diff --git a/contrib/src/opendht/rules.mak b/contrib/src/opendht/rules.mak
index 6916be11e07a8c85dc692ac0d294b92878fe1ccb..bd677979a7cf64cc422f8bfe5570dacbb413dc44 100644
--- a/contrib/src/opendht/rules.mak
+++ b/contrib/src/opendht/rules.mak
@@ -1,5 +1,5 @@
 # OPENDHT
-OPENDHT_VERSION := 7729f9e283b19b7b0f2cba67490a6fc985fce57a
+OPENDHT_VERSION := ac13795db0a606c8d03b609956fd4578411cf7f6
 OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
 PKGS += opendht
diff --git a/src/client/configurationmanager.cpp b/src/client/configurationmanager.cpp
index 41a035cc6030d0bea671ca9aeefb07f8c0122fa9..cba780c1a409e3751e5d0071b173caa3b2006405 100644
--- a/src/client/configurationmanager.cpp
+++ b/src/client/configurationmanager.cpp
@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&,
 {
 #if HAVE_TLS && HAVE_DHT
 try {
- return TlsValidator{certificate, privateKey, caList}.getSerializedChecks();
+ return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
 } catch(const std::runtime_error& e) {
 RING_WARN("Certificate loading failed: %s", e.what());
 return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};
diff --git a/src/security/tlsvalidator.cpp b/src/security/tlsvalidator.cpp
index 55345b4db860c5e91fdb26d8c55efb3abaed427a..e6d90d3cf4334e2e66e5045f14e97331cf7eb508 100644
--- a/src/security/tlsvalidator.cpp
+++ b/src/security/tlsvalidator.cpp
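Review bot: The new fourth positional argument in validateCertificatePath is a bare `""` standing for the private-key password, which at a glance reads like an empty CA list since every parameter is a std::string; labelling it, e.g. `return TlsValidator{certificate, privateKey, /* privatekeyPasswd */ "", caList}.getSerializedChecks();`, makes the intent visible. Because an empty password is always passed here, an encrypted key file reaching this path can only be classified as password-protected (via the DecryptError branch added in tlsvalidator.cpp) and is never actually loaded; if callers of validateCertificatePath are expected to validate encrypted keys, the password has to be threaded through this call. validateCertificatePath's signature and the rest of its body lie outside the hunk.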
@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain)
 : TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
 {}
-TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey, const std::string& caList)
+TlsValidator::TlsValidator(const std::string& certificate,
+ const std::string& privatekey,
+ const std::string& privatekeyPasswd,
+ const std::string& caList)
 : certificatePath_(certificate)
 , privateKeyPath_(privatekey)
 , caListPath_(caList)
@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr
 try {
 privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
- dht::crypto::PrivateKey key_tmp(privateKeyContent_);
+ dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
 privateKeyFound_ = true;
+ privateKeyPassword_ = not privatekeyPasswd.empty();
+ } catch (const dht::crypto::DecryptError&) {
+ // If we encounter a DecryptError, it means the private key exists and is encrypted,
+ // otherwise we would get some other exception.
+ privateKeyFound_ = true;
+ privateKeyPassword_ = true;
 } catch (const std::exception& e) {
 privateKeyContent_.clear();
 }
@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes()
 */
 TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword()
 {
- // TODO
- return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
+ return TlsValidator::CheckResult(privateKeyPassword_ ? CheckValues::PASSED : CheckValues::FAILED, "");
 }
 /**
 * The CA and certificate provide conflicting ownership information
diff --git a/src/security/tlsvalidator.h b/src/security/tlsvalidator.h
index 9399408b9c6e9a71284055f4c289c606ed003c24..15f9a519094162b496927e95be4e107570c3bb17 100644
--- a/src/security/tlsvalidator.h
+++ b/src/security/tlsvalidator.h
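Review bot: Inserting `privatekeyPasswd` before `caList` changes the meaning of every existing three-argument call `TlsValidator(cert, key, caList)` without any compile error, because all four parameters are `const std::string&` and a CA-list path now binds to the password slot; the same order is declared in tlsvalidator.h, whose defaults keep the three-argument form legal. The commit updates the one call site in configurationmanager.cpp, but any caller not in this diff would silently pass its CA list as the key password and lose its trust anchors. Appending the new parameter after `caList` (with a `""` default) would keep old calls valid; if the order is kept on purpose, a comment on the declaration saying the positional order changed is the minimum. The constructor body continues past the hunk.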
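Review bot: In the `catch (const dht::crypto::DecryptError&)` branch a non-empty `privatekeyPasswd` means the supplied password did not decrypt the key, yet the branch records exactly the same state as "encrypted, no password given" and logs nothing, so a wrong password is indistinguishable from a missing one in the check results and invisible in the logs. A warning on that path when a password was provided, e.g. `if (not privatekeyPasswd.empty()) RING_WARN("Private key decryption failed, wrong password?");` (RING_WARN is what configurationmanager.cpp uses; adjust to this file's logging), would surface it. On the success path `privateKeyPassword_ = not privatekeyPasswd.empty();` records that a password was supplied, not that the key is encrypted — if `dht::crypto::PrivateKey` accepts a password for a plaintext key, such a key validated with a stray password is reported as password-protected, so either confirm opendht rejects that or document the flag as "a password was supplied or required". Note also that the DecryptError branch leaves `privateKeyContent_` holding the still-encrypted file bytes while the generic catch clears it; any later check that compares key material against the certificate should guard on whether the key was actually parsed. The enclosing try block and the surrounding constructor start before the hunk.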
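Review bot: `requirePrivateKeyPassword()` now returns FAILED whenever `privateKeyPassword_` is false, including when no private key was supplied at all (`privateKeyFound_` false, which is the case for the certificate-chain constructor and for the default `privatekey = ""`), where the old code returned UNSUPPORTED; every serialized check set for a certificate-only validator will now carry a failed password check. Guard on the key being present first, e.g. `if (not privateKeyFound_) return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");` — or whatever the other private-key checks in this file return when the key is absent, which the hunk does not show. A sentence in the existing doc comment above the function stating that PASSED means the key file is encrypted (or a password was supplied) would replace the removed TODO.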
@@ -166,9 +166,13 @@ public:
 * Create a TlsValidator for a given certificate
 * @param certificate The certificate path
 * @param privatekey An optional private key file path
+ * @param privatekeyPasswd An optional private key password
+ * @param caList An optional CA list to use for certificate validation
 */
 TlsValidator(const std::string& certificate,
- const std::string& privatekey = "", const std::string& caList = "");
+ const std::string& privatekey = "",
+ const std::string& privatekeyPasswd = "",
+ const std::string& caList = "");
 TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
@@ -271,6 +275,8 @@ private:
 bool certificateFileFound_ {false};
 bool certificateFound_;
 bool privateKeyFound_ {false};
+ bool privateKeyPassword_ {false};
+
 TlsValidator* caCert_ {nullptr};
 bool caChecked_ {false};
 unsigned int caValidationOutput_;
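Review bot: The new `@param privatekeyPasswd` line should say what an empty or wrong value means for an encrypted key file, since the constructor in tlsvalidator.cpp still accepts such a file, marks the key as found and password-protected, but never decrypts it, so checks that need the key material cannot run. Suggest ` * @param privatekeyPasswd Password for an encrypted private key file; leave empty for a plaintext key (an encrypted key with no or a wrong password is recorded as password-protected but its material is not loaded)`. The rest of the class declaration is outside the hunk.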