From 8d9ca6e1e18d8b429c30e3e30828bb41c6b26c5c Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Wed, 18 Feb 2026 09:48:51 +0100
Subject: Add aes256_anon test, expand readme certificate section

Create test configs for SignAndEncrypt / Aes256_Sha256_RsaPss with anonymous auth. Expand the readme certificate section with an identity table and clearer trust store explanation.
---
 readme.md | 19 +++++++++++++++----
 tests/aes256_anon/client.conf | 9 +++++++++
 tests/aes256_anon/server_lds.conf | 11 +++++++++++
 tests/aes256_anon/server_register.conf | 12 ++++++++++++
 tests/aes256_anon/server_register_client.conf | 12 ++++++++++++
 5 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 tests/aes256_anon/client.conf
 create mode 100644 tests/aes256_anon/server_lds.conf
 create mode 100644 tests/aes256_anon/server_register.conf
 create mode 100644 tests/aes256_anon/server_register_client.conf

diff --git a/readme.md b/readme.md
index c524bc2..6011d40 100644
--- a/readme.md
+++ b/readme.md
@@ -28,8 +28,11 @@ cd opcua_c
 The programs use TLS certificates for mutual authentication. ServerLDS and ServerRegister can also run without certificates (SecurityPolicy#None only) by omitting the `certificate`, `privateKey`, and `trustStore` keys from their
-config files. For encrypted operation, four identities are needed — run these
-from the project root:
+config files.
+
+For encrypted operation, four identities are needed. Each call to
+`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate
+(`_cert.der`) and private key (`_key.der`) in the given directory:
 
 ```sh
 tools/generate_certificate.sh certs ServerLDS
@@ -38,10 +41,18 @@ tools/generate_certificate.sh certs ServerRegisterClient
 tools/generate_certificate.sh certs ClientFindServers
 ```
 
+| Identity | Used by | Purpose |
+|----------|---------|---------|
+| `ServerLDS` | ServerLDS | Server certificate for the LDS |
+| `ServerRegister` | ServerRegister | Server certificate for the registering server |
+| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS |
+| `ClientFindServers` | Client | Client certificate for all client operations |
+
 ### Populate the trust stores
 
-Each program trusts a specific set of peers. Create symlinks to the
-certificates in the trust store directories so they can find each other:
+OPC UA applications only accept connections from peers whose certificate is in
+their trust store. Create the trust store directories and symlink each peer's
+certificate:
 
 ```sh
 mkdir -p certs/trust/{server_lds,server_register,server_register_client,client}
diff --git a/tests/aes256_anon/client.conf b/tests/aes256_anon/client.conf
new file mode 100644
index 0000000..2818355
--- /dev/null
+++ b/tests/aes256_anon/client.conf
@@ -0,0 +1,9 @@
+# Client — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ClientFindServers
+certificate = certs/ClientFindServers_cert.der
+privateKey = certs/ClientFindServers_key.der
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+authMode = anonymous
+trustStore = certs/trust/client
diff --git a/tests/aes256_anon/server_lds.conf b/tests/aes256_anon/server_lds.conf
new file mode 100644
index 0000000..587820f
--- /dev/null
+++ b/tests/aes256_anon/server_lds.conf
@@ -0,0 +1,11 @@
+# ServerLDS — test: aes256_anon
+
+port = 14840
+applicationUri = urn:localhost:bobink:ServerLDS
+certificate = certs/ServerLDS_cert.der
+privateKey = certs/ServerLDS_key.der
+cleanupTimeout = 60
+
+authMode = anonymous
+
+trustStore = certs/trust/server_lds
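Review bot: The `authMode = anonymous` line in client.conf is easy to misread as a test without authentication, while the `certificate`, `privateKey` and `trustStore` keys in the same file show the transport is still certificate-authenticated on both sides; presumably `authMode` selects only the user identity token used at session activation. A one-line comment would keep a future reader from weakening the configuration by mistake, e.g. `# authMode covers the user token only; the channel is still mutually authenticated via trustStore` placed above the `authMode` line. The same comment applies to the other three config files in this commit.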
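Review bot: server_lds.conf carries no `securityMode` or `securityPolicy` key, so nothing on the server side pins this test to `SignAndEncrypt`/`Aes256_Sha256_RsaPss`; only client.conf and server_register_client.conf request it. If ServerLDS also exposes a `SecurityPolicy#None` endpoint when certificates are configured (the readme hunk in this commit only says None-only applies when the keys are omitted), the test shows that the clients pick the stronger policy, not that the server refuses the weaker one. Whether the server config format accepts those keys is not visible here; if it does, adding `securityMode = SignAndEncrypt` and `securityPolicy = Aes256_Sha256_RsaPss` would make the test assert what its directory name claims, and otherwise the header comment should state that the policy is selected client-side. The same applies to server_register.conf.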
diff --git a/tests/aes256_anon/server_register.conf b/tests/aes256_anon/server_register.conf
new file mode 100644
index 0000000..a2ce852
--- /dev/null
+++ b/tests/aes256_anon/server_register.conf
@@ -0,0 +1,12 @@
+# ServerRegister server config — test: aes256_anon
+
+port = 14841
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegister_cert.der
+privateKey = certs/ServerRegister_key.der
+
+registerInterval = 10
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register
diff --git a/tests/aes256_anon/server_register_client.conf b/tests/aes256_anon/server_register_client.conf
new file mode 100644
index 0000000..46e8659
--- /dev/null
+++ b/tests/aes256_anon/server_register_client.conf
@@ -0,0 +1,12 @@
+# ServerRegister client config — test: aes256_anon
+
+applicationUri = urn:localhost:bobink:ServerRegister
+certificate = certs/ServerRegisterClient_cert.der
+privateKey = certs/ServerRegisterClient_key.der
+
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+
+authMode = anonymous
+
+trustStore = certs/trust/server_register_client
-- 
cgit v1.2.3
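Review bot: server_register_client.conf declares `applicationUri = urn:localhost:bobink:ServerRegister` but loads `certs/ServerRegisterClient_cert.der`, the only file in this commit where the URI suffix and the certificate identity differ. OPC UA peers that check the ApplicationUri against the certificate's subjectAltName URI will reject the connection if `tools/generate_certificate.sh` derives that URI from the identity name (`ServerRegisterClient`) rather than from the application's URI; the script is not part of this commit, so this is inferred. Confirm which URI the script embeds, and either document the intent above the `applicationUri` line, e.g. `# same ApplicationUri as server_register.conf: one application, two certificates`, or generate the client certificate with the matching URI.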