Fixes for OCSP data cleanup and test updates

Signed-off-by: AssemblyJohn <[email protected]>
EVerest · Apr 29, 2024 · 77d21e4 · 77d21e4
1 parent 4104017
commit 77d21e4
Show file tree

Hide file tree

Showing 5 changed files with 265 additions and 108 deletions.
diff --git a/include/evse_security/evse_security.hpp b/include/evse_security/evse_security.hpp
@@ -142,10 +142,11 @@ class EvseSecurity {
     /// @param ocsp_response the actual OCSP data
     void update_ocsp_cache(const CertificateHashData& certificate_hash_data, const std::string& ocsp_response);
 
+    // TODO: Switch to path
     /// @brief Retrieves from the OCSP cache for the given \p certificate_hash_data
     /// @param certificate_hash_data identifies the certificate for which the \p ocsp_response is specified
     /// @return the actual OCSP data or an empty value
-    std::optional<std::string> retrieve_ocsp_cache(const CertificateHashData& certificate_hash_data);
+    std::optional<fs::path> retrieve_ocsp_cache(const CertificateHashData& certificate_hash_data);
 
     /// @brief Indicates if a CA certificate for the given \p certificate_type is installed on the filesystem
     /// Supports both CA certificate bundles and directories
@@ -247,7 +248,7 @@ class EvseSecurity {
                                                             LeafCertificateType certificate_type);
     GetCertificateInfoResult get_leaf_certificate_info_internal(LeafCertificateType certificate_type,
                                                                 EncodingFormat encoding, bool include_ocsp = false);
-    std::optional<std::string> retrieve_ocsp_cache_internal(const CertificateHashData& certificate_hash_data);
+    std::optional<fs::path> retrieve_ocsp_cache_internal(const CertificateHashData& certificate_hash_data);
     bool is_ca_certificate_installed_internal(CaCertificateType certificate_type);
 
     /// @brief Determines if the total filesize of certificates is > than the max_filesystem_usage bytes
@@ -287,6 +288,7 @@ class EvseSecurity {
     FRIEND_TEST(EvseSecurityTests, verify_full_filesystem_install_reject);
     FRIEND_TEST(EvseSecurityTests, verify_full_filesystem);
     FRIEND_TEST(EvseSecurityTests, verify_expired_csr_deletion);
+    FRIEND_TEST(EvseSecurityTests, verify_ocsp_garbage_collect);
     FRIEND_TEST(EvseSecurityTestsExpired, verify_expired_leaf_deletion);
 #endif
 };

diff --git a/include/evse_security/evse_types.hpp b/include/evse_security/evse_types.hpp
@@ -10,6 +10,12 @@
 
 namespace evse_security {
 
+const fs::path PEM_EXTENSION = ".pem";
+const fs::path DER_EXTENSION = ".der";
+const fs::path KEY_EXTENSION = ".key";
+const fs::path TPM_KEY_EXTENSION = ".tkey";
+const fs::path CERT_HASH_EXTENSION = ".hash";
+
 enum class EncodingFormat {
     DER,
     PEM,
@@ -125,8 +131,8 @@ struct OCSPRequestDataList {
 };
 
 struct CertificateOCSP {
-    CertificateHashData hash;
-    std::optional<std::string> oscsp_data;
+    CertificateHashData hash;          ///< Hash of the certificate for which the OCSP data is held
+    std::optional<fs::path> ocsp_path; ///< Path to the file in which the certificate OCSP data is held
 };
 
 struct CertificateInfo {
@@ -142,13 +148,6 @@ struct GetCertificateInfoResult {
     GetCertificateInfoStatus status;
     std::optional<CertificateInfo> info;
 };
-
-const fs::path PEM_EXTENSION = ".pem";
-const fs::path DER_EXTENSION = ".der";
-const fs::path KEY_EXTENSION = ".key";
-const fs::path TPM_KEY_EXTENSION = ".tkey";
-const fs::path CERT_HASH_EXTENSION = ".hash";
-
 namespace conversions {
 std::string encoding_format_to_string(EncodingFormat e);
 std::string ca_certificate_type_to_string(CaCertificateType e);

diff --git a/lib/evse_security/certificate/x509_bundle.cpp b/lib/evse_security/certificate/x509_bundle.cpp
@@ -3,6 +3,7 @@
 #include <evse_security/certificate/x509_bundle.hpp>
 
 #include <algorithm>
+#include <fstream>
 
 #include <everest/logging.hpp>
 #include <evse_security/crypto/evse_crypto.hpp>
@@ -44,6 +45,20 @@ X509CertificateBundle::X509CertificateBundle(const fs::path& path, const Encodin
     hierarchy_invalidated(true) {
     this->path = path;
 
+    // In case the path is missing, create it
+    if (fs::exists(path) == false) {
+        if (path.has_extension()) {
+            if (path.extension() == PEM_EXTENSION) {
+                // Create file if we have an PEM extension
+                std::ofstream new_file(path.c_str());
+                new_file.close();
+            }
+        } else {
+            // Else create a directory
+            fs::create_directories(path);
+        }
+    }
+
     if (fs::is_directory(path)) {
         source = X509CertificateSource::DIRECTORY;