diff --git a/contrib/src/opendht/rules.mak b/contrib/src/opendht/rules.mak
index 6916be11e07a8c85dc692ac0d294b92878fe1ccb..bd677979a7cf64cc422f8bfe5570dacbb413dc44 100644
--- a/contrib/src/opendht/rules.mak
+++ b/contrib/src/opendht/rules.mak
@@ -1,5 +1,5 @@
# OPENDHT
-OPENDHT_VERSION := 7729f9e283b19b7b0f2cba67490a6fc985fce57a
+OPENDHT_VERSION := ac13795db0a606c8d03b609956fd4578411cf7f6
OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
PKGS += opendht
diff --git a/src/client/configurationmanager.cpp b/src/client/configurationmanager.cpp
index 41a035cc6030d0bea671ca9aeefb07f8c0122fa9..cba780c1a409e3751e5d0071b173caa3b2006405 100644
--- a/src/client/configurationmanager.cpp
+++ b/src/client/configurationmanager.cpp
@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&,
{
#if HAVE_TLS && HAVE_DHT
try {
- return TlsValidator{certificate, privateKey, caList}.getSerializedChecks();
+ return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
} catch(const std::runtime_error& e) {
RING_WARN("Certificate loading failed: %s", e.what());
return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};
diff --git a/src/security/tlsvalidator.cpp b/src/security/tlsvalidator.cpp
index 55345b4db860c5e91fdb26d8c55efb3abaed427a..e6d90d3cf4334e2e66e5045f14e97331cf7eb508 100644
--- a/src/security/tlsvalidator.cpp
+++ b/src/security/tlsvalidator.cpp
@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain)
: TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
{}
-TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey, const std::string& caList)
+TlsValidator::TlsValidator(const std::string& certificate,
+ const std::string& privatekey,
+ const std::string& privatekeyPasswd,
+ const std::string& caList)
: certificatePath_(certificate)
, privateKeyPath_(privatekey)
, caListPath_(caList)
@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr
try {
privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
- dht::crypto::PrivateKey key_tmp(privateKeyContent_);
+ dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
privateKeyFound_ = true;
+ privateKeyPassword_ = not privatekeyPasswd.empty();
+ } catch (const dht::crypto::DecryptError&) {
+ // If we encounter a DecryptError, it means the private key exists and is encrypted,
+ // otherwise we would get some other exception.
+ privateKeyFound_ = true;
+ privateKeyPassword_ = true;
} catch (const std::exception& e) {
privateKeyContent_.clear();
}
@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes()
*/
TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword()
{
- // TODO
- return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
+ return TlsValidator::CheckResult(privateKeyPassword_ ? CheckValues::PASSED : CheckValues::FAILED, "");
}
/**
* The CA and certificate provide conflicting ownership information
diff --git a/src/security/tlsvalidator.h b/src/security/tlsvalidator.h
index 9399408b9c6e9a71284055f4c289c606ed003c24..15f9a519094162b496927e95be4e107570c3bb17 100644
--- a/src/security/tlsvalidator.h
+++ b/src/security/tlsvalidator.h
@@ -166,9 +166,13 @@ public:
* Create a TlsValidator for a given certificate
* @param certificate The certificate path
* @param privatekey An optional private key file path
+ * @param privatekeyPasswd An optional private key password
+ * @param caList An optional CA list to use for certificate validation
*/
TlsValidator(const std::string& certificate,
- const std::string& privatekey = "", const std::string& caList = "");
+ const std::string& privatekey = "",
+ const std::string& privatekeyPasswd = "",
+ const std::string& caList = "");
TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
@@ -271,6 +275,8 @@ private:
bool certificateFileFound_ {false};
bool certificateFound_;
bool privateKeyFound_ {false};
+ bool privateKeyPassword_ {false};
+
TlsValidator* caCert_ {nullptr};
bool caChecked_ {false};
unsigned int caValidationOutput_;