Skip to content

Add OCPP TLS certificate configuration and SNI support #1011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Add OCPP TLS certificate configuration and SNI support #1011

wants to merge 2 commits into from
+99 −5

Conversation

@0xStuart
Copy link

@0xStuart 0xStuart commented Oct 14, 2025

Required for complaint WSS support. I haven't the hardware to test this right now.

@jeremypoulter jeremypoulter requested a review from Copilot October 14, 2025 15:54
Copilot AI reviewed Oct 14, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds TLS certificate configuration and SNI (Server Name Indication) support for OCPP WebSocket connections to enable compliant WSS (WebSocket Secure) support. The changes introduce certificate management functionality with configurable security policies for OCPP connections.

Key Changes

  • Added TLS configuration structure and methods to manage certificates and security policies
  • Introduced certificate ID configuration parameter for selecting specific certificates
  • Added flag-based configuration for rejecting unauthorized certificates

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

File Description
src/ocpp.h Added TLS configuration structure, certificate management methods, and state tracking fields
src/ocpp.cpp Implemented TLS configuration logic, certificate resolution, and security policy application
src/app_config.h Added certificate ID configuration variable and security flag definitions
src/app_config.cpp Added configuration options for certificate ID and certificate validation settings

src/ocpp.cpp Outdated
}

TlsConfig desired = resolveTlsConfig();
bool changed = !tlsConfigApplied || desired.rejectUnauthorized != appliedRejectUnauthorized || desired.caCert != appliedCaCert;
Copy link

Copilot AI Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pointer comparison for desired.caCert != appliedCaCert compares memory addresses rather than string content. This will incorrectly detect changes when the same certificate content is stored at different memory locations. Use strcmp() or similar string comparison instead.

Copilot uses AI. Check for mistakes.
src/ocpp.cpp Outdated
#include <MicroOcpp/Model/Diagnostics/DiagnosticsService.h>
#include <MicroOcpp/Model/FirmwareManagement/FirmwareService.h>
#include <MongooseCore.h>

Copy link

Copilot AI Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] Include <cstdlib> should be placed with other system includes at the top, before the blank line that separates system includes from local includes.

Suggested change

Copilot uses AI. Check for mistakes.
@jeremypoulter
Copy link
Collaborator

jeremypoulter commented Oct 14, 2025

Thank you for your contribution, I will take a look

@jeremypoulter
Copy link
Collaborator

jeremypoulter commented Oct 15, 2025

@0xStuart Have you made appropriate UI updates to alloe the certificate to be set? Also please check the CoPilot comments

@0xStuart @factory-droid
Fix OCPP TLS CA comparison logic
31fc3a8 
Co-authored-by: factory-droid[bot] <138933559+factory-droid[bot]@users.noreply.github.com>
@0xStuart
Copy link
Author

0xStuart commented Oct 15, 2025

@jeremypoulter
As far as I know the general root CA bundle is built by buildRootCa() and used when no specific cert is chosen.
I'm not very familiar with the codebase. I wouldn't have thought any additional UI was necessary.
As I say, I don't have any hardware to test this right now.

@jeremypoulter
Copy link
Collaborator

jeremypoulter commented Oct 20, 2025

buildRootCa() will combine all the root certificats, those compiled and those uploaded by the user, so if your goal is to just allow additional certificates then you do not need any of the changes to the config, or seelction of a specific OCPP certificate.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@0xStuart @jeremypoulter