStr(code);
 }
diff --git a/client/CDocSupport.h b/client/CDocSupport.h
@@ -54,6 +54,9 @@ struct DDConfiguration : public libcdoc::Configuration {
 
 struct DDCryptoBackend : public libcdoc::CryptoBackend {
 	static constexpr int BACKEND_ERROR = -303;
+	static constexpr int PIN_CANCELED = -304;
+	static constexpr int PIN_INCORRECT = -305;
+	static constexpr int PIN_LOCKED = -306;
 	libcdoc::result_t decryptRSA(std::vector<uint8_t> &result,
 								 const std::vector<uint8_t> &data, bool oaep,
 								 unsigned int idx) override final;
diff --git a/client/QSigner.cpp b/client/QSigner.cpp
@@ -171,36 +171,40 @@ X509Cert QSigner::cert() const
 	return X509Cert((const unsigned char*)der.constData(), size_t(der.size()), X509Cert::Der);
 }
 
-QByteArray QSigner::decrypt(std::function<QByteArray (QCryptoBackend *)> &&func)
+QByteArray QSigner::decrypt(std::function<QByteArray (QCryptoBackend *)> &&func, QCryptoBackend::PinStatus& pin_status)
 {
 	if(!d->lock.tryLockForWrite(10 * 1000))
 	{
 		Q_EMIT error(tr("Failed to decrypt document"), tr("Signing/decrypting is already in progress another window."));
+		pin_status = QCryptoBackend::GeneralError;
 		return {};
 	}
 
 	if( d->auth.cert().isNull() )
 	{
 		Q_EMIT error(tr("Failed to decrypt document"), tr("Authentication certificate is not selected."));
 		d->lock.unlock();
+		pin_status = QCryptoBackend::GeneralError;
 		return {};
 	}
 
-	switch(auto status = QCryptoBackend::PinStatus(login(d->auth)))
+	switch(pin_status = QCryptoBackend::PinStatus(login(d->auth)))
 	{
 	case QCryptoBackend::PinOK: break;
 	case QCryptoBackend::PinCanceled: return {};
 	case QCryptoBackend::PinLocked:
-		Q_EMIT error(tr("Failed to decrypt document"), QCryptoBackend::errorString(status));
+		Q_EMIT error(tr("Failed to decrypt document"), QCryptoBackend::errorString(pin_status));
 		return {};
 	default:
-		Q_EMIT error(tr("Failed to decrypt document"), tr("Failed to login token") + ' ' + QCryptoBackend::errorString(status));
+		Q_EMIT error(tr("Failed to decrypt document"), tr("Failed to login token") + ' ' + QCryptoBackend::errorString(pin_status));
 		return {};
 	}
 	QByteArray result = waitFor(func, d->backend);
 	logout();
-	if(d->backend->lastError() == QCryptoBackend::PinCanceled)
+	if(d->backend->lastError() == QCryptoBackend::PinCanceled) {
+		pin_status = QCryptoBackend::PinCanceled;
 		return {};
+	}
 
 	if(result.isEmpty())
 		Q_EMIT error(tr("Failed to decrypt document"), {});
diff --git a/client/QSigner.h b/client/QSigner.h
@@ -23,10 +23,10 @@
 #include <digidocpp/crypto/Signer.h>
 
 #include <QCryptographicHash>
+#include <QCryptoBackend.h>
 
 #include <functional>
 
-class QCryptoBackend;
 class QSmartCard;
 class QSslKey;
 class TokenData;
@@ -41,7 +41,7 @@ class QSigner final: public QThread, public digidoc::Signer
 
 	QList<TokenData> cache() const;
 	digidoc::X509Cert cert() const final;
-	QByteArray decrypt(std::function<QByteArray (QCryptoBackend *)> &&func);
+	QByteArray decrypt(std::function<QByteArray (QCryptoBackend *)> &&func, QCryptoBackend::PinStatus& pin_status);
 	QSslKey key() const;
 	void logout() const;
 	void selectCard(const TokenData &token);

Original file line number	Diff line number	Diff line change
`@@ -171,36 +171,40 @@ X509Cert QSigner::cert() const`
`171`	`171`	`return X509Cert((const unsigned char*)der.constData(), size_t(der.size()), X509Cert::Der);`
`172`	`172`	`}`
`173`	`173`
`174`		`-QByteArray QSigner::decrypt(std::function<QByteArray (QCryptoBackend *)> &&func)`
	`174`	`+QByteArray QSigner::decrypt(std::function<QByteArray (QCryptoBackend *)> &&func, QCryptoBackend::PinStatus& pin_status)`
`175`	`175`	`{`
`176`	`176`	`if(!d->lock.tryLockForWrite(10 * 1000))`
`177`	`177`	`{`
`178`	`178`	`Q_EMIT error(tr("Failed to decrypt document"), tr("Signing/decrypting is already in progress another window."));`
	`179`	`+ pin_status = QCryptoBackend::GeneralError;`
`179`	`180`	`return {};`
`180`	`181`	`}`
`181`	`182`
`182`	`183`	`if( d->auth.cert().isNull() )`
`183`	`184`	`{`
`184`	`185`	`Q_EMIT error(tr("Failed to decrypt document"), tr("Authentication certificate is not selected."));`
`185`	`186`	`d->lock.unlock();`
	`187`	`+ pin_status = QCryptoBackend::GeneralError;`
`186`	`188`	`return {};`
`187`	`189`	`}`
`188`	`190`
`189`		`- switch(auto status = QCryptoBackend::PinStatus(login(d->auth)))`
	`191`	`+ switch(pin_status = QCryptoBackend::PinStatus(login(d->auth)))`
`190`	`192`	`{`
`191`	`193`	`case QCryptoBackend::PinOK: break;`
`192`	`194`	`case QCryptoBackend::PinCanceled: return {};`
`193`	`195`	`case QCryptoBackend::PinLocked:`
`194`		`- Q_EMIT error(tr("Failed to decrypt document"), QCryptoBackend::errorString(status));`
	`196`	`+ Q_EMIT error(tr("Failed to decrypt document"), QCryptoBackend::errorString(pin_status));`
`195`	`197`	`return {};`
`196`	`198`	`default:`
`197`		`- Q_EMIT error(tr("Failed to decrypt document"), tr("Failed to login token") + ' ' + QCryptoBackend::errorString(status));`
	`199`	`+ Q_EMIT error(tr("Failed to decrypt document"), tr("Failed to login token") + ' ' + QCryptoBackend::errorString(pin_status));`
`198`	`200`	`return {};`
`199`	`201`	`}`
`200`	`202`	`QByteArray result = waitFor(func, d->backend);`
`201`	`203`	`logout();`
`202`		`- if(d->backend->lastError() == QCryptoBackend::PinCanceled)`
	`204`	`+ if(d->backend->lastError() == QCryptoBackend::PinCanceled) {`
	`205`	`+ pin_status = QCryptoBackend::PinCanceled;`
`203`	`206`	`return {};`
	`207`	`+ }`
`204`	`208`
`205`	`209`	`if(result.isEmpty())`
`206`	`210`	`Q_EMIT error(tr("Failed to decrypt document"), {});`