Support hashing directories of certificates (#852)

* Support hashing directories Signed-off-by: Ivan Rogach <[email protected]> * Fix after fixes in libevse-security Signed-off-by: Ivan Rogach <[email protected]> * Move hashing directories out of libocpp Signed-off-by: Ivan Rogach <[email protected]> * Update tag to libevse-security Signed-off-by: Ivan Rogach <[email protected]> --------- Signed-off-by: Ivan Rogach <[email protected]>
EVerest · Dec 3, 2024 · 469629c · 469629c
1 parent 270acab
commit 469629c
Show file tree

Hide file tree

Showing 6 changed files with 18 additions and 3 deletions.
diff --git a/dependencies.yaml b/dependencies.yaml
@@ -27,7 +27,7 @@ date:
   options: ["BUILD_TZ_LIB ON", "HAS_REMOTE_API 0", "USE_AUTOLOAD 0", "USE_SYSTEM_TZ_DB ON"]
 libevse-security:
   git: https://github.com/EVerest/libevse-security.git
-  git_tag: v0.9.1
+  git_tag: v0.9.2
 libwebsockets:
   git: https://github.com/warmcat/libwebsockets.git
   git_tag: v4.3.3  

diff --git a/include/ocpp/common/evse_security.hpp b/include/ocpp/common/evse_security.hpp
@@ -110,6 +110,11 @@ class EvseSecurity {
     /// \return CA certificate file
     virtual std::string get_verify_file(const CaCertificateType& certificate_type) = 0;
 
+    /// \brief Retrieves the PEM formatted CA bundle location for the given \p certificate_type
+    /// \param certificate_type
+    /// \return CA certificate file
+    virtual std::string get_verify_location(const CaCertificateType& certificate_type) = 0;
+
     /// \brief Gets the expiry day count for the leaf certificate of the given \p certificate_type
     /// \param certificate_type
     /// \return day count until the leaf certificate expires

diff --git a/include/ocpp/common/evse_security_impl.hpp b/include/ocpp/common/evse_security_impl.hpp
@@ -56,6 +56,7 @@ class EvseSecurityImpl : public EvseSecurity {
                                                        bool include_ocsp = false) override;
     bool update_certificate_links(const CertificateSigningUseEnum& certificate_type) override;
     std::string get_verify_file(const CaCertificateType& certificate_type) override;
+    std::string get_verify_location(const CaCertificateType& certificate_type) override;
     int get_leaf_expiry_days_count(const CertificateSigningUseEnum& certificate_type) override;
 };
 

diff --git a/lib/ocpp/common/evse_security_impl.cpp b/lib/ocpp/common/evse_security_impl.cpp
@@ -134,6 +134,10 @@ std::string EvseSecurityImpl::get_verify_file(const CaCertificateType& certifica
     return this->evse_security->get_verify_file(conversions::from_ocpp(certificate_type));
 }
 
+std::string EvseSecurityImpl::get_verify_location(const CaCertificateType& certificate_type) {
+    return this->evse_security->get_verify_location(conversions::from_ocpp(certificate_type));
+}
+
 int EvseSecurityImpl::get_leaf_expiry_days_count(const CertificateSigningUseEnum& certificate_type) {
     return this->evse_security->get_leaf_expiry_days_count(conversions::from_ocpp(certificate_type));
 }

diff --git a/lib/ocpp/common/websocket/websocket_libwebsockets.cpp b/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
@@ -374,11 +374,15 @@ bool WebsocketLibwebsockets::tls_init(SSL_CTX* ctx, const std::string& path_chai
     }
 
     if (this->evse_security->is_ca_certificate_installed(ocpp::CaCertificateType::CSMS)) {
-        std::string ca_csms = this->evse_security->get_verify_file(ocpp::CaCertificateType::CSMS);
+        std::string ca_csms = this->evse_security->get_verify_location(ocpp::CaCertificateType::CSMS);
 
         EVLOG_info << "Loading CA csms bundle to verify server certificate: " << ca_csms;
 
-        rc = SSL_CTX_load_verify_locations(ctx, ca_csms.c_str(), NULL);
+        if (std::filesystem::is_directory(ca_csms)) {
+            rc = SSL_CTX_load_verify_locations(ctx, NULL, ca_csms.c_str());
+        } else {
+            rc = SSL_CTX_load_verify_locations(ctx, ca_csms.c_str(), NULL);
+        }
 
         if (rc != 1) {
             EVLOG_error << "Could not load CA verify locations, error: " << ERR_error_string(ERR_get_error(), NULL);

diff --git a/tests/lib/ocpp/common/evse_security_mock.hpp b/tests/lib/ocpp/common/evse_security_mock.hpp
@@ -33,6 +33,7 @@ class EvseSecurityMock : public EvseSecurity {
                 (override));
     MOCK_METHOD(bool, update_certificate_links, (const CertificateSigningUseEnum&), (override));
     MOCK_METHOD(std::string, get_verify_file, (const CaCertificateType&), (override));
+    MOCK_METHOD(std::string, get_verify_location, (const CaCertificateType&), (override));
     MOCK_METHOD(int, get_leaf_expiry_days_count, (const CertificateSigningUseEnum&), (override));
 };