Added mandatory kept key protection
Signed-off-by: AssemblyJohn <[email protected]>
AssemblyJohn committed Apr 23, 2024
1 parent ef09630 commit e21294f
Showing 1 changed file with 22 additions and 0 deletions.
22 changes: 22 additions & 0 deletions lib/evse_security/evse_security.cpp
@@ -1341,6 +1341,9 @@ void EvseSecurity::garbage_collect() {
// Delete certificates first, give the option to cleanup the dangling keys afterwards
std::set<fs::path> invalid_certificate_files;

// Private keys that are linked to the skipped certificates and that will not be deleted regardless
std::set<fs::path> protected_private_keys;

// Order by latest valid, and keep newest with a safety limit
for (auto const& [cert_dir, key_dir] : leaf_paths) {
X509CertificateBundle expired_certs(cert_dir, EncodingFormat::PEM);
@@ -1374,6 +1377,20 @@ void EvseSecurity::garbage_collect() {
}
}
}
} else {
// Add to protected certificate list
try {
fs::path key_file = get_private_key_path_of_certificate(chain[0], key_directory,
this->private_key_password);
protected_private_keys.emplace(key_file);

// Erase all protected keys from the managed CRSs
auto it = managed_csr.find(key_file);
if (it != managed_csr.end()) {
managed_csr.erase(it);
}
} catch (NoPrivateKeyException& e) {
}
}

return true;
@@ -1409,6 +1426,11 @@ void EvseSecurity::garbage_collect() {
for (const auto& key_entry : fs::recursive_directory_iterator(key_path)) {
auto key_file_path = key_entry.path();

// Skip protected keys
if (protected_private_keys.find(key_file_path) != protected_private_keys.end()) {
continue;
}

if (is_keyfile(key_file_path)) {
try {
// Check if we have found any matching certificate
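Review bot: The skip added in the key-deletion loop looks up `key_file_path` in `protected_private_keys` by lexical `fs::path` comparison, so a kept certificate's key is only protected if `get_private_key_path_of_certificate` and `fs::recursive_directory_iterator(key_path)` spell that file identically; a relative-versus-absolute or symlinked key directory would silently miss, and the key of a still-valid leaf certificate could then be deleted. Whether the two spellings can differ is not visible here, but normalising both sides would make the guarantee hold regardless, e.g. `protected_private_keys.emplace(fs::weakly_canonical(key_file));` and the same wrapper around `key_file_path` in the `find` (assuming `fs` is `std::filesystem`). The empty `catch (NoPrivateKeyException& e) {}` in the `else` branch also hides the case where a kept certificate has no resolvable key; I would catch by `const&` and add a comment or log line stating that this is expected. `garbage_collect` starts and ends outside the visible hunks.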