| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 21:44:17 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 21:44:17 +0100 |
| commit | deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34 (patch) | |
| tree | 93b6614e554db2e8c7ac0becfb0b8129ab49e141 /src/server_register.c | |
| parent | 70381b3381d77845dbc04fd521b729b7098134a5 (diff) | |
Add X509 certificate identity token authentication
Support authMode=cert alongside anonymous and user. The client
reuses its application certificate as the X509 identity token
(open62541 requires both to match). Server-side access control
advertises the certificate token policy automatically when
sessionPKI is configured.
Diffstat (limited to 'src/server_register.c')
| -rw-r--r-- | src/server_register.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/src/server_register.c b/src/server_register.c
index 8f23d1c..705fc18 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -50,6 +50,7 @@ typedef struct
 int logLevel;
 const char *username;
 const char *password;
+ UA_Boolean certAuth;
 } LdsClientParams;
 
 /**
@@ -65,9 +66,9 @@ makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p)
 UA_StatusCode rv;
 if (p->certPath)
 {
- rv = createSecureClientConfig (cc, p->appUri, p->certPath, p->keyPath,
- p->trustPaths, p->trustSize,
- p->securityMode, p->securityPolicyUri);
+ rv = createSecureClientConfig (
+ cc, p->appUri, p->certPath, p->keyPath, p->trustPaths, p->trustSize,
+ p->securityMode, p->securityPolicyUri, p->certAuth);
 }
 else
 {
@@ -157,7 +158,7 @@ main (int argc, char **argv)
 UA_Boolean serverAllowAnonymous;
 const char *serverUsername = NULL, *serverPassword = NULL;
 if (parseAuthConfig (&serverCfg, "ServerRegister", &serverAllowAnonymous,
- &serverUsername, &serverPassword)
+ &serverUsername, &serverPassword, NULL)
 != 0)
 goto cleanup;
 
@@ -230,8 +231,9 @@ main (int argc, char **argv)
 }
 
 const char *clientUsername = NULL, *clientPassword = NULL;
+ UA_Boolean clientCertAuth = false;
 if (parseAuthConfig (&clientCfg, "ServerRegister", NULL, &clientUsername,
- &clientPassword)
+ &clientPassword, &clientCertAuth)
 != 0)
 goto cleanup;
 
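Review bot: The new `certAuth` field added to LdsClientParams in the first hunk is undocumented, and nothing at the declaration says it is only meaningful together with `certPath` (the makeLdsClientConfig hunk forwards it on the certificate-configured path only). Suggest `UA_Boolean certAuth; /* authMode=cert: present the application certificate as the X509 identity token; requires certPath */`. The typedef's earlier fields are outside the hunk.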
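Review bot: In the makeLdsClientConfig hunk `p->certAuth` is forwarded to createSecureClientConfig only inside `if (p->certPath)`, so a client configured with authMode=cert but no application certificate silently takes the `else` path and presumably proceeds with whatever other identity token it has, instead of failing on the misconfiguration. The commit message states that open62541 requires the identity certificate and the application certificate to match, so that combination cannot succeed and deserves an explicit rejection; the `else` body lies outside the hunk, but its first statement could be `if (p->certAuth) rv = UA_STATUSCODE_BADCONFIGURATIONERROR;` followed by whatever error exit the function already uses for `rv`. makeLdsClientConfig continues beyond the hunk, so the exact form depends on the code below.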
@@ -254,13 +256,20 @@ main (int argc, char **argv) { retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL); } - else + else if (serverUsername) { UA_UsernamePasswordLogin logins[1]; logins[0].username = UA_STRING ((char *)serverUsername); logins[0].password = UA_STRING ((char *)serverPassword); retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins); } + else + { + /* cert auth — sessionPKI.verifyCertificate is set by createServer + via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default + will automatically advertise the X509 certificate token policy. */ + retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL); + } if (retval != UA_STATUSCODE_GOOD) goto cleanup; @@ -278,6 +287,7 @@ main (int argc, char **argv) .logLevel = logLevel, .username = clientUsername, .password = clientPassword, + .certAuth = clientCertAuth, }; /* Use run_startup + manual event loop (instead of UA_Server_run) so we |
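Review bot: The new trailing `else` in the access-control hunk selects certificate-only authentication by elimination — it runs whenever anonymous access is disabled and no username is set — rather than from a parsed flag, because the server-side parseAuthConfig call in the earlier `@@ -157` hunk passes `NULL` for the new certAuth output. A configuration that merely omits `username` therefore silently becomes cert-only, and if sessionPKI.verifyCertificate was not actually populated (the comment relies on createServer having done so) the server ends up advertising no usable identity token policy at all, which is hard to diagnose from the client side. Consider declaring `UA_Boolean serverCertAuth = false;`, passing `&serverCertAuth` instead of `NULL`, and writing the branch as `else if (serverCertAuth)` with a final `else { retval = UA_STATUSCODE_BADCONFIGURATIONERROR; }` so the existing `if (retval != UA_STATUSCODE_GOOD) goto cleanup;` check rejects the ambiguous configuration. The enclosing main continues outside the hunk.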
