Merge pull request #39 from c-jimenez/dev/secure_connection_internal_certificates

Secure connection with internal certificate management

Author: c-jimenez

README.md

@@ -17,6 +17,7 @@ This implementation is based on the following libraries :
   + [Supported OCPP feature profiles](#supported-ocpp-feature-profiles)
   + [Supported OCPP configuration keys](#supported-ocpp-configuration-keys)
   + [OCPP security extensions](#ocpp-security-extensions)
+  * [Internal configuration keys](#internal-configuration-keys)
 * [Build](#build)
 * [Quick start](#quick-start)
   + [Charge Point role](#charge-point-role)
@@ -38,7 +39,7 @@ As of this version :
 
 * All the messages defined in the OCPP 1.6 edition 2 protocol have been implemented except GetCompositeSchedule for Charge Point role
 * All the configuration keys defined in the OCPP 1.6 edition 2 protocol have been implemented for the Charge Point role
-* Some Charge Point and Central System behavior related to the OCPP 1.6 security whitepaper edition 2 has been implemented (work in progress, see [OCPP security extensions](#ocpp-security-extensions))
+* Most of Charge Point and Central System behavior related to the OCPP 1.6 security whitepaper edition 2 has been implemented (work in progress, see [OCPP security extensions](#ocpp-security-extensions))
 
 The user application will have to implement some callbacks to provide the data needed by **Open OCPP** or to handle OCPP events (boot notification, remote start/stop notifications, meter values...).
 
@@ -51,6 +52,7 @@ The persistent data handled by **Open OCPP** is stored into a single file which
   + Badge cache and local list
   + Smart charging profile
   + Logs
+  * X.509 Certificates
 
 * For Central System role :
 
@@ -121,10 +123,10 @@ In the "Owner" column, "S" means that the configuration key behavior is handled
 | ChargingScheduleMaxPeriods | S | None |
 | ConnectorSwitch3to1PhaseSupported | S | None |
 | MaxChargingProfilesInstalled | S | None |
-| AdditionalRootCertificateCheck | U | None |
+| AdditionalRootCertificateCheck | U/S | Not implemented yet : implemented behavior is the same as if AdditionalRootCertificateCheck = False |
 | AuthorizationKey | S | None |
 | CertificateSignedMaxChainSize | S | None |
-| CertificateStoreMaxLength | U | None |
+| CertificateStoreMaxLength | U/S | If internal certificate management is enabled, the stack handle this parameter, otherwise it must be the user application |
 | CpoName | S | None |
 | SecurityProfile | S | None |
 
@@ -139,34 +141,112 @@ In the "Owner" column, "S" means that the configuration key behavior is handled
 * 2 : TLS with HTTP Basic Authentication
 * 3 : TLS with Client Side Certificates
 
-In Charge Point role, the stack will automatically disconnect and then reconnect to the Central System after one of the following parameters has been modified : 
+In Charge Point role, the stack will automatically disconnect and then reconnect using the new parameters to the Central System after one of the following parameters has been modified : 
 * **AuthorizationKey**
 * **Security Profile**
 
 #### Security events
 
 **Open OCPP** support the whole use cases of security events and logging. 
 
-In Charge Point role, it can optionnaly handle the storage of the security event log and the generation of the security log export when the Central System asks it. To enable/disable this feature, you have to modify the **SecurityLogMaxEntriesCount** charge point configuration value :
+In Charge Point role, it can optionnaly handle the storage of the security event log and the generation of the security log export when the Central System asks it. To enable/disable this feature, you have to modify the **SecurityLogMaxEntriesCount** charge point configuration key :
 
 * 0 = **Open OCPP** will not store security event and the security log must be generated by the user application
 * \>0 = **Open OCPP** will store at max **SecurityLogMaxEntriesCount** (circular log) and will automatically generate the security log as a CSV file
 
 In Charge Point role, the user application can generate custom security events and defines its criticity so that they are forwarded to the Central System.
 
-In Charge Point role, the notification of security events can be enabled or disabled with the IChargePointConfig::securityEventNotificationEnabled() configuration. This can be usefull to disable them when the Central System does not implement the security extensions.
+In Charge Point role, the notification of security events can be enabled or disabled with the **SecurityEventNotificationEnabled** configuration key. This can be usefull to disable them when the Central System does not implement the security extensions.
 
 #### Extended trigger messages
 
 **Open OCPP** support this feature for both Charge Point and Central System roles.
 
-#### Certificate management messages
+#### Certificate management
 
 **Open OCPP** support this feature for both Charge Point and Central System roles. 
 
-The actual storage of the certificates and their keys must be done by the user application. 
+The behavior of this feature is controlled by the **InternalCertificateManagementEnabled** configuration key.
 
-**Open OCPP** provides callbacks and helper classes to ease certificate manipulation and installation.
+If **InternalCertificateManagementEnabled** is set to **false**, the actual storage of the certificates and their keys must be done by the user application. **Open OCPP** provides callbacks and helper classes to ease certificate manipulation and installation. The user application also has to configure the path to the installed certificates for the establishment of the secure connections using the following configuration keys :
+
+* TlsServerCertificateCa
+* TlsClientCertificate
+* TlsClientCertificatePrivateKey
+* TlsClientCertificatePrivateKeyPassphrase
+
+If **InternalCertificateManagementEnabled** is set to **true**, the storage of certificates and their keys is fully handled by **Open OCPP**. The user application just has to provide a passphrase using the **TlsClientCertificatePrivateKeyPassphrase** configuration key to securily encrypt the certicates' private keys using AES-256-CBC algorithm. **Open OCPP** will automatically use the installed corresponding certificates depending on the configured Security Profile and the certificates validity dates.
+
+### Internal configuration keys
+
+The behavior and the configuration of the **Open OCPP** stack can be modified through configuration keys. Some are specific to an OCPP role and some are common.
+
+#### Common keys
+
+| Key | Type | Description |
+| :---: | :---: | :--- |
+| DatabasePath | string | Path to the database to store persistent data |
+| JsonSchemasPath | string | Path to the JSON schemas to validate the messages |
+| CallRequestTimeout | uint | Call request timeout in milliseconds |
+| Tlsv12CipherList | string | List of authorized ciphers for TLSv1.2 connections (OpenSSL format) |
+| Tlsv13CipherList | string | List of authorized ciphers for TLSv1.3 connections (OpenSSL format) |
+| LogMaxEntriesCount | uint | Maximum number of entries in the log (0 = no logs in database) |
+
+#### Charge Point keys
+
+| Key | Type | Description |
+| :---: | :---: | :--- |
+| ConnexionUrl | string | URL of the Central System |
+| ChargePointIdentifier | string | OCPP Charge Point identifier. Will be concatanated with the **ConnexionUrl** key |
+| ConnectionTimeout | uint | Connection timeout in milliseconds |
+| RetryInterval | uint | Retry interval when connection has failed in milliseconds |
+| ChargeBoxSerialNumber | string | Deprecated. Charge Box serial number for BootNotification message |
+| ChargePointModel | string | Charge Point model for BootNotification message |
+| ChargePointSerialNumber | string | Charge Point serial number for BootNotification message |
+| ChargePointVendor | string | Charge Point vendor for BootNotification message |
+| FirmwareVersion | string | Charge Point firmware version for BootNotification message |
+| Iccid | string | ICCID of the moden's SIM card for BootNotification message |
+| Imsi | string | IMSI of the moden's SIM card for BootNotification message |
+| MeterSerialNumber | string | Main electrical meter serial number for BootNotification message |
+| MeterType | string | Main electrical meter type for BootNotification message |
+| OperatingVoltage | float | Nominal operating voltage (needed for Watt to Amp conversions in smart charging profiles) |
+| AuthentCacheMaxEntriesCount | uint | Maximum number of entries in the authentication cache |
+| TlsServerCertificateCa | string | Path to Certification Authority signing chain to validate the Central System certificate |
+| TlsClientCertificate | string | Path to Charge Point certificate |
+| TlsClientCertificatePrivateKey | string | Path to Charge Point's certificate's private key |
+| TlsClientCertificatePrivateKeyPassphrase | string | Charge Point certificate's private key passphrase |
+| TlsAllowSelfSignedCertificates | bool | Allow TLS connections using self-signed certificates (Warning : enabling this feature is not recommended in production) |
+| TlsAllowExpiredCertificates | bool | Allow TLS connections using expired certificates (Warning : enabling this feature is not recommended in production) |
+| TlsAcceptNonTrustedCertificates | bool | Accept non trusted certificates for TLS connections (Warning : enabling this feature is not recommended in production) |
+| TlsSkipServerNameCheck | bool | Skip server name check in certificates for TLS connections (Warning : enabling this feature is not recommended in production) |
+| InternalCertificateManagementEnabled | bool | If true, certificates are stored inside **Open OCPP** databasen otherwise user application has to handle them|
+| SecurityEventNotificationEnabled | bool | Enable security event notification |
+| SecurityLogMaxEntriesCount | uint | Maximum number of entries in the security log (0 = no security logs in database) |
+| ClientCertificateRequestHashType | string | Hash type for certificate request generation : sha256, sha384 or sha512 |
+| ClientCertificateRequestKeyType | string | Key type for certificate request generation : ec or rsa |
+| ClientCertificateRequestRsaKeyLength | uint | Length in bits of the key for certificate request generation if rsa has been selected for key type : minimum 2048 |
+| ClientCertificateRequestEcCurve | string | Name of the elliptic curve for certificate request generation if ec has been selected for key type : prime256v1, secp256k1, secp384r1, secp521r1, brainpoolP256t1, brainpoolP384t1 or brainpoolP512t1 |
+| ClientCertificateRequestSubjectCountry | string | Country for the subject field of certificate request generation (can be left empty) |
+| ClientCertificateRequestSubjectState | string | State for the subject field of certificate request generation (can be left empty) |
+| ClientCertificateRequestSubjectLocation | string | Location for the subject field of certificate request generation (can be left empty) |
+| ClientCertificateRequestSubjectOrganizationUnit | string | Organization unit for the subject field of certificate request generation (can be left empty) |
+| ClientCertificateRequestSubjectEmail | string | Email for the subject field of certificate request generation (can be left empty) |
+
+#### Central System keys
+
+| Key | Type | Description |
+| :---: | :---: | :--- |
+| ListenUrl | string | URL to listen to incomming  websocket connections |
+| WebSocketPingInterval | uint | Websocket PING interval in seconds |
+| BootNotificationRetryInterval | uint | Boot notification retry interval in second (sent in BootNotificationConf when status is Pending or Rejected) |
+| HeartbeatInterval | uint | Heartbeat interval in seconds (sent in BootNotificationConf when status is Accepted) |
+| HttpBasicAuthent | bool | If set to true, the Charge Points must autenticate themselves using HTTP Basic Authentication method |
+| TlsEcdhCurve | string | ECDH curve to use for TLS connections with EC keys |
+| TlsServerCertificate | string | Path to the Central System's certificate |
+| TlsServerCertificatePrivateKey | string | Path to the Central System's certificate's private key |
+| TlsServerCertificatePrivateKeyPassphrase | string | Central System's certificate's private key passphrase |
+| TlsServerCertificateCa | string | Path to the Certification Authority signing chain for the Central System's certificate |
+| TlsClientCertificateAuthent | bool | If set to true, the Charge Points must authenticate themselves using an X.509 certificate |
 
 ## Build
 

examples/common/DefaultChargePointEventsHandler.cpp

@@ -23,7 +23,9 @@ SOFTWARE.
 */
 
 #include "DefaultChargePointEventsHandler.h"
+#include "CertificateRequest.h"
 #include "ChargePointDemoConfig.h"
+#include "PrivateKey.h"
 #include "Sha2.h"
 #include "String.h"
 
@@ -35,9 +37,10 @@ using namespace ocpp::types;
 using namespace ocpp::x509;
 
 /** @brief Constructor */
-DefaultChargePointEventsHandler::DefaultChargePointEventsHandler(ChargePointDemoConfig& config)
+DefaultChargePointEventsHandler::DefaultChargePointEventsHandler(ChargePointDemoConfig& config, const std::filesystem::path& working_dir)
     : m_config(config),
       m_chargepoint(nullptr),
+      m_working_dir(working_dir),
       m_remote_start_pending(config.ocppConfig().numberOfConnectors()),
       m_remote_stop_pending(m_remote_start_pending.size()),
       m_remote_start_id_tag(m_remote_start_pending.size())
@@ -338,7 +341,7 @@ ocpp::types::CertificateStatusEnumType DefaultChargePointEventsHandler::caCertif
 
             std::stringstream name;
             name << "fw_" << sha256.resultString() << ".pem";
-            ca_filename = name.str();
+            ca_filename = m_working_dir / name.str();
         }
         else
         {
@@ -355,7 +358,7 @@ ocpp::types::CertificateStatusEnumType DefaultChargePointEventsHandler::caCertif
 
             std::stringstream name;
             name << "cs_" << sha256.resultString() << ".pem";
-            ca_filename = name.str();
+            ca_filename = m_working_dir / name.str();
         }
 
         // Check if the certificate must be saved
@@ -405,7 +408,7 @@ bool DefaultChargePointEventsHandler::chargePointCertificateReceived(const ocpp:
 
     std::stringstream name;
     name << "cp_" << sha256.resultString() << ".pem";
-    std::string cert_filename = name.str();
+    std::string cert_filename = m_working_dir / name.str();
 
     // Save certificate
     if (certificate.toFile(cert_filename))
@@ -465,7 +468,7 @@ ocpp::types::DeleteCertificateStatusEnumType DefaultChargePointEventsHandler::de
     }
 
     // Look for installed certificates
-    for (auto const& dir_entry : std::filesystem::directory_iterator{std::filesystem::current_path()})
+    for (auto const& dir_entry : std::filesystem::directory_iterator{m_working_dir})
     {
         if (!dir_entry.is_directory())
         {
@@ -507,63 +510,22 @@ void DefaultChargePointEventsHandler::generateCsr(std::string& csr)
     cout << "Generate CSR requested" << endl;
 
     // Generata a new public/private key pair
-    std::string generate_params_cmd_line = "openssl ecparam -name prime256v1 -out /tmp/charge_point_key.param";
-    system(generate_params_cmd_line.c_str());
-    std::string generate_key_cmd_line = "openssl ecparam -in /tmp/charge_point_key.param -genkey -noout -out /tmp/charge_point_key.key";
-    system(generate_key_cmd_line.c_str());
-
-    // Create configuration file to generate the CSR
-    std::stringstream csr_config;
-    csr_config << R"([req]
-                     distinguished_name	= req_distinguished_name
-
-                     # Stop confirmation prompts. All information is contained below.
-                     prompt			= no
-
-                     # The extensions to add to a certificate request
-                     x509_extensions = v3_ca
-
-                     [req_distinguished_name]
-                     countryName =            FR
-                     stateOrProvinceName =    Savoie
-                     localityName =           Chambery
-                     organizationName =)"
-               << m_config.ocppConfig().cpoName() << R"(
-                     organizationalUnitName = Open OCPP Charge Points
-                     commonName =)"
-               << m_config.stackConfig().chargePointSerialNumber() << R"(
-                     emailAddress =           [email protected]
- 
-                     [v3_ca]
-                     basicConstraints = CA:FALSE
-                     subjectAltName = @alt_names
-
-                     [alt_names]
-                     DNS.1 = localhost
-                     DNS.2 = IP:127.0.0.1)";
-    std::fstream csr_config_file("/tmp/charge_point_csr.cnf", csr_config_file.out);
-    if (csr_config_file.is_open())
-    {
-        csr_config_file << csr_config.str();
-        csr_config_file.close();
-    }
+    PrivateKey private_key(PrivateKey::Type::EC,
+                           static_cast<unsigned int>(PrivateKey::Curve::PRIME256_V1),
+                           m_config.stackConfig().tlsClientCertificatePrivateKeyPassphrase());
+    private_key.privateToFile("/tmp/charge_point_key.key");
 
     // Generate the CSR
-    std::string generate_csr_cmd_line = "openssl req -new -sha256 -key /tmp/charge_point_key.key -extensions v3_ca -config "
-                                        "/tmp/charge_point_csr.cnf -out /tmp/charge_point.csr";
-    system(generate_csr_cmd_line.c_str());
-
-    // Read generated CSR file
-    std::fstream csr_file("/tmp/charge_point.csr", csr_config_file.in | csr_config_file.binary | csr_config_file.ate);
-    if (csr_file.is_open())
-    {
-        auto filesize = csr_file.tellg();
-        csr_file.seekg(0, csr_file.beg);
-        csr.resize(filesize);
-        csr_file.read(&csr[0], filesize);
-
-        csr_file.close();
-    }
+    CertificateRequest::Subject subject;
+    subject.country           = m_config.stackConfig().clientCertificateRequestSubjectCountry();
+    subject.state             = m_config.stackConfig().clientCertificateRequestSubjectState();
+    subject.location          = m_config.stackConfig().clientCertificateRequestSubjectLocation();
+    subject.organization      = m_config.ocppConfig().cpoName();
+    subject.organization_unit = m_config.stackConfig().clientCertificateRequestSubjectOrganizationUnit();
+    subject.common_name       = m_config.stackConfig().chargePointSerialNumber();
+    subject.email_address     = m_config.stackConfig().clientCertificateRequestSubjectEmail();
+    CertificateRequest certificate_request(subject, private_key);
+    csr = certificate_request.pem();
 }
 
 /** @copydoc void IChargePointEventsHandler::getInstalledCertificates(ocpp::types::CertificateUseEnumType,
@@ -573,7 +535,7 @@ void DefaultChargePointEventsHandler::getInstalledCertificates(ocpp::types::Cert
 {
     cout << "Get installed CA certificates requested : type = " << CertificateUseEnumTypeHelper.toString(type) << endl;
 
-    for (auto const& dir_entry : std::filesystem::directory_iterator{std::filesystem::current_path()})
+    for (auto const& dir_entry : std::filesystem::directory_iterator{m_working_dir})
     {
         if (!dir_entry.is_directory())
         {
@@ -648,7 +610,7 @@ bool DefaultChargePointEventsHandler::hasCentralSystemCaCertificateInstalled()
 bool DefaultChargePointEventsHandler::hasChargePointCertificateInstalled()
 {
     // A better implementation would also check the validity dates of the certificates
-    for (auto const& dir_entry : std::filesystem::directory_iterator{std::filesystem::current_path()})
+    for (auto const& dir_entry : std::filesystem::directory_iterator{m_working_dir})
     {
         if (!dir_entry.is_directory())
         {
@@ -671,7 +633,7 @@ bool DefaultChargePointEventsHandler::hasChargePointCertificateInstalled()
 unsigned int DefaultChargePointEventsHandler::getNumberOfCaCertificateInstalled(bool manufacturer, bool central_system)
 {
     unsigned int count = 0;
-    for (auto const& dir_entry : std::filesystem::directory_iterator{std::filesystem::current_path()})
+    for (auto const& dir_entry : std::filesystem::directory_iterator{m_working_dir})
     {
         if (!dir_entry.is_directory())
         {