Merge branch 'main' into bugfix/interchanged-stacklevel-and-numberphases

config/config-sil-dc-tls.yaml

@@ -4,6 +4,7 @@ active_modules:
     config_module:
       device: auto
       tls_security: force
+      tls_key_logging: true
     connections:
       security:
         - module_id: evse_security

dependencies.yaml

@@ -56,17 +56,17 @@ libcurl:
   cmake_condition: "EVEREST_DEPENDENCY_ENABLED_LIBCURL"
 
 # EvseSecurity
-# This has to appear before libocpp in this file since it is also a direct dependency of libocpp
-# and would otherwise be overwritten by the version used there
+# This has to appear before libocpp in this file since it is also a direct dependency 
+# of libocpp and would otherwise be overwritten by the version used there
 libevse-security:
   git: https://github.com/EVerest/libevse-security.git
-  git_tag: v0.8.0
+  git_tag: v0.9.1
   cmake_condition: "EVEREST_DEPENDENCY_ENABLED_LIBEVSE_SECURITY"
 
 # OCPP
 libocpp:
   git: https://github.com/EVerest/libocpp.git
-  git_tag: 5c7f10cdfd9aa70db80ccf43ace250e3322be00c
+  git_tag: c6a6e01b27c994f170d2b21d2befa13ad5c9ca20
   cmake_condition: "EVEREST_DEPENDENCY_ENABLED_LIBOCPP"
 # Josev
 Josev:

interfaces/evse_manager.yaml

@@ -26,7 +26,7 @@ cmds:
       type: boolean
   authorize_response:
     description: >-
-      Reports the result of an authorization request to the EvseManager. 
+      Reports the result of an authorization request to the EvseManager.
       Contains the provided_token for which authorization was requested and
       the validation_result
     arguments:
@@ -150,6 +150,9 @@ vars:
     description: Measured dataset
     type: object
     $ref: /powermeter#/Powermeter
+  powermeter_public_key_ocmf:
+    description: Powermeter public key
+    type: string
   evse_id:
     description: EVSE ID including the connector number, e.g. DE*PNX*E123456*1
     type: string
@@ -159,7 +162,7 @@ vars:
     $ref: /evse_board_support#/HardwareCapabilities
   iso15118_certificate_request:
     description: >-
-      The vehicle requests the SECC to deliver the certificate that belong 
+      The vehicle requests the SECC to deliver the certificate that belong
       to the currently valid contract of the vehicle.
       Response will be reported async via set_get_certificate_response
     type: object

interfaces/evse_security.yaml

@@ -154,6 +154,26 @@ cmds:
       description: The response to the requested command
       type: object
       $ref: /evse_security#/GetCertificateInfoResult
+  get_all_valid_certificates_info:
+    description:  >-
+        Finds the latest valid leafs, for each root certificate that is present on the filesystem,
+        and returns all the newest valid leafs that are present for different roots
+    arguments:
+      certificate_type: 
+        description: Specifies the leaf certificate type
+        type: string
+        $ref: /evse_security#/LeafCertificateType
+      encoding:
+        description: Specifies the encoding of the key
+        type: string
+        $ref: /evse_security#/EncodingFormat
+      include_ocsp:
+        description: Specifies whether per-certificate OCSP data is also requested
+        type: boolean
+    result:
+      description: The response to the requested command
+      type: object
+      $ref: /evse_security#/GetCertificateFullInfoResult
   get_verify_file:
     description: Command to get the file path of a CA bundle that can be used for verification
     arguments:

lib/staging/evse_security/conversions.cpp

@@ -451,6 +451,7 @@ types::evse_security::OCSPRequestDataList to_everest(evse_security::OCSPRequestD
 types::evse_security::CertificateInfo to_everest(evse_security::CertificateInfo other) {
     types::evse_security::CertificateInfo lhs;
     lhs.key = other.key;
+    lhs.certificate_root = other.certificate_root;
     lhs.certificate = other.certificate;
     lhs.certificate_single = other.certificate_single;
     lhs.password = other.password;

lib/staging/tls/openssl_util.cpp

@@ -6,7 +6,6 @@
 #include <cstdint>
 #include <cstring>
 #include <iostream>
-#include <iterator>
 #include <memory>
 #include <string>
 
@@ -462,6 +461,27 @@ bool signature_to_bn(bn_t& r, bn_t& s, const std::uint8_t* sig_p, std::size_t le
     return bRes;
 };
 
+certificate_list load_certificates_pem(const char* pem_string) {
+    certificate_list result{};
+    if (pem_string != nullptr) {
+        const auto len = std::strlen(pem_string);
+        auto* mem = BIO_new_mem_buf(pem_string, static_cast<int>(len));
+        X509* cert = nullptr;
+
+        while (!BIO_eof(mem)) {
+            if (PEM_read_bio_X509(mem, &cert, nullptr, nullptr) == nullptr) {
+                log_error("PEM_read_bio_X509");
+                break;
+            } else {
+                result.emplace_back(certificate_ptr{cert, &X509_free});
+                cert = nullptr;
+            }
+        }
+        BIO_free(mem);
+    }
+    return result;
+}
+
 certificate_list load_certificates(const char* filename) {
     certificate_list result{};
     if (filename != nullptr) {

lib/staging/tls/openssl_util.hpp

@@ -335,6 +335,14 @@ DER bn_to_signature(const std::uint8_t* r, const std::uint8_t* s);
  */
 bool signature_to_bn(openssl::bn_t& r, openssl::bn_t& s, const std::uint8_t* sig_p, std::size_t len);
 
+/**
+ * \brief load any PEM encoded certificates from a string
+ * \param[in] pem_string
+ * \return a list of 0 or more certificates
+ * \note PEM string only supports certificates and not other PEM types
+ */
+certificate_list load_certificates_pem(const char* pem_string);
+
 /**
  * \brief load any PEM encoded certificates from a file
  * \param[in] filename
@@ -491,6 +499,7 @@ bool certificate_subject_public_key_sha_1(openssl::sha_1_digest_t& digest, const
 
 enum class log_level_t : std::uint8_t {
     debug,
+    info,
     warning,
     error,
 };
@@ -515,6 +524,10 @@ static inline void log_debug(const std::string& str) {
     log(log_level_t::debug, str);
 }
 
+static inline void log_info(const std::string& str) {
+    log(log_level_t::info, str);
+}
+
 using log_handler_t = void (*)(log_level_t level, const std::string& err);
 
 /**

lib/staging/tls/tests/gtest_main.cpp

@@ -17,6 +17,9 @@ void log_handler(openssl::log_level_t level, const std::string& str) {
     case openssl::log_level_t::debug:
         // std::cout << "DEBUG:   " << str << std::endl;
         break;
+    case openssl::log_level_t::info:
+        std::cout << "INFO:    " << str << std::endl;
+        break;
     case openssl::log_level_t::warning:
         std::cout << "WARN:    " << str << std::endl;
         break;

lib/staging/tls/tests/openssl_util_test.cpp

@@ -540,6 +540,36 @@ TEST(certificate, toPem) {
     // std::cout << pem << std::endl;
 }
 
+TEST(certificate, loadPemSingle) {
+    auto certs = ::openssl::load_certificates("client_ca_cert.pem");
+    ASSERT_EQ(certs.size(), 1);
+    auto pem = ::openssl::certificate_to_pem(certs[0].get());
+    EXPECT_FALSE(pem.empty());
+
+    auto pem_certs = ::openssl::load_certificates_pem(pem.c_str());
+    ASSERT_EQ(pem_certs.size(), 1);
+    EXPECT_EQ(certs[0], pem_certs[0]);
+}
+
+TEST(certificate, loadPemMulti) {
+    auto certs = ::openssl::load_certificates("client_chain.pem");
+    ASSERT_GT(certs.size(), 1);
+    std::string pem;
+    for (const auto& cert : certs) {
+        pem += ::openssl::certificate_to_pem(cert.get());
+    }
+    EXPECT_FALSE(pem.empty());
+    // std::cout << pem << std::endl << "Output" << std::endl;
+
+    auto pem_certs = ::openssl::load_certificates_pem(pem.c_str());
+    ASSERT_EQ(pem_certs.size(), certs.size());
+    for (auto i = 0; i < certs.size(); i++) {
+        SCOPED_TRACE(std::to_string(i));
+        // std::cout << ::openssl::certificate_to_pem(pem_certs[i].get()) << std::endl;
+        EXPECT_EQ(certs[i], pem_certs[i]);
+    }
+}
+
 TEST(certificate, verify) {
     auto client = ::openssl::load_certificates("client_cert.pem");
     auto chain = ::openssl::load_certificates("client_chain.pem");

lib/staging/tls/tests/tls_connection_test.cpp

@@ -741,6 +741,51 @@ TEST_F(TlsTest, TCKeysKey) {
     EXPECT_EQ(subject["CN"], alt_server_root_CN);
 }
 
+TEST_F(TlsTest, TCKeysKeyPem) {
+    // same as TCKeysKey but using a PEM string trust anchor rather than file
+    std::map<std::string, std::string> subject;
+
+    client_config.trusted_ca_keys = true;
+    client_config.verify_locations_file = "alt_server_root_cert.pem";
+    add_ta_key_hash("alt_server_root_cert.pem");
+
+    auto client_handler_fn = [this, &subject](tls::Client::ConnectionPtr& connection) {
+        if (connection) {
+            if (connection->connect() == result_t::success) {
+                this->set(ClientTest::flags_t::connected);
+                subject = openssl::certificate_subject(connection->peer_certificate());
+                connection->shutdown();
+            }
+        }
+    };
+
+    // convert file to PEM in config
+    for (auto& cfg : server_config.chains) {
+        const auto certs = ::openssl::load_certificates(cfg.trust_anchor_file);
+        std::string pem;
+        for (const auto& cert : certs) {
+            pem += ::openssl::certificate_to_pem(cert.get());
+        }
+        // std::cout << cfg.trust_anchor_file << ": " << certs.size() << std::endl;
+        ASSERT_FALSE(pem.empty());
+        cfg.trust_anchor_file = nullptr;
+        cfg.trust_anchor_pem = pem.c_str();
+    }
+
+    start();
+    connect(client_handler_fn);
+    EXPECT_TRUE(is_set(flags_t::connected));
+    EXPECT_EQ(subject["CN"], alt_server_root_CN);
+
+    client_config.trusted_ca_keys_data.x509_name.clear();
+    add_ta_key_hash("client_root_cert.pem");
+    add_ta_key_hash("alt_server_root_cert.pem");
+
+    connect(client_handler_fn);
+    EXPECT_TRUE(is_set(flags_t::connected));
+    EXPECT_EQ(subject["CN"], alt_server_root_CN);
+}
+
 TEST_F(TlsTest, TCKeysName) {
     // trusted_ca_keys - subject name matches
     std::map<std::string, std::string> subject;