From 5cd5f8284229ffd28ae1dfed2137ef194c39e732 Mon Sep 17 00:00:00 2001 From: Menno de Graaf Date: Fri, 15 Mar 2024 10:41:08 +0100 Subject: [PATCH] Mg refactor verify certificate (#59) * Change interface to internal verify_certificate to allow reuse for checking contract certificates * Improve to install certificate result conversion * Prevent use of root certificate from the chain but use the one in the bundle * Update interface of verify_certificate * Add comment * Add method for retrieving OCSP data from a ceritificat chain * Fix return type * Add way of detecting and excluding root certificate * Use hierarchy to retrieve OCSP data * Fix conflict * Fix Lint * Interface adaptations for new result * Removed deprecated provider tests, updated a invalid certificate install test * Added invalid chain error --------- Signed-off-by: Menno de Graaf Signed-off-by: AssemblyJohn Co-authored-by: Menno de Graaf Co-authored-by: AssemblyJohn --- .../crypto/interface/crypto_supplier.hpp | 10 +- .../crypto/interface/crypto_types.hpp | 10 -- .../crypto/openssl/openssl_supplier.hpp | 10 +- include/evse_security/evse_security.hpp | 18 ++- include/evse_security/evse_types.hpp | 15 ++- .../crypto/interface/crypto_supplier.cpp | 4 +- .../crypto/openssl/openssl_supplier.cpp | 33 +++--- lib/evse_security/evse_security.cpp | 103 +++++++++++++----- tests/openssl_supplier_test.cpp | 2 +- tests/tests.cpp | 98 +---------------- 10 files changed, 135 insertions(+), 168 deletions(-) diff --git a/include/evse_security/crypto/interface/crypto_supplier.hpp b/include/evse_security/crypto/interface/crypto_supplier.hpp index 185993d..ca263db 100644 --- a/include/evse_security/crypto/interface/crypto_supplier.hpp +++ b/include/evse_security/crypto/interface/crypto_supplier.hpp @@ -57,11 +57,11 @@ class AbstractCryptoSupplier { /// @param dir_path Optional directory path that can be used for certificate store lookup /// @param file_path Optional certificate file path that can be used for certificate store lookup /// @return - static CertificateValidationError x509_verify_certificate_chain(X509Handle* target, - const std::vector& parents, - bool allow_future_certificates, - const std::optional dir_path, - const std::optional file_path); + static CertificateValidationResult x509_verify_certificate_chain(X509Handle* target, + const std::vector& parents, + bool allow_future_certificates, + const std::optional dir_path, + const std::optional file_path); /// @brief Checks if the private key is consistent with the provided handle static bool x509_check_private_key(X509Handle* handle, std::string private_key, diff --git a/include/evse_security/crypto/interface/crypto_types.hpp b/include/evse_security/crypto/interface/crypto_types.hpp index 4d0ed14..ba51065 100644 --- a/include/evse_security/crypto/interface/crypto_types.hpp +++ b/include/evse_security/crypto/interface/crypto_types.hpp @@ -10,16 +10,6 @@ namespace evse_security { -enum class CertificateValidationError { - NoError, - Expired, - InvalidSignature, - IssuerNotFound, - InvalidLeafSignature, - InvalidChain, - Unknown, -}; - enum class CryptoKeyType { EC_prime256v1, // Default EC. P-256, ~equiv to rsa 3072 EC_secp384r1, // P-384, ~equiv to rsa 7680 diff --git a/include/evse_security/crypto/openssl/openssl_supplier.hpp b/include/evse_security/crypto/openssl/openssl_supplier.hpp index f96b47d..5c553ec 100644 --- a/include/evse_security/crypto/openssl/openssl_supplier.hpp +++ b/include/evse_security/crypto/openssl/openssl_supplier.hpp @@ -31,11 +31,11 @@ class OpenSSLSupplier : public AbstractCryptoSupplier { static bool x509_is_child(X509Handle* child, X509Handle* parent); static bool x509_is_equal(X509Handle* a, X509Handle* b); static X509Handle_ptr x509_duplicate_unique(X509Handle* handle); - static CertificateValidationError x509_verify_certificate_chain(X509Handle* target, - const std::vector& parents, - bool allow_future_certificates, - const std::optional dir_path, - const std::optional file_path); + static CertificateValidationResult x509_verify_certificate_chain(X509Handle* target, + const std::vector& parents, + bool allow_future_certificates, + const std::optional dir_path, + const std::optional file_path); static bool x509_check_private_key(X509Handle* handle, std::string private_key, std::optional password); static bool x509_verify_signature(X509Handle* handle, const std::vector& signature, diff --git a/include/evse_security/evse_security.hpp b/include/evse_security/evse_security.hpp index fb6e833..fd32782 100644 --- a/include/evse_security/evse_security.hpp +++ b/include/evse_security/evse_security.hpp @@ -4,6 +4,7 @@ #include +#include #include #include @@ -86,10 +87,10 @@ class EvseSecurity { /// @brief Verifies the given \p certificate_chain for the given \p certificate_type against the respective CA /// certificates for the leaf. /// @param certificate_chain PEM formatted certificate or certificate chain - /// @param certificate_type type of the leaf certificate + /// @param certificate_type type of the root certificate for which the chain is verified /// @return result of the operation - InstallCertificateResult verify_certificate(const std::string& certificate_chain, - const LeafCertificateType certificate_type); + CertificateValidationResult verify_certificate(const std::string& certificate_chain, + const LeafCertificateType certificate_type); /// @brief Verifies the given \p certificate_chain for the given \p certificate_type against the respective CA /// certificates for the leaf and if valid installs the certificate on the filesystem. Before installing on the @@ -117,6 +118,13 @@ class EvseSecurity { /// @return contains OCSP request data OCSPRequestDataList get_ocsp_request_data(); + /// @brief Retrieves the OCSP request data of the given \p certificate_chain + /// @param certificate_chain PEM formatted certificate or certificate chain + /// @param certificate_type type of the leaf certificate + /// @return contains OCSP request data + OCSPRequestDataList get_ocsp_request_data(const std::string& certificate_chain, + const CaCertificateType certificate_type); + /// @brief Updates the OCSP cache for the given \p certificate_hash_data with the given \p ocsp_response /// @param certificate_hash_data identifies the certificate for which the \p ocsp_response is specified /// @param ocsp_response the actual OCSP data @@ -189,8 +197,8 @@ class EvseSecurity { private: // Internal versions of the functions do not lock the mutex - InstallCertificateResult verify_certificate_internal(const std::string& certificate_chain, - LeafCertificateType certificate_type); + CertificateValidationResult verify_certificate_internal(const std::string& certificate_chain, + LeafCertificateType certificate_type); GetKeyPairResult get_key_pair_internal(LeafCertificateType certificate_type, EncodingFormat encoding); /// @brief Determines if the total filesize of certificates is > than the max_filesystem_usage bytes diff --git a/include/evse_security/evse_types.hpp b/include/evse_security/evse_types.hpp index 3cc6961..360ee90 100644 --- a/include/evse_security/evse_types.hpp +++ b/include/evse_security/evse_types.hpp @@ -25,7 +25,8 @@ enum class CaCertificateType { enum class LeafCertificateType { CSMS, V2G, - MF + MF, + MO, }; enum class CertificateType { @@ -42,7 +43,16 @@ enum class HashAlgorithm { SHA512, }; -// the following 3 enum classes should go into evse_security +enum class CertificateValidationResult { + Valid, + Expired, + InvalidSignature, + IssuerNotFound, + InvalidLeafSignature, + InvalidChain, + Unknown, +}; + enum class InstallCertificateResult { InvalidSignature, InvalidCertificateChain, @@ -61,7 +71,6 @@ enum class DeleteCertificateResult { NotFound, }; -// why Status here and not Result as before? enum class GetInstalledCertificatesStatus { Accepted, NotFound, diff --git a/lib/evse_security/crypto/interface/crypto_supplier.cpp b/lib/evse_security/crypto/interface/crypto_supplier.cpp index 9a1805c..de3d912 100644 --- a/lib/evse_security/crypto/interface/crypto_supplier.cpp +++ b/lib/evse_security/crypto/interface/crypto_supplier.cpp @@ -75,10 +75,10 @@ static X509Handle_ptr x509_duplicate_unique(X509Handle* handle) { default_crypto_supplier_usage_error() return {}; } -CertificateValidationError AbstractCryptoSupplier::x509_verify_certificate_chain( +CertificateValidationResult AbstractCryptoSupplier::x509_verify_certificate_chain( X509Handle* target, const std::vector& parents, bool allow_future_certificates, const std::optional dir_path, const std::optional file_path) { - default_crypto_supplier_usage_error() return CertificateValidationError::Unknown; + default_crypto_supplier_usage_error() return CertificateValidationResult::Unknown; } bool AbstractCryptoSupplier::x509_check_private_key(X509Handle* handle, std::string private_key, diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp index af07320..21379aa 100644 --- a/lib/evse_security/crypto/openssl/openssl_supplier.cpp +++ b/lib/evse_security/crypto/openssl/openssl_supplier.cpp @@ -68,19 +68,22 @@ static EVP_PKEY* get(KeyHandle* handle) { return nullptr; } -static CertificateValidationError to_certificate_error(const int ec) { +static CertificateValidationResult to_certificate_error(const int ec) { switch (ec) { case X509_V_ERR_CERT_HAS_EXPIRED: - return CertificateValidationError::Expired; + return CertificateValidationResult::Expired; case X509_V_ERR_CERT_SIGNATURE_FAILURE: - return CertificateValidationError::InvalidSignature; + return CertificateValidationResult::InvalidSignature; case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: - return CertificateValidationError::IssuerNotFound; + return CertificateValidationResult::IssuerNotFound; case X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: - return CertificateValidationError::InvalidLeafSignature; + return CertificateValidationResult::InvalidLeafSignature; + case X509_V_ERR_CERT_CHAIN_TOO_LONG: + case X509_V_ERR_CERT_UNTRUSTED: + return CertificateValidationResult::InvalidChain; default: EVLOG_warning << X509_verify_cert_error_string(ec); - return CertificateValidationError::Unknown; + return CertificateValidationResult::Unknown; } } @@ -556,11 +559,11 @@ X509Handle_ptr OpenSSLSupplier::x509_duplicate_unique(X509Handle* handle) { return std::make_unique(X509_dup(get(handle))); } -CertificateValidationError OpenSSLSupplier::x509_verify_certificate_chain(X509Handle* target, - const std::vector& parents, - bool allow_future_certificates, - const std::optional dir_path, - const std::optional file_path) { +CertificateValidationResult OpenSSLSupplier::x509_verify_certificate_chain(X509Handle* target, + const std::vector& parents, + bool allow_future_certificates, + const std::optional dir_path, + const std::optional file_path) { OpenSSLProvider provider; provider.set_global_mode(OpenSSLProvider::mode_t::default_provider); X509_STORE_ptr store_ptr(X509_STORE_new()); @@ -575,12 +578,12 @@ CertificateValidationError OpenSSLSupplier::x509_verify_certificate_chain(X509Ha const char* c_file_path = file_path.has_value() ? file_path.value().c_str() : nullptr; if (1 != X509_STORE_load_locations(store_ptr.get(), c_file_path, c_dir_path)) { - return CertificateValidationError::Unknown; + return CertificateValidationResult::Unknown; } if (dir_path.has_value()) { if (X509_STORE_add_lookup(store_ptr.get(), X509_LOOKUP_file()) == nullptr) { - return CertificateValidationError::Unknown; + return CertificateValidationResult::Unknown; } } } @@ -593,7 +596,7 @@ CertificateValidationError OpenSSLSupplier::x509_verify_certificate_chain(X509Ha ASN1_TIME_diff(&day, &sec, nullptr, X509_get_notAfter(get(target))); if (day < 0 || sec < 0) { // certificate is expired - return CertificateValidationError::Expired; + return CertificateValidationResult::Expired; } // certificate is not expired, but may not be valid yet. Since we allow future certs, disable time checks. X509_STORE_CTX_set_flags(store_ctx_ptr.get(), X509_V_FLAG_NO_CHECK_TIME); @@ -606,7 +609,7 @@ CertificateValidationError OpenSSLSupplier::x509_verify_certificate_chain(X509Ha return to_certificate_error(ec); } - return CertificateValidationError::NoError; + return CertificateValidationResult::Valid; } bool OpenSSLSupplier::x509_check_private_key(X509Handle* handle, std::string private_key, diff --git a/lib/evse_security/evse_security.cpp b/lib/evse_security/evse_security.cpp index e39e7c3..224656b 100644 --- a/lib/evse_security/evse_security.cpp +++ b/lib/evse_security/evse_security.cpp @@ -15,30 +15,32 @@ #include #include #include -#include #include namespace evse_security { -static InstallCertificateResult to_install_certificate_result(CertificateValidationError error) { +static InstallCertificateResult to_install_certificate_result(CertificateValidationResult error) { switch (error) { - case CertificateValidationError::Expired: + case CertificateValidationResult::Valid: + EVLOG_info << "Certificate accepted"; + return InstallCertificateResult::Accepted; + case CertificateValidationResult::Expired: EVLOG_warning << "Certificate has expired"; return InstallCertificateResult::Expired; - case CertificateValidationError::InvalidSignature: + case CertificateValidationResult::InvalidSignature: EVLOG_warning << "Invalid signature"; return InstallCertificateResult::InvalidSignature; - case CertificateValidationError::InvalidChain: + case CertificateValidationResult::InvalidChain: EVLOG_warning << "Invalid certificate chain"; return InstallCertificateResult::InvalidCertificateChain; - case CertificateValidationError::InvalidLeafSignature: + case CertificateValidationResult::InvalidLeafSignature: EVLOG_warning << "Unable to verify leaf signature"; return InstallCertificateResult::InvalidSignature; - case CertificateValidationError::IssuerNotFound: + case CertificateValidationResult::IssuerNotFound: EVLOG_warning << "Issuer not found"; - return InstallCertificateResult::InvalidCertificateChain; + return InstallCertificateResult::NoRootCertificateInstalled; default: - return InstallCertificateResult::InvalidCertificateChain; + return InstallCertificateResult::InvalidFormat; } } @@ -401,9 +403,11 @@ InstallCertificateResult EvseSecurity::update_leaf_certificate(const std::string if (certificate_type == LeafCertificateType::CSMS) { cert_path = this->directories.csms_leaf_cert_directory; key_path = this->directories.csms_leaf_key_directory; - } else { + } else if (certificate_type == LeafCertificateType::V2G) { cert_path = this->directories.secc_leaf_cert_directory; key_path = this->directories.secc_leaf_key_directory; + } else { + throw std::runtime_error("Attempt to update leaf certificate for non CSMS/V2G certificate!"); } try { @@ -415,8 +419,8 @@ InstallCertificateResult EvseSecurity::update_leaf_certificate(const std::string // Internal since we already acquired the lock const auto result = this->verify_certificate_internal(certificate_chain, certificate_type); - if (result != InstallCertificateResult::Accepted) { - return result; + if (result != CertificateValidationResult::Valid) { + return to_install_certificate_result(result); } // First certificate is always the leaf as per the spec @@ -649,6 +653,42 @@ OCSPRequestDataList EvseSecurity::get_ocsp_request_data() { return response; } +OCSPRequestDataList EvseSecurity::get_ocsp_request_data(const std::string& certificate_chain, + const CaCertificateType certificate_type) { + std::lock_guard guard(EvseSecurity::security_mutex); + + OCSPRequestDataList response; + std::vector ocsp_request_data_list; + + try { + X509CertificateBundle leaf_bundle(certificate_chain, EncodingFormat::PEM); + X509CertificateBundle root_bundle(this->ca_bundle_path_map.at(certificate_type), EncodingFormat::PEM); + + auto full_list = root_bundle.split(); + const auto leaf_certificates = leaf_bundle.split(); + for (const auto& certif : leaf_certificates) { + full_list.push_back(std::move(certif)); + } + X509CertificateHierarchy full_hierarchy = X509CertificateHierarchy::build_hierarchy(full_list); + + for (const auto& certificate : leaf_certificates) { + std::string responder_url = certificate.get_responder_url(); + if (!responder_url.empty()) { + auto certificate_hash_data = full_hierarchy.get_certificate_hash(certificate); + OCSPRequestData ocsp_request_data = {certificate_hash_data, responder_url}; + ocsp_request_data_list.push_back(ocsp_request_data); + } + } + + response.ocsp_request_data_list = ocsp_request_data_list; + } catch (const CertificateLoadException& e) { + EVLOG_error << "Could not get ocsp cache, certificate load failure: " << e.what() + << " for chain type: " << conversions::ca_certificate_type_to_string(certificate_type); + } + + return response; +} + void EvseSecurity::update_ocsp_cache(const CertificateHashData& certificate_hash_data, const std::string& ocsp_response) { std::lock_guard guard(EvseSecurity::security_mutex); @@ -1065,39 +1105,52 @@ bool EvseSecurity::verify_file_signature(const fs::path& path, const std::string return false; } -InstallCertificateResult EvseSecurity::verify_certificate(const std::string& certificate_chain, - LeafCertificateType certificate_type) { +CertificateValidationResult EvseSecurity::verify_certificate(const std::string& certificate_chain, + LeafCertificateType certificate_type) { std::lock_guard guard(EvseSecurity::security_mutex); return verify_certificate_internal(certificate_chain, certificate_type); } -InstallCertificateResult EvseSecurity::verify_certificate_internal(const std::string& certificate_chain, - LeafCertificateType certificate_type) { +CertificateValidationResult EvseSecurity::verify_certificate_internal(const std::string& certificate_chain, + LeafCertificateType certificate_type) { try { X509CertificateBundle certificate(certificate_chain, EncodingFormat::PEM); std::vector _certificate_chain = certificate.split(); if (_certificate_chain.empty()) { - return InstallCertificateResult::InvalidFormat; + return CertificateValidationResult::Unknown; } const auto leaf_certificate = _certificate_chain.at(0); std::vector parent_certificates; fs::path store; + // Retrieve the hierarchy in order to check if the chain contains a root certificate + X509CertificateHierarchy& hierarchy = certificate.get_certficate_hierarchy(); + + // Make sure that an added root certificate is excluded and taken from the bundle for (size_t i = 1; i < _certificate_chain.size(); i++) { - parent_certificates.emplace_back(_certificate_chain[i].get()); + const auto& cert = _certificate_chain[i]; + if (hierarchy.is_root(cert)) { + EVLOG_warning << "ignore root certificate: " << cert.get_common_name(); + } else { + parent_certificates.emplace_back(cert.get()); + } } if (certificate_type == LeafCertificateType::CSMS) { store = this->ca_bundle_path_map.at(CaCertificateType::CSMS); } else if (certificate_type == LeafCertificateType::V2G) { store = this->ca_bundle_path_map.at(CaCertificateType::V2G); - } else { + } else if (certificate_type == LeafCertificateType::MF) store = this->ca_bundle_path_map.at(CaCertificateType::MF); + else if (certificate_type == LeafCertificateType::MO) { + store = this->ca_bundle_path_map.at(CaCertificateType::MO); + } else { + throw std::runtime_error("Could not convert LeafCertificateType to CaCertificateType during verification!"); } - CertificateValidationError validated{}; + CertificateValidationResult validated{}; if (fs::is_directory(store)) { // In case of a directory load the certificates manually and add them @@ -1122,14 +1175,10 @@ InstallCertificateResult EvseSecurity::verify_certificate_internal(const std::st std::nullopt, store); } - if (validated != CertificateValidationError::NoError) { - return to_install_certificate_result(validated); - } - - return InstallCertificateResult::Accepted; + return validated; } catch (const CertificateLoadException& e) { - EVLOG_warning << "Could not load update leaf certificate because of invalid format"; - return InstallCertificateResult::InvalidFormat; + EVLOG_warning << "Could not validate certificate chain because of invalid format"; + return CertificateValidationResult::Unknown; } } diff --git a/tests/openssl_supplier_test.cpp b/tests/openssl_supplier_test.cpp index 89cb817..5289a86 100644 --- a/tests/openssl_supplier_test.cpp +++ b/tests/openssl_supplier_test.cpp @@ -98,7 +98,7 @@ TEST_F(OpenSSLSupplierTest, x509_verify_certificate_chain) { auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, true, std::nullopt, "pki/root_cert.pem"); - ASSERT_EQ(res, CertificateValidationError::NoError); + ASSERT_EQ(res, CertificateValidationResult::Valid); } TEST_F(OpenSSLSupplierTest, x509_generate_csr) { diff --git a/tests/tests.cpp b/tests/tests.cpp index 30f4d8f..e34b6eb 100644 --- a/tests/tests.cpp +++ b/tests/tests.cpp @@ -299,7 +299,7 @@ TEST_F(EvseSecurityTests, verify_directory_bundles) { const auto child_cert_str = read_file_to_string(std::filesystem::path("certs/client/csms/CSMS_LEAF.pem")); ASSERT_EQ(this->evse_security->verify_certificate(child_cert_str, LeafCertificateType::CSMS), - InstallCertificateResult::Accepted); + CertificateValidationResult::Valid); // Verifies that directory bundles properly function when verifying a certificate this->evse_security->ca_bundle_path_map[CaCertificateType::CSMS] = fs::path("certs/ca/v2g/"); @@ -307,7 +307,7 @@ TEST_F(EvseSecurityTests, verify_directory_bundles) { // Verify a leaf ASSERT_EQ(this->evse_security->verify_certificate(child_cert_str, LeafCertificateType::CSMS), - InstallCertificateResult::Accepted); + CertificateValidationResult::Valid); } TEST_F(EvseSecurityTests, verify_bundle_management) { @@ -351,98 +351,6 @@ TEST_F(EvseSecurityTests, verify_certificate_counts) { ASSERT_EQ(this->evse_security->get_count_of_installed_certificates({CertificateType::MORootCertificate}), 0); } -#if USING_OPENSSL_3 -TEST_F(EvseSecurityTests, providers_tests) { - if (supports_tpm == false) - return; - - // Unload all current providers for a clean state - std::vector current_providers; - - auto clean_fct = [](OSSL_PROVIDER* provider, void* cbdata) { - static_cast*>(cbdata)->push_back(provider); - return 1; - }; - - OSSL_PROVIDER_do_all(nullptr, clean_fct, ¤t_providers); - - for (auto& provider : current_providers) { - OSSL_PROVIDER_unload(provider); - } - - OSSL_PROVIDER* default_provider = OSSL_PROVIDER_load(nullptr, PROVIDER_DEFAULT); - ASSERT_TRUE(default_provider); - - OSSL_PROVIDER* tpm2_provider = OSSL_PROVIDER_load(nullptr, PROVIDER_TPM); - ASSERT_TRUE(tpm2_provider); - - ASSERT_TRUE(OSSL_PROVIDER_available(nullptr, PROVIDER_DEFAULT)); - ASSERT_TRUE(OSSL_PROVIDER_available(nullptr, PROVIDER_TPM)); - - ASSERT_TRUE(OSSL_PROVIDER_self_test(default_provider)); - ASSERT_TRUE(OSSL_PROVIDER_self_test(tpm2_provider)); - - // Check that we have only 2 providers - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT, PROVIDER_TPM})); - - auto fct = [](OSSL_PROVIDER* provider, void* cbdata) { - std::cout << "Provider: " << OSSL_PROVIDER_get0_name(provider) << std::endl; - - const char* build = NULL; - const char* name = NULL; - const char* status = NULL; - - OSSL_PARAM request[] = {{"buildinfo", OSSL_PARAM_UTF8_PTR, &build, 0, 0}, - {"name", OSSL_PARAM_UTF8_PTR, &name, 0, 0}, - {"status", OSSL_PARAM_UTF8_PTR, &status, 0, 0}, - {NULL, 0, NULL, 0, 0}}; - - OSSL_PROVIDER_get_params(provider, request); - - std::cout << "Info: " << (build != nullptr ? build : "N/A") << "|" << (name != nullptr ? name : "N/A") << "|" - << (status != nullptr ? status : "N/A") << std::endl; - - return 1; - }; - - OSSL_PROVIDER_do_all(nullptr, fct, nullptr); - - // Unload providers - ASSERT_TRUE(OSSL_PROVIDER_unload(default_provider)); - ASSERT_TRUE(OSSL_PROVIDER_unload(tpm2_provider)); - - // Check that we don't have providers - ASSERT_TRUE(check_openssl_providers({})); - - // Load default again - OSSL_PROVIDER_load(nullptr, PROVIDER_DEFAULT); - - // Check that we have the default provider - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT})); -} - -TEST_F(EvseSecurityTests, verify_provider_scope) { -#ifdef USING_TPM2 - GTEST_SKIP() << "Skipped: OpenSSLProvider doesn't load and unload providers"; -#endif - if (supports_tpm == false) - return; - - EXPECT_NO_THROW({ TPMScopedProvider provider; }); - - std::cout << "Testing TPM scoped provider" << std::endl; - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT})); - - { - TPMScopedProvider provider; - ASSERT_TRUE(check_openssl_providers({PROVIDER_TPM})); - } - - ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT})); - std::cout << "Ending test TPM scoped provider" << std::endl; -} -#endif // USING_OPENSSL_3 - TEST_F(EvseSecurityTests, verify_normal_keygen) { KeyGenerationInfo info; KeyHandle_ptr key; @@ -551,7 +459,7 @@ TEST_F(EvseSecurityTests, verify_v2g_cert_01) { TEST_F(EvseSecurityTests, verify_v2g_cert_02) { const auto invalid_certificate = read_file_to_string(fs::path("certs/client/invalid/INVALID_CSMS.pem")); const auto result = this->evse_security->update_leaf_certificate(invalid_certificate, LeafCertificateType::V2G); - ASSERT_TRUE(result == InstallCertificateResult::InvalidCertificateChain); + ASSERT_TRUE(result != InstallCertificateResult::Accepted); } TEST_F(EvseSecurityTests, install_root_ca_01) {