fix: add component variables in security controller

Signed-off-by: Xin Xu <[email protected]>

config/v201/component_config/standardized/SecurityCtrlr.json

@@ -177,6 +177,38 @@
       "maximum": 3,
       "default": "1",
       "type": "integer"
+    },
+    "AllowCSMSRootCertificateInstallWhenLowSecurityProfile": {
+      "variable_name": "AllowCSMSRootCertificateInstallWhenLowSecurityProfile",
+      "characteristics": {
+        "supportsMonitoring": true,
+        "dataType": "boolean"
+      },
+      "attributes": [
+        {
+          "type": "Actual",
+          "mutability": "ReadWrite"
+        }
+      ],
+      "description": "The flag that indicates if installation of CSMSRootCertificate is allowed when security profile is 1.",
+      "default": true,
+      "type": "boolean"
+    },
+    "AllowManufacturerRootCertificateInstallWhenLowSecurityProfile": {
+      "variable_name": "AllowManufacturerRootCertificateInstallWhenLowSecurityProfile",
+      "characteristics": {
+        "supportsMonitoring": true,
+        "dataType": "boolean"
+      },
+      "attributes": [
+        {
+          "type": "Actual",
+          "mutability": "ReadWrite"
+        }
+      ],
+      "description": "The flag that indicates if installation of ManufacturerRootCertificate is allowed when security profile is 1.",
+      "default": true,
+      "type": "boolean"
     }
   },
   "required": [

include/ocpp/v201/charge_point.hpp

@@ -782,6 +782,12 @@ class ChargePoint : public ChargePointInterface, private ocpp::ChargingStationBa
     /// If \param persist is set to true, the change will be persisted across a reboot
     void execute_change_availability_request(ChangeAvailabilityRequest request, bool persist);
 
+
+    /// \brief Helper function to determine if a certificate installation should be rejected
+    /// \param cert_type is the certificate type to be checked
+    /// \return true if it should be rejected
+    bool should_reject_certificate_install(InstallCertificateUseEnum cert_type) const;
+
 protected:
     std::shared_ptr<SmartChargingHandlerInterface> smart_charging_handler;
 

include/ocpp/v201/ctrlr_component_variables.hpp

@@ -201,6 +201,8 @@ extern const ComponentVariable& MaxCertificateChainSize;
 extern const ComponentVariable& UpdateCertificateSymlinks;
 extern const RequiredComponentVariable& OrganizationName;
 extern const RequiredComponentVariable& SecurityProfile;
+extern const ComponentVariable& AllowCSMSRootCertificateInstallWhenLowSecurityProfile;
+extern const ComponentVariable& AllowManufacturerRootCertificateInstallWhenLowSecurityProfile;
 extern const ComponentVariable& ACPhaseSwitchingSupported;
 extern const ComponentVariable& SmartChargingCtrlrAvailable;
 extern const ComponentVariable& SmartChargingCtrlrEnabled;

lib/ocpp/v201/charge_point.cpp

@@ -3588,19 +3588,38 @@ void ChargePoint::handle_get_installed_certificate_ids_req(Call<GetInstalledCert
     this->send<GetInstalledCertificateIdsResponse>(call_result);
 }
 
+void ChargePoint::should_reject_certificate_install(InstallCertificateUseEnum cert_type) const {
+        const int security_profile = this->device_model->get_value<int>(ControllerComponentVariables::SecurityProfile);
+
+        if (security_profile > 1) {
+            return false;
+        }
+        switch (cert_type) {
+            case InstallCertificateUseEnum::CSMSRootCertificate:
+                return !this->device_model
+                    .get_optional_value<bool>(ControllerComponentVariables::AllowCSMSRootCertificateInstallWhenLowSecurityProfile)
+                    .value_or(true);
+
+            case InstallCertificateUseEnum::ManufacturerRootCertificate:
+                return !this->device_model
+                    .get_optional_value<bool>(ControllerComponentVariables::AllowManufacturerRootCertificateInstallWhenLowSecurityProfile)
+                    .value_or(true);  
+            default:
+                return false;
+        }
+}
+
 void ChargePoint::handle_install_certificate_req(Call<InstallCertificateRequest> call) {
     EVLOG_debug << "Received InstallCertificateRequest: " << call.msg << "\nwith messageId: " << call.uniqueId;
 
     const auto msg = call.msg;
     InstallCertificateResponse response;
 
-    if ((msg.certificateType == InstallCertificateUseEnum::CSMSRootCertificate ||
-         msg.certificateType == InstallCertificateUseEnum::ManufacturerRootCertificate) &&
-        this->device_model->get_value<int>(ControllerComponentVariables::SecurityProfile) <= 1) {
+    if (should_reject_certificate_install(msg.certificateType)) {
         response.status = InstallCertificateStatusEnum::Rejected;
         response.statusInfo = StatusInfo();
-        response.statusInfo->reasonCode = "Invalid security profile";
-        response.statusInfo->additionalInfo = "SecurityProfileTooLowForCertificateHandling";
+        response.statusInfo->reasonCode = "LowSecurityProfile";
+        response.statusInfo->additionalInfo = "SecurityProfileTooLowForCertificateInstall";
     } else {
         const auto result = this->evse_security->install_ca_certificate(
             msg.certificate.get(), ocpp::evse_security_conversions::from_ocpp_v201(msg.certificateType));

lib/ocpp/v201/ctrlr_component_variables.cpp

@@ -1116,6 +1116,20 @@ const RequiredComponentVariable& SecurityProfile = {
         "SecurityProfile",
     }),
 };
+const ComponentVariable& AllowCSMSRootCertificateInstallWhenLowSecurityProfile = {
+    ControllerComponents::SecurityCtrlr,
+    std::nullopt,
+    std::optional<Variable>({
+        "AllowCSMSRootCertificateInstallWhenLowSecurityProfile",
+    }),
+};
+const ComponentVariable& AllowManufacturerRootCertificateInstallWhenLowSecurityProfile = {
+    ControllerComponents::SecurityCtrlr,
+    std::nullopt,
+    std::optional<Variable>({
+        "AllowCSMSRootCertificateInstallWhenLowSecurityProfile",
+    }),
+};
 const ComponentVariable& ACPhaseSwitchingSupported = {
     ControllerComponents::SmartChargingCtrlr,
     std::nullopt,