Merge pull request #23 from c-jimenez/dev/websocket_cert_management

[websocket] Add option to use PEM encoded data instead of PEM file pa…

Author: c-jimenez

examples/common/config/CentralSystemConfig.h

@@ -76,8 +76,6 @@ class CentralSystemConfig : public ocpp::config::ICentralSystemConfig
     std::string tlsServerCertificatePrivateKeyPassphrase() const override { return getString("TlsServerCertificatePrivateKeyPassphrase"); }
     /** @brief Certification Authority signing chain for the server certificate */
     std::string tlsServerCertificateCa() const override { return getString("TlsServerCertificateCa"); }
-    /** @brief Certification Authority signing chain for the clients certificates */
-    std::string tlsClientCertificateCa() const override { return getString("TlsClientCertificateCa"); }
     /** @brief Enable client authentication using certificate */
     bool tlsClientCertificateAuthent() const override { return getBool("TlsClientCertificateAuthent"); }
 

examples/common/config/ChargePointConfig.h

@@ -63,6 +63,14 @@ class ChargePointConfig : public ocpp::config::IChargePointConfig
     std::string tlsv13CipherList() const override { return getString("Tlsv13CipherList"); }
     /** @brief ECDH curve to use for TLS connections */
     std::string tlsEcdhCurve() const override { return getString("TlsEcdhCurve"); }
+    /** @brief Certification Authority signing chain for the server certificate */
+    std::string tlsServerCertificateCa() const override { return getString("TlsServerCertificateCa"); }
+    /** @brief Client certificate */
+    std::string tlsClientCertificate() const override { return getString("TlsClientCertificate"); }
+    /** @brief Client certificate's private key */
+    std::string tlsClientCertificatePrivateKey() const override { return getString("TlsClientCertificatePrivateKey"); }
+    /** @brief Client certificate's private key passphrase */
+    std::string tlsClientCertificatePrivateKeyPassphrase() const override { return getString("TlsClientCertificatePrivateKeyPassphrase"); }
     /** @brief Allow TLS connections using self-signed certificates
      *         (Warning : enabling this feature is not recommended in production) */
     bool tlsAllowSelfSignedCertificates() const override { return getBool("TlsAllowSelfSignedCertificates"); }

examples/quick_start_centralsystem/config/quick_start_centralsystem.ini

@@ -1,7 +1,7 @@
 [CentralSystem]
 DatabasePath=./quick_start_centralsystem.db
 JsonSchemasPath=../../schemas/ocpp16/
-ListenUrl=ws://127.0.0.1:8180/steve/websocket/CentralSystemService/
+ListenUrl=wss://127.0.0.1:8080/openocpp/
 CallRequestTimeout=2000
 WebSocketPingInterval=30
 BootNotificationRetryInterval=30
@@ -14,6 +14,5 @@ TlsServerCertificate=../../examples/certificates/open-ocpp_central-system.crt
 TlsServerCertificatePrivateKey=../../examples/certificates/open-ocpp_central-system.key
 TlsServerCertificatePrivateKeyPassphrase=
 TlsServerCertificateCa=../../examples/certificates/open-ocpp_ca.crt
-TlsClientCertificateCa=../../examples/certificates/open-ocpp_ca.crt
-TlsClientCertificateAuthent=false
+TlsClientCertificateAuthent=true
 LogMaxEntriesCount=2000

examples/quick_start_chargepoint/config/quick_start_chargepoint.ini

@@ -1,13 +1,17 @@
 [ChargePoint]
 DatabasePath=./quick_start_chargepoint.db
 JsonSchemasPath=../../schemas/ocpp16/
-ConnexionUrl=ws://127.0.0.1:8180/steve/websocket/CentralSystemService/
+ConnexionUrl=wss://127.0.0.1:8080/openocpp/
 Tlsv12CipherList=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-WITH-AES-256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:TLS-PSK-WITH-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-WITH-AES-128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:TLS-PSK-WITH-AES-128-GCM-SHA256
 Tlsv13CipherList=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
 TlsEcdhCurve=prime256v1
-TlsAllowSelfSignedCertificates=true
-TlsAllowExpiredCertificates=true
-TlsAcceptNonTrustedCertificates=true
+TlsServerCertificateCa=../../examples/certificates/open-ocpp_ca.crt
+TlsClientCertificate=../../examples/certificates/open-ocpp_charge-point.crt
+TlsClientCertificatePrivateKey=../../examples/certificates/open-ocpp_charge-point.key
+TlsClientCertificatePrivateKeyPassphrase=
+TlsAllowSelfSignedCertificates=false
+TlsAllowExpiredCertificates=false
+TlsAcceptNonTrustedCertificates=false
 TlsSkipServerNameCheck=true
 ChargePointIdentifier=ChargePointTest
 ConnectionTimeout=2000

examples/remote_chargepoint/config/remote_chargepoint.ini

@@ -1,13 +1,17 @@
 [ChargePoint]
 DatabasePath=./remote_chargepoint.db
 JsonSchemasPath=../../schemas/ocpp16/
-ConnexionUrl=ws://127.0.0.1:8180/steve/websocket/CentralSystemService/
+ConnexionUrl=wss://127.0.0.1:8080/openocpp/
 Tlsv12CipherList=ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-WITH-AES-256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:TLS-PSK-WITH-AES-256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-WITH-AES-128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:TLS-PSK-WITH-AES-128-GCM-SHA256
 Tlsv13CipherList=TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
 TlsEcdhCurve=prime256v1
-TlsAllowSelfSignedCertificates=true
-TlsAllowExpiredCertificates=true
-TlsAcceptNonTrustedCertificates=true
+TlsServerCertificateCa=../../examples/certificates/open-ocpp_ca.crt
+TlsClientCertificate=../../examples/certificates/open-ocpp_charge-point.crt
+TlsClientCertificatePrivateKey=../../examples/certificates/open-ocpp_charge-point.key
+TlsClientCertificatePrivateKeyPassphrase=
+TlsAllowSelfSignedCertificates=false
+TlsAllowExpiredCertificates=false
+TlsAcceptNonTrustedCertificates=false
 TlsSkipServerNameCheck=true
 ChargePointIdentifier=ChargePointTest
 ConnectionTimeout=2000

src/centralsystem/CentralSystem.cpp

@@ -167,8 +167,8 @@ bool CentralSystem::start()
         credentials.server_certificate_private_key            = m_stack_config.tlsServerCertificatePrivateKey();
         credentials.server_certificate_private_key_passphrase = m_stack_config.tlsServerCertificatePrivateKeyPassphrase();
         credentials.server_certificate_ca                     = m_stack_config.tlsServerCertificateCa();
-        credentials.client_certificate_ca                     = m_stack_config.tlsClientCertificateCa();
         credentials.client_certificate_authent                = m_stack_config.tlsClientCertificateAuthent();
+        credentials.encoded_pem_certificates                  = false;
 
         // Start listening
         ret = m_rpc_server->start(m_stack_config.listenUrl(), credentials, m_stack_config.webSocketPingInterval());

src/centralsystem/interface/ICentralSystemConfig.h

@@ -69,8 +69,6 @@ class ICentralSystemConfig
     virtual std::string tlsServerCertificatePrivateKeyPassphrase() const = 0;
     /** @brief Certification Authority signing chain for the server certificate */
     virtual std::string tlsServerCertificateCa() const = 0;
-    /** @brief Certification Authority signing chain for the clients certificates */
-    virtual std::string tlsClientCertificateCa() const = 0;
     /** @brief Enable client authentication using certificate */
     virtual bool tlsClientCertificateAuthent() const = 0;
 

src/chargepoint/ChargePoint.cpp

@@ -803,13 +803,18 @@ bool ChargePoint::doConnect()
         credentials.user     = m_stack_config.chargePointIdentifier();
         credentials.password = authorization_key;
     }
-    credentials.tls12_cipher_list             = m_stack_config.tlsv12CipherList();
-    credentials.tls13_cipher_list             = m_stack_config.tlsv13CipherList();
-    credentials.ecdh_curve                    = m_stack_config.tlsEcdhCurve();
-    credentials.allow_selfsigned_certificates = m_stack_config.tlsAllowSelfSignedCertificates();
-    credentials.allow_expired_certificates    = m_stack_config.tlsAllowExpiredCertificates();
-    credentials.accept_untrusted_certificates = m_stack_config.tlsAcceptNonTrustedCertificates();
-    credentials.skip_server_name_check        = m_stack_config.tlsSkipServerNameCheck();
+    credentials.tls12_cipher_list                         = m_stack_config.tlsv12CipherList();
+    credentials.tls13_cipher_list                         = m_stack_config.tlsv13CipherList();
+    credentials.ecdh_curve                                = m_stack_config.tlsEcdhCurve();
+    credentials.server_certificate_ca                     = m_stack_config.tlsServerCertificateCa();
+    credentials.client_certificate                        = m_stack_config.tlsClientCertificate();
+    credentials.client_certificate_private_key            = m_stack_config.tlsClientCertificatePrivateKey();
+    credentials.client_certificate_private_key_passphrase = m_stack_config.tlsClientCertificatePrivateKeyPassphrase();
+    credentials.allow_selfsigned_certificates             = m_stack_config.tlsAllowSelfSignedCertificates();
+    credentials.allow_expired_certificates                = m_stack_config.tlsAllowExpiredCertificates();
+    credentials.accept_untrusted_certificates             = m_stack_config.tlsAcceptNonTrustedCertificates();
+    credentials.skip_server_name_check                    = m_stack_config.tlsSkipServerNameCheck();
+    credentials.encoded_pem_certificates                  = false;
 
     // Start connection process
     return m_rpc_client->start(connection_url,

src/chargepoint/interface/IChargePointConfig.h

@@ -59,6 +59,14 @@ class IChargePointConfig
     virtual std::string tlsv13CipherList() const = 0;
     /** @brief ECDH curve to use for TLS connections */
     virtual std::string tlsEcdhCurve() const = 0;
+    /** @brief Certification Authority signing chain for the server certificate */
+    virtual std::string tlsServerCertificateCa() const = 0;
+    /** @brief Client certificate */
+    virtual std::string tlsClientCertificate() const = 0;
+    /** @brief Client certificate's private key */
+    virtual std::string tlsClientCertificatePrivateKey() const = 0;
+    /** @brief Client certificate's private key passphrase */
+    virtual std::string tlsClientCertificatePrivateKeyPassphrase() const = 0;
     /** @brief Allow TLS connections using self-signed certificates
      *         (Warning : enabling this feature is not recommended in production) */
     virtual bool tlsAllowSelfSignedCertificates() const = 0;

src/websockets/IWebsocketClient.h

@@ -129,6 +129,17 @@ class IWebsocketClient
         /** @brief ECDH curve, leave empty for default
          *         (OpenSSL format, default = system dependent) */
         std::string ecdh_curve;
+        /** @brief Indicate if the below certificates parameters are path to PEM encoded certificate files (false)
+         *         or if they contain directly PEM encoded certificates (true) */
+        bool encoded_pem_certificates;
+        /** @brief Certification Authority signing chain for the server certificate */
+        std::string server_certificate_ca;
+        /** @brief Client certificate */
+        std::string client_certificate;
+        /** @brief Client certificate's private key */
+        std::string client_certificate_private_key;
+        /** @brief Client certificate's private key passphrase */
+        std::string client_certificate_private_key_passphrase;
         /** @brief Allow TLS connections using self-signed certificates
          *         (Warning : enabling this feature is not recommended in production) */
         bool allow_selfsigned_certificates;