| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 21:44:17 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 21:44:17 +0100 |
| commit | deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34 (patch) | |
| tree | 93b6614e554db2e8c7ac0becfb0b8129ab49e141 /src/common.h | |
| parent | 70381b3381d77845dbc04fd521b729b7098134a5 (diff) | |
| download | BobinkCOpcUa-deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34.tar.gz BobinkCOpcUa-deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34.zip | |
Add X509 certificate identity token authentication
Support authMode=cert alongside anonymous and user. The client
reuses its application certificate as the X509 identity token
(open62541 requires the identity-token certificate to be the same as the application certificate). Server-side access control
advertises the certificate token policy automatically when
sessionPKI is configured.
Diffstat (limited to 'src/common.h')
| -rw-r--r-- | src/common.h | 29 |
1 files changed, 19 insertions, 10 deletions
diff --git a/src/common.h b/src/common.h
index a531fc9..aff6ff4 100644
--- a/src/common.h
+++ b/src/common.h
@@ -91,22 +91,25 @@ int parseLogLevel (const char *name);
 /**
  * @brief Parses the authMode key from a configuration file.
  *
- * When authMode is "anonymous", sets *allowAnonymous to true and
- * *username / *password to NULL. When authMode is "user", sets
- * *allowAnonymous to false and loads the username/password keys.
+ * When authMode is "anonymous", sets *allowAnonymous to true and leaves
+ * *username / *password as NULL. When authMode is "user", sets
+ * *allowAnonymous to false and loads the username/password keys. When
+ * authMode is "cert", sets *allowAnonymous to false and *certAuth to true.
  * Logs errors internally.
  *
  * @param cfg Parsed configuration.
  * @param program Program name (for error messages).
- * @param allowAnonymous Output: true for anonymous, false for user.
+ * @param allowAnonymous Output: true for anonymous, false otherwise.
  * May be NULL (ignored — useful for client callers).
  * @param username Output: username string (owned by cfg), or NULL.
  * @param password Output: password string (owned by cfg), or NULL.
+ * @param certAuth Output: true when authMode is "cert", false otherwise.
+ * May be NULL (ignored — useful for server callers).
  * @return 0 on success, -1 on error.
  */
 int parseAuthConfig (const Config *cfg, const char *program, UA_Boolean *allowAnonymous, const char **username,
- const char **password);
+ const char **password, UA_Boolean *certAuth);
 
 /**
  * @brief Parses a security mode name into the corresponding enum value.
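Review bot: The new contract for authMode=cert states what happens to *allowAnonymous and *certAuth but not to *username / *password, and it is silent on what a caller that passes certAuth as NULL observes when the file says cert — allowAnonymous false with no credentials, which reads the same as a "user" entry whose keys are missing. I would add to the brief: ` * When authMode is "cert", *username / *password are left NULL; a caller that passes certAuth as NULL cannot tell "cert" apart from a "user" entry without credentials.` (confirm against the implementation, which is not in this hunk). It would also help to say explicitly that an unrecognized authMode value returns -1 rather than being treated as anonymous, since a fail-open default here would silently disable authentication; the @return line only says "-1 on error".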
@@ -149,7 +152,9 @@ UA_StatusCode createUnsecureClientConfig (UA_ClientConfig *cc,
  *
  * The config must be zero-initialized by the caller before calling this
  * function. Loads the certificate, private key, and trustlist, then applies
- * default encryption settings.
+ * default encryption settings. When @p certAuth is true, also configures
+ * X509 certificate identity-token authentication using the same application
+ * certificate (mutually exclusive with username/password authentication).
  *
  * @param cc Pointer to a zero-initialized UA_ClientConfig.
  * @param applicationUri OPC UA application URI.
@@ -161,12 +166,16 @@ UA_StatusCode createUnsecureClientConfig (UA_ClientConfig *cc,
  * @param securityMode Requested message security mode.
  * @param securityPolicyUri Security policy URI string (e.g.
  * "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256").
+ * @param certAuth When true, use the application certificate as X509 identity
+ * token.
  * @return UA_STATUSCODE_GOOD on success, error code otherwise.
  */
-UA_StatusCode createSecureClientConfig (
- UA_ClientConfig *cc, const char *applicationUri, const char *certPath,
- const char *keyPath, char **trustPaths, size_t trustSize,
- UA_MessageSecurityMode securityMode, const char *securityPolicyUri);
+UA_StatusCode
+createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri,
+ const char *certPath, const char *keyPath,
+ char **trustPaths, size_t trustSize,
+ UA_MessageSecurityMode securityMode,
+ const char *securityPolicyUri, UA_Boolean certAuth);
 
 /**
  * @brief Logs a UA_ApplicationDescription (server info from FindServers). |
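Review bot: The @param certAuth text in the createSecureClientConfig hunk should carry a caveat about what the token proves: because the identity token is the same certificate used for the secure channel, the server accepts as a user identity whatever its session PKI trusts, so if the server's sessionPKI is fed the same trust list as the channel PKI, every application certificate trusted to connect is also an authenticated user (inferred from the commit message; the server side is not in this diff). I would add after the @param certAuth lines: ` * Server-side authorization is then only as strong as the server's session trust list; keep it separate from the channel trust list where per-identity access control matters.` A minor point of style: the prototype now takes nine positional parameters, which is past the point where a small options struct (cert/key/trust paths plus mode, policy and certAuth) would read better and make call sites harder to get wrong.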
