diff --git a/include/evse_security/crypto/interface/crypto_types.hpp b/include/evse_security/crypto/interface/crypto_types.hpp
index 4d0ed14..5f5afa4 100644
--- a/include/evse_security/crypto/interface/crypto_types.hpp
+++ b/include/evse_security/crypto/interface/crypto_types.hpp
@@ -8,6 +8,7 @@
 #include
 #include
+#include
 namespace evse_security {
 enum class CertificateValidationError {
@@ -20,14 +21,6 @@ enum class CertificateValidationError {
     Unknown,
 };
-enum class CryptoKeyType {
-    EC_prime256v1, // Default EC. P-256, ~equiv to rsa 3072
-    EC_secp384r1, // P-384, ~equiv to rsa 7680
-    RSA_TPM20, // Default TPM RSA, only option allowed for TPM (universal support), 2048 bits
-    RSA_3072, // Default RSA. Protection lifetime: ~2030
-    RSA_7680, // Protection lifetime: >2031
-};
-
 struct KeyGenerationInfo {
     CryptoKeyType key_type;
diff --git a/include/evse_security/evse_security.hpp b/include/evse_security/evse_security.hpp
index 18366f8..22b5584 100644
--- a/include/evse_security/evse_security.hpp
+++ b/include/evse_security/evse_security.hpp
@@ -153,6 +153,9 @@ class EvseSecurity {
     std::string generate_certificate_signing_request(LeafCertificateType certificate_type, const std::string& country,
                                                      const std::string& organization, const std::string& common);
+    std::string generate_certificate_signing_request_full(LeafCertificateType certificate_type,
+                                                          GenerateCSRInfo& full_info);
+
     /// @brief Searches the filesystem on the specified directories for the given \p certificate_type and retrieves the
     /// most recent certificate that is already valid and the respective key. If no certificate is present or no key is
     /// matching the certificate, this function returns std::nullopt
diff --git a/include/evse_security/evse_types.hpp b/include/evse_security/evse_types.hpp
index f4f8450..a40576e 100644
--- a/include/evse_security/evse_types.hpp
+++ b/include/evse_security/evse_types.hpp
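Review bot: The `generate_certificate_signing_request_full` declaration added in the evse_security.hpp hunk has no `/// @brief` comment, while the neighbouring declaration right below it documents its contract, and it takes `GenerateCSRInfo& full_info` by mutable reference although the definition in this commit only reads from it. Suggest `const GenerateCSRInfo& full_info` (in the header and the definition together) and a comment such as `/// @brief Generates a CSR for \p certificate_type from the subject, SAN and key parameters in \p full_info, creating the key on the TPM when \p full_info.generate_key_on_tpm is set`. The TPM wording is inferred from how the .cpp hunk derives `use_tpm` from that field, so confirm it before committing the comment. The enclosing class body extends beyond the hunk.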
@@ -42,6 +42,14 @@ enum class HashAlgorithm {
     SHA512,
 };
+enum class CryptoKeyType {
+    EC_prime256v1, // Default EC. P-256, ~equiv to rsa 3072
+    EC_secp384r1, // P-384, ~equiv to rsa 7680
+    RSA_TPM20, // Default TPM RSA, only option allowed for TPM (universal support), 2048 bits
+    RSA_3072, // Default RSA. Protection lifetime: ~2030
+    RSA_7680, // Protection lifetime: >2031
+};
+
 // the following 3 enum classes should go into evse_security
 enum class InstallCertificateResult {
     InvalidSignature,
@@ -125,6 +133,19 @@ struct GetKeyPairResult {
     std::optional pair;
 };
+struct GenerateCSRInfo {
+    CryptoKeyType key_type;
+    bool generate_key_on_tpm;
+
+    int n_version;
+    std::string country;
+    std::string organization;
+    std::string common_name;
+
+    std::optional dns_name;
+    std::optional ip_address;
+};
+
 namespace conversions {
 std::string encoding_format_to_string(EncodingFormat e);
 std::string ca_certificate_type_to_string(CaCertificateType e);
diff --git a/lib/evse_security/evse_security.cpp b/lib/evse_security/evse_security.cpp
index c7581a1..2d54ec5 100644
--- a/lib/evse_security/evse_security.cpp
+++ b/lib/evse_security/evse_security.cpp
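Review bot: `GenerateCSRInfo` in the evse_types.hpp hunk declares `key_type`, `generate_key_on_tpm` and `n_version` without default member initializers, so any caller that writes `GenerateCSRInfo info;` and only fills the strings hands indeterminate values to key generation and to the CSR version field; the convenience wrapper in the .cpp part of this commit does exactly that for `n_version`. Suggest `CryptoKeyType key_type{CryptoKeyType::EC_prime256v1};`, `bool generate_key_on_tpm{false};` and `int n_version{0};`, which are the values the replaced inline code always used. A one-line comment on `n_version` stating what it maps to would also help, since the struct gives no hint and the old code simply hard-coded 0.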
@@ -698,12 +698,36 @@ std::string EvseSecurity::generate_certificate_signing_request(LeafCertificateTy
                                                                const std::string& country,
                                                                const std::string& organization,
                                                                const std::string& common, bool use_tpm) {
+    GenerateCSRInfo info;
+
+    info.country = country;
+    info.organization = organization;
+    info.common_name = common;
+
+    // Default key
+    info.key_type = CryptoKeyType::EC_prime256v1;
+    info.generate_key_on_tpm = use_tpm;
+
+    return generate_certificate_signing_request_full(certificate_type, info);
+}
+
+std::string EvseSecurity::generate_certificate_signing_request(LeafCertificateType certificate_type,
+                                                               const std::string& country,
+                                                               const std::string& organization,
+                                                               const std::string& common) {
+    return generate_certificate_signing_request(certificate_type, country, organization, common, false);
+}
+
+std::string EvseSecurity::generate_certificate_signing_request_full(LeafCertificateType certificate_type,
+                                                                    GenerateCSRInfo& full_info) {
     std::lock_guard guard(EvseSecurity::security_mutex);
     fs::path key_path;
     EVLOG_info << "generate_certificate_signing_request: create filename";
+    const bool use_tpm = full_info.generate_key_on_tpm;
+
     // Make a difference between normal and tpm keys for identification
     const auto file_name = std::string("SECC_LEAF_") +
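Review bot: The rewritten five-argument `generate_certificate_signing_request` declares `GenerateCSRInfo info;` and never assigns `info.n_version`, so `generate_certificate_signing_request_full` copies an uninitialized int into the CSR where the removed inline code set 0; add `info.n_version = 0;`. The wrapper also silently drops the build-time `CSR_DNS_NAME` / `CSR_IP_ADDRESS` SAN defaults that the removed `#ifdef` blocks applied, so every existing caller of the old signature now produces a CSR without those SANs — if that is intended it should be stated in the commit, otherwise reinstate them in the wrapper as below. The body of the `_full` overload continues past the end of the hunk.
```cpp
    GenerateCSRInfo info;

    info.country = country;
    info.organization = organization;
    info.common_name = common;
    info.n_version = 0; // the version the replaced inline code always used

#ifdef CSR_DNS_NAME
    info.dns_name = CSR_DNS_NAME; // keep the build-time SAN defaults the old path applied
#endif
#ifdef CSR_IP_ADDRESS
    info.ip_address = CSR_IP_ADDRESS;
#endif
    // … unchanged: default key type, tpm flag and the call to the _full overload …
```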
@@ -721,23 +745,18 @@ std::string EvseSecurity::generate_certificate_signing_request(LeafCertificateTy
     std::string csr;
     CertificateSigningRequestInfo info;
-    info.n_version = 0;
-    info.commonName = common;
-    info.country = country;
-    info.organization = organization;
-#ifdef CSR_DNS_NAME
-    info.dns_name = CSR_DNS_NAME;
-#else
-    info.dns_name = std::nullopt;
-#endif
-#ifdef CSR_IP_ADDRESS
-    info.ip_address = CSR_IP_ADDRESS;
-#else
-    info.ip_address = std::nullopt;
-#endif
-
-    info.key_info.key_type = CryptoKeyType::EC_prime256v1;
-    info.key_info.generate_on_tpm = use_tpm;
+    info.n_version = full_info.n_version;
+    info.commonName = full_info.common_name;
+    info.country = full_info.country;
+    info.organization = full_info.organization;
+
+    if (full_info.dns_name.has_value())
+        info.dns_name = full_info.dns_name.value();
+    if (full_info.ip_address.has_value())
+        info.ip_address = full_info.dns_name.value();
+
+    info.key_info.key_type = full_info.key_type;
+    info.key_info.generate_on_tpm = full_info.generate_key_on_tpm;
     info.key_info.private_key_file = key_path;
     if ((use_tpm == false) && private_key_password.has_value()) {
@@ -756,13 +775,6 @@ std::string EvseSecurity::generate_certificate_signing_request(LeafCertificateTy
     return csr;
 }
-std::string EvseSecurity::generate_certificate_signing_request(LeafCertificateType certificate_type,
-                                                               const std::string& country,
-                                                               const std::string& organization,
-                                                               const std::string& common) {
-    return generate_certificate_signing_request(certificate_type, country, organization, common, false);
-}
-
 GetKeyPairResult EvseSecurity::get_key_pair(LeafCertificateType certificate_type, EncodingFormat encoding) {
     std::lock_guard guard(EvseSecurity::security_mutex);
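Review bot: `info.ip_address = full_info.dns_name.value();` in the first hunk copies the DNS name into the IP-address SAN slot; it should read `info.ip_address = full_info.ip_address.value();`. As written, a request that sets only `ip_address` dereferences the empty `dns_name` optional and throws `std::bad_optional_access`, and one that sets both submits a CSR to the CA with the hostname in the IP SAN field, which is the kind of subject mismatch a CA may sign without noticing. The two brace-less `if` bodies also differ from the braced style used a few lines later (`if ((use_tpm == false) && ...) {`), so braces would keep the function consistent. The enclosing function starts above this hunk.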