Add passphrase-protected private key support

Wire up QOpcUaClient::passwordForPrivateKeyRequired to a QML dialog,
mirroring the existing certificate trust flow (local QEventLoop + 30s
timeout).

2 files changed, 54 insertions, 0 deletions

diff --git a/src/OpcUaClient.cpp b/src/OpcUaClient.cpp
index a319f29..d212ab2 100644
--- a/src/OpcUaClient.cpp
+++ b/src/OpcUaClient.cpp
@@ -90,6 +90,8 @@ OpcUaClient::setupClient ()
            &OpcUaClient::handleFindServersFinished);
   connect (m_client, &QOpcUaClient::errorChanged, this,
            &OpcUaClient::handleClientError);
+  connect (m_client, &QOpcUaClient::passwordForPrivateKeyRequired, this,
+           &OpcUaClient::handlePasswordRequired);
 }
 
 /* ======================================
@@ -327,6 +329,41 @@ OpcUaClient::handleConnectError (QOpcUaErrorState *errorState)
 }
 
 void
+OpcUaClient::provideKeyPassword (const QString &password)
+{
+  m_keyPassword = password;
+  if (m_keyPassLoop)
+    m_keyPassLoop->quit ();
+}
+
+void
+OpcUaClient::cancelKeyPassword ()
+{
+  m_keyPassword.clear ();
+  if (m_keyPassLoop)
+    m_keyPassLoop->quit ();
+}
+
+void
+OpcUaClient::handlePasswordRequired (QString keyFilePath, QString *password,
+                                     bool previousTryWasInvalid)
+{
+  // passwordForPrivateKeyRequired uses BlockingQueuedConnection — the backend
+  // thread is blocked waiting for us to return.  Spin a local event loop so
+  // QML can show a dialog and call provideKeyPassword() / cancelKeyPassword().
+  m_keyPassword.clear ();
+  emit privateKeyPasswordRequired (keyFilePath, previousTryWasInvalid);
+
+  QEventLoop loop;
+  m_keyPassLoop = &loop;
+  QTimer::singleShot (30000, &loop, &QEventLoop::quit);
+  loop.exec ();
+  m_keyPassLoop = nullptr;
+
+  *password = m_keyPassword;
+}
+
+void
 OpcUaClient::handleClientError (QOpcUaClient::ClientError error)
 {
   if (error == QOpcUaClient::NoError)
diff --git a/src/OpcUaClient.h b/src/OpcUaClient.h
index 1476911..7ecd11b 100644
--- a/src/OpcUaClient.h
+++ b/src/OpcUaClient.h
@@ -88,6 +88,11 @@ public:
   /** @brief Reject the pending server certificate. */
   Q_INVOKABLE void rejectCertificate ();
 
+  /** @brief Provide the password for an encrypted private key. */
+  Q_INVOKABLE void provideKeyPassword (const QString &password);
+  /** @brief Cancel the private-key password prompt (abort connection). */
+  Q_INVOKABLE void cancelKeyPassword ();
+
   /* -- Discovery -- */
 
   QString discoveryUrl () const;
@@ -136,6 +141,14 @@ signals:
   void certificateTrustRequested (const QString &certInfo);
   void connectionError (const QString &message);
   void statusMessage (const QString &message);
+  /**
+   * @brief Emitted when the private key is encrypted.
+   *
+   * The connection blocks until provideKeyPassword() or
+   * cancelKeyPassword() is called (30 s timeout, auto-cancels).
+   */
+  void privateKeyPasswordRequired (const QString &keyFilePath,
+                                   bool previousTryWasInvalid);
 
   /* -- Discovery -- */
   void discoveryUrlChanged ();
@@ -156,6 +169,8 @@ private slots:
                            const QUrl &requestUrl);
   void handleConnectError (QOpcUaErrorState *errorState);
   void handleClientError (QOpcUaClient::ClientError error);
+  void handlePasswordRequired (QString keyFilePath, QString *password,
+                               bool previousTryWasInvalid);
 
   /* -- Discovery -- */
   void handleFindServersFinished (
@@ -174,6 +189,8 @@ private:
   bool m_connected = false;
   QEventLoop *m_certLoop = nullptr;
   bool m_certAccepted = false;
+  QEventLoop *m_keyPassLoop = nullptr;
+  QString m_keyPassword;
 
   /* -- Discovery -- */
   QString m_discoveryUrl;