Commit 83419a01 authored by Adrien Béraud's avatar Adrien Béraud Committed by Guillaume Roguez

tlsvalidator: support private key password

OpenDHT version also updated to bring in the decrypt error exception.

Refs #76890

Change-Id: Ib9cffb625fc71b573992eb61ea6b0063317514c5
parent ad477a2f
# OPENDHT
OPENDHT_VERSION := 7729f9e283b19b7b0f2cba67490a6fc985fce57a
OPENDHT_VERSION := ac13795db0a606c8d03b609956fd4578411cf7f6
OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
PKGS += opendht
......
......@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&,
{
#if HAVE_TLS && HAVE_DHT
try {
return TlsValidator{certificate, privateKey, caList}.getSerializedChecks();
return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
} catch(const std::runtime_error& e) {
RING_WARN("Certificate loading failed: %s", e.what());
return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};
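Review bot: The bare `""` spliced into the middle of the argument list gives a reader no hint which parameter it fills, and it quietly changes what an encrypted key means on this path: per the constructor change elsewhere on this page, a DecryptError on an empty password is now recorded as "key present", so the serialized checks presumably report the key as existing even though it could not be opened. Name the argument inline, `return TlsValidator{certificate, privateKey, /* privateKeyPasswd */ "", caList}.getSerializedChecks();`, and consider whether this entry point should accept and forward a password rather than hard-coding none. validateCertificatePath starts and ends outside this hunk; its `std::runtime_error` catch below is unchanged.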
......
......@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain)
: TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
{}
TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey, const std::string& caList)
TlsValidator::TlsValidator(const std::string& certificate,
const std::string& privatekey,
const std::string& privatekeyPasswd,
const std::string& caList)
: certificatePath_(certificate)
, privateKeyPath_(privatekey)
, caListPath_(caList)
......@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr
try {
privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
dht::crypto::PrivateKey key_tmp(privateKeyContent_);
dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
privateKeyFound_ = true;
privateKeyPassword_ = not privatekeyPasswd.empty();
} catch (const dht::crypto::DecryptError&) {
// If we encounter a DecryptError, it means the private key exists and is encrypted,
// otherwise we would get some other exception.
privateKeyFound_ = true;
privateKeyPassword_ = true;
} catch (const std::exception& e) {
privateKeyContent_.clear();
}
......@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes()
*/
TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword()
{
// TODO
return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
return TlsValidator::CheckResult(privateKeyPassword_ ? CheckValues::PASSED : CheckValues::FAILED, "");
}
/**
* The CA and certificate provide conflicting ownership information
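Review bot: `privateKeyPassword_` is derived from what the caller passed in, not from what the key file actually is, so `requirePrivateKeyPassword()` now reports PASSED for an unencrypted key whenever a non-empty password happens to be supplied (this assumes OpenDHT ignores the password on a plain key, which I cannot confirm from here), and the new DecryptError branch leaves `privateKeyContent_` holding the still-encrypted bytes while setting `privateKeyFound_ = true`, so a wrong password is indistinguishable from success and later checks may be handed ciphertext as a key. A more robust approach is to probe the key once with no password and let that DecryptError decide whether it is encrypted, then decrypt with the real password and clear the content if that fails; the rewritten load block is below. At minimum the DecryptError branch should `privateKeyContent_.clear();`. The constructor's initializer list and the remainder of its body lie outside these hunks.
```cpp
    try {
        privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
        // Probe without a password: a DecryptError here proves the key is
        // encrypted, independently of what the caller supplied.
        try {
            dht::crypto::PrivateKey probe(privateKeyContent_);
        } catch (const dht::crypto::DecryptError&) {
            privateKeyPassword_ = true;
        }
        if (privateKeyPassword_) {
            // Real decryption; a missing or wrong password throws DecryptError.
            dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
        }
        privateKeyFound_ = true;
    } catch (const dht::crypto::DecryptError&) {
        // Encrypted key we could not open: it exists, but its content is unusable.
        privateKeyFound_ = true;
        privateKeyContent_.clear();
    } catch (const std::exception& e) {
        privateKeyContent_.clear();
    }
```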
......
......@@ -166,9 +166,13 @@ public:
* Create a TlsValidator for a given certificate
* @param certificate The certificate path
* @param privatekey An optional private key file path
* @param privatekeyPasswd An optional private key password
* @param caList An optional CA list to use for certificate validation
*/
TlsValidator(const std::string& certificate,
const std::string& privatekey = "", const std::string& caList = "");
const std::string& privatekey = "",
const std::string& privatekeyPasswd = "",
const std::string& caList = "");
TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
......@@ -271,6 +275,8 @@ private:
bool certificateFileFound_ {false};
bool certificateFound_;
bool privateKeyFound_ {false};
bool privateKeyPassword_ {false};
TlsValidator* caCert_ {nullptr};
bool caChecked_ {false};
unsigned int caValidationOutput_;
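Review bot: Inserting `privatekeyPasswd` between two existing defaulted string parameters means any caller still written as `TlsValidator(cert, key, caList)` compiles unchanged but now feeds its CA list path in as the password and silently drops the CA list; only one call site is updated on this page, so the rest of the tree should be grepped for three-string-argument uses (I cannot see other callers from here). The header comment should also state what the password is for and that it is not retained, e.g. `* @param privatekeyPasswd An optional password used only to decrypt privatekey during construction; empty means the key is expected to be unencrypted`, and the new member deserves a one-liner since its meaning differs from privateKeyFound_: `bool privateKeyPassword_ {false}; // key was found to be encrypted, or a password was supplied`. The class body continues outside both hunks.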
......