From 95f40458a9dd927fba35624564b64b5f973dd9fe Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Wed, 18 Feb 2026 22:07:07 +0100 Subject: Remove redundant config/ dir, use Aes256_Sha256_RsaPss everywhere The config/ example files duplicated the test configs. Remove them and point the Running docs at tests/secure_user/ instead. Switch the security policy from Basic256Sha256 to Aes256_Sha256_RsaPss in all test configs, CMakeLists.txt, and readme.md. --- CMakeLists.txt | 3 ++- config/client.conf | 26 --------------------- config/server_lds.conf | 25 -------------------- config/server_register.conf | 25 -------------------- config/server_register_client.conf | 27 ---------------------- readme.md | 26 +++++++++++---------- tests/secure_anonymous/client.conf | 2 +- tests/secure_anonymous/server_register_client.conf | 2 +- tests/secure_cert/client.conf | 2 +- tests/secure_cert/server_register_client.conf | 2 +- tests/secure_user/client.conf | 2 +- tests/secure_user/server_register_client.conf | 2 +- 12 files changed, 22 insertions(+), 122 deletions(-) delete mode 100644 config/client.conf delete mode 100644 config/server_lds.conf delete mode 100644 config/server_register.conf delete mode 100644 config/server_register_client.conf diff --git a/CMakeLists.txt b/CMakeLists.txt index b5da8b8..78b8711 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -69,7 +69,8 @@ set(_test_script "${CMAKE_SOURCE_DIR}/tests/run_test.sh") set(_test_names unsecure_anonymous secure_anonymous secure_user secure_cert) -set(_test_policies None Basic256Sha256 Basic256Sha256 Basic256Sha256) +set(_test_policies None Aes256_Sha256_RsaPss Aes256_Sha256_RsaPss + Aes256_Sha256_RsaPss) foreach(_name _policy IN ZIP_LISTS _test_names _test_policies) add_test(NAME "${_name}" COMMAND bash "${_test_script}" "tests/${_name}" diff --git a/config/client.conf b/config/client.conf deleted file mode 100644 index 348bd6b..0000000 --- a/config/client.conf +++ /dev/null 
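Review bot: With `_test_policies` now set to `None Aes256_Sha256_RsaPss Aes256_Sha256_RsaPss Aes256_Sha256_RsaPss`, no scenario exercises Basic256Sha256 any more. The key tables in the removed config files still list it as an accepted `securityPolicy` value. If the servers still offer that policy, keep one scenario for it; if it is being retired, add a test asserting that a Basic256Sha256 connection is refused, so a downgrade path cannot reappear unnoticed. The repeated literal would also read better as one variable, `set(_secure_policy Aes256_Sha256_RsaPss)` followed by `set(_test_policies None ${_secure_policy} ${_secure_policy} ${_secure_policy})`, which keeps the list on one line and makes the next policy change a single edit. The `foreach`/`add_test` body continues outside the hunk, so how `_policy` is used by `run_test.sh` is not visible here.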
@@ -1,26 +0,0 @@
-# Client configuration
-#
-# Keys:
-# applicationUri OPC UA application URI
-# certificate Path to client certificate (.der)
-# privateKey Path to client private key (.der)
-# trustStore Directory containing trusted certificates (.der)
-# securityMode None, Sign, or SignAndEncrypt
-# securityPolicy None, Basic256Sha256, Aes256_Sha256_RsaPss,
-# Aes128_Sha256_RsaOaep, or ECC_nistP256
-# authMode "anonymous" or "user" (read-time only)
-# username Username (required when authMode = user)
-# password Password (required when authMode = user)
-
-applicationUri = urn:localhost:bobink:Client
-
-certificate = certs/Client_cert.der
-privateKey = certs/Client_key.der
-trustStore = certs/trust/client
-
-securityMode = SignAndEncrypt
-securityPolicy = Aes256_Sha256_RsaPss
-
-authMode = user
-username = user
-password = password
diff --git a/config/server_lds.conf b/config/server_lds.conf
deleted file mode 100644
index 54e0457..0000000
--- a/config/server_lds.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# ServerLDS configuration
-#
-# Keys:
-# port Server port number
-# applicationUri OPC UA application URI
-# certificate Path to server certificate (.der)
-# privateKey Path to server private key (.der)
-# trustStore Directory containing trusted certificates (.der)
-# authMode "anonymous" or "user"
-# username Username (required when authMode = user)
-# password Password (required when authMode = user)
-# cleanupTimeout Seconds before stale registrations are removed (must be > 10)
-
-port = 4840
-applicationUri = urn:localhost:bobink:ServerLDS
-
-certificate = certs/ServerLDS_cert.der
-privateKey = certs/ServerLDS_key.der
-trustStore = certs/trust/server_lds
-
-authMode = user
-username = user
-password = password
-
-cleanupTimeout = 60
diff --git a/config/server_register.conf b/config/server_register.conf
deleted file mode 100644
index b3f9290..0000000
--- a/config/server_register.conf
+++ /dev/null
@@ -1,25 +0,0 @@
-# ServerRegister — server configuration
-#
-# Keys:
-# port Server port number
-# applicationUri OPC UA application URI
-# certificate Path to server certificate (.der)
-# privateKey Path to server private key (.der)
-# trustStore Directory containing trusted certificates (.der)
-# authMode "anonymous" or "user"
-# username Username (required when authMode = user)
-# password Password (required when authMode = user)
-# registerInterval Seconds between re-registrations with the LDS
-
-port = 4841
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegister_cert.der
-privateKey = certs/ServerRegister_key.der
-trustStore = certs/trust/server_register
-
-authMode = user
-username = user
-password = password
-
-registerInterval = 10
diff --git a/config/server_register_client.conf b/config/server_register_client.conf
deleted file mode 100644
index f0cc0b8..0000000
--- a/config/server_register_client.conf
+++ /dev/null
@@ -1,27 +0,0 @@
-# ServerRegister — client configuration for LDS registration
-#
-# Keys:
-# applicationUri OPC UA application URI
-# certificate Path to client certificate (.der)
-# privateKey Path to client private key (.der)
-# trustStore Directory containing trusted certificates (.der)
-# securityMode None, Sign, or SignAndEncrypt
-# securityPolicy None, Basic256Sha256, Aes256_Sha256_RsaPss,
-# Aes128_Sha256_RsaOaep, or ECC_nistP256
-# authMode "anonymous" or "user"
-# username Username (required when authMode = user)
-# password Password (required when authMode = user)
-
-
-applicationUri = urn:localhost:bobink:ServerRegister
-
-certificate = certs/ServerRegisterClient_cert.der
-privateKey = certs/ServerRegisterClient_key.der
-trustStore = certs/trust/server_register_client
-
-securityMode = SignAndEncrypt
-securityPolicy = Aes256_Sha256_RsaPss
-
-authMode = user
-username = user
-password = password
diff --git a/readme.md b/readme.md
index dcdf8a1..f6a7916 100644
--- a/readme.md
+++ b/readme.md
@@ -82,24 +82,26 @@ build takes a bit longer. ## Running -Start the programs in order, each in its own terminal, from the project root: +Start the programs in order, each in its own terminal, from the project root. +Configuration files live in `tests/` (one directory per test scenario — see +[Tests](#tests) below). The examples below use `tests/secure_user/`: ```sh # 1. Local Discovery Server -build/ServerLDS config/server_lds.conf +build/ServerLDS tests/secure_user/server_lds.conf -# 2. Register Server (connects to the LDS on port 4840) -build/ServerRegister config/server_register.conf \ - config/server_register_client.conf opc.tcp://localhost:4840 +# 2. Register Server (connects to the LDS on port 14840) +build/ServerRegister tests/secure_user/server_register.conf \ + tests/secure_user/server_register_client.conf opc.tcp://localhost:14840 # 3. Find registered servers via the LDS -build/Client config/client.conf find-servers opc.tcp://localhost:4840 +build/Client tests/secure_user/client.conf find-servers opc.tcp://localhost:14840 # 4. List endpoints on the registered server -build/Client config/client.conf get-endpoints opc.tcp://localhost:4841 +build/Client tests/secure_user/client.conf get-endpoints opc.tcp://localhost:14841 # 5. Read the current time from the registered server -build/Client config/client.conf read-time opc.tcp://localhost:4841 +build/Client tests/secure_user/client.conf read-time opc.tcp://localhost:14841 ``` All three programs accept an optional log level as the last argument 
@@ -112,9 +114,9 @@ Integration tests exercise four combinations of security and authentication: | Test | Security | Auth | |------|----------|------| | `unsecure_anonymous` | None / None | anonymous | -| `secure_anonymous` | SignAndEncrypt / Basic256Sha256 | anonymous | -| `secure_user` | SignAndEncrypt / Basic256Sha256 | user/password | -| `secure_cert` | SignAndEncrypt / Basic256Sha256 | X509 certificate | +| `secure_anonymous` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous | +| `secure_user` | SignAndEncrypt / Aes256_Sha256_RsaPss | user/password | +| `secure_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | X509 certificate | Run all tests: @@ -143,7 +145,7 @@ cmake --build build --parallel ## Configuration Programs are configured through plain text files (`key = value`, one per line). -Example configs are in `config/`. +See the `tests/` directories for working examples. Three authentication modes are supported via the `authMode` key: diff --git a/tests/secure_anonymous/client.conf b/tests/secure_anonymous/client.conf index 755edec..2a059fa 100644 --- a/tests/secure_anonymous/client.conf +++ b/tests/secure_anonymous/client.conf @@ -7,6 +7,6 @@ privateKey = certs/Client_key.der trustStore = certs/trust/client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = anonymous diff --git a/tests/secure_anonymous/server_register_client.conf b/tests/secure_anonymous/server_register_client.conf index a9c3419..e7c34c7 100644 --- a/tests/secure_anonymous/server_register_client.conf +++ b/tests/secure_anonymous/server_register_client.conf @@ -8,6 +8,6 @@ privateKey = certs/ServerRegisterClient_key.der trustStore = certs/trust/server_register_client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = anonymous diff --git a/tests/secure_cert/client.conf b/tests/secure_cert/client.conf index 0abd582..68a14aa 100644 --- a/tests/secure_cert/client.conf 
+++ b/tests/secure_cert/client.conf @@ -8,6 +8,6 @@ privateKey = certs/Client_key.der trustStore = certs/trust/client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = cert diff --git a/tests/secure_cert/server_register_client.conf b/tests/secure_cert/server_register_client.conf index 7542bdf..ddba01d 100644 --- a/tests/secure_cert/server_register_client.conf +++ b/tests/secure_cert/server_register_client.conf @@ -8,6 +8,6 @@ privateKey = certs/ServerRegisterClient_key.der trustStore = certs/trust/server_register_client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = anonymous diff --git a/tests/secure_user/client.conf b/tests/secure_user/client.conf index 85c12e9..5059ca9 100644 --- a/tests/secure_user/client.conf +++ b/tests/secure_user/client.conf @@ -7,7 +7,7 @@ privateKey = certs/Client_key.der trustStore = certs/trust/client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = user username = user diff --git a/tests/secure_user/server_register_client.conf b/tests/secure_user/server_register_client.conf index c924d8d..b2edd24 100644 --- a/tests/secure_user/server_register_client.conf +++ b/tests/secure_user/server_register_client.conf @@ -8,6 +8,6 @@ privateKey = certs/ServerRegisterClient_key.der trustStore = certs/trust/server_register_client securityMode = SignAndEncrypt -securityPolicy = Basic256Sha256 +securityPolicy = Aes256_Sha256_RsaPss authMode = anonymous -- cgit v1.2.3
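Review bot: The context line `authMode = anonymous` in `tests/secure_cert/server_register_client.conf` means the LDS registration session stays unauthenticated at the user level, and the same holds in `tests/secure_user/server_register_client.conf`. The removed `config/server_register_client.conf` used `authMode = user`, and the readme now points readers at `tests/secure_user/` as the working example. The documented example therefore no longer shows an authenticated registration with the LDS, and, assuming the matching `server_lds.conf` (not visible in this diff) accepts anonymous sessions, neither scenario tests one. If that is intended, a comment such as `# registration with the LDS is anonymous in this scenario; only the client session uses user/cert auth` above the key would stop readers copying it as a secure default. Otherwise, switch these two files to the scenario's own auth mode so the registration path is covered. Both files start before these hunks, so any existing header comment is not visible here.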