Diffstat (limited to 'src/server_register.c')
-rw-r--r--src/server_register.c167
1 files changed, 36 insertions, 131 deletions
diff --git a/src/server_register.c b/src/server_register.c
index 705fc18..8a64d08 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -41,16 +41,9 @@ stopHandler (int sign)
typedef struct
{
const char *appUri;
- const char *certPath;
- const char *keyPath;
- char **trustPaths;
- size_t trustSize;
- UA_MessageSecurityMode securityMode;
- const char *securityPolicyUri;
+ SecurityConfig sec;
+ AuthConfig auth;
int logLevel;
- const char *username;
- const char *password;
- UA_Boolean certAuth;
} LdsClientParams;
/**
@@ -64,21 +57,13 @@ makeLdsClientConfig (UA_ClientConfig *cc, const LdsClientParams *p)
{
memset (cc, 0, sizeof (UA_ClientConfig));
UA_StatusCode rv;
- if (p->certPath)
- {
- rv = createSecureClientConfig (
- cc, p->appUri, p->certPath, p->keyPath, p->trustPaths, p->trustSize,
- p->securityMode, p->securityPolicyUri, p->certAuth);
- }
+ if (p->sec.certPath)
+ rv = createSecureClientConfig (cc, p->appUri, &p->sec, &p->auth);
else
- {
- rv = createUnsecureClientConfig (cc, p->appUri);
- }
+ rv = createUnsecureClientConfig (cc, p->appUri, &p->auth);
if (rv != UA_STATUSCODE_GOOD)
return rv;
cc->logging->context = (void *)(uintptr_t)p->logLevel;
- if (p->username)
- UA_ClientConfig_setAuthenticationUsername (cc, p->username, p->password);
return UA_STATUSCODE_GOOD;
}
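Review bot: The `else` branch now hands `&p->auth` to `createUnsecureClientConfig`, so a configured username and password would presumably be sent over a SecurityPolicy#None channel, and an `AUTH_CERT` mode would arrive with no certificate to present. Neither helper's body is visible here, so either case may already be rejected inside them. If not, a guard before the branch makes the policy explicit, for example `if (!p->sec.certPath && p->auth.mode == AUTH_CERT) return UA_STATUSCODE_BADSECURITYCHECKSFAILED;`, plus a `UA_LOG_WARNING` when `p->auth.mode == AUTH_USER` without a certificate. The function's signature appears only in the hunk header, so its doc comment could not be checked for a mention of this.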
@@ -119,10 +104,8 @@ main (int argc, char **argv)
int rc = EXIT_FAILURE;
Config serverCfg = { 0 };
Config clientCfg = { 0 };
- char **serverTrustPaths = NULL;
- size_t serverTrustSize = 0;
- char **clientTrustPaths = NULL;
- size_t clientTrustSize = 0;
+ SecurityConfig serverSec = { 0 };
+ SecurityConfig clientSec = { 0 };
UA_Server *server = NULL;
if (configLoad (argv[1], &serverCfg) != 0)
@@ -137,34 +120,12 @@ main (int argc, char **argv)
if (!applicationUri || port < 0 || registerInterval < 0)
goto cleanup;
- /* Security configuration (optional). When certificate, privateKey, and
- trustStore are all omitted the server runs with SecurityPolicy#None
- only. When any of the three is present, all three are required. */
- const char *serverCertPath = configGet (&serverCfg, "certificate");
- const char *serverKeyPath = configGet (&serverCfg, "privateKey");
- const char *serverTrustStore = configGet (&serverCfg, "trustStore");
- UA_Boolean serverSecure = (serverCertPath != NULL || serverKeyPath != NULL
- || serverTrustStore != NULL);
-
- if (serverSecure && (!serverCertPath || !serverKeyPath || !serverTrustStore))
- {
- UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Incomplete server security config: certificate, "
- "privateKey, and trustStore must all be set, or all "
- "omitted");
- goto cleanup;
- }
-
- UA_Boolean serverAllowAnonymous;
- const char *serverUsername = NULL, *serverPassword = NULL;
- if (parseAuthConfig (&serverCfg, "ServerRegister", &serverAllowAnonymous,
- &serverUsername, &serverPassword, NULL)
+ if (parseSecurityConfig (&serverCfg, "ServerRegister", false, &serverSec)
!= 0)
goto cleanup;
- if (serverSecure
- && loadTrustStore (serverTrustStore, &serverTrustPaths, &serverTrustSize)
- != 0)
+ AuthConfig serverAuth;
+ if (parseAuthConfig (&serverCfg, "ServerRegister", &serverAuth) != 0)
goto cleanup;
/* ── Load client config ─────────────────────────────────────── */
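Review bot: The third argument of `parseSecurityConfig` is a bare `false` here and a bare `true` in the client call in the next hunk, and the comment that explained the all-or-none rule for certificate, privateKey and trustStore was removed with the old code. A reader of main can no longer tell what the flag selects or whether a partial configuration is still rejected. I would add a short comment at each call, for example `/* false: server side, securityMode/securityPolicy not read (TODO confirm) */`. I would also keep one sentence stating that the three keys must all be set or all omitted, if parseSecurityConfig still enforces that. main's body starts and ends outside this hunk.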
@@ -177,72 +138,20 @@ main (int argc, char **argv)
if (!clientAppUri)
goto cleanup;
- /* Security configuration (optional). When certificate, privateKey, and
- trustStore are all omitted the client connects without encryption.
- When any of the three is present, all three are required. */
- const char *clientCertPath = configGet (&clientCfg, "certificate");
- const char *clientKeyPath = configGet (&clientCfg, "privateKey");
- const char *clientTrustStore = configGet (&clientCfg, "trustStore");
- UA_Boolean clientSecure = (clientCertPath != NULL || clientKeyPath != NULL
- || clientTrustStore != NULL);
-
- if (clientSecure && (!clientCertPath || !clientKeyPath || !clientTrustStore))
- {
- UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Incomplete client security config: certificate, "
- "privateKey, and trustStore must all be set, or all "
- "omitted");
- goto cleanup;
- }
-
- UA_MessageSecurityMode securityMode = UA_MESSAGESECURITYMODE_NONE;
- const char *securityPolicyUri
- = "http://opcfoundation.org/UA/SecurityPolicy#None";
-
- if (clientSecure)
- {
- const char *securityModeStr
- = configRequire (&clientCfg, "securityMode", "ServerRegister");
- const char *securityPolicyStr
- = configRequire (&clientCfg, "securityPolicy", "ServerRegister");
- if (!securityModeStr || !securityPolicyStr)
- goto cleanup;
-
- securityMode = parseSecurityMode (securityModeStr);
- if (securityMode == UA_MESSAGESECURITYMODE_INVALID)
- {
- UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Unknown security mode: %s", securityModeStr);
- goto cleanup;
- }
-
- securityPolicyUri = resolveSecurityPolicyUri (securityPolicyStr);
- if (!securityPolicyUri)
- {
- UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "Unknown security policy: %s", securityPolicyStr);
- goto cleanup;
- }
-
- if (loadTrustStore (clientTrustStore, &clientTrustPaths,
- &clientTrustSize)
- != 0)
- goto cleanup;
- }
-
- const char *clientUsername = NULL, *clientPassword = NULL;
- UA_Boolean clientCertAuth = false;
- if (parseAuthConfig (&clientCfg, "ServerRegister", NULL, &clientUsername,
- &clientPassword, &clientCertAuth)
+ if (parseSecurityConfig (&clientCfg, "ServerRegister", true, &clientSec)
!= 0)
goto cleanup;
+ AuthConfig clientAuth;
+ if (parseAuthConfig (&clientCfg, "ServerRegister", &clientAuth) != 0)
+ goto cleanup;
+
/* ── Create and configure server ────────────────────────────── */
UA_StatusCode retval;
- server = createServer ((UA_UInt16)port, applicationUri, serverCertPath,
- serverKeyPath, serverTrustPaths, serverTrustSize,
- true, &retval);
+ server
+ = createServer ((UA_UInt16)port, applicationUri,
+ serverSec.certPath ? &serverSec : NULL, true, &retval);
if (!server)
goto cleanup;
@@ -252,23 +161,26 @@ main (int argc, char **argv)
/* Configure access control. UA_ServerConfig_setDefaultWithSecure-
SecurityPolicies sets certificate-only auth by default, so we must
always call UA_AccessControl_default to get the desired policy. */
- if (serverAllowAnonymous)
+ switch (serverAuth.mode)
{
+ case AUTH_ANONYMOUS:
retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
- }
- else if (serverUsername)
- {
- UA_UsernamePasswordLogin logins[1];
- logins[0].username = UA_STRING ((char *)serverUsername);
- logins[0].password = UA_STRING ((char *)serverPassword);
- retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- }
- else
- {
+ break;
+ case AUTH_USER:
+ {
+ UA_UsernamePasswordLogin logins[1];
+ logins[0].username = UA_STRING ((char *)serverAuth.user.username);
+ logins[0].password = UA_STRING ((char *)serverAuth.user.password);
+ retval
+ = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
+ break;
+ }
+ case AUTH_CERT:
/* cert auth — sessionPKI.verifyCertificate is set by createServer
via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default
will automatically advertise the X509 certificate token policy. */
retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
+ break;
}
if (retval != UA_STATUSCODE_GOOD)
goto cleanup;
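Review bot: The `AUTH_CERT` case relies on createServer having installed the certificate verifier, but the previous hunk passes `NULL` to createServer when `serverSec.certPath` is absent, and nothing visible rejects `AUTH_CERT` without a certificate. What `UA_AccessControl_default (serverConfig, false, NULL, 0, NULL)` then does depends on the library version and is worth confirming, since it has no anonymous access, no logins and no verifier to work with. A check before the switch would fail closed: `if (serverAuth.mode == AUTH_CERT && !serverSec.certPath) goto cleanup;`, preceded by a `UA_LOG_FATAL`. The switch also has no `default:`, so an unexpected mode leaves `retval` as createServer set it and skips access control silently; `default: retval = UA_STATUSCODE_BADINTERNALERROR; break;` would surface that. main's body starts and ends outside this hunk.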
@@ -278,16 +190,9 @@ main (int argc, char **argv)
LdsClientParams ldsParams = {
.appUri = clientAppUri,
- .certPath = clientCertPath,
- .keyPath = clientKeyPath,
- .trustPaths = clientTrustPaths,
- .trustSize = clientTrustSize,
- .securityMode = securityMode,
- .securityPolicyUri = securityPolicyUri,
+ .sec = clientSec,
+ .auth = clientAuth,
.logLevel = logLevel,
- .username = clientUsername,
- .password = clientPassword,
- .certAuth = clientCertAuth,
};
/* Use run_startup + manual event loop (instead of UA_Server_run) so we
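Review bot: `.sec = clientSec` and `.auth = clientAuth` are struct copies, so `ldsParams` holds second copies of the `trustPaths` pointer and of the credential pointers that main still owns and frees in cleanup. That is safe only while nothing frees through `ldsParams.sec` and nothing uses `ldsParams` after cleanup, which this hunk does not show. A comment on the initializer would record the ownership, for example `/* borrows clientSec/clientAuth pointers; main frees them in cleanup */`. Making the members `const SecurityConfig *` and `const AuthConfig *` would express the same thing in the type, at the cost of touching makeLdsClientConfig.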
@@ -360,8 +265,8 @@ main (int argc, char **argv)
cleanup:
if (server)
UA_Server_delete (server);
- freeTrustStore (clientTrustPaths, clientTrustSize);
- freeTrustStore (serverTrustPaths, serverTrustSize);
+ freeTrustStore (clientSec.trustPaths, clientSec.trustSize);
+ freeTrustStore (serverSec.trustPaths, serverSec.trustSize);
configFree (&clientCfg);
configFree (&serverCfg);
return rc;