Commit 83419a01 authored by Adrien Béraud's avatar Adrien Béraud Committed by Guillaume Roguez

tlsvalidator: support private key password

OpenDHT version also updated to bring in the decrypt error exception.

Refs #76890

Change-Id: Ib9cffb625fc71b573992eb61ea6b0063317514c5
parent ad477a2f
# OPENDHT # OPENDHT
OPENDHT_VERSION := 7729f9e283b19b7b0f2cba67490a6fc985fce57a OPENDHT_VERSION := ac13795db0a606c8d03b609956fd4578411cf7f6
OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz OPENDHT_URL := https://github.com/savoirfairelinux/opendht/archive/$(OPENDHT_VERSION).tar.gz
PKGS += opendht PKGS += opendht
......
...@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&, ...@@ -156,7 +156,7 @@ validateCertificatePath(const std::string&,
{ {
#if HAVE_TLS && HAVE_DHT #if HAVE_TLS && HAVE_DHT
try { try {
return TlsValidator{certificate, privateKey, caList}.getSerializedChecks(); return TlsValidator{certificate, privateKey, "", caList}.getSerializedChecks();
} catch(const std::runtime_error& e) { } catch(const std::runtime_error& e) {
RING_WARN("Certificate loading failed: %s", e.what()); RING_WARN("Certificate loading failed: %s", e.what());
return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}}; return {{Certificate::ChecksNames::EXIST, Certificate::CheckValuesNames::FAILED}};
......
...@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain) ...@@ -219,7 +219,10 @@ TlsValidator::TlsValidator(const std::vector<std::vector<uint8_t>>& crtChain)
: TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end())) : TlsValidator(std::make_shared<dht::crypto::Certificate>(crtChain.begin(), crtChain.end()))
{} {}
TlsValidator::TlsValidator(const std::string& certificate, const std::string& privatekey, const std::string& caList) TlsValidator::TlsValidator(const std::string& certificate,
const std::string& privatekey,
const std::string& privatekeyPasswd,
const std::string& caList)
: certificatePath_(certificate) : certificatePath_(certificate)
, privateKeyPath_(privatekey) , privateKeyPath_(privatekey)
, caListPath_(caList) , caListPath_(caList)
...@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr ...@@ -241,8 +244,14 @@ TlsValidator::TlsValidator(const std::string& certificate, const std::string& pr
try { try {
privateKeyContent_ = fileutils::loadFile(privateKeyPath_); privateKeyContent_ = fileutils::loadFile(privateKeyPath_);
dht::crypto::PrivateKey key_tmp(privateKeyContent_); dht::crypto::PrivateKey key_tmp(privateKeyContent_, privatekeyPasswd);
privateKeyFound_ = true; privateKeyFound_ = true;
privateKeyPassword_ = not privatekeyPasswd.empty();
} catch (const dht::crypto::DecryptError&) {
// If we encounter a DecryptError, it means the private key exists and is encrypted,
// otherwise we would get some other exception.
privateKeyFound_ = true;
privateKeyPassword_ = true;
} catch (const std::exception& e) { } catch (const std::exception& e) {
privateKeyContent_.clear(); privateKeyContent_.clear();
} }
...@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes() ...@@ -933,8 +942,7 @@ TlsValidator::CheckResult TlsValidator::publicKeySelinuxAttributes()
*/ */
TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword() TlsValidator::CheckResult TlsValidator::requirePrivateKeyPassword()
{ {
// TODO return TlsValidator::CheckResult(privateKeyPassword_ ? CheckValues::PASSED : CheckValues::FAILED, "");
return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");
} }
/** /**
* The CA and certificate provide conflicting ownership information * The CA and certificate provide conflicting ownership information
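Review bot: The new `catch (const dht::crypto::DecryptError&)` branch in the constructor hunk (@@ -241) sets privateKeyFound_ and privateKeyPassword_ to true whether or not a password was supplied, so if DecryptError is also what a wrong password produces (likely given the name, but not visible on this page) a caller passing an incorrect password gets exactly the same result as one passing none, and the still-encrypted bytes left in privateKeyContent_ are never cleared as they are for the other load failures. Only the empty-password case should be read as "key exists and is encrypted"; a non-empty password that fails to decrypt should be logged and treated like the generic failure path below it. Separately, requirePrivateKeyPassword() (@@ -933) now answers FAILED when no private key was given at all, where the previous code returned UNSUPPORTED; guarding it with `if (not privateKeyFound_) return TlsValidator::CheckResult(CheckValues::UNSUPPORTED, "");` keeps a missing key from failing a password check. The constructor body starts and continues outside the hunk.
```cpp
    } catch (const dht::crypto::DecryptError& e) {
        if (privatekeyPasswd.empty()) {
            // No password given and the key did not load in the clear: the
            // file exists and is password-protected.
            privateKeyFound_ = true;
            privateKeyPassword_ = true;
        } else {
            // A password was given but did not decrypt the key: treat it like
            // any other load failure instead of reporting success.
            RING_WARN("Private key decryption failed: %s", e.what());
            privateKeyContent_.clear();
        }
    } catch (const std::exception& e) {
    // … unchanged: generic failure handling …
```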
......
...@@ -166,9 +166,13 @@ public: ...@@ -166,9 +166,13 @@ public:
* Create a TlsValidator for a given certificate * Create a TlsValidator for a given certificate
* @param certificate The certificate path * @param certificate The certificate path
* @param privatekey An optional private key file path * @param privatekey An optional private key file path
* @param privatekeyPasswd An optional private key password
* @param caList An optional CA list to use for certificate validation
*/ */
TlsValidator(const std::string& certificate, TlsValidator(const std::string& certificate,
const std::string& privatekey = "", const std::string& caList = ""); const std::string& privatekey = "",
const std::string& privatekeyPasswd = "",
const std::string& caList = "");
TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw); TlsValidator(const std::vector<std::vector<uint8_t>>& certificate_chain_raw);
...@@ -271,6 +275,8 @@ private: ...@@ -271,6 +275,8 @@ private:
bool certificateFileFound_ {false}; bool certificateFileFound_ {false};
bool certificateFound_; bool certificateFound_;
bool privateKeyFound_ {false}; bool privateKeyFound_ {false};
bool privateKeyPassword_ {false};
TlsValidator* caCert_ {nullptr}; TlsValidator* caCert_ {nullptr};
bool caChecked_ {false}; bool caChecked_ {false};
unsigned int caValidationOutput_; unsigned int caValidationOutput_;
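Review bot: Inserting `privatekeyPasswd` as the third constructor parameter ahead of `caList` (this hunk and the matching definition in tlsvalidator.cpp, @@ -219) is a silent breaking change for positional callers: all three trailing parameters are `const std::string&` defaulting to `""`, so an existing `TlsValidator(cert, key, caList)` still compiles but now hands the CA list path over as the password. The one call in validateCertificatePath was updated to pass `""`, but other call sites are not visible from this page. Appending the new parameter last, `const std::string& caList = "", const std::string& privatekeyPasswd = "");`, keeps existing callers correct; otherwise each caller should be audited. In the second hunk, `bool privateKeyPassword_ {false};` reads as though it stores the password although it only records that the key is password-protected; a name such as `privateKeyEncrypted_` with the comment `// true when the private key file is password-protected` would say so.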
......