tlsvalidator: support private key password

OpenDHT version also updated to bring decryt error exception.

Refs #76890

Change-Id: Ib9cffb625fc71b573992eb61ea6b0063317514c5

contrib/src/opendht/rules.mak

 # OPENDHT
-OPENDHT_VERSION := 7729f9e283b19b7b0f2cba67490a6fc985fce57a
+OPENDHT_VERSION := ac13795db0a606c8d03b609956fd4578411cf7f6
 OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
 
 PKGS += opendht

src/client/configurationmanager.cpp

@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&,
 {
 #if HAVE_TLS && HAVE_DHT
     try {
-        return TlsValidator{certificate, privateKey, caList}.getSerializedChecks();
+        return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
     } catch(const std::runtime_error& e) {
         RING_WARN("Certificate loading failed: %s", e.what());
         return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};

src/security/tlsvalidator.cpp

@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain)
     : TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
 {}
 
-TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey, const std::string& caList)
+TlsValidator::TlsValidator(const std::string& certificate,
+                           const std::string& privatekey,
+                           const std::string& privatekeyPasswd,
+                           const std::string& caList)
     : certificatePath_(certificate)
     , privateKeyPath_(privatekey)
     , caListPath_(caList)
@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr
 
     try {
         privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
-        dht::crypto::PrivateKey key_tmp(privateKeyContent_);
+        dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
         privateKeyFound_ = true;
+        privateKeyPassword_ = not privatekeyPasswd.empty();
+    } catch (const dht::crypto::DecryptError&) {
+        // If we encounter a DecryptError, it means the private key exists and is encrypted,
+        // otherwise we would get some other exception.
+        privateKeyFound_ = true;
+        privateKeyPassword_ = true;
     } catch (const std::exception& e) {
         privateKeyContent_.clear();
     }
@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes()
  */
 TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword()
 {
-    // TODO
-    return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
+    return TlsValidator::CheckResult(privateKeyPassword_ ? CheckValues::PASSED : CheckValues::FAILED, "");
 }
 /**
  * The CA and certificate provide conflicting ownership information

src/security/tlsvalidator.h

@@ -166,9 +166,13 @@ public:
      * Create a TlsValidator for a given certificate
      * @param certificate The certificate path
      * @param privatekey An optional private key file path
+     * @param privatekeyPasswd An optional private key password
+     * @param caList An optional CA list to use for certificate validation
      */
     TlsValidator(const std::string& certificate,
-                 const std::string& privatekey = "", const std::string& caList = "");
+                 const std::string& privatekey = "",
+                 const std::string& privatekeyPasswd = "",
+                 const std::string& caList = "");
 
     TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
 
@@ -271,6 +275,8 @@ private:
     bool certificateFileFound_ {false};
     bool certificateFound_;
     bool privateKeyFound_ {false};
+    bool privateKeyPassword_ {false};
+
     TlsValidator* caCert_ {nullptr};
     bool caChecked_ {false};
     unsigned int caValidationOutput_;