From 469629c615e369f4bb77b3b2f861e0d56b550d15 Mon Sep 17 00:00:00 2001
From: jannejy <36619180+jannejy@users.noreply.github.com>
Date: Tue, 3 Dec 2024 11:01:28 +0100
Subject: [PATCH] Support hashing directories of certificates (#852)

* Support hashing directories

Signed-off-by: Ivan Rogach

* Fix after fixes in libevse-security

Signed-off-by: Ivan Rogach

* Move hashing directories out of libocpp

Signed-off-by: Ivan Rogach

* Update tag to libevse-security

Signed-off-by: Ivan Rogach

---------

Signed-off-by: Ivan Rogach
---
 dependencies.yaml                                     | 2 +-
 include/ocpp/common/evse_security.hpp                 | 5 +++++
 include/ocpp/common/evse_security_impl.hpp            | 1 +
 lib/ocpp/common/evse_security_impl.cpp                | 4 ++++
 lib/ocpp/common/websocket/websocket_libwebsockets.cpp | 8 ++++++--
 tests/lib/ocpp/common/evse_security_mock.hpp          | 1 +
 6 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/dependencies.yaml b/dependencies.yaml
index 6c5af9883..93d7cdae7 100644
--- a/dependencies.yaml
+++ b/dependencies.yaml
@@ -27,7 +27,7 @@ date:
   options: ["BUILD_TZ_LIB ON", "HAS_REMOTE_API 0", "USE_AUTOLOAD 0", "USE_SYSTEM_TZ_DB ON"]
 libevse-security:
   git: https://github.com/EVerest/libevse-security.git
-  git_tag: v0.9.1
+  git_tag: v0.9.2
 libwebsockets:
   git: https://github.com/warmcat/libwebsockets.git
   git_tag: v4.3.3
diff --git a/include/ocpp/common/evse_security.hpp b/include/ocpp/common/evse_security.hpp
index 042ee738b..ef00d965b 100644
--- a/include/ocpp/common/evse_security.hpp
+++ b/include/ocpp/common/evse_security.hpp
@@ -110,6 +110,11 @@ class EvseSecurity {
     /// \return CA certificate file
     virtual std::string get_verify_file(const CaCertificateType& certificate_type) = 0;
 
+    /// \brief Retrieves the PEM formatted CA bundle location for the given \p certificate_type
+    /// \param certificate_type
+    /// \return CA certificate file
+    virtual std::string get_verify_location(const CaCertificateType& certificate_type) = 0;
+
     /// \brief Gets the expiry day count for the leaf certificate of the given \p certificate_type
     /// \param certificate_type
     /// \return day count until the leaf certificate expires
diff --git a/include/ocpp/common/evse_security_impl.hpp b/include/ocpp/common/evse_security_impl.hpp
index 173b68a3d..05c59a6a7 100644
--- a/include/ocpp/common/evse_security_impl.hpp
+++ b/include/ocpp/common/evse_security_impl.hpp
@@ -56,6 +56,7 @@ class EvseSecurityImpl : public EvseSecurity {
                                      bool include_ocsp = false) override;
     bool update_certificate_links(const CertificateSigningUseEnum& certificate_type) override;
     std::string get_verify_file(const CaCertificateType& certificate_type) override;
+    std::string get_verify_location(const CaCertificateType& certificate_type) override;
     int get_leaf_expiry_days_count(const CertificateSigningUseEnum& certificate_type) override;
 };
diff --git a/lib/ocpp/common/evse_security_impl.cpp b/lib/ocpp/common/evse_security_impl.cpp
index ef3df8628..cd717f7a3 100644
--- a/lib/ocpp/common/evse_security_impl.cpp
+++ b/lib/ocpp/common/evse_security_impl.cpp
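Review bot: The Doxygen block added for `get_verify_location` is a copy of the one on `get_verify_file` ("PEM formatted CA bundle location", "\return CA certificate file"), so it never tells callers that the returned path may be a directory rather than a file, which is the only reason the new method exists judging by the `is_directory` branch in websocket_libwebsockets.cpp. Suggest rewording to `/// \brief Retrieves the location used to verify peers for the given \p certificate_type`, `/// \param certificate_type CA certificate type to look up`, `/// \return Path to a PEM CA bundle file, or to a directory of CA certificates (presumably in the hashed layout the commit subject refers to); callers must handle both`, and saying in one sentence how it differs from `get_verify_file`. The `\param certificate_type` line carries no description on either method.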
@@ -134,6 +134,10 @@ std::string EvseSecurityImpl::get_verify_file(const CaCertificateType& certifica
     return this->evse_security->get_verify_file(conversions::from_ocpp(certificate_type));
 }
 
+std::string EvseSecurityImpl::get_verify_location(const CaCertificateType& certificate_type) {
+    return this->evse_security->get_verify_location(conversions::from_ocpp(certificate_type));
+}
+
 int EvseSecurityImpl::get_leaf_expiry_days_count(const CertificateSigningUseEnum& certificate_type) {
     return this->evse_security->get_leaf_expiry_days_count(conversions::from_ocpp(certificate_type));
 }
diff --git a/lib/ocpp/common/websocket/websocket_libwebsockets.cpp b/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
index 879e9a317..7a474ab36 100644
--- a/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
+++ b/lib/ocpp/common/websocket/websocket_libwebsockets.cpp
@@ -374,11 +374,15 @@ bool WebsocketLibwebsockets::tls_init(SSL_CTX* ctx, const std::string& path_chai
     }
 
     if (this->evse_security->is_ca_certificate_installed(ocpp::CaCertificateType::CSMS)) {
-        std::string ca_csms = this->evse_security->get_verify_file(ocpp::CaCertificateType::CSMS);
+        std::string ca_csms = this->evse_security->get_verify_location(ocpp::CaCertificateType::CSMS);
         EVLOG_info << "Loading CA csms bundle to verify server certificate: " << ca_csms;
 
-        rc = SSL_CTX_load_verify_locations(ctx, ca_csms.c_str(), NULL);
+        if (std::filesystem::is_directory(ca_csms)) {
+            rc = SSL_CTX_load_verify_locations(ctx, NULL, ca_csms.c_str());
+        } else {
+            rc = SSL_CTX_load_verify_locations(ctx, ca_csms.c_str(), NULL);
+        }
 
         if (rc != 1) {
             EVLOG_error << "Could not load CA verify locations, error: " << ERR_error_string(ERR_get_error(), NULL);
diff --git a/tests/lib/ocpp/common/evse_security_mock.hpp b/tests/lib/ocpp/common/evse_security_mock.hpp
index b9b206876..50568360a 100644
--- a/tests/lib/ocpp/common/evse_security_mock.hpp
+++ b/tests/lib/ocpp/common/evse_security_mock.hpp
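Review bot: `std::filesystem::is_directory(ca_csms)` in the websocket_libwebsockets.cpp hunk is the throwing overload, so a status failure on that path (for example a permission error on a parent directory) raises `std::filesystem::filesystem_error` out of `tls_init` instead of reaching the `rc != 1` logging path below it; the `std::error_code` overload keeps such failures on the existing route: `std::error_code ec;` / `if (std::filesystem::is_directory(ca_csms, ec)) {`. Worth confirming that this file includes `<filesystem>`, since the hunk does not show it. Separately, when a CApath is given OpenSSL only registers the directory and resolves CA certificates lazily by hashed file name during verification, so as far as I recall `SSL_CTX_load_verify_locations` returns 1 for an empty or un-rehashed directory and the misconfiguration surfaces only as a later peer-verification failure; a short comment on the directory branch saying so, plus logging which mode was chosen (the info message still says "bundle"), would help whoever debugs that. `tls_init` begins and ends outside the hunk.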
@@ -33,6 +33,7 @@ class EvseSecurityMock : public EvseSecurity {
                 (override));
     MOCK_METHOD(bool, update_certificate_links, (const CertificateSigningUseEnum&), (override));
     MOCK_METHOD(std::string, get_verify_file, (const CaCertificateType&), (override));
+    MOCK_METHOD(std::string, get_verify_location, (const CaCertificateType&), (override));
     MOCK_METHOD(int, get_leaf_expiry_days_count, (const CertificateSigningUseEnum&), (override));
 };