| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 15:39:29 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 15:39:29 +0100 |
| commit | 99b5b4416193fafaa815746ea756900d2ab26917 (patch) | |
| tree | 7d1ab48fcc2e8406df8d2606b691ee9e6911dcd0 /tests | |
| parent | 12989671c9f43707701a8cef8e77e34b1bf24a37 (diff) | |
Make client/server encryption optional, rename tests to full names
Make encryption optional for both ServerRegister's LDS client
connection and the server side of ServerLDS/ServerRegister: when
certificate, privateKey, and trustStore are omitted the programs
run with SecurityPolicy#None only. Secure servers also add a
discovery-only None endpoint so unencrypted clients can still call
FindServers and GetEndpoints.
Consolidate tests from 5 policy-specific cases (nosec_anon,
none_user, basic256sha256_anon, aes256_anon, aes128_user) down to
3 that cover the important axes: unsecure_anonymous,
secure_anonymous, secure_user. Rename directories to use full
names. Auto-generate certificates and trust stores in run_test.sh.
Update readme and CLAUDE.md to reflect the current program
interface (unified Client binary, split ServerRegister configs)
and the new test names.
Diffstat (limited to 'tests')
23 files changed, 64 insertions, 142 deletions
diff --git a/tests/aes128_user/server_lds.conf b/tests/aes128_user/server_lds.conf
deleted file mode 100644
index 86bf196..0000000
--- a/tests/aes128_user/server_lds.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# ServerLDS — test: aes128_user
-
-port = 14840
-applicationUri = urn:localhost:bobink:ServerLDS
-
-certificate = certs/ServerLDS_cert.der
-privateKey = certs/ServerLDS_key.der
-trustStore = certs/trust/server_lds
-
-authMode = user
-username = user
-password = password
-
-cleanupTimeout = 60
diff --git a/tests/aes128_user/server_register_client.conf b/tests/aes128_user/server_register_client.conf
deleted file mode 100644
index 3e976be..0000000
--- a/tests/aes128_user/server_register_client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# ServerRegister client config — test: aes128_user
-
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegisterClient_cert.der
-privateKey = certs/ServerRegisterClient_key.der
-trustStore = certs/trust/server_register_client
-
-securityMode = SignAndEncrypt
-securityPolicy = Aes128_Sha256_RsaOaep
-
-authMode = user
-username = user
-password = password
diff --git a/tests/aes256_anon/client.conf b/tests/aes256_anon/client.conf
deleted file mode 100644
index 5141e2c..0000000
--- a/tests/aes256_anon/client.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# Client — test: aes256_anon
-
-applicationUri = urn:localhost:bobink:Client
-
-certificate = certs/Client_cert.der
-privateKey = certs/Client_key.der
-trustStore = certs/trust/client
-
-securityMode = SignAndEncrypt
-securityPolicy = Aes256_Sha256_RsaPss
-
-authMode = anonymous
diff --git a/tests/basic256sha256_anon/server_register.conf b/tests/basic256sha256_anon/server_register.conf
deleted file mode 100644
index 6a47796..0000000
--- a/tests/basic256sha256_anon/server_register.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# ServerRegister server config — test: basic256sha256_anon
-
-port = 14841
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegister_cert.der
-privateKey = certs/ServerRegister_key.der
-trustStore = certs/trust/server_register
-
-authMode = anonymous
-
-registerInterval = 10
diff --git a/tests/none_user/client.conf b/tests/none_user/client.conf
deleted file mode 100644
index eba232e..0000000
--- a/tests/none_user/client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# Client — test: none_user
-
-applicationUri = urn:localhost:bobink:Client
-
-certificate = certs/Client_cert.der
-privateKey = certs/Client_key.der
-trustStore = certs/trust/client
-
-securityMode = None
-securityPolicy = None
-
-authMode = user
-username = user
-password = password
diff --git a/tests/none_user/server_lds.conf b/tests/none_user/server_lds.conf
deleted file mode 100644
index 5da2c50..0000000
--- a/tests/none_user/server_lds.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# ServerLDS — test: none_user
-
-port = 14840
-applicationUri = urn:localhost:bobink:ServerLDS
-
-certificate = certs/ServerLDS_cert.der
-privateKey = certs/ServerLDS_key.der
-trustStore = certs/trust/server_lds
-
-authMode = user
-username = user
-password = password
-
-cleanupTimeout = 60
diff --git a/tests/none_user/server_register.conf b/tests/none_user/server_register.conf
deleted file mode 100644
index c44c0e6..0000000
--- a/tests/none_user/server_register.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# ServerRegister server config — test: none_user
-
-port = 14841
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegister_cert.der
-privateKey = certs/ServerRegister_key.der
-trustStore = certs/trust/server_register
-
-authMode = user
-username = user
-password = password
-
-registerInterval = 10
diff --git a/tests/none_user/server_register_client.conf b/tests/none_user/server_register_client.conf
deleted file mode 100644
index bfc4ce2..0000000
--- a/tests/none_user/server_register_client.conf
+++ /dev/null
@@ -1,14 +0,0 @@
-# ServerRegister client config — test: none_user
-
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegisterClient_cert.der
-privateKey = certs/ServerRegisterClient_key.der
-trustStore = certs/trust/server_register_client
-
-securityMode = None
-securityPolicy = None
-
-authMode = user
-username = user
-password = password
diff --git a/tests/nosec_anon/client.conf b/tests/nosec_anon/client.conf
deleted file mode 100644
index 2c74f5e..0000000
--- a/tests/nosec_anon/client.conf
+++ /dev/null
@@ -1,12 +0,0 @@
-# Client — test: nosec_anon
-
-applicationUri = urn:localhost:bobink:Client
-
-certificate = certs/Client_cert.der
-privateKey = certs/Client_key.der
-trustStore = certs/trust/client
-
-securityMode = None
-securityPolicy = None
-
-authMode = anonymous
diff --git a/tests/nosec_anon/server_lds.conf b/tests/nosec_anon/server_lds.conf
deleted file mode 100644
index a4598a0..0000000
--- a/tests/nosec_anon/server_lds.conf
+++ /dev/null
@@ -1,9 +0,0 @@
-# ServerLDS — test: nosec_anon
-# No certificate/privateKey/trustStore: runs with SecurityPolicy#None only.
-
-port = 14840
-applicationUri = urn:localhost:bobink:ServerLDS
-
-authMode = anonymous
-
-cleanupTimeout = 60
diff --git a/tests/run_test.sh b/tests/run_test.sh
index fc44ad6..2767919 100755
--- a/tests/run_test.sh
+++ b/tests/run_test.sh
@@ -28,6 +28,25 @@ SR_PID="" TMPFILE="" FAILURES=0 +# ── ensure certificates exist ───────────────────────────────── +CERT_DIR=certs +GEN_CERT=tools/generate_certificate.sh + +for identity in ServerLDS ServerRegister ServerRegisterClient Client; do + if [ ! -f "$CERT_DIR/${identity}_cert.der" ]; then + "$GEN_CERT" "$CERT_DIR" "$identity" + fi +done + +# Populate trust stores: each identity trusts every other identity. +for store in server_lds server_register server_register_client client; do + mkdir -p "$CERT_DIR/trust/$store" + for identity in ServerLDS ServerRegister ServerRegisterClient Client; do + cert="$CERT_DIR/${identity}_cert.der" + [ -f "$cert" ] && cp -n "$cert" "$CERT_DIR/trust/$store/" + done +done + # ── cleanup ──────────────────────────────────────────────────── cleanup() { [ -n "$LDS_PID" ] && kill "$LDS_PID" 2>/dev/null && wait "$LDS_PID" 2>/dev/null diff --git a/tests/basic256sha256_anon/client.conf b/tests/secure_anonymous/client.conf index 26cd1cc..755edec 100644 --- a/tests/basic256sha256_anon/client.conf +++ b/tests/secure_anonymous/client.conf @@ -1,4 +1,4 @@ -# Client — test: basic256sha256_anon +# Client — test: secure_anonymous applicationUri = urn:localhost:bobink:Client diff --git a/tests/aes256_anon/server_lds.conf b/tests/secure_anonymous/server_lds.conf index 763ec54..f92b803 100644 --- a/tests/aes256_anon/server_lds.conf +++ b/tests/secure_anonymous/server_lds.conf @@ -1,4 +1,5 @@ -# ServerLDS — test: aes256_anon +# ServerLDS — test: secure_anonymous +# Secured LDS with discovery-only None endpoint. port = 14840 applicationUri = urn:localhost:bobink:ServerLDS diff --git a/tests/aes256_anon/server_register.conf b/tests/secure_anonymous/server_register.conf index 7f08405..31df277 100644 --- a/tests/aes256_anon/server_register.conf +++ b/tests/secure_anonymous/server_register.conf 
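Review bot: In the tests/run_test.sh hunk, regeneration is keyed only on `${identity}_cert.der` existing and the trust-store copy uses `cp -n`, so a certificate that gets regenerated, or one whose `_key.der` has gone missing, leaves the previous certificate in every `certs/trust/*` directory and the secure tests then fail at the handshake for a reason unrelated to the code under test. I would check both files, `if [ ! -f "$CERT_DIR/${identity}_cert.der" ] || [ ! -f "$CERT_DIR/${identity}_key.der" ]; then`, and copy with plain `cp "$cert" "$CERT_DIR/trust/$store/"` so the stores always mirror the current certificates. Every store also receives all four certificates, its own included, so none of the secure cases can demonstrate that an untrusted peer is rejected; if that is deliberate for the test rig, a comment such as `# Test-only: full mesh trust, no rejection case is exercised.` above the loop would say so. The cleanup() body after the added lines continues outside the hunk.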
@@ -1,4 +1,4 @@ -# ServerRegister server config — test: aes256_anon +# ServerRegister server config — test: secure_anonymous port = 14841 applicationUri = urn:localhost:bobink:ServerRegister diff --git a/tests/aes256_anon/server_register_client.conf b/tests/secure_anonymous/server_register_client.conf index 0a79338..a9c3419 100644 --- a/tests/aes256_anon/server_register_client.conf +++ b/tests/secure_anonymous/server_register_client.conf @@ -1,4 +1,5 @@ -# ServerRegister client config — test: aes256_anon +# ServerRegister client config — test: secure_anonymous +# Registers with the secured LDS over an encrypted channel. applicationUri = urn:localhost:bobink:ServerRegister @@ -7,6 +8,6 @@ privateKey = certs/ServerRegisterClient_key.der trustStore = certs/trust/server_register_client securityMode = SignAndEncrypt -securityPolicy = Aes256_Sha256_RsaPss +securityPolicy = Basic256Sha256 authMode = anonymous diff --git a/tests/aes128_user/client.conf b/tests/secure_user/client.conf index 77b43d2..85c12e9 100644 --- a/tests/aes128_user/client.conf +++ b/tests/secure_user/client.conf @@ -1,4 +1,4 @@ -# Client — test: aes128_user +# Client — test: secure_user applicationUri = urn:localhost:bobink:Client @@ -7,7 +7,7 @@ privateKey = certs/Client_key.der trustStore = certs/trust/client securityMode = SignAndEncrypt -securityPolicy = Aes128_Sha256_RsaOaep +securityPolicy = Basic256Sha256 authMode = user username = user diff --git a/tests/basic256sha256_anon/server_lds.conf b/tests/secure_user/server_lds.conf index 4560153..3babf37 100644 --- a/tests/basic256sha256_anon/server_lds.conf +++ b/tests/secure_user/server_lds.conf @@ -1,4 +1,5 @@ -# ServerLDS — test: basic256sha256_anon +# ServerLDS — test: secure_user +# Secured LDS with discovery-only None endpoint. port = 14840 applicationUri = urn:localhost:bobink:ServerLDS diff --git a/tests/aes128_user/server_register.conf b/tests/secure_user/server_register.conf index 3c4c88a..65e69d8 100644 
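Review bot: The `securityPolicy` changes in tests/secure_anonymous/server_register_client.conf and tests/secure_user/client.conf move both remaining encrypted cases to `Basic256Sha256`, so after this commit no test config visible in the diff negotiates `Aes256_Sha256_RsaPss` or `Aes128_Sha256_RsaOaep`. Of the three policies the old suite exercised, the one kept is the one that still uses PKCS#1 v1.5 signatures and SHA-1 based OAEP, while the PSS policy is left without a test. If the servers continue to offer the Aes policies (not visible here), I would keep one case on the strongest one, for example `securityPolicy = Aes256_Sha256_RsaPss` in secure_anonymous, and leave secure_user on `Basic256Sha256` for compatibility coverage.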
--- a/tests/aes128_user/server_register.conf +++ b/tests/secure_user/server_register.conf @@ -1,4 +1,4 @@ -# ServerRegister server config — test: aes128_user +# ServerRegister server config — test: secure_user port = 14841 applicationUri = urn:localhost:bobink:ServerRegister diff --git a/tests/basic256sha256_anon/server_register_client.conf b/tests/secure_user/server_register_client.conf index aa0339c..c924d8d 100644 --- a/tests/basic256sha256_anon/server_register_client.conf +++ b/tests/secure_user/server_register_client.conf @@ -1,4 +1,5 @@ -# ServerRegister client config — test: basic256sha256_anon +# ServerRegister client config — test: secure_user +# Registers with the secured LDS over an encrypted channel. applicationUri = urn:localhost:bobink:ServerRegister diff --git a/tests/unsecure_anonymous/client.conf b/tests/unsecure_anonymous/client.conf new file mode 100644 index 0000000..d93000e --- /dev/null +++ b/tests/unsecure_anonymous/client.conf @@ -0,0 +1,15 @@ +# Client — test: unsecure_anonymous +# Has certs for encryption support (needed to negotiate with the secured +# LDS) but no securityMode/securityPolicy — lets the client auto-select +# the best available endpoint on each server. + +applicationUri = urn:localhost:bobink:Client + +# certificate = certs/Client_cert.der +# privateKey = certs/Client_key.der +# trustStore = certs/trust/client +# +securityMode = None +securityPolicy = None + +authMode = anonymous diff --git a/tests/unsecure_anonymous/server_lds.conf b/tests/unsecure_anonymous/server_lds.conf new file mode 100644 index 0000000..b50d03f --- /dev/null +++ b/tests/unsecure_anonymous/server_lds.conf @@ -0,0 +1,13 @@ +# ServerLDS — test: unsecure_anonymous +# Secured LDS with discovery-only None endpoint. + +port = 14840 +applicationUri = urn:localhost:bobink:ServerLDS + +# certificate = certs/ServerLDS_cert.der +# privateKey = certs/ServerLDS_key.der +# trustStore = certs/trust/server_lds + +authMode = anonymous + +cleanupTimeout = 60 
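Review bot: The header comment of the new tests/unsecure_anonymous/client.conf contradicts the settings below it: it says the client has certs and sets no securityMode/securityPolicy so that it auto-selects an endpoint, but certificate, privateKey and trustStore are commented out and both `securityMode = None` and `securityPolicy = None` are set explicitly. A reader auditing which cases run without encryption will be misled, so I would replace the three comment lines with `# No certificate/privateKey/trustStore: connects with SecurityPolicy#None only.` The same applies to the new tests/unsecure_anonymous/server_lds.conf, whose comment `# Secured LDS with discovery-only None endpoint.` sits above commented-out certificate settings; the removed nosec_anon wording `# No certificate/privateKey/trustStore: runs with SecurityPolicy#None only.` describes it correctly. The hunk for tests/unsecure_anonymous/server_register_client.conf likewise swaps in `# Registers with the secured LDS over an encrypted channel.`, which looks wrong for a test whose LDS has no certificate, though the rest of that file is outside the hunk.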
diff --git a/tests/nosec_anon/server_register.conf b/tests/unsecure_anonymous/server_register.conf index 8a2e0c9..db96fa7 100644 --- a/tests/nosec_anon/server_register.conf +++ b/tests/unsecure_anonymous/server_register.conf @@ -1,4 +1,4 @@ -# ServerRegister server config — test: nosec_anon +# ServerRegister server config — test: unsecure_anonymous port = 14841 applicationUri = urn:localhost:bobink:ServerRegister diff --git a/tests/nosec_anon/server_register_client.conf b/tests/unsecure_anonymous/server_register_client.conf index cc81a64..c2ae348 100644 --- a/tests/nosec_anon/server_register_client.conf +++ b/tests/unsecure_anonymous/server_register_client.conf @@ -1,5 +1,5 @@ -# ServerRegister client config — test: nosec_anon -# Connects to an unsecured LDS, so no trust store for the LDS cert is needed. +# ServerRegister client config — test: unsecure_anonymous +# Registers with the secured LDS over an encrypted channel. applicationUri = urn:localhost:bobink:ServerRegister |
