Commit 401213a4 authored by Adrien Béraud's avatar Adrien Béraud Committed by gerrit2

api: support private key password

WARNING: Public API changes:
- ConfigurationManager::validateCertificatePath()
- ConfigurationManager::getCertificateDetailsPath()

Issue: #76890
Change-Id: I89f0691b9cc21eb853fbe5b4397853c05c5eefd2
parent c382a7e4
......@@ -658,6 +658,11 @@
<p>An optional path a the private key for the certificate</p>
</tp:docstring>
</arg>
<arg type="s" name="privateKeyPasswd" direction="in">
<tp:docstring>
<p>An optional private key password</p>
</tp:docstring>
</arg>
<arg type="s" name="caListPath" direction="in">
<tp:docstring>
<p>An optional path to an assumed valid ca list</p>
......@@ -693,6 +698,16 @@
<p>A certificate path</p>
</tp:docstring>
</arg>
<arg type="s" name="privateKeyPath" direction="in">
<tp:docstring>
<p>An optional path a the private key for the certificate</p>
</tp:docstring>
</arg>
<arg type="s" name="privateKeyPasswd" direction="in">
<tp:docstring>
<p>An optional private key password</p>
</tp:docstring>
</arg>
<annotation name="org.qtproject.QtDBus.QtTypeName.Out0" value="MapStringString"/>
<arg type="a{ss}" name="details" direction="out">
<tp:docstring>
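Review bot: The new `privateKeyPasswd` docstrings (both methods) do not say that the argument is a secret or what an empty string means. D-Bus method arguments travel unencrypted and are visible to anything allowed to monitor the bus, so client authors should be told not to log or persist these calls. Suggested text: `<p>Passphrase of the private key, or an empty string if the key is not encrypted. Sent in clear text over the bus.</p>`. The added `privateKeyPath` docstring also copies the existing typo "path a the private key", which should read "path to the private key".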
......
......@@ -371,9 +371,9 @@ DBusConfigurationManager::validateCertificate(const std::string& accountId, cons
}
auto
DBusConfigurationManager::validateCertificatePath(const std::string& accountId, const std::string& certificate, const std::string& privateKey, const std::string& caList) -> decltype(DRing::validateCertificatePath(accountId, certificate, privateKey, caList))
DBusConfigurationManager::validateCertificatePath(const std::string& accountId, const std::string& certificate, const std::string& privateKey, const std::string& privateKeyPass, const std::string& caList) -> decltype(DRing::validateCertificatePath(accountId, certificate, privateKey, privateKeyPass, caList))
{
return DRing::validateCertificatePath(accountId, certificate, privateKey, caList);
return DRing::validateCertificatePath(accountId, certificate, privateKey, privateKeyPass, caList);
}
auto
......@@ -383,9 +383,9 @@ DBusConfigurationManager::getCertificateDetails(const std::string& certificate)
}
auto
DBusConfigurationManager::getCertificateDetailsPath(const std::string& certificate) -> decltype(DRing::getCertificateDetailsPath(certificate))
DBusConfigurationManager::getCertificateDetailsPath(const std::string& certificate, const std::string& privateKey, const std::string& privateKeyPass) -> decltype(DRing::getCertificateDetailsPath(certificate, privateKey, privateKeyPass))
{
return DRing::getCertificateDetailsPath(certificate);
return DRing::getCertificateDetailsPath(certificate, privateKey, privateKeyPass);
}
auto
......
......@@ -129,9 +129,9 @@ class DBusConfigurationManager :
void setVolume(const std::string& device, const double& value);
double getVolume(const std::string& device);
std::map<std::string, std::string> validateCertificate(const std::string& accountId, const std::string& certificate);
std::map<std::string, std::string> validateCertificatePath(const std::string& accountId, const std::string& certificatePath, const std::string& privateKey, const std::string& caList);
std::map<std::string, std::string> validateCertificatePath(const std::string& accountId, const std::string& certificatePath, const std::string& privateKey, const std::string& privateKeyPass, const std::string& caList);
std::map<std::string, std::string> getCertificateDetails(const std::string& certificate);
std::map<std::string, std::string> getCertificateDetailsPath(const std::string& certificatePath);
std::map<std::string, std::string> getCertificateDetailsPath(const std::string& certificatePath, const std::string& privateKey, const std::string& privateKeyPass);
std::vector<std::string> getPinnedCertificates();
std::vector<std::string> pinCertificate(const std::vector<uint8_t>& certificate, const bool& local);
bool unpinCertificate(const std::string& certId);
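Review bot: The new parameter is spelled three ways on this page: `privateKeyPass` in this class and its definitions, `privateKeyPassword` in the ConfigurationManager declarations, and `privateKeyPasswd` in the introspection XML. A single name makes it easier to follow the secret through the layers when auditing where it is copied or logged, for example `const std::string& privateKeyPassword` here. The same declarations use `privateKey` for what the XML calls `privateKeyPath`, which hides that the value is a file path and not key material.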
......
......@@ -152,11 +152,12 @@ std::map<std::string, std::string>
validateCertificatePath(const std::string&,
const std::string& certificate,
const std::string& privateKey,
const std::string& privateKeyPass,
const std::string& caList)
{
#if HAVE_TLS && HAVE_DHT
try {
return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
return TlsValidator{certificate, privateKey, privateKeyPass, caList}.getSerializedChecks();
} catch(const std::runtime_error& e) {
RING_WARN("Certificate loading failed: %s", e.what());
return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};
......@@ -183,13 +184,14 @@ getCertificateDetails(const std::string& certificate)
}
std::map<std::string, std::string>
getCertificateDetailsPath(const std::string& certificate)
getCertificateDetailsPath(const std::string& certificate, const std::string& privateKey, const std::string& privateKeyPassword)
{
#if HAVE_TLS && HAVE_DHT
try {
auto crt = std::make_shared<dht::crypto::Certificate>(ring::fileutils::loadFile(certificate));
CertificateStore::instance().pinCertificate(crt, false);
return TlsValidator{crt}.getSerializedDetails();
TlsValidator validator {certificate, privateKey, privateKeyPassword};
CertificateStore::instance().pinCertificate(validator.getCertificate(), false);
return validator.getSerializedDetails();
} catch(const std::runtime_error& e) {
RING_WARN("Certificate loading failed");
}
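Review bot: In getCertificateDetailsPath the pointer handed to `pinCertificate` now comes from `validator.getCertificate()`, which may be empty where the old `std::make_shared` result could not be. Whether the path-based constructor throws or only records a failed check when the file cannot be parsed is not visible here. A guard keeps an empty pointer out of the store: `if (auto crt = validator.getCertificate()) CertificateStore::instance().pinCertificate(crt, false);`. If the constructor throws on a wrong key or passphrase, details of an otherwise readable certificate also become unavailable, and the catch still logs no `e.what()`, unlike validateCertificatePath above. The function body continues past the end of the hunk.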
......
......@@ -131,13 +131,12 @@ double getVolume(const std::string& device);
/*
* Security
*/
std::map<std::string, std::string> validateCertificate(const std::string& accountId,
const std::string& certificate/*, const std::vector<std::string>& caList*/);
std::map<std::string, std::string> validateCertificate(const std::string& accountId, const std::string& certificate);
std::map<std::string, std::string> validateCertificatePath(const std::string& accountId,
const std::string& certificatePath, const std::string& privateKey, const std::string& caList);
const std::string& certificatePath, const std::string& privateKey, const std::string& privateKeyPassword, const std::string& caList);
std::map<std::string, std::string> getCertificateDetails(const std::string& certificate);
std::map<std::string, std::string> getCertificateDetailsPath(const std::string& certificatePath);
std::map<std::string, std::string> getCertificateDetailsPath(const std::string& certificatePath, const std::string& privateKey, const std::string& privateKeyPassword);
std::vector<std::string> getPinnedCertificates();
......
......@@ -258,11 +258,11 @@ TlsValidator::TlsValidator(const std::string& certificate,
}
TlsValidator::TlsValidator(const std::vector<uint8_t>& certificate_raw)
: certificateFound_(true)
{
try {
x509crt_ = std::make_shared<dht::crypto::Certificate>(certificate_raw);
certificateContent_ = x509crt_->getPacked();
certificateFound_ = true;
} catch (const std::exception& e) {
throw TlsValidatorException("Can't load certificate");
}
......@@ -384,15 +384,6 @@ std::map<std::string,std::string> TlsValidator::getSerializedDetails()
return ret;
}
/**
* Set an authority
*/
void TlsValidator::setCaTlsValidator(const TlsValidator& validator)
{
caChecked_ = false;
caCert_ = (TlsValidator*)(&validator);
}
/**
* Helper method to return UNSUPPORTED when an error is detected
*/
......@@ -977,8 +968,7 @@ TlsValidator::CheckResult TlsValidator::valid()
TlsValidator::CheckResult TlsValidator::validAuthority()
{
// TODO Merge with either above or bellow
return TlsValidator::CheckResult((!caCert_) || (compareToCa() & GNUTLS_CERT_SIGNER_NOT_FOUND)
// ^--- When no authority is present, then it is not invalid, it is not there at all
return TlsValidator::CheckResult((compareToCa() & GNUTLS_CERT_SIGNER_NOT_FOUND)
? CheckValues::FAILED:CheckValues::PASSED, "");
}
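Review bot: validAuthority() no longer short-circuits on a missing CA, so for a validator built without a CA list the result is whatever `compareToCa()` returns. That function is outside these hunks, and in the class declaration further down the page `caValidationOutput_` is the one neighbouring member with no default initializer. If compareToCa() can return that member without having run a verification, the check reads an indeterminate value; `unsigned int caValidationOutput_ {0};` would at least make it deterministic. The removed comment was the only statement of the intended no-CA outcome, so a replacement such as `// No CA list supplied: outcome is decided by compareToCa()` should state what callers can expect.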
......
......@@ -235,6 +235,10 @@ public:
std::map<std::string,std::string> getSerializedDetails();
std::shared_ptr<dht::crypto::Certificate> getCertificate() const {
return x509crt_;
}
private:
// Enum class names
......@@ -273,11 +277,10 @@ private:
std::shared_ptr<dht::crypto::Certificate> x509crt_;
bool certificateFileFound_ {false};
bool certificateFound_;
bool certificateFound_ {false};
bool privateKeyFound_ {false};
bool privateKeyPassword_ {false};
TlsValidator* caCert_ {nullptr};
bool caChecked_ {false};
unsigned int caValidationOutput_;
......