Skip to content

Commit

Permalink
Fixes for OCSP data cleanup and test updates
Browse files Browse the repository at this point in the history
Signed-off-by: AssemblyJohn <[email protected]>
  • Loading branch information
AssemblyJohn committed Apr 29, 2024
1 parent 4104017 commit 57ba46d
Show file tree
Hide file tree
Showing 6 changed files with 269 additions and 112 deletions.
6 changes: 4 additions & 2 deletions include/evse_security/evse_security.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -142,10 +142,11 @@ class EvseSecurity {
/// @param ocsp_response the actual OCSP data
void update_ocsp_cache(const CertificateHashData& certificate_hash_data, const std::string& ocsp_response);

// TODO: Switch to path
/// @brief Retrieves from the OCSP cache for the given \p certificate_hash_data
/// @param certificate_hash_data identifies the certificate for which the \p ocsp_response is specified
/// @return the actual OCSP data or an empty value
std::optional<std::string> retrieve_ocsp_cache(const CertificateHashData& certificate_hash_data);
std::optional<fs::path> retrieve_ocsp_cache(const CertificateHashData& certificate_hash_data);

/// @brief Indicates if a CA certificate for the given \p certificate_type is installed on the filesystem
/// Supports both CA certificate bundles and directories
Expand Down Expand Up @@ -247,7 +248,7 @@ class EvseSecurity {
LeafCertificateType certificate_type);
GetCertificateInfoResult get_leaf_certificate_info_internal(LeafCertificateType certificate_type,
EncodingFormat encoding, bool include_ocsp = false);
std::optional<std::string> retrieve_ocsp_cache_internal(const CertificateHashData& certificate_hash_data);
std::optional<fs::path> retrieve_ocsp_cache_internal(const CertificateHashData& certificate_hash_data);
bool is_ca_certificate_installed_internal(CaCertificateType certificate_type);

/// @brief Determines if the total filesize of certificates is > than the max_filesystem_usage bytes
Expand Down Expand Up @@ -287,6 +288,7 @@ class EvseSecurity {
FRIEND_TEST(EvseSecurityTests, verify_full_filesystem_install_reject);
FRIEND_TEST(EvseSecurityTests, verify_full_filesystem);
FRIEND_TEST(EvseSecurityTests, verify_expired_csr_deletion);
FRIEND_TEST(EvseSecurityTests, verify_ocsp_garbage_collect);
FRIEND_TEST(EvseSecurityTestsExpired, verify_expired_leaf_deletion);
#endif
};
Expand Down
19 changes: 9 additions & 10 deletions include/evse_security/evse_types.hpp
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,12 @@

namespace evse_security {

const fs::path PEM_EXTENSION = ".pem";
const fs::path DER_EXTENSION = ".der";
const fs::path KEY_EXTENSION = ".key";
const fs::path TPM_KEY_EXTENSION = ".tkey";
const fs::path CERT_HASH_EXTENSION = ".hash";

enum class EncodingFormat {
DER,
PEM,
Expand Down Expand Up @@ -125,8 +131,8 @@ struct OCSPRequestDataList {
};

struct CertificateOCSP {
CertificateHashData hash;
std::optional<std::string> oscsp_data;
CertificateHashData hash; ///< Hash of the certificate for which the OCSP data is held

Check notice on line 134 in include/evse_security/evse_types.hpp

View check run for this annotation

Codacy Production / Codacy Static Code Analysis

include/evse_security/evse_types.hpp#L134

struct member 'CertificateOCSP::hash' is never used.
std::optional<fs::path> ocsp_path; ///< Path to the file in which the certificate OCSP data is held
};

struct CertificateInfo {
Expand All @@ -142,21 +148,14 @@ struct GetCertificateInfoResult {
GetCertificateInfoStatus status;

Check notice on line 148 in include/evse_security/evse_types.hpp

View check run for this annotation

Codacy Production / Codacy Static Code Analysis

include/evse_security/evse_types.hpp#L148

struct member 'GetCertificateInfoResult::status' is never used.
std::optional<CertificateInfo> info;
};

const fs::path PEM_EXTENSION = ".pem";
const fs::path DER_EXTENSION = ".der";
const fs::path KEY_EXTENSION = ".key";
const fs::path TPM_KEY_EXTENSION = ".tkey";
const fs::path CERT_HASH_EXTENSION = ".hash";

namespace conversions {
std::string encoding_format_to_string(EncodingFormat e);
std::string ca_certificate_type_to_string(CaCertificateType e);
std::string leaf_certificate_type_to_string(LeafCertificateType e);
std::string leaf_certificate_type_to_filename(LeafCertificateType e);
std::string certificate_type_to_string(CertificateType e);
std::string hash_algorithm_to_string(HashAlgorithm e);
HashAlgorithm string_to_hash_algorithm(std::string s);
HashAlgorithm string_to_hash_algorithm(const std::string& s);
std::string install_certificate_result_to_string(InstallCertificateResult e);
std::string delete_certificate_result_to_string(DeleteCertificateResult e);
std::string get_installed_certificates_status_to_string(GetInstalledCertificatesStatus e);
Expand Down
15 changes: 15 additions & 0 deletions lib/evse_security/certificate/x509_bundle.cpp
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,7 @@
#include <evse_security/certificate/x509_bundle.hpp>

#include <algorithm>
#include <fstream>

#include <everest/logging.hpp>
#include <evse_security/crypto/evse_crypto.hpp>
Expand Down Expand Up @@ -44,6 +45,20 @@ X509CertificateBundle::X509CertificateBundle(const fs::path& path, const Encodin
hierarchy_invalidated(true) {
this->path = path;

// In case the path is missing, create it
if (fs::exists(path) == false) {
if (path.has_extension()) {
if (path.extension() == PEM_EXTENSION) {
// Create file if we have an PEM extension
std::ofstream new_file(path.c_str());
new_file.close();
}
} else {
// Else create a directory
fs::create_directories(path);
}
}

if (fs::is_directory(path)) {
source = X509CertificateSource::DIRECTORY;

Expand Down
Loading

0 comments on commit 57ba46d

Please sign in to comment.