add more build switches for TLS (#292)

* add cmake switch MO_BUILD_UNIT_MBEDTLS

* fix memory leaks

* add MO_ENABLE_CERT_MGMT switch

* add .gitignore

* update changelog

* update changelog

* enable Cert Mgmt by default for v2.0.1

Author: matth-x

.github/workflows/tests.yml

@@ -15,6 +15,12 @@ jobs:
     steps:
     - name: Check out repository code
       uses: actions/checkout@v3
+    - name: Check out MbedTLS
+      uses: actions/checkout@v3
+      with:
+        repository: Mbed-TLS/mbedtls
+        ref: v2.28.1
+        path: lib/mbedtls
     - name: Get build tools
       run: |
         sudo apt update
@@ -25,23 +31,21 @@ jobs:
     - name: Get ArduinoJson
       run: wget -Uri https://github.com/bblanchon/ArduinoJson/releases/download/v6.21.3/ArduinoJson-v6.21.3.h -O ./src/ArduinoJson.h
     - name: Generate CMake build files
-      run: cmake -S . -B ./build
+      run: cmake -S . -B ./build -DMO_BUILD_UNIT_MBEDTLS=True
     - name: Compile
-      run: cmake --build ./build -j 16 --target mo_unit_tests
+      run: cmake --build ./build -j 32 --target mo_unit_tests
     - name: Configure FS
       run: mkdir mo_store
-    - name: Run tests
-      run: ./build/mo_unit_tests
     - name: Run tests (valgrind)
-      run: valgrind --error-exitcode=1 --leak-check=full ./build/mo_unit_tests
+      run: valgrind --error-exitcode=1 --leak-check=full ./build/mo_unit_tests --abort
     - name: Generate CMake build files (AddressSanitizer, UndefinedBehaviorSanitizer)
       run: |
         rm -r ./build
-        cmake -S . -B ./build -DCMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=undefined" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address -fsanitize=undefined"
+        cmake -S . -B ./build -DCMAKE_CXX_FLAGS="-fsanitize=address -fsanitize=undefined" -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address -fsanitize=undefined" -DMO_BUILD_UNIT_MBEDTLS=True
     - name: Compile (ASan, UBSan)
-      run: cmake --build ./build -j 16 --target mo_unit_tests
+      run: cmake --build ./build -j 32 --target mo_unit_tests
     - name: Run tests (ASan, UBSan)
-      run: ./build/mo_unit_tests
+      run: ./build/mo_unit_tests --abort
     - name: Create coverage report
       run: |
         lcov --directory . --capture --output-file coverage.info

.gitignore

@@ -0,0 +1,7 @@
+.pio
+build
+lib
+mo_store
+src/ArduinoJson*
+src/main.cpp
+coverage.info

CHANGELOG.md

@@ -4,22 +4,22 @@
 
 ### Changed
 
-- Replace `PollResult<bool>` with enum `UnlockConnectorResult`
+- Replace `PollResult<bool>` with enum `UnlockConnectorResult` ([#271](https://github.com/matth-x/MicroOcpp/pull/271))
 - Rename master branch into main
 - Tx logic directly checks if WebSocket is offline ([#282](https://github.com/matth-x/MicroOcpp/pull/282))
+- `ocppPermitsCharge` ignores Faulted state ([#279](https://github.com/matth-x/MicroOcpp/pull/279))
 
 ### Added
 
 - File index ([#270](https://github.com/matth-x/MicroOcpp/pull/270))
-- Config `Cst_TxStartOnPowerPathClosed` to put back TxStartPoint
+- Config `Cst_TxStartOnPowerPathClosed` to put back TxStartPoint ([#271](https://github.com/matth-x/MicroOcpp/pull/271))
 - Function `bool isConnected()` in `Connection` interface ([#282](https://github.com/matth-x/MicroOcpp/pull/282))
-- Build flags for customizing memory limits of SmartCharging
+- Build flags for customizing memory limits of SmartCharging ([#260](https://github.com/matth-x/MicroOcpp/pull/260))
 - SConscript ([#287](https://github.com/matth-x/MicroOcpp/pull/287))
-- Operation GetInstalledCertificateIds, UC M03 ([#262](https://github.com/matth-x/MicroOcpp/pull/262))
-- Operation DeleteCertificate, UC M04 ([#262](https://github.com/matth-x/MicroOcpp/pull/262))
-- Operation InstallCertificate, UC M05 ([#262](https://github.com/matth-x/MicroOcpp/pull/262))
+- Certificate Management, UCs M03 - M05 ([#262](https://github.com/matth-x/MicroOcpp/pull/262), [#274](https://github.com/matth-x/MicroOcpp/pull/274), [#292](https://github.com/matth-x/MicroOcpp/pull/292))
+- FTP Client ([#291](https://github.com/matth-x/MicroOcpp/pull/291))
 - `ProtocolVersion` selects v1.6 or v2.0.1 ([#247](https://github.com/matth-x/MicroOcpp/pull/247))
-- Build flag `MO_ENABLE_V201` set to 1 enables OCPP 2.0.1 features ([#247](https://github.com/matth-x/MicroOcpp/pull/247))
+- Build flag `MO_ENABLE_V201=1` enables OCPP 2.0.1 features ([#247](https://github.com/matth-x/MicroOcpp/pull/247))
     - Variables (non-persistent), UCs B05 - B07 ([#247](https://github.com/matth-x/MicroOcpp/pull/247), [#284](https://github.com/matth-x/MicroOcpp/pull/284))
     - Transactions (preview only), UCs E01 - E12 ([#247](https://github.com/matth-x/MicroOcpp/pull/247))
     - StatusNotification compatibility ([#247](https://github.com/matth-x/MicroOcpp/pull/247))
@@ -29,15 +29,15 @@
 
 ### Fixed
 
-- Fix defect idTag check in `endTransaction`
+- Fix defect idTag check in `endTransaction` ([#275](https://github.com/matth-x/MicroOcpp/pull/275))
 - Make field localAuthorizationList in SendLocalList optional
 - Update charging profiles when flash disabled (relates to [#260](https://github.com/matth-x/MicroOcpp/pull/260))
-- Ignore UnlockConnector when handler not set
-- Reject ChargingProfile if unit not supported
+- Ignore UnlockConnector when handler not set ([#271](https://github.com/matth-x/MicroOcpp/pull/271))
+- Reject ChargingProfile if unit not supported ([#271](https://github.com/matth-x/MicroOcpp/pull/271))
 - Fix building with debug level warn and error
 - Fix transaction freeze in offline mode ([#279](https://github.com/matth-x/MicroOcpp/pull/279), [#287](https://github.com/matth-x/MicroOcpp/pull/287))
 - Fix compilation error caused by `PRId32` ([#279](https://github.com/matth-x/MicroOcpp/pull/279))
-- Don't load FW-mngt. module when no handlers set
+- Don't load FW-mngt. module when no handlers set ([#271](https://github.com/matth-x/MicroOcpp/pull/271))
 - Avoid creating conf when operation fails ([#290](https://github.com/matth-x/MicroOcpp/pull/290))
 
 ## [1.0.3] - 2024-04-06

CMakeLists.txt

@@ -147,7 +147,7 @@ set(MO_SRC_UNIT
     tests/LocalAuthList.cpp
     tests/Variables.cpp
     tests/Transactions.cpp
-    #tests/Certificates.cpp # add if MbedTLS is available
+    tests/Certificates.cpp
 )
 
 add_executable(mo_unit_tests
@@ -156,13 +156,18 @@ add_executable(mo_unit_tests
     ./tests/catch2/catchMain.cpp
 )
 
-# add MbedTLS for testing (TODO integrate properly into build system)
-#add_subdirectory(lib/mbedtls)
-#target_link_libraries(mo_unit_tests PUBLIC 
-#    mbedtls
-#    mbedcrypto
-#    mbedx509
-#)
+if (MO_BUILD_UNIT_MBEDTLS)
+    add_subdirectory(lib/mbedtls)
+    target_link_libraries(mo_unit_tests PUBLIC 
+        mbedtls
+        mbedcrypto
+        mbedx509
+    )
+
+    target_compile_definitions(mo_unit_tests PUBLIC
+        MO_ENABLE_MBEDTLS=1
+    )
+endif()
 
 target_include_directories(mo_unit_tests PUBLIC
     "./tests/catch2"
@@ -181,10 +186,10 @@ target_compile_definitions(mo_unit_tests PUBLIC
     MO_LocalAuthListMaxLength=8
     MO_SendLocalListMaxLength=4
     MO_ENABLE_FILE_INDEX=1
-    #MO_ENABLE_MBEDTLS=1
     MO_ChargeProfileMaxStackLevel=2
     MO_ChargingScheduleMaxPeriods=4
     MO_MaxChargingProfilesInstalled=3
+    MO_ENABLE_CERT_MGMT=1
 )
 
 target_compile_options(mo_unit_tests PUBLIC

src/MicroOcpp.cpp

@@ -20,7 +20,7 @@
 #include <MicroOcpp/Model/Variables/VariableService.h>
 #include <MicroOcpp/Model/Transactions/TransactionService.h>
 #include <MicroOcpp/Model/Certificates/CertificateService.h>
-#include <MicroOcpp/Model/Certificates/CertificateMbedTLS.h> //default CertStore implementation depends on MbedTLS
+#include <MicroOcpp/Model/Certificates/CertificateMbedTLS.h>
 #include <MicroOcpp/Core/SimpleRequestFactory.h>
 #include <MicroOcpp/Core/OperationRegistry.h>
 #include <MicroOcpp/Core/FilesystemAdapter.h>
@@ -234,7 +234,7 @@ ChargerCredentials ChargerCredentials::v201(const char *cpModel, const char *cpV
     return res;
 }
 
-void mocpp_initialize(Connection& connection, const char *bootNotificationCredentials, std::shared_ptr<FilesystemAdapter> fs, bool autoRecover, MicroOcpp::ProtocolVersion version, std::unique_ptr<CertificateStore> certStore) {
+void mocpp_initialize(Connection& connection, const char *bootNotificationCredentials, std::shared_ptr<FilesystemAdapter> fs, bool autoRecover, MicroOcpp::ProtocolVersion version) {
     if (context) {
         MO_DBG_WARN("already initialized. To reinit, call mocpp_deinitialize() before");
         return;
@@ -297,6 +297,17 @@ void mocpp_initialize(Connection& connection, const char *bootNotificationCreden
         new TransactionService(*context)));
 #endif
 
+#if MO_ENABLE_CERT_MGMT && MO_ENABLE_CERT_STORE_MBEDTLS
+    std::unique_ptr<CertificateStore> certStore = makeCertificateStoreMbedTLS(filesystem);
+    if (certStore) {
+        model.setCertificateService(std::unique_ptr<CertificateService>(
+            new CertificateService(*context)));
+    }
+    if (certStore && model.getCertificateService()) {
+        model.getCertificateService()->setCertificateStore(std::move(certStore));
+    }
+#endif
+
 #if MO_ENABLE_V201
     if (version.major == 2) {
         //depends on VariableService
@@ -309,21 +320,6 @@ void mocpp_initialize(Connection& connection, const char *bootNotificationCreden
             new ResetService(*context)));
     }
 
-    std::unique_ptr<CertificateStore> certStoreUse;
-    if (certStore) {
-        certStoreUse = std::move(certStore);
-    }
-#if MO_ENABLE_MBEDTLS && MO_ENABLE_CERT_STORE_MBEDTLS
-    else {
-        certStoreUse = makeCertificateStoreMbedTLS(filesystem);
-    }
-#endif
-
-    if (certStoreUse) {
-        model.setCertificateService(std::unique_ptr<CertificateService>(
-            new CertificateService(*context, std::move(certStoreUse))));
-    }
-
 #if MO_PLATFORM == MO_PLATFORM_ARDUINO && !defined(MO_CUSTOM_UPDATER)
 #if defined(ESP32) || defined(ESP8266)
     model.setFirmwareService(std::unique_ptr<FirmwareService>(
@@ -956,6 +952,28 @@ DiagnosticsService *getDiagnosticsService() {
     return model.getDiagnosticsService();
 }
 
+#if MO_ENABLE_CERT_MGMT
+
+void setCertificateStore(std::unique_ptr<MicroOcpp::CertificateStore> certStore) {
+    if (!context) {
+        MO_DBG_ERR("OCPP uninitialized"); //need to call mocpp_initialize before
+        return;
+    }
+
+    auto& model = context->getModel();
+    if (!model.getCertificateService()) {
+        model.setCertificateService(std::unique_ptr<CertificateService>(
+            new CertificateService(*context)));
+    }
+    if (auto certService = model.getCertificateService()) {
+        certService->setCertificateStore(std::move(certStore));
+    } else {
+        MO_DBG_ERR("OOM");
+        (void)0;
+    }
+}
+#endif //MO_ENABLE_CERT_MGMT
+
 Context *getOcppContext() {
     return context;
 }

src/MicroOcpp.h

@@ -110,8 +110,7 @@ void mocpp_initialize(
             std::shared_ptr<MicroOcpp::FilesystemAdapter> filesystem =
                 MicroOcpp::makeDefaultFilesystemAdapter(MicroOcpp::FilesystemOpt::Use_Mount_FormatOnFail), //If this library should format the flash if necessary. Find further options in ConfigurationOptions.h
             bool autoRecover = false, //automatically sanitize the local data store when the lib detects recurring crashes. Not recommended during development
-            MicroOcpp::ProtocolVersion version = MicroOcpp::ProtocolVersion(1,6),
-            std::unique_ptr<MicroOcpp::CertificateStore> certStore = nullptr); //optionally use custom Cert Store (default depends on MbedTLS)
+            MicroOcpp::ProtocolVersion version = MicroOcpp::ProtocolVersion(1,6));
 
 /*
  * Stop the OCPP library and release allocated resources.
@@ -356,6 +355,22 @@ MicroOcpp::FirmwareService *getFirmwareService();
  */
 MicroOcpp::DiagnosticsService *getDiagnosticsService();
 
+#if MO_ENABLE_CERT_MGMT
+/*
+ * Set a custom Certificate Store which implements certificate updates on the host system. 
+ * MicroOcpp will forward OCPP-side update requests to the certificate store, as well as
+ * query the certificate store upon server request.
+ *
+ * To enable OCPP-side certificate updates (UCs M03 - M05), set the build flag
+ * MO_ENABLE_CERT_MGMT=1 so that this function becomes accessible.
+ * 
+ * To use the built-in certificate store (depends on MbedTLS), set the build flag
+ * MO_ENABLE_MBEDTLS=1. To not use the built-in implementation, but still enable MbedTLS,
+ * additionally set MO_ENABLE_CERT_STORE_MBEDTLS=0.
+ */
+void setCertificateStore(std::unique_ptr<MicroOcpp::CertificateStore> certStore);
+#endif //MO_ENABLE_CERT_MGMT
+
 /*
  * Add features and customize the behavior of the OCPP client
  */

src/MicroOcpp/Core/FtpMbedTLS.cpp

@@ -7,6 +7,7 @@
 #if MO_ENABLE_MBEDTLS
 
 #include <string>
+#include <string.h>
 #include <functional>
 
 #include "mbedtls/net_sockets.h"

src/MicroOcpp/Model/Certificates/Certificate.cpp

@@ -4,6 +4,8 @@
 
 #include <MicroOcpp/Model/Certificates/Certificate.h>
 
+#if MO_ENABLE_CERT_MGMT
+
 #include <string.h>
 #include <stdio.h>
 
@@ -161,3 +163,5 @@ int ocpp_cert_set_serialNumber(ocpp_cert_hash *dst, const char *hex_src) {
 
     return ret;
 }
+
+#endif //MO_ENABLE_CERT_MGMT

src/MicroOcpp/Model/Certificates/Certificate.h

@@ -5,6 +5,10 @@
 #ifndef MO_CERTIFICATE_H
 #define MO_CERTIFICATE_H
 
+#include <MicroOcpp/Version.h>
+
+#if MO_ENABLE_CERT_MGMT
+
 #include <stddef.h>
 
 #ifdef __cplusplus
@@ -144,6 +148,8 @@ struct CertificateChainHash {
  */
 class CertificateStore {
 public:
+    virtual ~CertificateStore() = default;
+
     virtual GetInstalledCertificateStatus getCertificateIds(const std::vector<GetCertificateIdType>& certificateType, std::vector<CertificateChainHash>& out) = 0;
     virtual DeleteCertificateStatus deleteCertificate(const CertificateHash& hash) = 0;
     virtual InstallCertificateStatus installCertificate(InstallCertificateType certificateType, const char *certificate) = 0;
@@ -152,5 +158,5 @@ class CertificateStore {
 } //namespace MicroOcpp
 
 #endif //__cplusplus
-
+#endif //MO_ENABLE_CERT_MGMT
 #endif

src/MicroOcpp/Model/Certificates/CertificateMbedTLS.cpp

@@ -4,7 +4,7 @@
 
 #include <MicroOcpp/Model/Certificates/CertificateMbedTLS.h>
 
-#if MO_ENABLE_MBEDTLS && MO_ENABLE_CERT_STORE_MBEDTLS
+#if MO_ENABLE_CERT_MGMT && MO_ENABLE_CERT_STORE_MBEDTLS
 
 #include <string.h>
 
@@ -15,19 +15,7 @@
 
 #include <MicroOcpp/Debug.h>
 
-bool ocpp_get_cert_hash(const unsigned char *buf, size_t len, HashAlgorithmType hashAlg, ocpp_cert_hash *out) {
-
-    mbedtls_x509_crt cacert;
-    mbedtls_x509_crt_init(&cacert);
-
-    int ret;
-
-    if((ret = mbedtls_x509_crt_parse(&cacert, buf, len + 1)) < 0) {
-        char err [100];
-        mbedtls_strerror(ret, err, 100);
-        MO_DBG_ERR("mbedtls_x509_crt_parse: %i -- %s", ret, err);
-        return false;
-    }
+bool ocpp_get_cert_hash(mbedtls_x509_crt& cacert, HashAlgorithmType hashAlg, ocpp_cert_hash *out) {
 
     if (cacert.next) {
         MO_DBG_ERR("only sole root certs supported");
@@ -72,6 +60,8 @@ bool ocpp_get_cert_hash(const unsigned char *buf, size_t len, HashAlgorithmType
         return false;
     }
 
+    int ret;
+
     if ((ret = mbedtls_md(md_info, cacert.issuer_raw.p, cacert.issuer_raw.len, out->issuerNameHash))) {
         MO_DBG_ERR("mbedtls_md: %i", ret);
         return false;
@@ -122,6 +112,26 @@ bool ocpp_get_cert_hash(const unsigned char *buf, size_t len, HashAlgorithmType
     return true;
 }
 
+bool ocpp_get_cert_hash(const unsigned char *buf, size_t len, HashAlgorithmType hashAlg, ocpp_cert_hash *out) {
+
+    mbedtls_x509_crt cacert;
+    mbedtls_x509_crt_init(&cacert);
+
+    bool success = false;
+    int ret;
+
+    if((ret = mbedtls_x509_crt_parse(&cacert, buf, len + 1)) >= 0) {
+        success = ocpp_get_cert_hash(cacert, hashAlg, out);
+    } else {
+        char err [100];
+        mbedtls_strerror(ret, err, 100);
+        MO_DBG_ERR("mbedtls_x509_crt_parse: %i -- %s", ret, err);
+    }
+
+    mbedtls_x509_crt_free(&cacert);
+    return success;
+}
+
 namespace MicroOcpp {
 
 class CertificateStoreMbedTLS : public CertificateStore {
@@ -402,4 +412,4 @@ bool printCertFn(const char *certType, size_t index, char *buf, size_t bufsize)
 
 } //namespace MicroOcpp
 
-#endif //MO_ENABLE_MBEDTLS && MO_ENABLE_CERT_STORE_MBEDTLS
+#endif //MO_ENABLE_CERT_MGMT && MO_ENABLE_CERT_STORE_MBEDTLS