diff --git a/CMakeLists.txt b/CMakeLists.txt
index b90f520..ec0088b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -43,7 +43,7 @@ option(LIBEVSE_SECURITY_USE_BOOST_FILESYSTEM "Usage of boost/filesystem.hpp inst
option(LIBEVSE_CRYPTO_SUPPLIER_OPENSSL "Default OpenSSL cryptography supplier" ON)
# dependencies
-find_package(OpenSSL REQUIRED)
+find_package(OpenSSL 3 REQUIRED)
add_subdirectory(lib)
diff --git a/README.md b/README.md
index 2106346..25f3abe 100644
--- a/README.md
+++ b/README.md
@@ -10,7 +10,7 @@ All documentation and the issue tracking can be found in our main repository her
## Prerequisites
-The library requires OpenSSL 1.1.1.
+The library requires OpenSSL 3.
## Build Instructions
@@ -61,7 +61,6 @@ When receiving back a signed CSR, the library will take care to create two files
## TPM
There is a configuration option to configure OpenSSL for use with a TPM.
`cmake` ... `-DUSING_TPM2=ON`
-Note OpenSSL providers are not available for OpenSSL v1, OpenSSL v3 is required.
The library will use the `UseTPM` flag and the PEM private key file to
configure whether to use the `default` provider or the `tpm2` provider.
diff --git a/include/evse_security/crypto/interface/crypto_types.hpp b/include/evse_security/crypto/interface/crypto_types.hpp
index 604d67d..a29e4b4 100644
--- a/include/evse_security/crypto/interface/crypto_types.hpp
+++ b/include/evse_security/crypto/interface/crypto_types.hpp
@@ -13,9 +13,10 @@ namespace evse_security {
enum class CryptoKeyType {
EC_prime256v1, // Default EC. P-256, ~equiv to rsa 3072
EC_secp384r1, // P-384, ~equiv to rsa 7680
- RSA_TPM20, // Default TPM RSA, only option allowed for TPM (universal support), 2048 bits
- RSA_3072, // Default RSA. Protection lifetime: ~2030
- RSA_7680, // Protection lifetime: >2031. Very long generation time 8-40s on 16 core PC
+ RSA_2048,
+ RSA_TPM20 = RSA_2048, // Default TPM RSA, only option allowed for TPM (universal support), 2048 bits
+ RSA_3072, // Default RSA. Protection lifetime: ~2030
+ RSA_7680, // Protection lifetime: >2031. Very long generation time 8-40s on 16 core PC
};
enum class KeyValidationResult {
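Review bot: `RSA_TPM20 = RSA_2048` makes the two enumerators the same value, so any `switch` that lists both `case CryptoKeyType::RSA_2048:` and `case CryptoKeyType::RSA_TPM20:` will no longer compile (duplicate case), and a to-string mapping can no longer tell a TPM-bound request from a plain 2048-bit one; whether callers rely on that distinction is not visible in this hunk. The new `RSA_2048` is also the only enumerator without a comment. I would write it as `RSA_2048, // 2048-bit RSA; RSA_TPM20 below is an alias of this value, not a distinct key type` so the aliasing is explicit at the point of use.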
diff --git a/include/evse_security/detail/openssl/openssl_providers.hpp b/include/evse_security/detail/openssl/openssl_providers.hpp
deleted file mode 100644
index 65a0321..0000000
--- a/include/evse_security/detail/openssl/openssl_providers.hpp
+++ /dev/null
@@ -1,205 +0,0 @@
-// SPDX-License-Identifier: Apache-2.0
-// Copyright Pionix GmbH and Contributors to EVerest
-#pragma once
-
-#include
-#include
-#include
-#include
-#include
-
-#include
-#include
-
-namespace evse_security {
-
-static constexpr const char* PROVIDER_NULL = "null";
-static constexpr const char* PROVIDER_DEFAULT = "default";
-static constexpr const char* PROVIDER_TPM = "tpm2";
-
-enum class Provider {
- SSL_NULL,
- DEFAULT,
- TPM2,
- CUSTOM,
-};
-
-template struct ProviderResolver {};
-
-template <> struct ProviderResolver {
- static constexpr const char* name() {
- return PROVIDER_NULL;
- }
-};
-
-template <> struct ProviderResolver {
- static constexpr const char* name() {
- return PROVIDER_DEFAULT;
- }
-};
-
-template <> struct ProviderResolver {
- static constexpr const char* name() {
- return PROVIDER_TPM;
- }
-};
-
-template static void foreach_provider(F func) {
- auto iter = [](OSSL_PROVIDER* provider, void* cbdata) {
- F* fc = (F*)cbdata;
- (*fc)(provider);
-
- return 1;
- };
-
- OSSL_PROVIDER_do_all(nullptr, iter, &func);
-}
-
-static std::vector get_current_provider_names() {
- std::vector providers;
- foreach_provider(
- [&providers](OSSL_PROVIDER* provider) { providers.emplace_back(OSSL_PROVIDER_get0_name(provider)); });
-
- return providers;
-}
-
-static std::vector get_current_providers() {
- std::vector providers;
- foreach_provider([&providers](OSSL_PROVIDER* provider) { providers.emplace_back(provider); });
-
- return providers;
-}
-
-class ProviderLoadException : public std::runtime_error {
-public:
- using std::runtime_error::runtime_error;
-};
-
-template struct OptionalMember {
- type data;
-};
-
-template struct OptionalMember {};
-
-template struct OSSLProvider {
- std::string get_required_provider() {
- return provider_required;
- }
-
- OSSL_PROVIDER* get_scope_provider_raw() {
- return provider_loaded;
- }
-
-protected:
- OSSLProvider(const std::string& provider) {
- provider_required = provider;
- }
-
- virtual ~OSSLProvider() noexcept(false) {
- }
-
-public: // Utilities for loading/unloading
- void load_provider() {
- persist_providers();
-
- if constexpr (!use_fallback)
- provider_loaded = OSSL_PROVIDER_load(nullptr, provider_required.c_str());
- else
- provider_loaded = OSSL_PROVIDER_try_load(nullptr, provider_required.c_str(), 1);
-
- if (!provider_loaded) {
- std::string error = "Failed to load provider: [" + provider_required + "] all operations reverting!";
- throw new ProviderLoadException(error);
- }
-
- EVLOG_debug << "[PROV] Provider loaded: " << provider_required;
- }
-
- void unload_provider() {
- if (OSSL_PROVIDER_unload(provider_loaded) != 1) {
- std::string error = "Failed to unload provider: [" + provider_required + "]";
- throw new ProviderLoadException(error);
- }
-
- // Invalidate
- provider_loaded = nullptr;
- restore_providers();
-
- EVLOG_debug << "[PROV] Provider unloaded: " << provider_required;
- }
-
-private:
- template typename std::enable_if::type persist_providers() {
- old_providers.data = get_current_provider_names();
-
- // No internal OSSL iteration while unloading
- std::vector providers = get_current_providers();
- for (auto& provider : providers) {
- if (!OSSL_PROVIDER_unload(provider)) {
- std::string error = "Failed to unload old provider!";
- throw new ProviderLoadException(error);
- }
- }
- }
-
- template typename std::enable_if::type restore_providers() {
- for (auto& provider : old_providers.data) {
- if (!OSSL_PROVIDER_load(nullptr, provider.c_str())) {
- std::string error = "Failed to load old provider: " + provider;
- throw new ProviderLoadException(error);
- }
- }
- }
-
- template typename std::enable_if::type persist_providers() {
- }
- template typename std::enable_if::type restore_providers() {
- }
-
-private:
- std::string provider_required;
- OSSL_PROVIDER* provider_loaded;
-
- OptionalMember, !use_fallback> old_providers;
-};
-
-template struct OSSLScopedProvider : public OSSLProvider {
-protected:
- OSSLScopedProvider(const std::string& provider) : OSSLProvider(provider) {
- this->load_provider();
- }
-
- virtual ~OSSLScopedProvider() noexcept(false) {
- this->unload_provider();
- }
-};
-
-template
-struct OSSLAutoresolvedScopedProvider : OSSLScopedProvider {
- OSSLAutoresolvedScopedProvider() : OSSLScopedProvider(ProviderResolver::name()) {
- }
-};
-
-template struct OSSLAutoresolvedProvider : OSSLProvider {
- OSSLAutoresolvedProvider() : OSSLProvider(ProviderResolver::name()) {
- }
-};
-
-// NULL provider to test certain operations
-typedef OSSLAutoresolvedScopedProvider NullScopedProvider;
-
-/// @brief Scoped TPM provider. In order to use the TPM for a certain operation simply
-/// declare an object of this type within a scope. Example usage:
-/// {
-/// TPMScopedProvider TPM();
-/// ... do TPM operations here normally ...
-/// }
-typedef OSSLAutoresolvedScopedProvider TPMScopedProvider;
-
-/// @brief Same as above, but with manual locking and unlocking
-typedef OSSLAutoresolvedProvider TPMProvider;
-
-/// @brief Same as the above but with the currently loaded provider as fallback
-typedef OSSLAutoresolvedScopedProvider TPMScopedProviderFallback;
-
-} // namespace evse_security
\ No newline at end of file
diff --git a/include/evse_security/detail/openssl/openssl_types.hpp b/include/evse_security/detail/openssl/openssl_types.hpp
index b97b0f3..554e63b 100644
--- a/include/evse_security/detail/openssl/openssl_types.hpp
+++ b/include/evse_security/detail/openssl/openssl_types.hpp
@@ -5,8 +5,6 @@
#include
#include
-#define EVSE_OPENSSL_VER_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
template <> class std::default_delete {
public:
void operator()(X509* ptr) const {
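Review bot: Dropping the `EVSE_OPENSSL_VER_3` definition is silent for any `#if EVSE_OPENSSL_VER_3` guard that survives outside this diff, because an undefined identifier evaluates to 0 in `#if` and the guarded code is simply compiled out. Since the library now requires OpenSSL 3 unconditionally, I would replace the macro with a hard check at the same spot, `static_assert(OPENSSL_VERSION_NUMBER >= 0x30000000L, "OpenSSL 3 or newer is required");`, and build once with `-Wundef` to flush out stale guards.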
@@ -77,22 +75,6 @@ template <> class std::default_delete {
}
};
-#if !EVSE_OPENSSL_VER_3
-template <> class std::default_delete {
-public:
- void operator()(EC_KEY* ptr) const {
- ::EC_KEY_free(ptr);
- }
-};
-
-template <> class std::default_delete {
-public:
- void operator()(RSA* ptr) const {
- ::RSA_free(ptr);
- }
-};
-#endif
-
namespace evse_security {
using X509_ptr = std::unique_ptr;
@@ -108,9 +90,4 @@ using BIO_ptr = std::unique_ptr;
using EVP_MD_CTX_ptr = std::unique_ptr;
using EVP_ENCODE_CTX_ptr = std::unique_ptr;
-#if !EVSE_OPENSSL_VER_3
-using EC_KEY_ptr = std::unique_ptr;
-using RSA_ptr = std::unique_ptr;
-#endif
-
} // namespace evse_security
diff --git a/lib/evse_security/crypto/openssl/openssl_supplier.cpp b/lib/evse_security/crypto/openssl/openssl_supplier.cpp
index 3347b88..72f82bb 100644
--- a/lib/evse_security/crypto/openssl/openssl_supplier.cpp
+++ b/lib/evse_security/crypto/openssl/openssl_supplier.cpp
@@ -140,7 +140,6 @@ constexpr const char* kt_rsa = "RSA";
constexpr const char* kt_ec = "EC";
static bool s_generate_key(const KeyGenerationInfo& key_info, KeyHandle_ptr& out_key, EVP_PKEY_CTX_ptr& ctx) {
-
unsigned int bits = 0;
char group_256[] = "P-256";
char group_384[] = "P-384";
@@ -180,7 +179,6 @@ static bool s_generate_key(const KeyGenerationInfo& key_info, KeyHandle_ptr& out
break;
}
-#if EVSE_OPENSSL_VER_3
OSSL_PARAM params[2];
std::memset(¶ms[0], 0, sizeof(params));
@@ -227,54 +225,6 @@ static bool s_generate_key(const KeyGenerationInfo& key_info, KeyHandle_ptr& out
auto evp_key = EVP_PKEY_ptr(pkey);
-#else
- constexpr unsigned long RSA_PRIME = 65537;
- EVP_PKEY_ptr evp_key = EVP_PKEY_ptr(EVP_PKEY_new());
-
- if (bEC) {
- // Ignore deprecation warnings on the EC gen functions since we need OpenSSL 1.1 support
- EC_KEY_ptr ec_key(EC_KEY_new_by_curve_name(nid));
-
- if (ec_key.get() == nullptr) {
- EVLOG_error << "Failed create EC key by curve!";
- bResult = false;
- }
-
- if (bResult) {
- // generate ec key pair
- if (EC_KEY_generate_key(ec_key.get()) != 1) {
- EVLOG_error << "Failed to generate EC key!";
- bResult = false;
- }
- }
-
- if (bResult) {
- // Not auto-released since on assign the ec_key will be released with the owner evp_pkey
- EC_KEY* key = ec_key.release();
-
- // Assigns the key, we must not release it here, since it is 'owned' by the evp_key
- EVP_PKEY_assign_EC_KEY(evp_key.get(), key);
- }
- } else {
- RSA_ptr rsa_key(RSA_generate_key(bits, RSA_PRIME, nullptr, nullptr));
-
- if (rsa_key.get() == nullptr) {
- EVLOG_error << "Failed create RSA key!";
- ERR_print_errors_fp(stderr);
- bResult = false;
- }
-
- if (bResult) {
- // Not auto-released since on assign the ec_key will be released with the owner evp_pkey
- RSA* key = rsa_key.release();
-
- // Assigns the key, we must not release it here, since it is 'owned' by the evp_key
- EVP_PKEY_assign_RSA(evp_key.get(), key);
- }
- }
-
-#endif
-
if (bResult) {
EVLOG_info << "Key export";
// Export keys too
@@ -545,12 +495,7 @@ bool OpenSSLSupplier::x509_is_selfsigned(X509Handle* handle) {
if (x509 == nullptr)
return false;
-// X509_self_signed() was added in OpenSSL 3.0, use a workaround for earlier versions
-#if EVSE_OPENSSL_VER_3
return (X509_self_signed(x509, 0) == 1);
-#else
- return (X509_verify(x509, X509_get_pubkey(x509)));
-#endif
}
bool OpenSSLSupplier::x509_is_equal(X509Handle* a, X509Handle* b) {
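Review bot: `X509_self_signed(x509, 0)` is now the only implementation, and with `verify_signature` set to 0 it only checks that issuer equals subject and that the key identifiers agree; it does not verify the signature with the certificate's own key. That is fine if callers treat "self-signed" as a structural property, but anything that relies on this as a trust decision should know it. I would add `// Structural check only (issuer == subject, matching key ids); the signature is not verified here` above the return. The start of x509_is_selfsigned is outside the hunk.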
@@ -729,7 +674,6 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
if (csr_info.key_info.generate_on_tpm) {
provider.set_global_mode(OpenSSLProvider::mode_t::tpm2_provider);
-
} else {
provider.set_global_mode(OpenSSLProvider::mode_t::default_provider);
}
@@ -743,17 +687,28 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
// X509 CSR request
X509_REQ_ptr x509_req_ptr(X509_REQ_new());
+ if (nullptr == x509_req_ptr.get()) {
+ EVLOG_error << "Failed to create CSR request!";
+ ERR_print_errors_fp(stderr);
+
+ return CertificateSignRequestResult::Unknown;
+ }
+
// set version of x509 req
int n_version = csr_info.n_version;
if (false == X509_REQ_set_version(x509_req_ptr.get(), n_version)) {
EVLOG_error << "Failed to set csr version!";
+ ERR_print_errors_fp(stderr);
+
return CertificateSignRequestResult::VersioningError;
}
// set public key of x509 req
if (false == X509_REQ_set_pubkey(x509_req_ptr.get(), key)) {
EVLOG_error << "Failed to set csr pubkey!";
+ ERR_print_errors_fp(stderr);
+
return CertificateSignRequestResult::PubkeyError;
}
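Review bot: Each new `ERR_print_errors_fp(stderr)` sends the OpenSSL error queue to stderr while the accompanying message goes through `EVLOG_error`, so the detail ends up in a different stream from the log line that explains it and is lost when stderr is not captured. The same pattern is added in the following hunk for the extensions and signing errors. If the rest of the library logs through EVLOG, I would fold the detail into the log line instead, e.g. `char err[256]; ERR_error_string_n(ERR_get_error(), err, sizeof(err)); EVLOG_error << "Failed to create CSR request: " << err;`. x509_generate_csr begins and ends outside this hunk.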
@@ -798,16 +753,18 @@ CertificateSignRequestResult OpenSSLSupplier::x509_generate_csr(const Certificat
if (!result) {
EVLOG_error << "Failed to add csr extensions!";
+ ERR_print_errors_fp(stderr);
+
return CertificateSignRequestResult::ExtensionsError;
}
// sign the certificate with the private key
- bool x509_signed = false;
-
- x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256());
+ bool x509_signed = X509_REQ_sign(x509_req_ptr.get(), key, EVP_sha256());
if (x509_signed == false) {
- EVLOG_error << "Failed to sign csr!";
+ EVLOG_error << "Failed to sign csr with error!";
+ ERR_print_errors_fp(stderr);
+
return CertificateSignRequestResult::SigningError;
}
diff --git a/lib/evse_security/crypto/openssl/openssl_tpm.cpp b/lib/evse_security/crypto/openssl/openssl_tpm.cpp
index 233f2b1..c4edb0d 100644
--- a/lib/evse_security/crypto/openssl/openssl_tpm.cpp
+++ b/lib/evse_security/crypto/openssl/openssl_tpm.cpp
@@ -5,9 +5,7 @@
#include
-#define USING_OPENSSL_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-
-#if USING_OPENSSL_3 && defined(USING_TPM2)
+#if USING_TPM2
// OpenSSL3 without TPM will use the default provider anyway
#include
#include
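Review bot: `#if USING_TPM2` breaks if the build defines the macro without a value (a plain `-DUSING_TPM2`), because `#if` with an empty expression is a preprocessor error, whereas the previous `defined(USING_TPM2)` and the `#ifdef USING_TPM2` used in tests/tests.cpp in this same diff both accept it. I would keep the three files consistent and use `#ifdef USING_TPM2` here as well.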
diff --git a/tests/openssl_supplier_test_tpm.cpp b/tests/openssl_supplier_test_tpm.cpp
index 952044d..0315317 100644
--- a/tests/openssl_supplier_test_tpm.cpp
+++ b/tests/openssl_supplier_test_tpm.cpp
@@ -23,6 +23,22 @@ class OpenSSLSupplierTpmTest : public testing::Test {
}
};
+TEST_F(OpenSSLSupplierTpmTest, supports_tpm) {
+ OpenSSLProvider::cleanup();
+ ASSERT_FALSE(OpenSSLProvider::supports_tpm());
+ // calculates
+ OpenSSLProvider provider;
+ // returns cached
+ ASSERT_TRUE(OpenSSLProvider::supports_tpm());
+}
+
+TEST_F(OpenSSLSupplierTpmTest, supports_tpm_key_creation) {
+ OpenSSLProvider::cleanup();
+ ASSERT_FALSE(OpenSSLProvider::supports_tpm());
+ // should calculate
+ ASSERT_TRUE(OpenSSLSupplier::supports_tpm_key_creation());
+}
+
TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) {
KeyGenerationInfo info = {
CryptoKeyType::RSA_TPM20, true, std::nullopt, std::nullopt, std::nullopt,
@@ -33,6 +49,10 @@ TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) {
}
TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_3072) {
+ // Enable this test manually only if your platform supports 3072 TPM keys
+ GTEST_SKIP() << "Skipping TPM2.0 GEN_RSA_3072 test since it is a non-spec value"
+ "which probably will not be supported on many platforms!";
+
KeyGenerationInfo info = {
CryptoKeyType::RSA_3072, true, std::nullopt, std::nullopt, std::nullopt,
};
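Review bot: The two string literals passed to `GTEST_SKIP()` are concatenated without a separator, so the skip reason reads "non-spec valuewhich probably will not be supported". Add the trailing space to the first literal: `GTEST_SKIP() << "Skipping TPM2.0 GEN_RSA_3072 test since it is a non-spec value "`.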
@@ -71,7 +91,7 @@ TEST_F(OpenSSLSupplierTpmTest, x509_check_private_key) {
auto cert = res_leaf[0].get();
auto key = getFile("tpm_pki/server_priv.pem");
auto res = OpenSSLSupplier::x509_check_private_key(cert, key, std::nullopt);
- ASSERT_TRUE(res);
+ ASSERT_EQ(res, KeyValidationResult::Valid);
}
TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) {
@@ -87,9 +107,9 @@ TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) {
parents.push_back(i.get());
}
- auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, true, std::nullopt,
+ auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, {}, true, std::nullopt,
"tpm_pki/root_cert.pem");
- ASSERT_EQ(res, CertificateValidationError::NoError);
+ ASSERT_EQ(res, CertificateValidationResult::Valid);
}
TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
@@ -101,7 +121,7 @@ TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
"0123456789",
.dns_name = std::nullopt,
.ip_address = std::nullopt,
- {CryptoKeyType::EC_prime256v1, true, std::nullopt, "tpm_pki/csr_key.pem", std::nullopt}};
+ {CryptoKeyType::EC_prime256v1, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
// std::cout << "tpm2 pre: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
// std::cout << "base pre: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
@@ -109,24 +129,25 @@ TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
// std::cout << "tpm2 post: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
// std::cout << "base post: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
- ASSERT_TRUE(res);
+ ASSERT_EQ(res, CertificateSignRequestResult::Valid);
ASSERT_GT(csr.size(), 0);
}
-TEST_F(OpenSSLSupplierTpmTest, supports_tpm) {
- OpenSSLProvider::cleanup();
- ASSERT_FALSE(OpenSSLProvider::supports_tpm());
- // calculates
- OpenSSLProvider provider;
- // returns cached
- ASSERT_TRUE(OpenSSLProvider::supports_tpm());
-}
+TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr2) {
+ std::string csr;
+ CertificateSigningRequestInfo csr_info = {
+ 0,
+ "UK",
+ "Pionix",
+ "0123456789",
+ .dns_name = std::nullopt,
+ .ip_address = std::nullopt,
+ {CryptoKeyType::RSA_TPM20, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
-TEST_F(OpenSSLSupplierTpmTest, supports_tpm_key_creation) {
- OpenSSLProvider::cleanup();
- ASSERT_FALSE(OpenSSLProvider::supports_tpm());
- // should calculate
- ASSERT_TRUE(OpenSSLSupplier::supports_tpm_key_creation());
+ auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+
+ ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+ ASSERT_GT(csr.size(), 0);
}
} // namespace
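Review bot: `x509_generate_csr2` writes its private key to `"tpm_pki/csr_key.tkey"`, the same path the preceding `x509_generate_csr` test uses for its EC key, so the second test overwrites the first's output and the two become order-dependent; I cannot see from here whether a later test reads that file. A distinct name such as `"tpm_pki/csr_key_rsa.tkey"` avoids the coupling. Since the two tests differ only in the key type, a short helper taking the `CryptoKeyType` and file name would also remove the duplicated initializer.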
diff --git a/tests/tests.cpp b/tests/tests.cpp
index 4c4c286..efb6d53 100644
--- a/tests/tests.cpp
+++ b/tests/tests.cpp
@@ -17,14 +17,8 @@
#include
#include
-#define USING_OPENSSL_3 (OPENSSL_VERSION_NUMBER >= 0x30000000L)
-#if USING_OPENSSL_3
-// provider management has changed - ensure tests still work
-#ifndef USING_TPM2
-
-#include
-#else
+#ifdef USING_TPM2
// updates so that existing tests run with the OpenSSLProvider
#include
@@ -38,19 +32,6 @@ typedef OpenSSLProvider TPMScopedProvider;
} // namespace evse_security
#endif // USING_TPM2
-#else
-
-// updates so that tests run under OpenSSL v1
-namespace evse_security {
-const char* PROVIDER_TPM = "tpm2";
-const char* PROVIDER_DEFAULT = "default";
-} // namespace evse_security
-constexpr bool check_openssl_providers(const std::vector&) {
- return true;
-}
-
-#endif // USING_OPENSSL_3
-
std::string read_file_to_string(const fs::path filepath) {
fsstd::ifstream t(filepath.string());
std::stringstream buffer;
@@ -69,61 +50,6 @@ bool equal_certificate_strings(const std::string& cert1, const std::string& cert
return true;
}
-#if USING_OPENSSL_3
-bool supports_tpm_usage() {
- bool supports_tpm = false;
- auto libctx = OSSL_LIB_CTX_new();
-
- OSSL_PROVIDER* tpm2_provider = OSSL_PROVIDER_load(libctx, evse_security::PROVIDER_TPM);
-
- if (tpm2_provider != nullptr) {
- supports_tpm =
- OSSL_PROVIDER_available(libctx, evse_security::PROVIDER_TPM) && OSSL_PROVIDER_self_test(tpm2_provider);
- OSSL_PROVIDER_unload(tpm2_provider);
- } else {
- supports_tpm = false;
- }
-
- // Load default again (removed - not needed and causes a memory leak)
- // OSSL_PROVIDER_load(nullptr, evse_security::PROVIDER_DEFAULT);
-
- OSSL_LIB_CTX_free(libctx);
-
- std::cout << "Supports TPM usage: " << supports_tpm << std::endl;
- return supports_tpm;
-}
-
-// Checks if we have the following providers active
-bool check_openssl_providers(const std::vector& required_providers) {
- struct Info {
- std::set providers;
- };
-
- auto collector = [](OSSL_PROVIDER* provider, void* cbdata) {
- Info* info = (Info*)cbdata;
- info->providers.emplace(OSSL_PROVIDER_get0_name(provider));
- return 1;
- };
-
- Info info;
- OSSL_PROVIDER_do_all(nullptr, collector, &info);
-
- if (info.providers.size() != required_providers.size())
- return false;
-
- for (auto& required : required_providers) {
- if (info.providers.find(required) == info.providers.end())
- return false;
- }
-
- return true;
-}
-
-static bool supports_tpm = supports_tpm_usage();
-#else
-static bool supports_tpm = false;
-#endif // USING_OPENSSL_3
-
void install_certs() {
std::system("./generate_test_certs.sh");
}
@@ -248,9 +174,6 @@ class EvseSecurityTestsExpired : public EvseSecurityTests {
};
TEST_F(EvseSecurityTests, verify_basics) {
- // Check that we have the default provider
- ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT}));
-
const char* bundle_path = "certs/ca/v2g/V2G_CA_BUNDLE.pem";
fsstd::ifstream file(bundle_path, std::ios::binary);
@@ -312,9 +235,6 @@ TEST_F(EvseSecurityTests, verify_directory_bundles) {
}
TEST_F(EvseSecurityTests, verify_bundle_management) {
- // Check that we have the default provider
- ASSERT_TRUE(check_openssl_providers({PROVIDER_DEFAULT}));
-
const char* directory_path = "certs/ca/csms/";
X509CertificateBundle bundle(fs::path(directory_path), EncodingFormat::PEM);
ASSERT_TRUE(bundle.split().size() == 2);
@@ -366,18 +286,15 @@ TEST_F(EvseSecurityTests, verify_normal_keygen) {
ASSERT_TRUE(gen);
}
-TEST_F(EvseSecurityTests, verify_tpm_keygen_csr) {
- if (supports_tpm == false)
- return;
-
+TEST_F(EvseSecurityTests, verify_keygen_csr) {
KeyGenerationInfo info;
KeyHandle_ptr key;
info.key_type = CryptoKeyType::EC_prime256v1;
- info.generate_on_tpm = true;
+ info.generate_on_tpm = false;
- info.public_key_file = fs::path("key/tpm_pubkey.tkey");
- info.private_key_file = fs::path("key/tpm_privkey.tkey");
+ info.public_key_file = fs::path("key/pubkey.key");
+ info.private_key_file = fs::path("key/privkey.key");
bool gen = CryptoSupplier::generate_key(info, key);
ASSERT_TRUE(gen);
@@ -388,9 +305,9 @@ TEST_F(EvseSecurityTests, verify_tpm_keygen_csr) {
csr_info.organization = "PionixDE";
csr_info.country = "DE";
- info.public_key_file = fs::path("key/csr_tpm_pubkey.tkey");
- info.private_key_file = fs::path("key/csr_tpm_privkey.tkey");
- info.key_type = CryptoKeyType::RSA_TPM20;
+ info.public_key_file = fs::path("key/csr_pubkey.tkey");
+ info.private_key_file = fs::path("key/csr_privkey.tkey");
+ info.key_type = CryptoKeyType::RSA_2048;
csr_info.key_info = info;
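Review bot: The second key pair keeps the `.tkey` extension (`key/csr_pubkey.tkey`, `key/csr_privkey.tkey`) although the test now generates with `generate_on_tpm = false`, while the first pair in the same test was renamed to `key/pubkey.key` / `key/privkey.key`; the `.tkey` suffix is used for TPM keys elsewhere in this diff. I would rename these two to `key/csr_pubkey.key` and `key/csr_privkey.key` so the extension reflects the key's origin. verify_keygen_csr starts and ends outside this hunk.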
@@ -399,19 +316,7 @@ TEST_F(EvseSecurityTests, verify_tpm_keygen_csr) {
auto csr_gen = CryptoSupplier::x509_generate_csr(csr_info, csr);
ASSERT_EQ(csr_gen, CertificateSignRequestResult::Valid);
- std::cout << "TPM csr: " << std::endl << csr << std::endl;
-
- info.public_key_file = fs::path("key/csr_nrm_pubkey.tkey");
- info.private_key_file = fs::path("key/csr_nrm_privkey.tkey");
- info.generate_on_tpm = false;
- info.key_type = CryptoKeyType::RSA_3072;
-
- csr_info.key_info = info;
-
- csr_gen = CryptoSupplier::x509_generate_csr(csr_info, csr);
- ASSERT_EQ(csr_gen, CertificateSignRequestResult::Valid);
-
- std::cout << "normal csr: " << std::endl << csr << std::endl;
+ std::cout << "Csr: " << std::endl << csr << std::endl;
}
/// \brief get_certificate_hash_data() throws exception if called with no issuer and a non-self-signed cert
@@ -1052,7 +957,7 @@ TEST_F(EvseSecurityTestsExpired, verify_expired_leaf_deletion) {
}
// Check their respective keys exist
- EVLOG_info << key_file;
+ std::cout << key_file;
ASSERT_TRUE(fs::exists(key_file));
X509Wrapper cert = X509CertificateBundle(not_deleted, EncodingFormat::PEM).split().at(0);
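Review bot: `std::cout << key_file;` emits no line terminator, so the path runs into whatever is printed next; the `EVLOG_info` it replaces presumably terminated the line. Use `std::cout << key_file << '\n';`. The enclosing test body continues outside the hunk.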