Garbage collect routines with:

CMakeLists.txt

@@ -21,6 +21,7 @@ if (NOT DISABLE_EDM)
     set(EVSE_SECURITY_INSTALL OFF)
 else()
     find_package(everest-log REQUIRED)
+    find_package(everest-timer REQUIRED)
 endif()
 
 option(LIBEVSE_SECURITY_USE_BOOST_FILESYSTEM "Usage of boost/filesystem.hpp instead of std::filesystem" OFF)

dependencies.yaml

@@ -3,7 +3,10 @@ liblog:
   git: https://github.com/EVerest/liblog.git
   git_tag: v0.2.1
   options: ["BUILD_EXAMPLES OFF"]
-
+libtimer:
+  git: https://github.com/EVerest/libtimer.git
+  git_tag: v0.1.1
+  options: ["BUILD_EXAMPLES OFF"]
 gtest:
   # GoogleTest now follows the Abseil Live at Head philosophy. We recommend updating to the latest commit in the main branch as often as possible.
   git: https://github.com/google/googletest.git

include/evse_security/evse_security.hpp

@@ -2,6 +2,8 @@
 // Copyright Pionix GmbH and Contributors to EVerest
 #pragma once
 
+#include <everest/timer.hpp>
+
 #include <evse_security/evse_types.hpp>
 #include <evse_security/utils/evse_filesystem_types.hpp>
 
@@ -44,8 +46,11 @@ static constexpr std::uintmax_t DEFAULT_MAX_FILESYSTEM_SIZE = 1024 * 1024 * 50;
 // Default maximum 2000 certificate entries
 static constexpr std::uintmax_t DEFAULT_MAX_CERTIFICATE_ENTRIES = 2000;
 
-// Expiry for CSRs that did not receive a response CSR, 10 minutes or reboot
-static std::chrono::seconds DEFAULT_CSR_EXPIRY(10 * 60);
+// Expiry for CSRs that did not receive a response CSR, 60 minutes
+static std::chrono::seconds DEFAULT_CSR_EXPIRY(3600);
+
+// Garbage collect default time, 20 minutes
+static std::chrono::seconds DEFAULT_GARBAGE_COLLECT_TIME(20 * 60);
 
 /// @brief This class holds filesystem paths to CA bundle file locations and directories for leaf certificates
 class EvseSecurity {
@@ -59,7 +64,8 @@ class EvseSecurity {
     EvseSecurity(const FilePaths& file_paths, const std::optional<std::string>& private_key_password = std::nullopt,
                  const std::optional<std::uintmax_t>& max_fs_usage_bytes = std::nullopt,
                  const std::optional<std::uintmax_t>& max_fs_certificate_store_entries = std::nullopt,
-                 const std::optional<std::chrono::seconds>& csr_expiry = std::nullopt);
+                 const std::optional<std::chrono::seconds>& csr_expiry = std::nullopt,
+                 const std::optional<std::chrono::seconds>& garbage_collect_time = std::nullopt);
 
     /// @brief Destructor
     ~EvseSecurity();
@@ -121,6 +127,10 @@ class EvseSecurity {
     /// @return true if CA certificate is present, else false
     bool is_ca_certificate_installed(CaCertificateType certificate_type);
 
+    /// @brief Should be invoked when a certificate CSR was not properly generated by the CSMS
+    /// and that the pairing key that was generated should be deleted
+    void certificate_signing_request_failed(const std::string& csr, LeafCertificateType certificate_type);
+
     /// @brief Generates a certificate signing request for the given \p certificate_type , \p country , \p organization
     /// and \p common , uses the TPM if \p use_tpm is true
     /// @param certificate_type
@@ -167,8 +177,7 @@ class EvseSecurity {
 
     /// @brief Collects and deletes unfulfilled CSR private keys. If also deleting the expired
     /// certificates, make sure the system clock is properly set for detecting expired certificates
-    /// @param delete_expired if the expired certificates should be deleted
-    void garbage_collect(bool delete_expired_certificates);
+    void garbage_collect();
 
     /// @brief Verifies the file at the given \p path using the provided \p signing_certificate and \p signature
     /// @param path
@@ -179,12 +188,16 @@ class EvseSecurity {
                                       const std::string signature);
 
 private:
+    // Internal versions of the functions do not lock the mutex
+    InstallCertificateResult verify_certificate_internal(const std::string& certificate_chain,
+                                                         LeafCertificateType certificate_type);
+    GetKeyPairResult get_key_pair_internal(LeafCertificateType certificate_type, EncodingFormat encoding);
+
     /// @brief Determines if the total filesize of certificates is > than the max_filesystem_usage bytes
     bool is_filesystem_full();
 
 private:
-    // TODO(ioan): implement library thread-safety
-    std::mutex security_mutex;
+    static std::mutex security_mutex;
 
     // why not reusing the FilePaths here directly (storage duplication)
     std::map<CaCertificateType, fs::path> ca_bundle_path_map;
@@ -200,6 +213,11 @@ class EvseSecurity {
     std::uintmax_t max_fs_certificate_store_entries;
     // Default csr expiry in seconds
     std::chrono::seconds csr_expiry;
+    // Default time to garbage collect
+    std::chrono::seconds garbage_collect_time;
+
+    // GC timer
+    Everest::SteadyTimer garbage_collect_timer;
 
     // FIXME(piet): map passwords to encrypted private key files
     // is there only one password for all private keys?

lib/evse_security/CMakeLists.txt

@@ -52,6 +52,8 @@ endif()
 #############
 
 target_link_libraries(evse_security
+    PUBLIC
+        everest::timer
     PRIVATE
         OpenSSL::SSL
         OpenSSL::Crypto