chore: remove certificate pinning (before expiry) (evcc-io#12670)

ca-dmin · Mar 5, 2024 · 0414279 · 0414279
1 parent f41901b
commit 0414279
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 104 deletions.
diff --git a/util/cloud/ca-cert.pem b/util/cloud/ca-cert.pem
diff --git a/util/cloud/client.go b/util/cloud/client.go
@@ -1,84 +1,25 @@
 package cloud
 
 import (
-	"bytes"
-	"crypto/tls"
-	"crypto/x509"
 	_ "embed"
-	"errors"
-	"fmt"
-	"net"
-	"strings"
 
+	"github.com/evcc-io/evcc/util"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/grpc/credentials/insecure"
 )
 
-var Host = "sponsor.evcc.io:8080"
+var (
+	host = util.Getenv("GRPC_URI", "sponsor.evcc.io:8080")
 
-var conn *grpc.ClientConn
-
-//go:embed ca-cert.pem
-var caCert []byte
-
-func caPEM() []byte {
-	copy := bytes.NewBuffer(caCert)
-	return copy.Bytes()
-}
-
-func loadTLSCredentials() (*tls.Config, error) {
-	certPool, err := x509.SystemCertPool()
-	if err != nil {
-		return nil, err
-	}
-
-	if !certPool.AppendCertsFromPEM(caPEM()) {
-		return nil, fmt.Errorf("failed to add CA certificate")
-	}
-
-	// create the credentials and return it
-	config := &tls.Config{
-		RootCAs: certPool,
-	}
-
-	return config, nil
-}
-
-func verifyConnection(host string) func(conn tls.ConnectionState) error {
-	return func(conn tls.ConnectionState) error {
-		if len(conn.PeerCertificates) > 0 {
-			peer := conn.PeerCertificates[0]
-			return peer.VerifyHostname(host)
-		}
+	conn *grpc.ClientConn
+)
 
-		return errors.New("missing host certificate")
+func Connection() (*grpc.ClientConn, error) {
+	if conn != nil {
+		return conn, nil
 	}
-}
 
-func Connection(hostPort string) (*grpc.ClientConn, error) {
 	var err error
-	if conn == nil {
-		creds := insecure.NewCredentials()
-
-		if !strings.HasPrefix(hostPort, "localhost") {
-			host, _, err := net.SplitHostPort(hostPort)
-			if err != nil {
-				return nil, err
-			}
-
-			var tlsConfig *tls.Config
-			if tlsConfig, err = loadTLSCredentials(); err != nil {
-				return nil, err
-			}
-
-			// make sure it matches the hostname
-			tlsConfig.VerifyConnection = verifyConnection(host)
-
-			creds = credentials.NewTLS(tlsConfig)
-		}
-		conn, err = grpc.Dial(hostPort, grpc.WithTransportCredentials(creds))
-	}
+	conn, err = grpc.Dial(host)
 
 	return conn, err
 }
diff --git a/util/sponsor/auth.go b/util/sponsor/auth.go
@@ -6,7 +6,6 @@ import (
 	"time"
 
 	"github.com/evcc-io/evcc/api/proto/pb"
-	"github.com/evcc-io/evcc/util"
 	"github.com/evcc-io/evcc/util/cloud"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
@@ -36,8 +35,7 @@ func ConfigureSponsorship(token string) error {
 		}
 	}
 
-	host := util.Getenv("GRPC_URI", cloud.Host)
-	conn, err := cloud.Connection(host)
+	conn, err := cloud.Connection()
 	if err != nil {
 		return err
 	}

diff --git a/vehicle/cloud.go b/vehicle/cloud.go
@@ -48,8 +48,7 @@ func NewCloudFromConfig(other map[string]interface{}) (api.Vehicle, error) {
 		return nil, api.ErrSponsorRequired
 	}
 
-	host := util.Getenv("GRPC_URI", cloud.Host)
-	conn, err := cloud.Connection(host)
+	conn, err := cloud.Connection()
 	if err != nil {
 		return nil, err
 	}
@@ -62,9 +61,7 @@ func NewCloudFromConfig(other map[string]interface{}) (api.Vehicle, error) {
 		client: pb.NewVehicleClient(conn),
 	}
 
-	if err == nil {
-		err = v.prepareVehicle()
-	}
+	err = v.prepareVehicle()
 
 	v.chargeStateG = provider.Cached(v.chargeState, cc.Cache)