Replace ClientFindServers with unified Client, use trust store directories

Replace the single-purpose ClientFindServers program with a unified Client
that supports three operations via CLI: find-servers, get-endpoints, and
read-time.  This simplifies the architecture by using one client binary with
a single config file instead of a monolithic program that did everything in
one run.

Split the ServerRegister config into separate server and client config files
so the LDS-registration credentials are isolated from the server's own
settings.  The discovery URL moves from config to a CLI argument.

Replace repeated trustList config entries with a single trustStore directory
path.  Each program now points to a directory under certs/trust/ containing
.der files, so adding or removing trust is a file-copy operation rather than
editing every config file.  Add loadTrustStore()/freeTrustStore() to
common.c and remove the now-unused configGetAll() from the config parser.

Simplify the test matrix from 6 to 4 cases (security and auth are
orthogonal, so the full 3x2 matrix is unnecessary).  Update run_test.sh to
invoke the new Client three times and use port-polling instead of sleep.

5 files changed, 67 insertions, 91 deletions

diff --git a/config/client.conf b/config/client.conf
new file mode 100644
index 0000000..1d3fe1b
--- /dev/null
+++ b/config/client.conf
@@ -0,0 +1,23 @@
+# Client configuration
+#
+# Keys:
+#   applicationUri    OPC UA application URI
+#   certificate       Path to client certificate (.der)
+#   privateKey        Path to client private key (.der)
+#   securityMode      None, Sign, or SignAndEncrypt
+#   securityPolicy    None, Basic256Sha256, Aes256_Sha256_RsaPss,
+#                     Aes128_Sha256_RsaOaep, or ECC_nistP256
+#   authMode          "anonymous" or "user" (read-time only)
+#   username          Username (required when authMode = user)
+#   password          Password (required when authMode = user)
+#   trustStore        Directory containing trusted certificates (.der)
+
+applicationUri = urn:bobink.ClientFindServers
+certificate = certs/ClientFindServers_cert.der
+privateKey = certs/ClientFindServers_key.der
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+authMode = user
+username = user
+password = password
+trustStore = certs/trust/client
diff --git a/config/client_find_servers.conf b/config/client_find_servers.conf
deleted file mode 100644
index 5ab15d5..0000000
--- a/config/client_find_servers.conf
+++ /dev/null
@@ -1,50 +0,0 @@
-# ClientFindServers configuration
-#
-# Shared keys:
-#   discoveryEndpoint   LDS endpoint URL (e.g. opc.tcp://localhost:4840)
-#   applicationUri      OPC UA application URI
-#
-# Discovery-side keys (LDS connection):
-#   discoveryCertificate      Path to certificate for LDS connections (.der)
-#   discoveryPrivateKey       Path to private key for LDS connections (.der)
-#   discoverySecurityMode     None, Sign, or SignAndEncrypt
-#   discoverySecurityPolicy   None, Basic256Sha256, Aes256_Sha256_RsaPss,
-#                             Aes128_Sha256_RsaOaep, or ECC_nistP256
-#   discoveryAuthMode         "anonymous" or "user"
-#   discoveryUsername         Username (required when discoveryAuthMode = user)
-#   discoveryPassword         Password (required when discoveryAuthMode = user)
-#   discoveryTrustList        Trusted certificate path (repeat for multiple)
-#
-# Server-side keys (connections to discovered servers):
-#   serverCertificate         Path to certificate for server connections (.der)
-#   serverPrivateKey          Path to private key for server connections (.der)
-#   serverSecurityMode        None, Sign, or SignAndEncrypt
-#   serverSecurityPolicy      None, Basic256Sha256, Aes256_Sha256_RsaPss,
-#                             Aes128_Sha256_RsaOaep, or ECC_nistP256
-#   serverAuthMode            "anonymous" or "user"
-#   serverUsername            Username (required when serverAuthMode = user)
-#   serverPassword            Password (required when serverAuthMode = user)
-#   serverTrustList           Trusted certificate path (repeat for multiple)
-
-discoveryEndpoint = opc.tcp://localhost:4840
-applicationUri = urn:bobink.ClientFindServers
-
-# Discovery (LDS) side
-discoveryCertificate = certs/ClientFindServers_cert.der
-discoveryPrivateKey = certs/ClientFindServers_key.der
-discoverySecurityMode = SignAndEncrypt
-discoverySecurityPolicy = Aes256_Sha256_RsaPss
-discoveryAuthMode = user
-discoveryUsername = user
-discoveryPassword = password
-discoveryTrustList = certs/ServerLDS_cert.der
-
-# Server side
-serverCertificate = certs/ClientFindServers_cert.der
-serverPrivateKey = certs/ClientFindServers_key.der
-serverSecurityMode = SignAndEncrypt
-serverSecurityPolicy = Aes256_Sha256_RsaPss
-serverAuthMode = user
-serverUsername = user
-serverPassword = password
-serverTrustList = certs/ServerRegister_cert.der
diff --git a/config/server_lds.conf b/config/server_lds.conf
index a30106c..7382dbe 100644
--- a/config/server_lds.conf
+++ b/config/server_lds.conf
@@ -9,7 +9,7 @@
 #   authMode          "anonymous" or "user"
 #   username          Username (required when authMode = user)
 #   password          Password (required when authMode = user)
-#   trustList         Trusted certificate path (repeat for multiple)
+#   trustStore        Directory containing trusted certificates (.der)
 
 port = 4840
 applicationUri = urn:bobink.ServerLDS
@@ -21,5 +21,4 @@ authMode = user
 username = user
 password = password
 
-trustList = certs/ServerRegisterClient_cert.der
-trustList = certs/ClientFindServers_cert.der
+trustStore = certs/trust/server_lds
diff --git a/config/server_register.conf b/config/server_register.conf
index c32c61e..ddacbac 100644
--- a/config/server_register.conf
+++ b/config/server_register.conf
@@ -1,47 +1,25 @@
-# ServerRegister configuration
+# ServerRegister — server configuration
 #
 # Keys:
-#   port                Server port number
-#   applicationUri      OPC UA application URI
-#   serverCertificate   Path to server certificate (.der)
-#   serverPrivateKey    Path to server private key (.der)
-#   clientCertificate   Path to client certificate for LDS connection (.der)
-#   clientPrivateKey    Path to client private key for LDS connection (.der)
-#   discoveryEndpoint   LDS endpoint URL (e.g. opc.tcp://localhost:4840)
-#   registerInterval    Seconds between re-registrations with the LDS
-#   securityMode        None, Sign, or SignAndEncrypt
-#   securityPolicy      None, Basic256Sha256, Aes256_Sha256_RsaPss,
-#                       Aes128_Sha256_RsaOaep, or ECC_nistP256
-#   serverAuthMode      Auth mode for clients connecting to this server:
-#                       "anonymous" or "user"
-#   serverUsername      Username (required when serverAuthMode = user)
-#   serverPassword      Password (required when serverAuthMode = user)
-#   clientAuthMode      Auth mode for connecting to the LDS:
-#                       "anonymous" or "user"
-#   clientUsername      Username (required when clientAuthMode = user)
-#   clientPassword      Password (required when clientAuthMode = user)
-#   trustList           Trusted certificate path (repeat for multiple)
+#   port              Server port number
+#   applicationUri    OPC UA application URI
+#   certificate       Path to server certificate (.der)
+#   privateKey        Path to server private key (.der)
+#   registerInterval  Seconds between re-registrations with the LDS
+#   authMode          "anonymous" or "user"
+#   username          Username (required when authMode = user)
+#   password          Password (required when authMode = user)
+#   trustStore        Directory containing trusted certificates (.der)
 
 port = 4841
 applicationUri = urn:bobink.ServerRegister
-serverCertificate = certs/ServerRegister_cert.der
-serverPrivateKey = certs/ServerRegister_key.der
-clientCertificate = certs/ServerRegisterClient_cert.der
-clientPrivateKey = certs/ServerRegisterClient_key.der
+certificate = certs/ServerRegister_cert.der
+privateKey = certs/ServerRegister_key.der
 
-discoveryEndpoint = opc.tcp://localhost:4840
 registerInterval = 10
 
-securityMode = SignAndEncrypt
-securityPolicy = Aes256_Sha256_RsaPss
+authMode = user
+username = user
+password = password
 
-serverAuthMode = user
-serverUsername = user
-serverPassword = password
-
-clientAuthMode = user
-clientUsername = user
-clientPassword = password
-
-trustList = certs/ServerLDS_cert.der
-trustList = certs/ClientFindServers_cert.der
+trustStore = certs/trust/server_register
diff --git a/config/server_register_client.conf b/config/server_register_client.conf
new file mode 100644
index 0000000..e4598a9
--- /dev/null
+++ b/config/server_register_client.conf
@@ -0,0 +1,26 @@
+# ServerRegister — client configuration for LDS registration
+#
+# Keys:
+#   applicationUri    OPC UA application URI
+#   certificate       Path to client certificate (.der)
+#   privateKey        Path to client private key (.der)
+#   securityMode      None, Sign, or SignAndEncrypt
+#   securityPolicy    None, Basic256Sha256, Aes256_Sha256_RsaPss,
+#                     Aes128_Sha256_RsaOaep, or ECC_nistP256
+#   authMode          "anonymous" or "user"
+#   username          Username (required when authMode = user)
+#   password          Password (required when authMode = user)
+#   trustStore        Directory containing trusted certificates (.der)
+
+applicationUri = urn:bobink.ServerRegister
+certificate = certs/ServerRegisterClient_cert.der
+privateKey = certs/ServerRegisterClient_key.der
+
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+
+authMode = user
+username = user
+password = password
+
+trustStore = certs/trust/server_register_client