avoid copying TLS cert to heap (#10)

matth-x · web-flow · commit e336c4b1c095 · 2024-05-17T17:20:59.000+02:00
* change cert to zero-copy attribute

* update changelog
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 ### Changed
 
 - Adopt `bool isConnected()` from `Connection` interface ([#7](https://github.com/matth-x/MicroOcppMongoose/pull/7))
+- Do not copy cert into heap memory ([#10](https://github.com/matth-x/MicroOcppMongoose/pull/10))
 
 ### Added
 
@@ -15,6 +16,7 @@
 ### Removed
 
 - FTP moved into a new project [MicroFtp](https://github.com/matth-x/MicroFtp) ([#5](https://github.com/matth-x/MicroOcppMongoose/pull/5))
+- Custom config `Cst_CaCert` ([#10](https://github.com/matth-x/MicroOcppMongoose/pull/10))
 
 ## [1.0.0] - 2023-10-20
 
diff --git a/src/MicroOcppMongooseClient.cpp b/src/MicroOcppMongooseClient.cpp
@@ -22,7 +22,7 @@ MOcppMongooseClient::MOcppMongooseClient(struct mg_mgr *mgr,
             const char *backend_url_factory, 
             const char *charge_box_id_factory,
             const char *auth_key_factory,
-            const char *CA_cert_factory,
+            const char *ca_certificate,
             std::shared_ptr<FilesystemAdapter> filesystem,
             ProtocolVersion protocolVersion) : mgr(mgr), protocolVersion(protocolVersion) {
     
@@ -45,13 +45,6 @@ MOcppMongooseClient::MOcppMongooseClient(struct mg_mgr *mgr,
         MO_CONFIG_EXT_PREFIX "ChargeBoxId", charge_box_id_factory, MO_WSCONN_FN, readonly, true);
     setting_auth_key_str = declareConfiguration<const char*>(
         "AuthorizationKey", auth_key_factory, MO_WSCONN_FN, readonly, true);
-#if !MO_CA_CERT_LOCAL
-    setting_ca_cert_str = declareConfiguration<const char*>(
-        MO_CONFIG_EXT_PREFIX "CaCert", CA_cert_factory, MO_WSCONN_FN, readonly, true);
-#else
-    ca_cert = CA_cert_factory ? CA_cert_factory : "";
-#endif
-
     ws_ping_interval_int = declareConfiguration<int>(
         "WebSocketPingInterval", 5, MO_WSCONN_FN);
     reconnect_interval_int = declareConfiguration<int>(
@@ -61,6 +54,8 @@ MOcppMongooseClient::MOcppMongooseClient(struct mg_mgr *mgr,
 
     configuration_load(MO_WSCONN_FN); //load configs with values stored on flash
 
+    ca_cert = ca_certificate;
+
     reloadConfigs(); //load WS creds with configs values
 
 #if defined(MO_MG_VERSION_614)
@@ -166,7 +161,7 @@ void MOcppMongooseClient::maintainWsConn() {
     struct mg_connect_opts opts;
     memset(&opts, 0, sizeof(opts));
 
-    const char *ca_string = ca_cert.empty() ? "*" : ca_cert.c_str();
+    const char *ca_string = ca_cert ? ca_cert : "*"; //"*" enables TLS but disables CA verification
 
     //Check if SSL is disabled, i.e. if URL starts with "ws:"
     if (url.length() >= strlen("ws:") &&
@@ -270,19 +265,7 @@ void MOcppMongooseClient::setAuthKey(const char *auth_key_cstr) {
 }
 
 void MOcppMongooseClient::setCaCert(const char *ca_cert_cstr) {
-    if (!ca_cert_cstr) {
-        MO_DBG_ERR("invalid argument");
-        return;
-    }
-
-#if !MO_CA_CERT_LOCAL
-    if (setting_ca_cert_str) {
-        setting_ca_cert_str->setString(ca_cert_cstr);
-        configuration_save();
-    }
-#else
     ca_cert = ca_cert_cstr; //updated ca_cert takes immediate effect
-#endif
 }
 
 void MOcppMongooseClient::reloadConfigs() {
@@ -304,12 +287,6 @@ void MOcppMongooseClient::reloadConfigs() {
         auth_key = setting_auth_key_str->getString();
     }
 
-#if !MO_CA_CERT_LOCAL
-    if (setting_ca_cert_str) {
-        ca_cert = setting_ca_cert_str->getString();
-    }
-#endif
-
     /*
      * determine new URL and auth token with updated WS credentials
      */
@@ -464,7 +441,7 @@ void ws_cb(struct mg_connection *c, int ev, void *ev_data, void *fn_data) {
         // If target URL is SSL/TLS, command client connection to use TLS
         if (mg_url_is_ssl(osock->getUrl())) {
             const char *ca_string = osock->getCaCert();
-            if (ca_string && *ca_string == '\0') { //check if certificate validation is disabled by passing an empty string
+            if (ca_string && *ca_string == '\0') { //check if certificate verification is disabled (cert string is empty)
                 //yes, disabled
                 ca_string = nullptr;
             }
diff --git a/src/MicroOcppMongooseClient.h b/src/MicroOcppMongooseClient.h
@@ -5,7 +5,7 @@
 #ifndef MO_MONGOOSECLIENT_H
 #define MO_MONGOOSECLIENT_H
 
-#if defined(ARDUINO) //fix for conflicting defitions of IPAddress on Arduino
+#if defined(ARDUINO) //fix for conflicting definitions of IPAddress on Arduino
 #include <Arduino.h>
 #include <IPAddress.h>
 #endif
@@ -21,15 +21,6 @@
 #define MO_WSCONN_FN (MO_FILENAME_PREFIX "ws-conn.jsn")
 #endif
 
-/*
- * If you prefer not to have the TLS-certificate managed by OCPP, store it into
- * a file on the flash filesystem, define the following build flag as 1 and
- * pass the filename to the constructor instead of a default plain-text certificate.
-*/
-#ifndef MO_CA_CERT_LOCAL
-#define MO_CA_CERT_LOCAL 0
-#endif
-
 namespace MicroOcpp {
 
 class FilesystemAdapter;
@@ -44,13 +35,10 @@ class MOcppMongooseClient : public MicroOcpp::Connection {
     std::string url; //url = backend_url + '/' + cb_id
     std::string auth_key;
     std::string basic_auth64;
-    std::string ca_cert;
+    const char *ca_cert; //zero-copy. The host system must ensure that this pointer remains valid during the lifetime of this class
     std::shared_ptr<Configuration> setting_backend_url_str;
     std::shared_ptr<Configuration> setting_cb_id_str;
     std::shared_ptr<Configuration> setting_auth_key_str;
-#if !MO_CA_CERT_LOCAL
-    std::shared_ptr<Configuration> setting_ca_cert_str;
-#endif
     unsigned long last_status_dbg_msg {0}, last_recv {0};
     std::shared_ptr<Configuration> reconnect_interval_int; //minimum time between two connect trials in s
     unsigned long last_reconnection_attempt {-1UL / 2UL};
@@ -73,7 +61,7 @@ class MOcppMongooseClient : public MicroOcpp::Connection {
             const char *backend_url_factory = nullptr, 
             const char *charge_box_id_factory = nullptr,
             const char *auth_key_factory = nullptr,
-            const char *CA_cert_factory = nullptr, //forwards this string to Mongoose as ssl_ca_cert (see https://github.com/cesanta/mongoose/blob/ab650ec5c99ceb52bb9dc59e8e8ec92a2724932b/mongoose.h#L4192)
+            const char *ca_cert = nullptr, //zero-copy, the string must outlive this class and mg_mgr. Forwards this string to Mongoose as ssl_ca_cert (see https://github.com/cesanta/mongoose/blob/ab650ec5c99ceb52bb9dc59e8e8ec92a2724932b/mongoose.h#L4192)
             std::shared_ptr<MicroOcpp::FilesystemAdapter> filesystem = nullptr,
             ProtocolVersion protocolVersion = ProtocolVersion(1,6));
 
@@ -102,7 +90,7 @@ class MOcppMongooseClient : public MicroOcpp::Connection {
     const char *getBackendUrl() {return backend_url.c_str();}
     const char *getChargeBoxId() {return cb_id.c_str();}
     const char *getAuthKey() {return auth_key.c_str();}
-    const char *getCaCert() {return ca_cert.c_str();}
+    const char *getCaCert() {return ca_cert ? ca_cert : "";}
 
     const char *getUrl() {return url.c_str();}
 
