| Field | Value | Date |
|---|---|---|
| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 22:30:06 +0100 |
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 22:32:08 +0100 |
| commit | 5f5e172cd2392952162398c85b07e6f6b7e69398 (patch) | |
| tree | 65cd56e0e18d5e16dc5abf6c6d912a13d53aff68 /readme.md | |
| parent | 77e70beff33d89f30082f3e5d513cd657fa529ea (diff) | |
| download | BobinkCOpcUa-5f5e172cd2392952162398c85b07e6f6b7e69398.tar.gz BobinkCOpcUa-5f5e172cd2392952162398c85b07e6f6b7e69398.zip | |
Move certificates into per-test directories
Each secure test now has its own certs/ subfolder with per-identity
subdirectories and a single shared trust store. Configs reference
paths relative to the project root (e.g. tests/secure_anonymous/
certs/ServerLDS/cert.der). Cert generation logic removed from test
scripts since certs are now pre-generated and committed.
Diffstat (limited to 'readme.md')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | readme.md | 57 |
1 files changed, 14 insertions, 43 deletions
@@ -5,7 +5,7 @@ A small C project that demonstrates OPC UA server discovery using the - **ServerLDS** — Local Discovery Server that other servers register with - **ServerRegister** — a server that periodically registers itself with the LDS -- **Client** — queries the LDS for servers, lists endpoints, or reads the current time from a server +- **Client** — queries the LDS for servers, lists endpoints, reads the current time, or downloads a server's certificate ## Prerequisites 
@@ -23,52 +23,19 @@ git clone --recursive https://git.tvcloud.fr/opcua_c cd opcua_c ``` -### Generate certificates +### Certificates -The programs use TLS certificates for mutual authentication. ServerLDS and -ServerRegister can also run without certificates (SecurityPolicy#None only) by +Test certificates are pre-generated and committed under each test directory +(e.g. `tests/secure_anonymous/certs/`). Each secure test has per-identity +subdirectories (`ServerLDS/`, `ServerRegister/`, `ServerRegisterClient/`, +`Client/`) containing `cert.der` and `key.der`, plus a shared `trust/` +directory with all certificates. + +Programs can also run without certificates (SecurityPolicy#None only) by omitting the `certificate`, `privateKey`, and `trustStore` keys from their config files. -For encrypted operation, four identities are needed. Each call to -`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate -(`<name>_cert.der`) and private key (`<name>_key.der`) in the given directory: - -```sh -tools/generate_certificate.sh certs ServerLDS -tools/generate_certificate.sh certs ServerRegister -tools/generate_certificate.sh certs ServerRegisterClient -tools/generate_certificate.sh certs Client -``` - -| Identity | Used by | Purpose | -|----------|---------|---------| -| `ServerLDS` | ServerLDS | Server certificate for the LDS | -| `ServerRegister` | ServerRegister | Server certificate for the registering server | -| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS | -| `Client` | Client | Client certificate for all client operations | - -### Populate the trust stores - -OPC UA applications only accept connections from peers whose certificate is in -their trust store. 
Create the trust store directories and symlink each peer's -certificate: - -```sh -mkdir -p certs/trust/{server_lds,server_register,server_register_client,client} - -ln -s ../../ServerRegisterClient_cert.der ../../Client_cert.der \ - certs/trust/server_lds/ - -ln -s ../../ServerLDS_cert.der ../../Client_cert.der \ - certs/trust/server_register/ - -ln -s ../../ServerLDS_cert.der \ - certs/trust/server_register_client/ - -ln -s ../../ServerLDS_cert.der ../../ServerRegister_cert.der \ - certs/trust/client/ -``` +To generate new certificates, use `tools/generate_certificate.sh <output_dir> <name> [uri]`. ### Build @@ -102,6 +69,9 @@ build/Client tests/secure_user/client.conf get-endpoints opc.tcp://localhost:148 # 5. Read the current time from the registered server build/Client tests/secure_user/client.conf read-time opc.tcp://localhost:14841 + +# 6. Download the server's certificate to a local file +build/Client tests/secure_user/client.conf download-cert opc.tcp://localhost:14841 server.der ``` All three programs accept an optional log level as the last argument @@ -117,6 +87,7 @@ Integration tests exercise four combinations of security and authentication: | `secure_anonymous` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous | | `secure_user` | SignAndEncrypt / Aes256_Sha256_RsaPss | user/password | | `secure_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | X509 certificate | +| `download_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous (download-cert) | Run all tests: |
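Review bot: in the hunk `@@ -23,52 +23,19 @@`, the new Certificates section says each per-identity directory holds `cert.der` and `key.der` and that these files are committed, which puts private keys into version control; the section should state that these keys are test fixtures only and must not be reused outside the test setups, since anyone with a checkout can act as any of the four identities. Three documentation gaps in the same hunk: the removed identity table explained why ServerRegister carries two identities (`ServerRegister` for its own endpoint, `ServerRegisterClient` for connecting to the LDS), and that explanation is lost, so consider keeping the table; the removed text described per-peer trust stores (for example `certs/trust/server_register_client/` held only the LDS certificate), whereas the new layout is one shared `trust/` directory "with all certificates", so every identity now trusts every other, which should be stated as intentional if it is; and `tools/generate_certificate.sh <output_dir> <name> [uri]` gains an undocumented `[uri]` argument while the old text said the script writes `<name>_cert.der` and `<name>_key.der`, which does not match the new `cert.der`/`key.der` per-identity layout, so a sentence on how to place freshly generated files into that layout would help.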
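Review bot: in the hunk `@@ -102,6 +69,9 @@`, the new step 6 writes the server certificate to `server.der` but the README does not say what the file is for or whether it must be checked before being placed in a trust store; since the example uses `tests/secure_user/client.conf`, whose test row is SignAndEncrypt with a pre-populated trust store, add a sentence on whether `download-cert` runs over the same secure channel and that a certificate obtained this way should be verified out of band (for example by comparing its fingerprint) before it is trusted, otherwise download-then-trust amounts to trusting whatever answered on port 14841.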
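Review bot: in the hunk `@@ -117,6 +87,7 @@`, the lead sentence above the table still says the integration tests exercise "four combinations of security and authentication", but the hunk adds a fifth row, and `download_cert` uses the same policy and authentication as `secure_anonymous` (SignAndEncrypt / Aes256_Sha256_RsaPss, anonymous), so it is a new scenario rather than a new combination. Update the sentence (for example "five test scenarios") or add a column naming the client operation exercised, so that the "(download-cert)" qualifier in the authentication column is not the only hint of what differs.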
