Bugfix/get all installed leafs (#104)

* Added return of multiple leaf chains in get_installed_certificates
* Fixed test cases and removed duplicates from install
* Added test-case for multi-leaf certificate retrieval in V2GCertificateChain
---------

Signed-off-by: AssemblyJohn <ioan.bogdann@gmail.com>

Author: AssemblyJohn

CMakeLists.txt

@@ -1,6 +1,6 @@
 cmake_minimum_required(VERSION 3.14)
 
-project(everest-evse_security VERSION 0.9.3
+project(everest-evse_security VERSION 0.9.4
         DESCRIPTION "Implementation of EVSE related security operations"
 		LANGUAGES CXX C
 )

include/evse_security/evse_security.hpp

@@ -40,6 +40,22 @@ struct FilePaths {
     LinkPaths links;
 };
 
+struct CertificateQueryParams {
+    LeafCertificateType certificate_type;
+    EncodingFormat encoding{EncodingFormat::PEM};
+    /// if OCSP information should be included
+    bool include_ocsp{false};
+    /// if the root certificate of the leaf should be included in the returned list
+    bool include_root{false};
+    /// if true, all valid leafs will be included, sorted in order, with the newest being
+    /// first. If false, only the newest one will be returned
+    bool include_all_valid{false};
+    /// if true, will remove all duplicates found, since we can find a leaf for example
+    /// in 2 files, one in 'leaf_single' and one in 'leaf_chain'. For delete routines
+    /// we need both files returned, while for queries (v2g_chain) we don't need duplicates
+    bool remove_duplicates{false};
+};
+
 // Unchangeable security limit for certificate deletion, a min entry count will be always kept (newest)
 static constexpr std::size_t DEFAULT_MINIMUM_CERTIFICATE_ENTRIES = 10;
 // 50 MB default limit for filesystem usage
@@ -115,6 +131,8 @@ class EvseSecurity {
                                                      LeafCertificateType certificate_type);
 
     /// @brief Retrieves all certificates installed on the filesystem applying the \p certificate_type filter.
+    /// In the case of the 'V2GCertificateChain', it will return all valid leafs chains, with the newest being
+    /// the first in the list
     /// @param certificate_types
     /// @return contains the certificate hash data chains of the requested \p certificate_type
     GetInstalledCertificatesResult get_installed_certificate(CertificateType certificate_type);
@@ -285,15 +303,7 @@ class EvseSecurity {
                                                                 EncodingFormat encoding, bool include_ocsp = false);
 
     /// @brief Retrieves information related to leaf certificates
-    /// @param include_ocsp if OCSP information should be included
-    /// @param include_root if the root certificate of the leaf should be included in the returned list
-    /// @param include_all_valid if true, all valid leafs will be included, sorted in order, with the newest being
-    /// first. If false, only the newest one will be returned
-    GetCertificateFullInfoResult get_full_leaf_certificate_info_internal(LeafCertificateType certificate_type,
-                                                                         EncodingFormat encoding,
-                                                                         bool include_ocsp = false,
-                                                                         bool include_root = false,
-                                                                         bool include_all_valid = false);
+    GetCertificateFullInfoResult get_full_leaf_certificate_info_internal(const CertificateQueryParams& params);
 
     GetCertificateInfoResult get_ca_certificate_info_internal(CaCertificateType certificate_type);
     std::optional<fs::path> retrieve_ocsp_cache_internal(const CertificateHashData& certificate_hash_data);

lib/evse_security/evse_security.cpp

@@ -597,75 +597,85 @@ EvseSecurity::get_installed_certificates(const std::vector<CertificateType>& cer
     // retrieve v2g certificate chain
     if (std::find(certificate_types.begin(), certificate_types.end(), CertificateType::V2GCertificateChain) !=
         certificate_types.end()) {
-
-        // Internal since we already acquired the lock
-        const auto secc_key_pair =
-            this->get_leaf_certificate_info_internal(LeafCertificateType::V2G, EncodingFormat::PEM);
-        if (secc_key_pair.status == GetCertificateInfoStatus::Accepted) {
-            fs::path certificate_path;
-
-            if (secc_key_pair.info.value().certificate.has_value())
-                certificate_path = secc_key_pair.info.value().certificate.value();
-            else
-                certificate_path = secc_key_pair.info.value().certificate_single.value();
-
-            try {
-                // Leaf V2G chain, containing (SECCLeaf->SubCA2->SubCA1) or (SECCLeaf)
-                X509CertificateBundle leaf_bundle(certificate_path, EncodingFormat::PEM);
-
-                // V2G chain, containing the certs from the V2G bundle/folder,
-                // containing (SubCA2->SubCA1->V2GRoot) or (V2GRoot)
-                const auto ca_bundle_path = this->ca_bundle_path_map.at(CaCertificateType::V2G);
-                X509CertificateBundle ca_bundle(ca_bundle_path, EncodingFormat::PEM);
-
-                // Merge the bundles, adding only uniques for full chain
-                // (SubCA2->SubCA1->V2GRoot->SECCLeaf) in any order
-                for (auto& certif : leaf_bundle.split()) {
-                    ca_bundle.add_certificate_unique(std::move(certif));
+        // Retrieve all valid leaf certificates, we will return
+        // multiple chains for each valid leaf that we find
+        CertificateQueryParams params;
+        params.certificate_type = LeafCertificateType::V2G;
+        params.include_all_valid = true;
+        params.remove_duplicates = true;
+
+        GetCertificateFullInfoResult secc_key_pairs = get_full_leaf_certificate_info_internal(params);
+
+        if (secc_key_pairs.status == GetCertificateInfoStatus::Accepted) {
+            for (const auto& secc_key_pair : secc_key_pairs.info) {
+                fs::path certificate_path;
+
+                if (secc_key_pair.certificate.has_value()) {
+                    certificate_path = secc_key_pair.certificate.value();
+                } else if (secc_key_pair.certificate_single.has_value()) {
+                    certificate_path = secc_key_pair.certificate_single.value();
+                } else {
+                    throw std::runtime_error("Leaf certificate single/bundle not present, should never happen!");
                 }
 
-                // Create the proper certificate hierarchy since the bundle is not ordered
-                X509CertificateHierarchy& hierarchy = ca_bundle.get_certificate_hierarchy();
-                EVLOG_debug << "Hierarchy:(V2GCertificateChain)\n" << hierarchy.to_debug_string();
-
-                for (auto& root : hierarchy.get_hierarchy()) {
-                    CertificateHashDataChain certificate_hash_data_chain;
-                    certificate_hash_data_chain.certificate_type = CertificateType::V2GCertificateChain;
-
-                    // Since the hierarchy starts with V2G (Root) -> SubCa1->SubCa2 we have to reorder:
-                    // them with the leaf first when returning to:
-                    // * Leaf           [index 0]
-                    // --- SubCa2       [index 1]
-                    // --- SubCa1       [index 2]
-                    // --- --- V2GRoot  [index 3]
-                    std::vector<CertificateHashData> hierarchy_hash_data;
-
-                    // For each root's descendant, excluding the root
-                    X509CertificateHierarchy::for_each_descendant(
-                        [&](const X509Node& child, int depth) { hierarchy_hash_data.push_back(child.hash); }, root);
-
-                    // Now the hierarchy_hash_data contains SubCA1->SubCA2->SECCLeaf,
-                    // reverse order iteration to conform to the required leaf-first order
-                    if (hierarchy_hash_data.size()) {
-                        bool first_leaf = true;
-
-                        // Reverse iteration
-                        for (auto it = hierarchy_hash_data.rbegin(); it != hierarchy_hash_data.rend(); ++it) {
-                            if (first_leaf) {
-                                // Leaf is the last
-                                certificate_hash_data_chain.certificate_hash_data = *it;
-                                first_leaf = false;
-                            } else {
-                                certificate_hash_data_chain.child_certificate_hash_data.push_back(*it);
+                try {
+                    // Leaf V2G chain, containing (SECCLeaf->SubCA2->SubCA1) or (SECCLeaf)
+                    X509CertificateBundle leaf_bundle(certificate_path, EncodingFormat::PEM);
+
+                    // V2G chain, containing the certs from the V2G bundle/folder,
+                    // containing (SubCA2->SubCA1->V2GRoot) or (V2GRoot)
+                    const auto ca_bundle_path = this->ca_bundle_path_map.at(CaCertificateType::V2G);
+                    X509CertificateBundle ca_bundle(ca_bundle_path, EncodingFormat::PEM);
+
+                    // Merge the bundles, adding only uniques for full chain
+                    // (SubCA2->SubCA1->V2GRoot->SECCLeaf) in any order
+                    for (auto& certif : leaf_bundle.split()) {
+                        ca_bundle.add_certificate_unique(std::move(certif));
+                    }
+
+                    // Create the proper certificate hierarchy since the bundle is not ordered
+                    X509CertificateHierarchy& hierarchy = ca_bundle.get_certificate_hierarchy();
+                    EVLOG_debug << "Hierarchy:(V2GCertificateChain)\n" << hierarchy.to_debug_string();
+
+                    for (auto& root : hierarchy.get_hierarchy()) {
+                        CertificateHashDataChain certificate_hash_data_chain;
+                        certificate_hash_data_chain.certificate_type = CertificateType::V2GCertificateChain;
+
+                        // Since the hierarchy starts with V2G (Root) -> SubCa1->SubCa2 we have to reorder:
+                        // them with the leaf first when returning to:
+                        // * Leaf           [index 0]
+                        // --- SubCa2       [index 1]
+                        // --- SubCa1       [index 2]
+                        // --- --- V2GRoot  [index 3]
+                        std::vector<CertificateHashData> hierarchy_hash_data;
+
+                        // For each root's descendant, excluding the root
+                        X509CertificateHierarchy::for_each_descendant(
+                            [&](const X509Node& child, int depth) { hierarchy_hash_data.push_back(child.hash); }, root);
+
+                        // Now the hierarchy_hash_data contains SubCA1->SubCA2->SECCLeaf,
+                        // reverse order iteration to conform to the required leaf-first order
+                        if (hierarchy_hash_data.size()) {
+                            bool first_leaf = true;
+
+                            // Reverse iteration
+                            for (auto it = hierarchy_hash_data.rbegin(); it != hierarchy_hash_data.rend(); ++it) {
+                                if (first_leaf) {
+                                    // Leaf is the last
+                                    certificate_hash_data_chain.certificate_hash_data = *it;
+                                    first_leaf = false;
+                                } else {
+                                    certificate_hash_data_chain.child_certificate_hash_data.push_back(*it);
+                                }
                             }
-                        }
 
-                        // Add to our chains
-                        certificate_chains.push_back(certificate_hash_data_chain);
+                            // Add to our chains
+                            certificate_chains.push_back(certificate_hash_data_chain);
+                        }
                     }
+                } catch (const CertificateLoadException& e) {
+                    EVLOG_error << "Could not load installed leaf certificates: " << e.what();
                 }
-            } catch (const CertificateLoadException& e) {
-                EVLOG_error << "Could not load installed leaf certificates: " << e.what();
             }
         }
     }
@@ -1103,7 +1113,7 @@ GetCertificateFullInfoResult EvseSecurity::get_all_valid_certificates_info(LeafC
     std::lock_guard<std::mutex> guard(EvseSecurity::security_mutex);
 
     GetCertificateFullInfoResult result =
-        get_full_leaf_certificate_info_internal(certificate_type, encoding, include_ocsp, true, true);
+        get_full_leaf_certificate_info_internal({certificate_type, encoding, include_ocsp, true, true});
 
     // If we failed, simply return the result
     if (result.status != GetCertificateInfoStatus::Accepted) {
@@ -1149,7 +1159,7 @@ GetCertificateInfoResult EvseSecurity::get_leaf_certificate_info(LeafCertificate
 GetCertificateInfoResult EvseSecurity::get_leaf_certificate_info_internal(LeafCertificateType certificate_type,
                                                                           EncodingFormat encoding, bool include_ocsp) {
     GetCertificateFullInfoResult result =
-        get_full_leaf_certificate_info_internal(certificate_type, encoding, include_ocsp, false, false);
+        get_full_leaf_certificate_info_internal({certificate_type, encoding, include_ocsp, false, false});
     GetCertificateInfoResult internal_result;
 
     internal_result.status = result.status;
@@ -1160,10 +1170,10 @@ GetCertificateInfoResult EvseSecurity::get_leaf_certificate_info_internal(LeafCe
     return internal_result;
 }
 
-GetCertificateFullInfoResult EvseSecurity::get_full_leaf_certificate_info_internal(LeafCertificateType certificate_type,
-                                                                                   EncodingFormat encoding,
-                                                                                   bool include_ocsp, bool include_root,
-                                                                                   bool include_all_valid) {
+GetCertificateFullInfoResult
+EvseSecurity::get_full_leaf_certificate_info_internal(const CertificateQueryParams& params) {
+    auto certificate_type = params.certificate_type;
+
     EVLOG_info << "Requesting leaf certificate info: "
                << conversions::leaf_certificate_type_to_string(certificate_type);
 
@@ -1224,15 +1234,31 @@ GetCertificateFullInfoResult EvseSecurity::get_full_leaf_certificate_info_intern
                         // Found at least one valid key
                         any_valid_key = true;
 
-                        // Copy to latest valid
                         KeyPairInternal key_pair{chain.at(0), priv_key_path};
-                        valid_leafs.emplace_back(std::move(key_pair));
+
+                        if (params.remove_duplicates) {
+                            // Filter the already added certificates, since we can have a case
+                            // when a leaf is present in 2 files (single/chain) that causes it
+                            // to be added to the list twice by the bundle parser
+                            auto it = std::find_if(valid_leafs.begin(), valid_leafs.end(),
+                                                   [&key_pair](const auto& in_key_pair) {
+                                                       return in_key_pair.certificate == key_pair.certificate;
+                                                   });
+
+                            // None found
+                            if (it == valid_leafs.end()) {
+                                valid_leafs.emplace_back(std::move(key_pair));
+                            }
+                        } else {
+                            // Copy to latest valid
+                            valid_leafs.emplace_back(std::move(key_pair));
+                        }
 
                         // We found, break
                         EVLOG_info << "Found valid leaf: [" << chain.at(0).get_file().value() << "]";
 
                         // Collect all if we don't include valid only
-                        if (include_all_valid == false) {
+                        if (params.include_all_valid == false) {
                             EVLOG_info << "Not requiring all valid leafs, returning";
                             return false;
                         }
@@ -1329,15 +1355,15 @@ GetCertificateFullInfoResult EvseSecurity::get_full_leaf_certificate_info_intern
             }
 
             // Both require the hierarchy build
-            if (include_ocsp || include_root) {
+            if (params.include_ocsp || params.include_root) {
                 X509CertificateBundle root_bundle(root_dir, EncodingFormat::PEM); // Required for hierarchy
 
                 // The hierarchy is required for both roots and the OCSP cache
                 auto hierarchy = X509CertificateHierarchy::build_hierarchy(root_bundle.split(), leaf_directory.split());
                 EVLOG_debug << "Hierarchy for root/OCSP data: \n" << hierarchy.to_debug_string();
 
                 // Include OCSP data if possible
-                if (include_ocsp) {
+                if (params.include_ocsp) {
                     // Search for OCSP data for each certificate
                     if (leaf_fullchain != nullptr) {
                         for (const auto& chain_certif : *leaf_fullchain) {
@@ -1361,7 +1387,7 @@ GetCertificateFullInfoResult EvseSecurity::get_full_leaf_certificate_info_intern
                 }
 
                 // Include root data if possible
-                if (include_root) {
+                if (params.include_root) {
                     // Search for the root of any of the leafs
                     // present either in the chain or single
                     try {
@@ -1386,11 +1412,11 @@ GetCertificateFullInfoResult EvseSecurity::get_full_leaf_certificate_info_intern
             info.certificate_count = chain_len;
             info.password = this->private_key_password;
 
-            if (include_ocsp) {
+            if (params.include_ocsp) {
                 info.ocsp = certificate_ocsp;
             }
 
-            if (include_root && leafs_root.has_value()) {
+            if (params.include_root && leafs_root.has_value()) {
                 info.certificate_root = leafs_root.value();
             }
 

tests/CMakeLists.txt

@@ -49,7 +49,8 @@ setup_target_for_coverage_gcovr_xml(
 
 file(COPY
     "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs.sh"
-    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs_multi.sh"
+    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs_root_multi.sh"
+    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs_leaf_multi.sh"
     DESTINATION "${CMAKE_BINARY_DIR}/tests"
 )