Add extracted tools: CitrineOS, OpenOCPP, ShapeShifter

- CitrineOS core extracted (CSMS OCPP 2.0.1)
- OpenOCPP extracted (firmware OCPP 1.6J/2.0.1)
- ShapeShifter library installed (pip install -e)
- ShapeShifter specification extracted
- EVerest extracted

TODO updated with progress

tools/EVerest-main/lib/everest/evse_security/tests/CMakeLists.txt

@@ -0,0 +1,90 @@
+set(TEST_TARGET_NAME ${PROJECT_NAME}_evse_security_tests)
+add_executable(${TEST_TARGET_NAME})
+
+target_sources(${TEST_TARGET_NAME} PRIVATE
+    tests.cpp
+    openssl_supplier_test.cpp
+)
+
+find_package(OpenSSL REQUIRED)
+
+target_link_libraries(${TEST_TARGET_NAME} PRIVATE
+    evse_security
+    GTest::gtest_main
+)
+
+if(USING_TPM2)
+    target_sources(${TEST_TARGET_NAME} PRIVATE
+        openssl_supplier_test_tpm.cpp
+    )
+    target_compile_definitions(${TEST_TARGET_NAME} PRIVATE
+        USING_TPM2
+        PROPQUERY_DEFAULT="${PROPQUERY_DEFAULT}"
+        PROPQUERY_TPM2="${PROPQUERY_TPM2}"
+    )
+endif()
+
+if(LIBEVSE_CRYPTO_SUPPLIER_OPENSSL)
+    add_compile_definitions(LIBEVSE_CRYPTO_SUPPLIER_OPENSSL)
+endif()
+
+add_compile_definitions(BUILD_TESTING_EVSE_SECURITY)
+add_compile_definitions(DEBUG_MODE_EVSE_SECURITY)
+
+set(LIBEVSE_SECURITY_TEST_DIR "${CMAKE_BINARY_DIR}")
+if (EVEREST_CORE_BUILD_TESTING)
+    set(LIBEVSE_SECURITY_TEST_DIR "${CMAKE_BINARY_DIR}/lib/everest/evse_security")
+endif()
+
+add_test(
+    NAME ${TEST_TARGET_NAME}
+    COMMAND ${TEST_TARGET_NAME}
+    WORKING_DIRECTORY "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs.sh"
+    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs_root_multi.sh"
+    "${CMAKE_CURRENT_SOURCE_DIR}/generate_test_certs_leaf_multi.sh"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/configs"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+    FILES_MATCHING PATTERN "*.cnf"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/future_leaf"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+    FILES_MATCHING PATTERN "*"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/csms_certs"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+    FILES_MATCHING PATTERN "*"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/expired_leaf"
+        DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+        FILES_MATCHING PATTERN "*"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/expired_runtime"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+    FILES_MATCHING PATTERN "*"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/create-pki.sh"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+)
+
+file(COPY
+    "${CMAKE_CURRENT_SOURCE_DIR}/openssl-pki.conf"
+    DESTINATION "${LIBEVSE_SECURITY_TEST_DIR}/tests"
+)

tools/EVerest-main/lib/everest/evse_security/tests/configs/MOLeafCert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= MOCertLeaf
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= MO
+
+[ext]
+basicConstraints		= critical,CA:false
+keyUsage				= critical,digitalSignature,keyAgreement
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/MOLeafCert_V2G.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= MOCertLeaf_V2G
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= MO
+
+[ext]
+basicConstraints		= critical,CA:false
+keyUsage				= critical,digitalSignature,keyAgreement
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/MORootCACert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= MORootCA
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= MO
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/MOSubCA1Cert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= MOSubCA1
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= MO
+
+[ext]
+basicConstraints		= critical,CA:true,pathlen:1
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/MOSubCA2Cert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= MOSubCA2
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= MO
+
+[ext]
+basicConstraints		= critical,CA:true,pathlen:0
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/cpoSubCA1Cert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= CPOSubCA1
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true,pathlen:1
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/cpoSubCA2Cert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= CPOSubCA2
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true,pathlen:0
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Intermediate-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/install_test.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= InstallTestCA
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/install_test_subca1.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= InstallTestSubCA1
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/install_test_subca2.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= InstallTestSubCA2
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/seccLeafCert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= SECCCert
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= CPO
+
+[ext]
+basicConstraints		= critical,CA:false
+keyUsage				= critical,digitalSignature,keyAgreement
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Leaf-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/seccLeafCert_Alternate.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= SECCGridSyncCert
+organizationName		= GridSync
+countryName				= DE
+domainComponent			= CPO
+
+[ext]
+basicConstraints		= critical,CA:false
+keyUsage				= critical,digitalSignature,keyAgreement
+subjectKeyIdentifier	= hash
+authorityInfoAccess = OCSP;URI:https://www.example.com/, caIssuers;URI:https://www.example.com/Leaf-CA.cer

tools/EVerest-main/lib/everest/evse_security/tests/configs/v2gRootCACert.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= V2GRootCA
+organizationName		= EVerest
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/configs/v2gRootCACert_Alternate.cnf

@@ -0,0 +1,15 @@
+[req]
+prompt 					= no
+distinguished_name		= ca_dn
+
+[ca_dn]
+commonName				= V2GRootGridSyncCA
+organizationName		= GridSync
+countryName				= DE
+domainComponent			= V2G
+
+[ext]
+basicConstraints		= critical,CA:true
+keyUsage				= critical,keyCertSign,cRLSign
+subjectKeyIdentifier	= hash
+

tools/EVerest-main/lib/everest/evse_security/tests/create-pki.sh

@@ -0,0 +1,67 @@
+#!/bin/sh
+
+base=.
+cfg=./openssl-pki.conf
+tpm=$1
+
+if [ -z "$tpm" ]; then
+    dir=pki
+else
+    dir=tpm_pki
+fi
+
+[ ! -f "$cfg" ] && echo "missing openssl-pki.conf" && exit 1
+
+generate() {
+    local base=$1
+    local dir=$2
+    mkdir -p ${base}/${dir}
+
+    local root_priv=${base}/${dir}/root_priv.pem
+    local ca_priv=${base}/${dir}/ca_priv.pem
+    local server_priv=${base}/${dir}/server_priv.pem
+
+    local root_cert=${base}/${dir}/root_cert.pem
+    local ca_cert=${base}/${dir}/ca_cert.pem
+    local server_cert=${base}/${dir}/server_cert.pem
+    local cert_path=${base}/${dir}/cert_path.pem
+
+    local tpmA tpmB
+    local propA propB
+    if [ -n "$3" ]; then
+        tpmA="-provider"
+        tpmB="tpm2"
+        propA="-propquery"
+        propB="?provider=tpm2"
+    fi
+
+    # generate keys
+    for i in ${root_priv} ${ca_priv} ${server_priv}
+    do
+        openssl genpkey -config ${cfg} ${tpmA} ${tpmB} ${propA} ${propB} -algorithm RSA -pkeyopt bits:2048 -out $i
+    done
+
+    export OPENSSL_CONF=${cfg}
+    # generate root cert
+    echo "Generate root"
+    openssl req ${tpmA} ${tpmB} -provider default ${propA} ${propB} \
+        -config ${cfg} -x509 -section req_root -extensions v3_root \
+        -key ${root_priv} -out ${root_cert}
+    # generate ca cert
+    echo "Generate ca"
+    openssl req ${tpmA} ${tpmB} -provider default ${propA} ${propB} \
+        -config ${cfg} -x509 -section req_ca -extensions v3_ca \
+        -key ${ca_priv} -CA ${root_cert} \
+        -CAkey ${root_priv} -out ${ca_cert}
+    # generate server cert
+    echo "Generate server"
+    openssl req ${tpmA} ${tpmB} -provider default ${propA} ${propB} \
+        -config ${cfg} -x509 -section req_server -extensions v3_server \
+        -key ${server_priv} -CA ${ca_cert} \
+        -CAkey ${ca_priv} -out ${server_cert}
+
+    # create bundle
+    cat ${server_cert} ${ca_cert} > ${cert_path}
+}
+
+generate $base $dir $tpm

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/ca/V2G_ROOT_CA_PX.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIJ9RbIOPOVCNRhrcq6Fw/3qWw6J00lF/yT7FdrSXCuhzoAoGCCqGSM49
+AwEHoUQDQgAEQplOIWUtl6KOnRhM9OQRu7TawKd0SAExZwztsJChemlIXEJ9D5dc
+K0/+rKjpTgHoDg9LdluA+tv9nmeeyiX8pQ==
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/ca/V2G_ROOT_CA_PX.pem

@@ -0,0 +1,11 @@
+-----BEGIN CERTIFICATE-----
+MIIBkDCCATWgAwIBAgIUUhx2j1hK10LEIz7YWfqxrImxoRkwCgYIKoZIzj0EAwIw
+HDEaMBgGA1UEAwwRVjJHUm9vdENBX1BYX0NTTVMwIBcNMjUwNjEyMTI1OTIzWhgP
+MjA1MjEwMjgxMjU5MjNaMBwxGjAYBgNVBAMMEVYyR1Jvb3RDQV9QWF9DU01TMFkw
+EwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEQplOIWUtl6KOnRhM9OQRu7TawKd0SAEx
+ZwztsJChemlIXEJ9D5dcK0/+rKjpTgHoDg9LdluA+tv9nmeeyiX8paNTMFEwHQYD
+VR0OBBYEFNuKFuy+RkEgJd1HDGiEHLMb4AkkMB8GA1UdIwQYMBaAFNuKFuy+RkEg
+Jd1HDGiEHLMb4AkkMA8GA1UdEwEB/wQFMAMBAf8wCgYIKoZIzj0EAwIDSQAwRgIh
+AKAp7QkWQAGVld3ZNN6g9uJrk0w0QweSMNQrr7T4+qarAiEAt33b6cX+o8JrVkOu
+uglyjLACI4LdKyETkSotKAF/Pqw=
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/CPO_CERT_SECC_LEAF_CHAIN_A.pem

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIICJTCCAcqgAwIBAgIUKg1NxeDzrOBL1u7mC0CNQ9+qDNgwCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUQ1BPIFN1YiBOZXh0IENBIDIgVjEwHhcNMjUwNjEyMTMzNDAx
+WhcNNDQwODExMTMzNDAxWjAYMRYwFAYDVQQDDA1ERVBpb25peExlYWZBMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEEvKLd+Kd3aPOhE7LFHRQYTYQdR63u5UdtUcm
+E443vsTPPIRpF+8664YxEBtcVyPjLDtcX8JfpzTySJpxudvmjKOB6jCB5zAfBgNV
+HSMEGDAWgBR2E1GkzArGFjN/mYT0p+hlnPNY9zAPBgNVHRMECDAGAQH/AgEBMA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZQYI
+KwYBBQUHAQEEWTBXMCQGCCsGAQUFBzABhhhodHRwczovL3d3dy5leGFtcGxlLmNv
+bS8wLwYIKwYBBQUHMAKGI2h0dHBzOi8vd3d3LmV4YW1wbGUuY29tL0xlYWYtQ0Eu
+Y2VyMB0GA1UdDgQWBBS69kEneMseD8T1X3U5sBt2wx/eIjAKBggqhkjOPQQDAgNJ
+ADBGAiEAqQD6cffwNrvS0RvY/LkL5aTzPp6iJGDQ3by3qqzd/m8CIQCvKsGoyB8U
+MpVqnqoOu+kCNhf07XcEYSawtL5VYCkwRA==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICJTCCAcugAwIBAgIUJWEONn4Mv4A9h06SwukrdjXTFL0wCgYIKoZIzj0EAwIw
+GTEXMBUGA1UEAwwOQ1BPIFN1YiAyIENBIDEwHhcNMjUwNjEyMTMzMTA4WhcNNDQw
+ODExMTMzMTA4WjAfMR0wGwYDVQQDDBRDUE8gU3ViIE5leHQgQ0EgMiBWMTBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABLbrtvRnzyKourVxRIuVXj8NbTf3AWZuK7Q4
+qhWb1M0cTSnW8FM2SdExffFdoiEHH1J5LvJ+VCesoq1b9FjEBcejgeowgecwHwYD
+VR0jBBgwFoAUixCrftMh4UK67fiP0R8DnAb1020wDwYDVR0TBAgwBgEB/wIBATAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGUG
+CCsGAQUFBwEBBFkwVzAkBggrBgEFBQcwAYYYaHR0cHM6Ly93d3cuZXhhbXBsZS5j
+b20vMC8GCCsGAQUFBzAChiNodHRwczovL3d3dy5leGFtcGxlLmNvbS9MZWFmLUNB
+LmNlcjAdBgNVHQ4EFgQUdhNRpMwKxhYzf5mE9KfoZZzzWPcwCgYIKoZIzj0EAwID
+SAAwRQIgKJ3mzMjDScrH8V6lWA00gLXl2QTtIO4ahksUBCQp0TICIQCDWIN16mdI
+qs6JAH1uuXay9UVWZovEmzzR1wdeMtu/7A==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICITCCAcigAwIBAgIUJlspPfMG7ECCjCO0ma/8vbVKuL8wCgYIKoZIzj0EAwIw
+HDEaMBgGA1UEAwwRVjJHUm9vdENBX1BYX0NTTVMwHhcNMjUwNjEyMTMyMDMyWhcN
+NDQwODExMTMyMDMyWjAZMRcwFQYDVQQDDA5DUE8gU3ViIDIgQ0EgMTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABFDiKpE0Z1AUKYewLLtFHwtEwy7xDsVptoSkSMzi
+xYTngcu8DHjOt0rQIvw951SOM7vdrOnrkzICXs60LMTn6L6jgeowgecwHwYDVR0j
+BBgwFoAU24oW7L5GQSAl3UcMaIQcsxvgCSQwDwYDVR0TBAgwBgEB/wIBATAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGUGCCsG
+AQUFBwEBBFkwVzAkBggrBgEFBQcwAYYYaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20v
+MC8GCCsGAQUFBzAChiNodHRwczovL3d3dy5leGFtcGxlLmNvbS9MZWFmLUNBLmNl
+cjAdBgNVHQ4EFgQUixCrftMh4UK67fiP0R8DnAb1020wCgYIKoZIzj0EAwIDRwAw
+RAIgS2BRfHq2gTeqZWgnp1Onc65klD3SbOoOk+cb1hI6mYICIFGNkSkGN3D/gH95
+p0vw0eFHBFE+mHP1ubcMvVYDu8AR
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/CPO_CERT_SECC_LEAF_CHAIN_B.pem

@@ -0,0 +1,42 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAcqgAwIBAgIUTtaY1jxyTGphoMzE/4Czgxkt/XowCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUQ1BPIFN1YiBOZXh0IENBIDIgVjIwHhcNMjUwNjEyMTMzNDEz
+WhcNNDQwODExMTMzNDEzWjAYMRYwFAYDVQQDDA1ERVBpb25peExlYWZCMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEieno+61njtJx4QY7j6M8eAelAR5AwFLrnP2h
+G5dGX7EYWsouYp7R6SKuuGxtTIR7w5VU+mnHiSd+wItjJA6sXaOB6jCB5zAfBgNV
+HSMEGDAWgBS3pelS2jYhYHpxd4AS3pXF049VYzAPBgNVHRMECDAGAQH/AgEBMA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZQYI
+KwYBBQUHAQEEWTBXMCQGCCsGAQUFBzABhhhodHRwczovL3d3dy5leGFtcGxlLmNv
+bS8wLwYIKwYBBQUHMAKGI2h0dHBzOi8vd3d3LmV4YW1wbGUuY29tL0xlYWYtQ0Eu
+Y2VyMB0GA1UdDgQWBBSUSqYHsin+1h5Acqw18D7rrhQkITAKBggqhkjOPQQDAgNI
+ADBFAiAGRhek1Z2JUU/vuQa9VHFeJ9leP3DVDfIjQkYibIyP/wIhAO/BUNBWwIY0
+wj1mIDddUxh4MlEMIjT3vsRRk5OrqBKz
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICJTCCAcugAwIBAgIUKQ+ojAkrsU7LBTYLb7uZ5zjHT5cwCgYIKoZIzj0EAwIw
+GTEXMBUGA1UEAwwOQ1BPIFN1YiAyIENBIDEwHhcNMjUwNjEyMTMzMTI2WhcNNDQw
+ODExMTMzMTI2WjAfMR0wGwYDVQQDDBRDUE8gU3ViIE5leHQgQ0EgMiBWMjBZMBMG
+ByqGSM49AgEGCCqGSM49AwEHA0IABKu/v1xCrE6QZf+VGTjfi7aH8gsMs0T3RDVk
+ZEIQk/cL6EsTE8irqg8Jw2wzPPMBSi7gRJPqbnbFtaT1Lx571NejgeowgecwHwYD
+VR0jBBgwFoAUFqJIf6+UCGHOPxco7gu0ABOZmiQwDwYDVR0TBAgwBgEB/wIBATAO
+BgNVHQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGUG
+CCsGAQUFBwEBBFkwVzAkBggrBgEFBQcwAYYYaHR0cHM6Ly93d3cuZXhhbXBsZS5j
+b20vMC8GCCsGAQUFBzAChiNodHRwczovL3d3dy5leGFtcGxlLmNvbS9MZWFmLUNB
+LmNlcjAdBgNVHQ4EFgQUt6XpUto2IWB6cXeAEt6VxdOPVWMwCgYIKoZIzj0EAwID
+SAAwRQIhAMlqhQthKokgDSHaFw+bG1JTcxggSl8/pMoxVmMlmQZbAiBWMe+14M9L
+OIvJlR8ru9umEcCihOY5ijueKT47vpIQfw==
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIICIjCCAcigAwIBAgIUJlspPfMG7ECCjCO0ma/8vbVKuMAwCgYIKoZIzj0EAwIw
+HDEaMBgGA1UEAwwRVjJHUm9vdENBX1BYX0NTTVMwHhcNMjUwNjEyMTMyMDUyWhcN
+NDQwODExMTMyMDUyWjAZMRcwFQYDVQQDDA5DUE8gU3ViIDIgQ0EgMTBZMBMGByqG
+SM49AgEGCCqGSM49AwEHA0IABPOaA6ir8KL2FHGhjMVzNnc6RzkefDX2a59GqDM4
+HSJmWTbFhNdaNUgLeszINiFo4JdDiHX4Yi84sDfUci0O9p+jgeowgecwHwYDVR0j
+BBgwFoAU24oW7L5GQSAl3UcMaIQcsxvgCSQwDwYDVR0TBAgwBgEB/wIBATAOBgNV
+HQ8BAf8EBAMCAQYwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGUGCCsG
+AQUFBwEBBFkwVzAkBggrBgEFBQcwAYYYaHR0cHM6Ly93d3cuZXhhbXBsZS5jb20v
+MC8GCCsGAQUFBzAChiNodHRwczovL3d3dy5leGFtcGxlLmNvbS9MZWFmLUNBLmNl
+cjAdBgNVHQ4EFgQUFqJIf6+UCGHOPxco7gu0ABOZmiQwCgYIKoZIzj0EAwIDSAAw
+RQIgZZkmdAu7vY6hgfFFVkPwnF/7uKr7sBd18R7ZfucVrDYCIQCN8ieOUwHZbisC
+Q5F0bmA+Atvba6GW+Gu9K5sfACdEMQ==
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/SECC_LEAF_A.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIB71Owd1hTS6T9kNtK2pgbfL/bCuEpM+3aHMquGhJJejoAoGCCqGSM49
+AwEHoUQDQgAEEvKLd+Kd3aPOhE7LFHRQYTYQdR63u5UdtUcmE443vsTPPIRpF+86
+64YxEBtcVyPjLDtcX8JfpzTySJpxudvmjA==
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/SECC_LEAF_A.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJTCCAcqgAwIBAgIUKg1NxeDzrOBL1u7mC0CNQ9+qDNgwCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUQ1BPIFN1YiBOZXh0IENBIDIgVjEwHhcNMjUwNjEyMTMzNDAx
+WhcNNDQwODExMTMzNDAxWjAYMRYwFAYDVQQDDA1ERVBpb25peExlYWZBMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEEvKLd+Kd3aPOhE7LFHRQYTYQdR63u5UdtUcm
+E443vsTPPIRpF+8664YxEBtcVyPjLDtcX8JfpzTySJpxudvmjKOB6jCB5zAfBgNV
+HSMEGDAWgBR2E1GkzArGFjN/mYT0p+hlnPNY9zAPBgNVHRMECDAGAQH/AgEBMA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZQYI
+KwYBBQUHAQEEWTBXMCQGCCsGAQUFBzABhhhodHRwczovL3d3dy5leGFtcGxlLmNv
+bS8wLwYIKwYBBQUHMAKGI2h0dHBzOi8vd3d3LmV4YW1wbGUuY29tL0xlYWYtQ0Eu
+Y2VyMB0GA1UdDgQWBBS69kEneMseD8T1X3U5sBt2wx/eIjAKBggqhkjOPQQDAgNJ
+ADBGAiEAqQD6cffwNrvS0RvY/LkL5aTzPp6iJGDQ3by3qqzd/m8CIQCvKsGoyB8U
+MpVqnqoOu+kCNhf07XcEYSawtL5VYCkwRA==
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/SECC_LEAF_B.key

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIH13t8Z/SV8kObot1c15YsTp/OZgbAw8r6Ns9DzHl2WAoAoGCCqGSM49
+AwEHoUQDQgAEieno+61njtJx4QY7j6M8eAelAR5AwFLrnP2hG5dGX7EYWsouYp7R
+6SKuuGxtTIR7w5VU+mnHiSd+wItjJA6sXQ==
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/SECC_LEAF_B.pem

@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICJDCCAcqgAwIBAgIUTtaY1jxyTGphoMzE/4Czgxkt/XowCgYIKoZIzj0EAwIw
+HzEdMBsGA1UEAwwUQ1BPIFN1YiBOZXh0IENBIDIgVjIwHhcNMjUwNjEyMTMzNDEz
+WhcNNDQwODExMTMzNDEzWjAYMRYwFAYDVQQDDA1ERVBpb25peExlYWZCMFkwEwYH
+KoZIzj0CAQYIKoZIzj0DAQcDQgAEieno+61njtJx4QY7j6M8eAelAR5AwFLrnP2h
+G5dGX7EYWsouYp7R6SKuuGxtTIR7w5VU+mnHiSd+wItjJA6sXaOB6jCB5zAfBgNV
+HSMEGDAWgBS3pelS2jYhYHpxd4AS3pXF049VYzAPBgNVHRMECDAGAQH/AgEBMA4G
+A1UdDwEB/wQEAwIBBjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwZQYI
+KwYBBQUHAQEEWTBXMCQGCCsGAQUFBzABhhhodHRwczovL3d3dy5leGFtcGxlLmNv
+bS8wLwYIKwYBBQUHMAKGI2h0dHBzOi8vd3d3LmV4YW1wbGUuY29tL0xlYWYtQ0Eu
+Y2VyMB0GA1UdDgQWBBSUSqYHsin+1h5Acqw18D7rrhQkITAKBggqhkjOPQQDAgNI
+ADBFAiAGRhek1Z2JUU/vuQa9VHFeJ9leP3DVDfIjQkYibIyP/wIhAO/BUNBWwIY0
+wj1mIDddUxh4MlEMIjT3vsRRk5OrqBKz
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/ocsp/SECC_LEAF_ocsp.der

@@ -0,0 +1 @@
+OCSP_CUSTOM_DATA

tools/EVerest-main/lib/everest/evse_security/tests/csms_certs/client/ocsp/SECC_LEAF_ocsp.hash

@@ -0,0 +1,4 @@
+SHA256
+82addb4b47026c702b9ed9d482c6e3570bbae9c49b963ec18b0a3523dfb47fe3
+e9d2a6d245233edbf5a8319b99087313e16307ca29b388373d951b50e93090aa
+4ed698d63c724c6a61a0ccc4ff80b383192dfd7a

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/SECC_LEAF_EXPIRED.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBAjCBqQIBADBHMREwDwYDVQQDDAhTRUNDQ2VydDEQMA4GA1UECgwHRVZlcmVz
+dDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/IsZAEZFgNDUE8wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAARlxNKadJ0NCSFMfvNd5Y+vExLPqq4q9WsweCR7hnENyAa3
+VJ6JFkgtm93GIS2ebML/QR3VFWWxCO3+bAK6MswUoAAwCgYIKoZIzj0EAwIDSAAw
+RQIhAOWltS/gdYqIYndktWPtUdLypfTu59kMNkBOYCgkxq8GAiBW1EG1OeZ56iAB
+vnu/GEDA0hBBVTV/4SmJB4dKu6gfEQ==
+-----END CERTIFICATE REQUEST-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/SECC_LEAF_EXPIRED.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,AB729A472F0970C8348076555BB2FAB2
+
+A56CcGtbBVUM5NZaG3pxRQBzPX7U6tuk/uraLP8q5ElHGslg1bBKwDNtQqFs1b0H
+G3Qw2DhlIx1LOIXnNalMlEvWwyMpRqjOPsyxjwwjPcUCp9Bxd6w3KYWuVcXN3SuD
+TARrzp8XoapdNbk2Eb8JPduYOcs+U5j9KySZfcWfS2E=
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/SECC_LEAF_EXPIRED.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAYagAwIBAgIDB6EgMAoGCCqGSM49BAMCMEgxEjAQBgNVBAMMCVYyR1Jv
+b3RDQTEQMA4GA1UECgwHRVZlcmVzdDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/Is
+ZAEZFgNWMkcwHhcNNzMxMTIzMTI0NTEzWhcNNzQxMTIzMTI0NTEzWjBHMREwDwYD
+VQQDDAhTRUNDQ2VydDEQMA4GA1UECgwHRVZlcmVzdDELMAkGA1UEBhMCREUxEzAR
+BgoJkiaJk/IsZAEZFgNDUE8wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARlxNKa
+dJ0NCSFMfvNd5Y+vExLPqq4q9WsweCR7hnENyAa3VJ6JFkgtm93GIS2ebML/QR3V
+FWWxCO3+bAK6MswUo2AwXjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIDiDAd
+BgNVHQ4EFgQUWiYTE981mb99VHFcgv965AhG5oQwHwYDVR0jBBgwFoAULM49T3Zw
+XHmTfuClGd3yntJ9wk8wCgYIKoZIzj0EAwIDSAAwRQIgOK0xDHqrklhQJj/llIgq
+Jxpa5iY9Jpg8hu4LS7g/UWICIQC/acsLgooZ1Z0DAhLepxUTmHwoAJlY3XIVwwu8
+QuyA9g==
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/V2G_ROOT_CA.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBBDCBqgIBADBIMRIwEAYDVQQDDAlWMkdSb290Q0ExEDAOBgNVBAoMB0VWZXJl
+c3QxCzAJBgNVBAYTAkRFMRMwEQYKCZImiZPyLGQBGRYDVjJHMFkwEwYHKoZIzj0C
+AQYIKoZIzj0DAQcDQgAEbdDhKFQmacJwZV1K0PuqHNumOKZTsxRNOyxaRO76+NR/
+GmwSSeBDiGWZD0KcHA6kQd7GSFQWMQ0m1tX5t87CAaAAMAoGCCqGSM49BAMCA0kA
+MEYCIQD8wRH3zKKgdCp1169qG72kXflAIE2AupUEDXtQjU9gzwIhALed/4jhovZd
+GDX7NIXupLXmXZQf14nv2RxZMKMuxW/X
+-----END CERTIFICATE REQUEST-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/V2G_ROOT_CA.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,C58A94AC0F142EF36F4139972BA6B894
+
+Wdlblg4YwT65cj2gdbfMfCXzAH/v6VhIPnFa7VQXlBL4Swj+cTxRrsRe+S6EDe2m
+eyAR8nuvEpoEhhk4o5u6ihEjSAqdjQWzrq3EGRN+1Ms4aG+opzrZyZPv0qYqV1xj
+yKibyypuPjEu/RW5cGINnQIyn9kjV4g1Nb3pggUmtQQ=
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_leaf/V2G_ROOT_CA.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxTCCAWugAwIBAgIDAJxAMAoGCCqGSM49BAMCMEgxEjAQBgNVBAMMCVYyR1Jv
+b3RDQTEQMA4GA1UECgwHRVZlcmVzdDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/Is
+ZAEZFgNWMkcwIBcNNzMxMTIzMTI0NTA5WhgPMjk3MzAzMjUxMjQ1MDlaMEgxEjAQ
+BgNVBAMMCVYyR1Jvb3RDQTEQMA4GA1UECgwHRVZlcmVzdDELMAkGA1UEBhMCREUx
+EzARBgoJkiaJk/IsZAEZFgNWMkcwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARt
+0OEoVCZpwnBlXUrQ+6oc26Y4plOzFE07LFpE7vr41H8abBJJ4EOIZZkPQpwcDqRB
+3sZIVBYxDSbW1fm3zsIBo0IwQDAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQE
+AwIBBjAdBgNVHQ4EFgQULM49T3ZwXHmTfuClGd3yntJ9wk8wCgYIKoZIzj0EAwID
+SAAwRQIgTO/bOWw/x7tDV1jxjvfjVqaN/QtXC7spOMHcSBUE7n4CIQDa0kOL2Vis
+2DO2PXWaZvEKmpY1P1Kjojb+k+ge1BnXyw==
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/expired_runtime/conf.cnf

@@ -0,0 +1,30 @@
+[ ca ]
+default_ca      = CA_default            # The default ca section
+ 
+[ CA_default ]
+
+dir            = .              	# top dir
+database       = expired_bulk/index.txt        # index file.
+new_certs_dir  = $dir/expired_bulk         # new certs dir
+ 
+certificate    = $dir/cert.pem       	# The CA cert
+serial         = $dir/expired_bulk/serial           	# serial no file
+private_key    = $dir/cert.key		# CA private key
+RANDFILE       = $dir/private/.rand    	# random number file
+ 
+default_days   = 365                   # how long to certify for
+default_md     = md5                   # md to use
+
+policy         = policy_any            # default policy
+email_in_dn    = no                    # Don't add the email into cert DN
+
+name_opt       = ca_default            # Subject name display option
+cert_opt       = ca_default            # Certificate display option
+copy_extensions = none                 # Don't copy extensions from request
+
+[ policy_any ]
+countryName            = supplied
+stateOrProvinceName    = optional
+organizationName       = optional
+organizationalUnitName = optional
+commonName             = supplied

tools/EVerest-main/lib/everest/evse_security/tests/future_leaf/SECC_LEAF_FUTURE.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIBAjCBqQIBADBHMREwDwYDVQQDDAhTRUNDQ2VydDEQMA4GA1UECgwHRVZlcmVz
+dDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/IsZAEZFgNDUE8wWTATBgcqhkjOPQIB
+BggqhkjOPQMBBwNCAASyun0cfxUIIGFWEc8MkdVVvQlfzPPDqjO6tbSogEvT79Vd
++vKkAFHM/sjZwwVteOIswBLC03QN5GuwSOnoPtI9oAAwCgYIKoZIzj0EAwIDSAAw
+RQIhAKp82SmThGq04FGShXtzydwmCm7W7l9yBqjLL/0+Si9aAiBFqreBoS7lvniy
+R7tRgnrqIek8Yd/bSRodZSG/HQyUtQ==
+-----END CERTIFICATE REQUEST-----

tools/EVerest-main/lib/everest/evse_security/tests/future_leaf/SECC_LEAF_FUTURE.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,9B7B1D26EAB889668AD829E722BB9CD1
+
+goWq5y9cvQZvW6j6Ne+ACUd1+VbSUZj4EbcZBTf9h2mkiLN/NtCf/FSLmTpyco6Q
+Lfrnaz0HbJV+8NNHotyOEqiGYJkm+rQr1tGw6zv6rRDCQOwtWLhwV8bbo3ZElk+X
+Fy7/uuVuKFDfBvvHuQJFyQBinLRBhDdWU64a0rB68WE=
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/future_leaf/SECC_LEAF_FUTURE.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5TCCAYqgAwIBAgIDAMNQMAoGCCqGSM49BAMCMEgxEjAQBgNVBAMMCVYyR1Jv
+b3RDQTEQMA4GA1UECgwHRVZlcmVzdDELMAkGA1UEBhMCREUxEzARBgoJkiaJk/Is
+ZAEZFgNWMkcwIhgPMjEyMzExMjMxMjMzMTZaGA8yMTI0MTEyMjEyMzMxNlowRzER
+MA8GA1UEAwwIU0VDQ0NlcnQxEDAOBgNVBAoMB0VWZXJlc3QxCzAJBgNVBAYTAkRF
+MRMwEQYKCZImiZPyLGQBGRYDQ1BPMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE
+srp9HH8VCCBhVhHPDJHVVb0JX8zzw6ozurW0qIBL0+/VXfrypABRzP7I2cMFbXji
+LMASwtN0DeRrsEjp6D7SPaNgMF4wDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMC
+A4gwHQYDVR0OBBYEFKVZrBNwlKDQUS+yPKXI+zg2k6WLMB8GA1UdIwQYMBaAFP32
+NXYHCHWxVUbsKZeyLcP9twwFMAoGCCqGSM49BAMCA0kAMEYCIQDDTiywDU34zIKE
+MVShaXA53sF9/9wtDtWoKgDuG2WA6AIhAN+ab34CVF5++P3zDaHZ4uYHj/5S+vCN
+p78XvoeGnSG3
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/future_leaf/V2G_ROOT_CA.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,7AB01F370701C906A96B511640DC7E1F
+
+zq9LdsWtB/QquUTP+aEBzrkdkmXEuMRTD4Wq62g1Ic+9rCbOTqn46CGjj40k3i0W
+VjaRddZ/jgNgAO3PpdLIpI5Lu4wTqFRPNebm0mzAOt+HeAeUvipA3OIaeAy1CAJ4
+d6wA2JPMyAIfeZbG/pwzrzqxdlqEzJy2ZNfMJ0nqtcA=
+-----END EC PRIVATE KEY-----

tools/EVerest-main/lib/everest/evse_security/tests/future_leaf/V2G_ROOT_CA.pem

@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBxDCCAWqgAwIBAgICMDkwCgYIKoZIzj0EAwIwSDESMBAGA1UEAwwJVjJHUm9v
+dENBMRAwDgYDVQQKDAdFVmVyZXN0MQswCQYDVQQGEwJERTETMBEGCgmSJomT8ixk
+ARkWA1YyRzAgFw0yMzExMjMxMjAzMDNaGA8zMDIzMDMyNjEyMDMwM1owSDESMBAG
+A1UEAwwJVjJHUm9vdENBMRAwDgYDVQQKDAdFVmVyZXN0MQswCQYDVQQGEwJERTET
+MBEGCgmSJomT8ixkARkWA1YyRzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABHRc
+wtH/nAaONX07z9F/zvKkrFlsabTXPFybrADcI+EdigFs970aakxWabIyfDeTccxO
+u9HxvpvqBml/FXtG2OmjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD
+AgEGMB0GA1UdDgQWBBT99jV2Bwh1sVVG7CmXsi3D/bcMBTAKBggqhkjOPQQDAgNI
+ADBFAiEArTdHTcGWNyYKa/aS0h8PNOaSgk5XYvXQjsZVri+KC8oCIGdSld8XrgBm
+xdMwvu0rqdMjqNnQJ2kTDEWCPRz9fbPN
+-----END CERTIFICATE-----

tools/EVerest-main/lib/everest/evse_security/tests/generate_test_certs.sh

@@ -0,0 +1,110 @@
+#!/bin/bash
+
+CERT_PATH="./certs"
+CSR_PATH="./csr"
+
+EC_CURVE=prime256v1
+SYMMETRIC_CIPHER=-aes-128-cbc
+password="123456"
+
+CA_CSMS_PATH="$CERT_PATH/ca/csms"
+CA_CSO_PATH="$CERT_PATH/ca/cso"
+CA_V2G_PATH="$CERT_PATH/ca/v2g"
+CA_MO_PATH="$CERT_PATH/ca/mo"
+CA_INVALID_PATH="$CERT_PATH/ca/invalid"
+
+CLIENT_CSMS_PATH="$CERT_PATH/client/csms"
+CLIENT_CSO_PATH="$CERT_PATH/client/cso"
+CLIENT_V2G_PATH="$CERT_PATH/client/v2g"
+CLIENT_MO_PATH="$CERT_PATH/client/mo"
+CLIENT_INVALID_PATH="$CERT_PATH/client/invalid"
+VALIDITY=3650
+
+TO_BE_INSTALLED_PATH="$CERT_PATH/to_be_installed"
+
+mkdir -p "$CERT_PATH"
+mkdir -p "$CSR_PATH"
+mkdir -p "$CA_CSMS_PATH"
+mkdir -p "$CA_CSO_PATH"
+mkdir -p "$CA_V2G_PATH"
+mkdir -p "$CA_MO_PATH"
+mkdir -p "$CLIENT_CSMS_PATH"
+mkdir -p "$CLIENT_CSO_PATH"
+mkdir -p "$CLIENT_V2G_PATH"
+mkdir -p "$CLIENT_MO_PATH"
+mkdir -p "$CLIENT_INVALID_PATH"
+mkdir -p "$TO_BE_INSTALLED_PATH"
+
+function create_certificate() {
+  # Args:
+  # $1: name of the certificate (without the .pem extension)
+  # $2: directory to install the certificate and private key into
+  # $3: openssl config file for the certificate
+  # $4: serial number for the certificate
+  # $5: CA certificate file. If this is missing, we will create a self-signed certificate.
+  # $6: CA private key file. Likewise omit this to create a self-signed certificate.
+
+  local name="$1"
+  local install_dir="$2"
+  local config="$3"
+  local serial_num="$4"
+  local signed_by_cert="$5"
+  local signed_by_key="$6"
+
+  openssl ecparam -genkey -name "$EC_CURVE" | openssl ec "$SYMMETRIC_CIPHER" -passout pass:"$password" -out "${install_dir}/${name}.key"
+
+  if [ -z $signed_by_cert ]
+  then
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -signkey "${install_dir}/${name}.key" -passin pass:"$password" $SHA -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  else
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -CA "${signed_by_cert}" -CAkey "${signed_by_key}" -passin pass:"$password" -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  fi
+}
+
+# V2G root CA
+create_certificate V2G_ROOT_CA "${CA_V2G_PATH}" v2gRootCACert.cnf 12345
+# Second V2G root CA
+create_certificate V2G_ROOT_CA_NEW "${CA_V2G_PATH}" v2gRootCACert.cnf 12349
+# Sub-CA 1
+create_certificate CPO_SUB_CA1 "${CA_CSMS_PATH}" cpoSubCA1Cert.cnf 12346 "${CA_V2G_PATH}/V2G_ROOT_CA.pem" "${CA_V2G_PATH}/V2G_ROOT_CA.key"
+# Sub-CA 2
+create_certificate CPO_SUB_CA2 "${CA_CSMS_PATH}" cpoSubCA2Cert.cnf 12347 "${CA_CSMS_PATH}/CPO_SUB_CA1.pem" "${CA_CSMS_PATH}/CPO_SUB_CA1.key"
+# Chargepoint leaf
+create_certificate SECC_LEAF "${CLIENT_CSO_PATH}" seccLeafCert.cnf 12348 "${CA_CSMS_PATH}/CPO_SUB_CA2.pem" "${CA_CSMS_PATH}/CPO_SUB_CA2.key"
+# Invalid self-signed CSMS cert
+create_certificate INVALID_CSMS "${CLIENT_INVALID_PATH}" v2gRootCACert.cnf 12345
+
+# create cert chain bundles in the V2G root ca and chargepoint leaf dirs
+cat "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" "$CA_V2G_PATH/V2G_ROOT_CA.pem" > "$CA_V2G_PATH/V2G_CA_BUNDLE.pem"
+cat "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" > "$CLIENT_CSO_PATH/CPO_CERT_CHAIN.pem"
+
+cp "$CLIENT_CSO_PATH/SECC_LEAF.key" "$CLIENT_CSMS_PATH/CSMS_LEAF.key"
+
+# assume CSO and CSMS are same authority
+cp -r $CA_CSMS_PATH/* $CA_CSO_PATH
+cp "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CLIENT_CSMS_PATH/CSMS_LEAF.pem"
+
+# MO root CA
+create_certificate MO_ROOT_CA "${CA_MO_PATH}" MORootCACert.cnf 32345
+# MO Sub-CA 1
+create_certificate MO_SUB_CA1 "${CA_MO_PATH}" MOSubCA1Cert.cnf 32346 "${CA_MO_PATH}/MO_ROOT_CA.pem" "${CA_MO_PATH}/MO_ROOT_CA.key"
+# MO Sub-CA 2
+create_certificate MO_SUB_CA2 "${CA_MO_PATH}" MOSubCA2Cert.cnf 32347 "${CA_MO_PATH}/MO_SUB_CA1.pem" "${CA_MO_PATH}/MO_SUB_CA1.key"
+
+# create cert chain bundles in the MO root ca
+cat "$CA_MO_PATH/MO_SUB_CA2.pem" "$CA_MO_PATH/MO_SUB_CA1.pem" "$CA_MO_PATH/MO_ROOT_CA.pem" > "$CA_MO_PATH/MO_CA_BUNDLE.pem"
+
+# MO Leaf signed by MO Root
+create_certificate MO_LEAF "${CLIENT_MO_PATH}" MOLeafCert.cnf 32348 "${CA_MO_PATH}/MO_SUB_CA2.pem" "${CA_MO_PATH}/MO_SUB_CA2.key"
+
+# MO Leaf signed by V2G Root
+create_certificate MO_LEAF_V2G "${CLIENT_MO_PATH}" MOLeafCert_V2G.cnf 32349 "${CA_CSMS_PATH}/CPO_SUB_CA2.pem" "${CA_CSMS_PATH}/CPO_SUB_CA2.key"
+
+# Create certificates used for installation tests
+create_certificate INSTALL_TEST_ROOT_CA1 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21234
+create_certificate INSTALL_TEST_ROOT_CA2 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21235
+create_certificate INSTALL_TEST_ROOT_CA3 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21236
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA1 "${TO_BE_INSTALLED_PATH}" install_test_subca1.cnf 21237 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.key"
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA2 "${TO_BE_INSTALLED_PATH}" install_test_subca2.cnf 21238 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.key"

tools/EVerest-main/lib/everest/evse_security/tests/generate_test_certs_leaf_multi.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+CERT_PATH="./certs"
+CSR_PATH="./csr"
+
+EC_CURVE=prime256v1
+SYMMETRIC_CIPHER=-aes-128-cbc
+password="123456"
+
+CA_CSMS_PATH="$CERT_PATH/ca/csms"
+CA_CSO_PATH="$CERT_PATH/ca/cso"
+CA_V2G_PATH="$CERT_PATH/ca/v2g"
+CA_MO_PATH="$CERT_PATH/ca/mo"
+CA_INVALID_PATH="$CERT_PATH/ca/invalid"
+
+CLIENT_CSMS_PATH="$CERT_PATH/client/csms"
+CLIENT_CSO_PATH="$CERT_PATH/client/cso"
+CLIENT_V2G_PATH="$CERT_PATH/client/v2g"
+CLIENT_INVALID_PATH="$CERT_PATH/client/invalid"
+VALIDITY=3650
+
+TO_BE_INSTALLED_PATH="$CERT_PATH/to_be_installed"
+
+mkdir -p "$CERT_PATH"
+mkdir -p "$CSR_PATH"
+mkdir -p "$CA_CSMS_PATH"
+mkdir -p "$CA_CSO_PATH"
+mkdir -p "$CA_V2G_PATH"
+mkdir -p "$CA_MO_PATH"
+mkdir -p "$CLIENT_CSMS_PATH"
+mkdir -p "$CLIENT_CSO_PATH"
+mkdir -p "$CLIENT_V2G_PATH"
+mkdir -p "$CLIENT_INVALID_PATH"
+mkdir -p "$TO_BE_INSTALLED_PATH"
+
+function create_certificate() {
+  # Args:
+  # $1: name of the certificate (without the .pem extension)
+  # $2: directory to install the certificate and private key into
+  # $3: openssl config file for the certificate
+  # $4: serial number for the certificate
+  # $5: CA certificate file. If this is missing, we will create a self-signed certificate.
+  # $6: CA private key file. Likewise omit this to create a self-signed certificate.
+
+  local name="$1"
+  local install_dir="$2"
+  local config="$3"
+  local serial_num="$4"
+  local signed_by_cert="$5"
+  local signed_by_key="$6"
+
+  openssl ecparam -genkey -name "$EC_CURVE" | openssl ec "$SYMMETRIC_CIPHER" -passout pass:"$password" -out "${install_dir}/${name}.key"
+
+  if [ -z $signed_by_cert ]
+  then
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -signkey "${install_dir}/${name}.key" -passin pass:"$password" $SHA -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  else
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -CA "${signed_by_cert}" -CAkey "${signed_by_key}" -passin pass:"$password" -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  fi
+}
+
+# V2G root CA
+create_certificate V2G_ROOT_CA "${CA_V2G_PATH}" v2gRootCACert.cnf 12345
+# Second V2G root CA
+create_certificate V2G_ROOT_CA_NEW "${CA_V2G_PATH}" v2gRootCACert.cnf 12349
+# Sub-CA 1
+create_certificate CPO_SUB_CA1 "${CA_CSMS_PATH}" cpoSubCA1Cert.cnf 12346 "${CA_V2G_PATH}/V2G_ROOT_CA.pem" "${CA_V2G_PATH}/V2G_ROOT_CA.key"
+# Sub-CA 2
+create_certificate CPO_SUB_CA2 "${CA_CSMS_PATH}" cpoSubCA2Cert.cnf 12347 "${CA_CSMS_PATH}/CPO_SUB_CA1.pem" "${CA_CSMS_PATH}/CPO_SUB_CA1.key"
+# Chargepoint leaf
+create_certificate SECC_LEAF "${CLIENT_CSO_PATH}" seccLeafCert.cnf 12348 "${CA_CSMS_PATH}/CPO_SUB_CA2.pem" "${CA_CSMS_PATH}/CPO_SUB_CA2.key"
+# Alternate chargepoint leaf
+create_certificate SECC_LEAF_GRIDSYNC "${CLIENT_CSO_PATH}" seccLeafCert_Alternate.cnf 12349 "${CA_CSMS_PATH}/CPO_SUB_CA2.pem" "${CA_CSMS_PATH}/CPO_SUB_CA2.key"
+# Invalid self-signed CSMS cert
+create_certificate INVALID_CSMS "${CLIENT_INVALID_PATH}" v2gRootCACert.cnf 12345
+
+# create cert chain bundles in the V2G root ca and chargepoint leaf dirs
+cat "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" "$CA_V2G_PATH/V2G_ROOT_CA.pem" > "$CA_V2G_PATH/V2G_CA_BUNDLE.pem"
+cat "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" > "$CLIENT_CSO_PATH/CPO_CERT_CHAIN.pem"
+
+cp "$CLIENT_CSO_PATH/SECC_LEAF.key" "$CLIENT_CSMS_PATH/CSMS_LEAF.key"
+
+# assume CSO and CSMS are same authority
+cp -r $CA_CSMS_PATH/* $CA_CSO_PATH
+cp "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CLIENT_CSMS_PATH/CSMS_LEAF.pem"
+
+# empty MO bundle
+touch "$CA_MO_PATH/MO_CA_BUNDLE.pem"
+
+# Create certificates used for installation tests
+create_certificate INSTALL_TEST_ROOT_CA1 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21234
+create_certificate INSTALL_TEST_ROOT_CA2 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21235
+create_certificate INSTALL_TEST_ROOT_CA3 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21236
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA1 "${TO_BE_INSTALLED_PATH}" install_test_subca1.cnf 21237 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.key"
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA2 "${TO_BE_INSTALLED_PATH}" install_test_subca2.cnf 21238 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.key"

tools/EVerest-main/lib/everest/evse_security/tests/generate_test_certs_root_multi.sh

@@ -0,0 +1,100 @@
+#!/bin/bash
+
+CERT_PATH="./certs"
+CSR_PATH="./csr"
+
+EC_CURVE=prime256v1
+SYMMETRIC_CIPHER=-aes-128-cbc
+password="123456"
+
+CA_CSMS_PATH="$CERT_PATH/ca/csms"
+CA_CSO_PATH="$CERT_PATH/ca/cso"
+CA_V2G_PATH="$CERT_PATH/ca/v2g"
+CA_MO_PATH="$CERT_PATH/ca/mo"
+CA_INVALID_PATH="$CERT_PATH/ca/invalid"
+
+CLIENT_CSMS_PATH="$CERT_PATH/client/csms"
+CLIENT_CSO_PATH="$CERT_PATH/client/cso"
+CLIENT_V2G_PATH="$CERT_PATH/client/v2g"
+CLIENT_INVALID_PATH="$CERT_PATH/client/invalid"
+VALIDITY=3650
+
+TO_BE_INSTALLED_PATH="$CERT_PATH/to_be_installed"
+
+mkdir -p "$CERT_PATH"
+mkdir -p "$CSR_PATH"
+mkdir -p "$CA_CSMS_PATH"
+mkdir -p "$CA_CSO_PATH"
+mkdir -p "$CA_V2G_PATH"
+mkdir -p "$CA_MO_PATH"
+mkdir -p "$CLIENT_CSMS_PATH"
+mkdir -p "$CLIENT_CSO_PATH"
+mkdir -p "$CLIENT_V2G_PATH"
+mkdir -p "$CLIENT_INVALID_PATH"
+mkdir -p "$TO_BE_INSTALLED_PATH"
+
+function create_certificate() {
+  # Args:
+  # $1: name of the certificate (without the .pem extension)
+  # $2: directory to install the certificate and private key into
+  # $3: openssl config file for the certificate
+  # $4: serial number for the certificate
+  # $5: CA certificate file. If this is missing, we will create a self-signed certificate.
+  # $6: CA private key file. Likewise omit this to create a self-signed certificate.
+
+  local name="$1"
+  local install_dir="$2"
+  local config="$3"
+  local serial_num="$4"
+  local signed_by_cert="$5"
+  local signed_by_key="$6"
+
+  openssl ecparam -genkey -name "$EC_CURVE" | openssl ec "$SYMMETRIC_CIPHER" -passout pass:"$password" -out "${install_dir}/${name}.key"
+
+  if [ -z $signed_by_cert ]
+  then
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -signkey "${install_dir}/${name}.key" -passin pass:"$password" $SHA -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  else
+    openssl req -new -key "${install_dir}/${name}.key" -passin pass:"$password" -config "configs/${config}" -out "${CSR_PATH}/${name}.csr"
+    openssl x509 -req -in "${CSR_PATH}/${name}.csr" -extfile "configs/${config}" -extensions ext -CA "${signed_by_cert}" -CAkey "${signed_by_key}" -passin pass:"$password" -set_serial "${serial_num}" -out "${install_dir}/${name}.pem" -days "$VALIDITY"
+  fi
+}
+
+# V2G root CA
+create_certificate V2G_ROOT_CA "${CA_V2G_PATH}" v2gRootCACert.cnf 12345
+# Second V2G root CA
+create_certificate V2G_ROOT_CA_NEW "${CA_V2G_PATH}" v2gRootCACert.cnf 12349
+# Sub-CA 1
+create_certificate CPO_SUB_CA1 "${CA_CSMS_PATH}" cpoSubCA1Cert.cnf 12346 "${CA_V2G_PATH}/V2G_ROOT_CA.pem" "${CA_V2G_PATH}/V2G_ROOT_CA.key"
+# Sub-CA 2
+create_certificate CPO_SUB_CA2 "${CA_CSMS_PATH}" cpoSubCA2Cert.cnf 12347 "${CA_CSMS_PATH}/CPO_SUB_CA1.pem" "${CA_CSMS_PATH}/CPO_SUB_CA1.key"
+# Chargepoint leaf
+create_certificate SECC_LEAF "${CLIENT_CSO_PATH}" seccLeafCert.cnf 12348 "${CA_CSMS_PATH}/CPO_SUB_CA2.pem" "${CA_CSMS_PATH}/CPO_SUB_CA2.key"
+# Invalid self-signed CSMS cert
+create_certificate INVALID_CSMS "${CLIENT_INVALID_PATH}" v2gRootCACert.cnf 12345
+
+# V2G alternate root CA
+create_certificate V2G_ROOT_GRIDSYNC_CA "${CA_V2G_PATH}" v2gRootCACert_Alternate.cnf 12345
+# Alternate chargepoint leaf
+create_certificate SECC_LEAF_GRIDSYNC "${CLIENT_CSMS_PATH}" seccLeafCert_Alternate.cnf 12348 "${CA_V2G_PATH}/V2G_ROOT_GRIDSYNC_CA.pem" "${CA_V2G_PATH}/V2G_ROOT_GRIDSYNC_CA.key"
+
+# create cert chain bundles in the V2G root ca and chargepoint leaf dirs
+cat "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" "$CA_V2G_PATH/V2G_ROOT_CA.pem" "$CA_V2G_PATH/V2G_ROOT_GRIDSYNC_CA.pem" > "$CA_V2G_PATH/V2G_CA_BUNDLE.pem"
+cat "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CA_CSMS_PATH/CPO_SUB_CA2.pem" "$CA_CSMS_PATH/CPO_SUB_CA1.pem" > "$CLIENT_CSO_PATH/CPO_CERT_CHAIN.pem"
+
+cp "$CLIENT_CSO_PATH/SECC_LEAF.key" "$CLIENT_CSMS_PATH/CSMS_LEAF.key"
+
+# assume CSO and CSMS are same authority
+cp -r $CA_CSMS_PATH/* $CA_CSO_PATH
+cp "$CLIENT_CSO_PATH/SECC_LEAF.pem" "$CLIENT_CSMS_PATH/CSMS_LEAF.pem"
+
+# empty MO bundle
+touch "$CA_MO_PATH/MO_CA_BUNDLE.pem"
+
+# Create certificates used for installation tests
+create_certificate INSTALL_TEST_ROOT_CA1 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21234
+create_certificate INSTALL_TEST_ROOT_CA2 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21235
+create_certificate INSTALL_TEST_ROOT_CA3 "${TO_BE_INSTALLED_PATH}" install_test.cnf 21236
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA1 "${TO_BE_INSTALLED_PATH}" install_test_subca1.cnf 21237 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3.key"
+create_certificate INSTALL_TEST_ROOT_CA3_SUBCA2 "${TO_BE_INSTALLED_PATH}" install_test_subca2.cnf 21238 "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.pem" "${TO_BE_INSTALLED_PATH}/INSTALL_TEST_ROOT_CA3_SUBCA1.key"

tools/EVerest-main/lib/everest/evse_security/tests/openssl-pki.conf

@@ -0,0 +1,78 @@
+openssl_conf = openssl_init
+
+[openssl_init]
+providers = provider_section
+
+[provider_section]
+default = default_section
+tpm2 = tpm2_section
+base = base_section
+
+[default_section]
+activate = 1
+
+[tpm2_section]
+activate = 1
+
+[base_section]
+activate = 1
+
+[tpm2tss_section]
+engine_id = tpm2tss
+dynamic_path = /usr/lib/engines-3/libtpm2tss.so
+init = 1
+
+[req_root]
+distinguished_name = req_dn_root
+utf8 = yes
+prompt = no
+req_extensions = v3_root
+
+[req_ca]
+distinguished_name = req_dn_ca
+utf8 = yes
+prompt = no
+req_extensions = v3_ca
+
+[req_server]
+distinguished_name = req_dn_server
+utf8 = yes
+prompt = no
+req_extensions = v3_server
+
+[req_dn_root]
+C = GB
+O = Pionix
+L = London
+CN = Root Trust Anchor
+
+[req_dn_ca]
+C = GB
+O = Pionix
+L = London
+CN = Intermediate CA
+
+[req_dn_server]
+C = GB
+O = Pionix
+L = London
+CN = 00000000
+
+[v3_root]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical, CA:true, pathlen:2
+keyUsage = keyCertSign, cRLSign
+
+[v3_ca]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+basicConstraints = critical, CA:true
+keyUsage = keyCertSign, cRLSign
+
+[v3_server]
+subjectKeyIdentifier=hash
+authorityKeyIdentifier=keyid:always,issuer:always
+keyUsage = digitalSignature, keyEncipherment, keyAgreement
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = IP:192.168.240.1, DNS:pionix.com

tools/EVerest-main/lib/everest/evse_security/tests/openssl_supplier_test.cpp

@@ -0,0 +1,182 @@
+#include <cstdlib>
+#include <fstream>
+#include <gtest/gtest.h>
+
+#include <evse_security/crypto/openssl/openssl_crypto_supplier.hpp>
+#include <optional>
+
+// #define OUTPUT_CSR
+
+using namespace evse_security;
+
+namespace {
+
+static std::string getFile(const std::string name) {
+    std::ifstream file(name);
+    return std::string((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
+}
+
+class OpenSSLSupplierTest : public testing::Test {
+protected:
+    static void SetUpTestSuite() {
+        std::system("./create-pki.sh");
+    }
+};
+
+TEST_F(OpenSSLSupplierTest, generate_key_RSA_TPM20) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::RSA_TPM20, false, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTest, generate_key_RSA_3072) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::RSA_3072, false, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTest, generate_key_EC_prime256v1) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::EC_prime256v1, false, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTest, generate_key_EC_EC_secp384r1) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::EC_secp384r1, false, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTest, load_certificates) {
+    auto file = getFile("pki/cert_path.pem");
+    auto res = OpenSSLSupplier::load_certificates(file, EncodingFormat::PEM);
+    ASSERT_EQ(res.size(), 2);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_check_private_key) {
+    auto cert_leaf = getFile("pki/server_cert.pem");
+    auto res_leaf = OpenSSLSupplier::load_certificates(cert_leaf, EncodingFormat::PEM);
+    auto cert = res_leaf[0].get();
+    auto key = getFile("pki/server_priv.pem");
+    auto res = OpenSSLSupplier::x509_check_private_key(cert, key, std::nullopt);
+    ASSERT_TRUE(res == KeyValidationResult::Valid);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_verify_certificate_chain) {
+    auto cert_path = getFile("pki/cert_path.pem");
+    auto cert_leaf = getFile("pki/server_cert.pem");
+
+    auto res_path = OpenSSLSupplier::load_certificates(cert_path, EncodingFormat::PEM);
+    auto res_leaf = OpenSSLSupplier::load_certificates(cert_leaf, EncodingFormat::PEM);
+
+    std::vector<X509Handle*> parents;
+    std::vector<X509Handle*> empty_untrusted;
+
+    for (auto& i : res_path) {
+        parents.push_back(i.get());
+    }
+
+    auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, empty_untrusted, true,
+                                                              std::nullopt, "pki/root_cert.pem");
+    ASSERT_EQ(res, CertificateValidationResult::Valid);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_generate_csr) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = std::nullopt,
+        .ip_address = std::nullopt,
+        {CryptoKeyType::EC_prime256v1, false, std::nullopt, "pki/csr_key.pem", std::nullopt}};
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+
+    std::ofstream out("csr.pem");
+    out << csr;
+    out.close();
+
+    ASSERT_GT(csr.size(), 0);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_generate_csr_dns) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = "cs.pionix.de",
+        .ip_address = std::nullopt,
+        {CryptoKeyType::EC_prime256v1, false, std::nullopt, "pki/csr_key.pem", std::nullopt}};
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+
+#ifdef OUTPUT_CSR
+    std::ofstream out("csr_dns.pem");
+    out << csr;
+    out.close();
+#endif
+
+    ASSERT_GT(csr.size(), 0);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_generate_csr_ip) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = std::nullopt,
+        .ip_address = "127.0.0.1",
+        {CryptoKeyType::EC_prime256v1, false, std::nullopt, "pki/csr_key.pem", std::nullopt}};
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+
+#ifdef OUTPUT_CSR
+    std::ofstream out("csr_ip.pem");
+    out << csr;
+    out.close();
+#endif
+
+    ASSERT_GT(csr.size(), 0);
+}
+
+TEST_F(OpenSSLSupplierTest, x509_generate_csr_dns_ip) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = "cs.pionix.de",
+        .ip_address = "127.0.0.1",
+        {CryptoKeyType::EC_prime256v1, false, std::nullopt, "pki/csr_key.pem", std::nullopt}};
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+
+#ifdef OUTPUT_CSR
+    std::ofstream out("csr_dns_ip.pem");
+    out << csr;
+    out.close();
+#endif
+
+    ASSERT_GT(csr.size(), 0);
+}
+
+} // namespace

tools/EVerest-main/lib/everest/evse_security/tests/openssl_supplier_test_tpm.cpp

@@ -0,0 +1,153 @@
+#include <cstdlib>
+#include <filesystem>
+#include <fstream>
+#include <gtest/gtest.h>
+#include <iostream>
+
+#include <evse_security/crypto/openssl/openssl_crypto_supplier.hpp>
+#include <evse_security/crypto/openssl/openssl_provider.hpp>
+
+using namespace evse_security;
+
+namespace {
+
+static std::string getFile(const std::string name) {
+    std::ifstream file(name);
+    return std::string((std::istreambuf_iterator<char>(file)), std::istreambuf_iterator<char>());
+}
+
+class OpenSSLSupplierTpmTest : public testing::Test {
+protected:
+    static void SetUpTestSuite() {
+        std::system("./create-pki.sh tpm");
+    }
+};
+
+TEST_F(OpenSSLSupplierTpmTest, supports_provider_tpm) {
+    OpenSSLProvider::cleanup();
+    ASSERT_FALSE(OpenSSLProvider::supports_provider_tpm());
+    // calculates
+    OpenSSLProvider provider;
+    // returns cached
+    ASSERT_TRUE(OpenSSLProvider::supports_provider_tpm());
+}
+
+TEST_F(OpenSSLSupplierTpmTest, supports_provider_tpm_key_creation) {
+    OpenSSLProvider::cleanup();
+    ASSERT_FALSE(OpenSSLProvider::supports_provider_tpm());
+    // should calculate
+    ASSERT_TRUE(OpenSSLSupplier::supports_tpm_key_creation());
+}
+
+TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_TPM20) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::RSA_TPM20, true, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, generate_key_RSA_3072) {
+    // Enable this test manually only if your platform supports 3072 TPM keys
+    GTEST_SKIP() << "Skipping TPM2.0 GEN_RSA_3072 test since it is a non-spec value"
+                    " which probably will not be supported on many platforms!";
+
+    KeyGenerationInfo info = {
+        CryptoKeyType::RSA_3072, true, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, generate_key_EC_prime256v1) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::EC_prime256v1, true, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, generate_key_EC_EC_secp384r1) {
+    KeyGenerationInfo info = {
+        CryptoKeyType::EC_secp384r1, true, std::nullopt, std::nullopt, std::nullopt,
+    };
+    KeyHandle_ptr key;
+    auto res = OpenSSLSupplier::generate_key(info, key);
+    ASSERT_TRUE(res);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, load_certificates) {
+    auto file = getFile("tpm_pki/cert_path.pem");
+    auto res = OpenSSLSupplier::load_certificates(file, EncodingFormat::PEM);
+    ASSERT_EQ(res.size(), 2);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, x509_check_private_key) {
+    auto cert_leaf = getFile("tpm_pki/server_cert.pem");
+    auto res_leaf = OpenSSLSupplier::load_certificates(cert_leaf, EncodingFormat::PEM);
+    auto cert = res_leaf[0].get();
+    auto key = getFile("tpm_pki/server_priv.pem");
+    auto res = OpenSSLSupplier::x509_check_private_key(cert, key, std::nullopt);
+    ASSERT_EQ(res, KeyValidationResult::Valid);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, x509_verify_certificate_chain) {
+    auto cert_path = getFile("tpm_pki/cert_path.pem");
+    auto cert_leaf = getFile("tpm_pki/server_cert.pem");
+
+    auto res_path = OpenSSLSupplier::load_certificates(cert_path, EncodingFormat::PEM);
+    auto res_leaf = OpenSSLSupplier::load_certificates(cert_leaf, EncodingFormat::PEM);
+
+    std::vector<X509Handle*> parents;
+
+    for (auto& i : res_path) {
+        parents.push_back(i.get());
+    }
+
+    auto res = OpenSSLSupplier::x509_verify_certificate_chain(res_leaf[0].get(), parents, {}, true, std::nullopt,
+                                                              "tpm_pki/root_cert.pem");
+    ASSERT_EQ(res, CertificateValidationResult::Valid);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = std::nullopt,
+        .ip_address = std::nullopt,
+        {CryptoKeyType::EC_prime256v1, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
+
+    // std::cout << "tpm2 pre: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
+    // std::cout << "base pre: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+    // std::cout << "tpm2 post: " << OSSL_PROVIDER_available(nullptr, "tpm2") << std::endl;
+    // std::cout << "base post: " << OSSL_PROVIDER_available(nullptr, "base") << std::endl;
+
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+    ASSERT_GT(csr.size(), 0);
+}
+
+TEST_F(OpenSSLSupplierTpmTest, x509_generate_csr2) {
+    std::string csr;
+    CertificateSigningRequestInfo csr_info = {
+        0,
+        "UK",
+        "Pionix",
+        "0123456789",
+        .dns_name = std::nullopt,
+        .ip_address = std::nullopt,
+        {CryptoKeyType::RSA_TPM20, true, std::nullopt, "tpm_pki/csr_key.tkey", std::nullopt}};
+
+    auto res = OpenSSLSupplier::x509_generate_csr(csr_info, csr);
+
+    ASSERT_EQ(res, CertificateSignRequestResult::Valid);
+    ASSERT_GT(csr.size(), 0);
+}
+
+} // namespace