Refactoring TLS 1.3 support (#86)

Refactoring connection_ssl: Updating TLS1.3 support, setting verify mode based on tls version, generate the vehicle cert leaf hash for pause/resume, added a standalone connection_openssl test / standalone tls server to test the server, generate own certs for this tls server and openssl client

Signed-off-by: Sebastian Lukas <sebastian.lukas@pionix.de>

Author: SebaLukas

.gitignore

@@ -1,4 +1,4 @@
 *build
 .vscode
-pki
+/pki
 test/sample_data

include/iso15118/config.hpp

@@ -2,6 +2,7 @@
 // Copyright 2023 Pionix GmbH and Contributors to EVerest
 #pragma once
 
+#include <filesystem>
 #include <optional>
 #include <string>
 
@@ -17,16 +18,21 @@ enum class CertificateBackend {
     EVEREST_LAYOUT,
     JOSEPPA_LAYOUT,
 };
+
 struct SSLConfig {
-    CertificateBackend backend;
+    CertificateBackend backend{CertificateBackend::EVEREST_LAYOUT};
     // Used by the JOSEPPA_LAYOUT
     std::string config_string;
     // Used by the EVEREST_LAYOUT
     std::string path_certificate_chain;
     std::string path_certificate_key;
-    std::optional<std::string> private_key_password;
+    std::optional<std::string> private_key_password{};
+    std::string path_certificate_v2g_root;
+    std::string path_certificate_mo_root;
     bool enable_ssl_logging{false};
     bool enable_tls_key_logging{false};
+    bool enforce_tls_1_3{false};
+    std::filesystem::path tls_key_logging_path{};
 };
 
 } // namespace iso15118::config

include/iso15118/detail/io/sha_hash.hpp

@@ -0,0 +1,13 @@
+// SPDX-License-Identifier: Apache-2.0
+// Copyright 2024 Pionix GmbH and Contributors to EVerest
+#pragma once
+
+#include <array>
+#include <cstdint>
+
+namespace iso15118::io {
+
+constexpr std::size_t sha_512_hash_size = 64;
+using sha512_hash_t = std::array<uint8_t, sha_512_hash_size>;
+
+} // namespace iso15118::io

include/iso15118/io/connection_abstract.hpp

@@ -4,9 +4,12 @@
 
 #include <cstddef>
 #include <functional>
+#include <optional>
 
 #include "ipv6_endpoint.hpp"
 
+#include <iso15118/detail/io/sha_hash.hpp>
+
 namespace iso15118::io {
 
 enum class ConnectionEvent {
@@ -33,6 +36,8 @@ struct IConnection {
 
     virtual void close() = 0;
 
+    virtual std::optional<sha512_hash_t> get_vehicle_cert_hash() const = 0;
+
     virtual ~IConnection() = default;
 };
 } // namespace iso15118::io

include/iso15118/io/connection_plain.hpp

@@ -21,6 +21,10 @@ class ConnectionPlain : public IConnection {
 
     void close() final;
 
+    std::optional<sha512_hash_t> get_vehicle_cert_hash() const final {
+        return std::nullopt;
+    }
+
     ~ConnectionPlain();
 
 private:

include/iso15118/io/connection_ssl.hpp

@@ -4,8 +4,10 @@
 #include "connection_abstract.hpp"
 
 #include <memory>
+#include <optional>
 
 #include <iso15118/config.hpp>
+#include <iso15118/detail/io/sha_hash.hpp>
 #include <iso15118/io/poll_manager.hpp>
 
 namespace iso15118::io {
@@ -24,6 +26,8 @@ class ConnectionSSL : public IConnection {
 
     void close() final;
 
+    std::optional<sha512_hash_t> get_vehicle_cert_hash() const final;
+
     ~ConnectionSSL();
 
 private:

include/iso15118/io/sdp_server.hpp

@@ -53,8 +53,13 @@ class TlsKeyLoggingServer {
         return fd;
     }
 
+    auto get_port() const {
+        return port;
+    }
+
 private:
     int fd{-1};
+    uint16_t port{0};
     sockaddr_in6 destination_address{};
 };
 

include/iso15118/tbd_controller.hpp

@@ -20,7 +20,7 @@
 namespace iso15118 {
 
 struct TbdConfig {
-    config::SSLConfig ssl{config::CertificateBackend::EVEREST_LAYOUT, {}, {}, {}, {}};
+    config::SSLConfig ssl{config::CertificateBackend::EVEREST_LAYOUT, {}, {}, {}, {}, {}, {}};
     std::string interface_name;
     config::TlsNegotiationStrategy tls_negotiation_strategy{config::TlsNegotiationStrategy::ACCEPT_CLIENT_OFFER};
     bool enable_sdp_server{true};