Merge pull request #36 from c-jimenez/dev/security_secure_connection_user_certificates

Security - Secure connection user certificates

Author: c-jimenez

CMakeLists.txt

@@ -15,8 +15,13 @@ if(NOT DEFINED TARGET)
 endif()
 include(CMakeLists_${TARGET}.txt)
 
-# Subdirectories
+# 3rd party
 add_subdirectory(3rdparty)
+
+# OpenSSL is mandatory
+find_package(OpenSSL REQUIRED COMPONENTS SSL Crypto) 
+
+# Subdirectories
 add_subdirectory(examples)
 add_subdirectory(src)
 

README.md

@@ -67,7 +67,7 @@ The standard OCPP configuration persistency has to be handled by the user applic
 | Firmware Management | Support for firmware update management and diagnostic log file download | Actual file download/upload as well as firmware installation must be handled by the user application in the callbacks provided by **Open OCPP** |
 | Local Auth List Management | Features to manage the local authorization list in Charge Points | None |
 | Reservation | Support for reservation of a Charge Point. | None |
-| Smart Charging | Support for basic Smart Charging, for instance using control pilot | GetCompositeSchedule is not supported for now in Chare Point role |
+| Smart Charging | Support for basic Smart Charging, for instance using control pilot | GetCompositeSchedule is not supported for now in Charge Point role |
 | Remote Trigger | Support for remote triggering of Charge Point initiated messages | None |
 
 ### Supported OCPP configuration keys
@@ -86,7 +86,7 @@ In the "Owner" column, "S" means that the configuration key behavior is handled
 | ConnectionTimeOut | S | None |
 | ConnectorPhaseRotation | S | None |
 | ConnectorPhaseRotationMaxLength | S | None |
-| GetConfigurationMaxKeys | S | Must be set to the sum of OCPP configuration keys count (99) + user application configuration keys count to allow to export all the configuration in 1 message |
+| GetConfigurationMaxKeys | S | Must be set to the sum of OCPP configuration keys count (49) + user application configuration keys count to allow to export all the configuration in 1 message |
 | HeartbeatInterval | S | Heartbeat are only sent if no messages have been exchanged since HeartbeatInterval seconds |
 | LightIntensity | U | None |
 | LocalAuthorizeOffline | S | None |
@@ -139,10 +139,9 @@ In the "Owner" column, "S" means that the configuration key behavior is handled
 * 2 : TLS with HTTP Basic Authentication
 * 3 : TLS with Client Side Certificates
 
-The OCPP use cases to dynamically switch between Security Profiles is not implemented yet.
-Only the automatic reconnexion when the **AuthorizationKey** parameter has been modified is implemented.
-
-To switch between Security Profiles, the user application will have to : stop the stack, modify the connexion parameters, restart the stack.
+In Charge Point role, the stack will automatically disconnect and then reconnect to the Central System after one of the following parameters has been modified : 
+* **AuthorizationKey**
+* **Security Profile**
 
 #### Security events
 
@@ -159,6 +158,13 @@ In Charge Point role, the user application can generate custom security events a
 
 **Open OCPP** support this feature for both Charge Point and Central System roles.
 
+#### Certificate management messages
+
+**Open OCPP** support this feature for both Charge Point and Central System roles. 
+
+The actual storage of the certificates and their keys must be done by the user application. 
+
+**Open OCPP** provides callbacks and helper classes to ease certificate manipulation and installation.
 
 ## Build
 

examples/CMakeLists.txt

@@ -4,3 +4,5 @@ add_subdirectory(common)
 add_subdirectory(quick_start_centralsystem)
 add_subdirectory(quick_start_chargepoint)
 add_subdirectory(remote_chargepoint)
+add_subdirectory(security_centralsystem)
+add_subdirectory(security_chargepoint)

examples/README.md

@@ -6,6 +6,7 @@ The following examples are available :
 * [Quick start Central System example](./quick_start_centralsystem/README.md)
 * [Quick start Charge Point example](./quick_start_chargepoint/README.md)
 * [Remote Charge Point example](./remote_chargepoint/README.md)
+* [Security Charge Point example](./security_chargepoint/README.md)
 
 How to run the examples:
 * Customize the *config.ini* file of the selected example with the URL of the Central System and the other connection parameters has well has the OCPP configuration keys

examples/certificates/open-ocpp_ca.cnf

@@ -22,4 +22,4 @@ subjectAltName = @alt_names
 
 [alt_names]
 DNS.1 = localhost
-DNS.2 = IP:127.0.0.1
+IP.1 = 127.0.0.1

examples/certificates/open-ocpp_ca.crt

@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICfjCCAiSgAwIBAgIUROpklJY2B+02oFHz1MvijdkjtvgwCgYIKoZIzj0EAwIw
+MIICdjCCAhygAwIBAgIUU00opFUZAFZnWYQ+kgYIY/xRtrkwCgYIKoZIzj0EAwIw
 gaMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcMCENoYW1i
 ZXJ5MRIwEAYDVQQKDAlPcGVuIE9DUFAxETAPBgNVBAsMCEV4YW1wbGVzMSgwJgYD
 VQQDDB9PcGVuIE9DUFAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYJKoZIhvcN
-AQkBFhBjYUBvcGVuLW9jcHAub3JnMB4XDTIyMDEyNTA4MjQzM1oXDTMyMDEyMzA4
-MjQzM1owgaMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcM
+AQkBFhBjYUBvcGVuLW9jcHAub3JnMB4XDTIyMDEyODIyMTAwOVoXDTMyMDEyNjIy
+MTAwOVowgaMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcM
 CENoYW1iZXJ5MRIwEAYDVQQKDAlPcGVuIE9DUFAxETAPBgNVBAsMCEV4YW1wbGVz
 MSgwJgYDVQQDDB9PcGVuIE9DUFAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYJ
 KoZIhvcNAQkBFhBjYUBvcGVuLW9jcHAub3JnMFkwEwYHKoZIzj0CAQYIKoZIzj0D
-AQcDQgAEJZAFFCLPK7VimsLANzt6QEVVASRfqG+w6/oiCksM8l5/UkbtMi07Eum9
-IS1opxqsf5dPrGnLVz2wslSEsdHiaqM0MDIwDAYDVR0TBAUwAwEB/zAiBgNVHREE
-GzAZgglsb2NhbGhvc3SCDElQOjEyNy4wLjAuMTAKBggqhkjOPQQDAgNIADBFAiEA
-9Dwgm5x0hw+wRtek9UJ1aJdwmlVgHCeGqFUjwArjn1YCIES6iO0nG+sMMFhWdRHZ
-nmfCimIZKr/bIH6EefWzbg9s
+AQcDQgAELROcaZSbNQBW3xu4p6M38kFlL+nZvX+CCxZlZm8AYvT8CScbiEIhs4Yx
+pwPc7rw0Rg+ke+7mpiyVO6eckW8AA6MsMCowDAYDVR0TBAUwAwEB/zAaBgNVHREE
+EzARgglsb2NhbGhvc3SHBH8AAAEwCgYIKoZIzj0EAwIDSAAwRQIhAMnF/jvtMu9u
+LYlG6BtNb0QImbRACsJTvbc8vy0UWLqdAiA4SZLw3/jm6Wt0/KUBCauh9Q3ng4R7
+nra7+SE7jsfQGQ==
 -----END CERTIFICATE-----

examples/certificates/open-ocpp_ca.key

@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIDKwZrJhHkMw8cMAUNRgXzaFKlnimYYY8xB6ifuL/s4OoAoGCCqGSM49
-AwEHoUQDQgAEJZAFFCLPK7VimsLANzt6QEVVASRfqG+w6/oiCksM8l5/UkbtMi07
-Eum9IS1opxqsf5dPrGnLVz2wslSEsdHiag==
+MHcCAQEEIIaECY0903wV9XcY5RlURk0WsHpCL2n8B/VzUwZ1+TZpoAoGCCqGSM49
+AwEHoUQDQgAELROcaZSbNQBW3xu4p6M38kFlL+nZvX+CCxZlZm8AYvT8CScbiEIh
+s4YxpwPc7rw0Rg+ke+7mpiyVO6eckW8AAw==
 -----END EC PRIVATE KEY-----

examples/certificates/open-ocpp_central-system.cnf

@@ -22,4 +22,4 @@ subjectAltName = @alt_names
 
 [alt_names]
 DNS.1 = localhost
-DNS.2 = IP:127.0.0.1
+IP.1 = 127.0.0.1

examples/certificates/open-ocpp_central-system.crt

@@ -1,16 +1,16 @@
 -----BEGIN CERTIFICATE-----
-MIICgDCCAiagAwIBAgIUE0SqeLRrvEnH5WWw36XvPEisumMwCgYIKoZIzj0EAwIw
+MIICeDCCAh6gAwIBAgIUE0SqeLRrvEnH5WWw36XvPEisumcwCgYIKoZIzj0EAwIw
 gaMxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcMCENoYW1i
 ZXJ5MRIwEAYDVQQKDAlPcGVuIE9DUFAxETAPBgNVBAsMCEV4YW1wbGVzMSgwJgYD
 VQQDDB9PcGVuIE9DUFAgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MR8wHQYJKoZIhvcN
-AQkBFhBjYUBvcGVuLW9jcHAub3JnMB4XDTIyMDEyNTA4MjQzM1oXDTMyMDEyMzA4
-MjQzM1owgagxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcM
+AQkBFhBjYUBvcGVuLW9jcHAub3JnMB4XDTIyMDEyODIyMTAwOVoXDTMyMDEyNjIy
+MTAwOVowgagxCzAJBgNVBAYTAkZSMQ8wDQYDVQQIDAZTYXZvaWUxETAPBgNVBAcM
 CENoYW1iZXJ5MRIwEAYDVQQKDAlPcGVuIE9DUFAxETAPBgNVBAsMCEV4YW1wbGVz
 MSEwHwYDVQQDDBhPcGVuIE9DUFAgQ2VudHJhbCBTeXN0ZW0xKzApBgkqhkiG9w0B
 CQEWHGNlbnRyYWwuc3lzdGVtQG9wZW4tb2NwcC5vcmcwWTATBgcqhkjOPQIBBggq
-hkjOPQMBBwNCAAR677GKDxt/gxd7ijqSvhF61+ETcNAvleHheWYuMiDQdfkVazz/
-pEBvvyRDiYpL39GyLubcW0cFJY41inripW44ozEwLzAJBgNVHRMEAjAAMCIGA1Ud
-EQQbMBmCCWxvY2FsaG9zdIIMSVA6MTI3LjAuMC4xMAoGCCqGSM49BAMCA0gAMEUC
-IH2UJPDnxHhg6nT/GnW+qIDvas7BSAZMIRQQpzYpxINaAiEA1Xe79Q7BUJ98esNN
-NhtHEYmVcY4Pjzdb6r75m/vjJN4=
+hkjOPQMBBwNCAASQh65x/PvhYJJneJ4+SvRs8UFU86LvZatCsquGNbKFOPun8cRP
+VO/4kFRvQ5ePBCAjzKoPQD7n+U5ROZCWoDTuoykwJzAJBgNVHRMEAjAAMBoGA1Ud
+EQQTMBGCCWxvY2FsaG9zdIcEfwAAATAKBggqhkjOPQQDAgNIADBFAiEAiSPkDrFg
+ktbdMtzzi6AQgwbcQYDkmMmZKVoXjLqysrkCIBAfo0Iaj5/ZLGFKpaU7vvhR1CNb
+eavbFo36TILEfKYe
 -----END CERTIFICATE-----

examples/certificates/open-ocpp_central-system.key

@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIFzxXv+7UwwnKeLgp8IB01r+fs5qAXiqjo8Ji/QJyCMjoAoGCCqGSM49
-AwEHoUQDQgAEeu+xig8bf4MXe4o6kr4RetfhE3DQL5Xh4XlmLjIg0HX5FWs8/6RA
-b78kQ4mKS9/Rsi7m3FtHBSWONYp64qVuOA==
+MHcCAQEEIBgb3p8yNSp0jonK6hQ/34jx8uVHVZJ6DkeiftklrDYxoAoGCCqGSM49
+AwEHoUQDQgAEkIeucfz74WCSZ3iePkr0bPFBVPOi72WrQrKrhjWyhTj7p/HET1Tv
++JBUb0OXjwQgI8yqD0A+5/lOUTmQlqA07g==
 -----END EC PRIVATE KEY-----