From 5f5e172cd2392952162398c85b07e6f6b7e69398 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Wed, 18 Feb 2026 22:30:06 +0100 Subject: Move certificates into per-test directories Each secure test now has its own certs/ subfolder with per-identity subdirectories and a single shared trust store. Configs reference paths relative to the project root (e.g. tests/secure_anonymous/ certs/ServerLDS/cert.der). Cert generation logic removed from test scripts since certs are now pre-generated and committed. --- readme.md | 57 ++++++++++++++------------------------------------------- 1 file changed, 14 insertions(+), 43 deletions(-) (limited to 'readme.md') diff --git a/readme.md b/readme.md index f6a7916..bc5d4c0 100644 --- a/readme.md +++ b/readme.md @@ -5,7 +5,7 @@ A small C project that demonstrates OPC UA server discovery using the - **ServerLDS** — Local Discovery Server that other servers register with - **ServerRegister** — a server that periodically registers itself with the LDS -- **Client** — queries the LDS for servers, lists endpoints, or reads the current time from a server +- **Client** — queries the LDS for servers, lists endpoints, reads the current time, or downloads a server's certificate ## Prerequisites 
@@ -23,52 +23,19 @@ git clone --recursive https://git.tvcloud.fr/opcua_c cd opcua_c ``` -### Generate certificates +### Certificates -The programs use TLS certificates for mutual authentication. ServerLDS and -ServerRegister can also run without certificates (SecurityPolicy#None only) by +Test certificates are pre-generated and committed under each test directory +(e.g. `tests/secure_anonymous/certs/`). Each secure test has per-identity +subdirectories (`ServerLDS/`, `ServerRegister/`, `ServerRegisterClient/`, +`Client/`) containing `cert.der` and `key.der`, plus a shared `trust/` +directory with all certificates. + +Programs can also run without certificates (SecurityPolicy#None only) by omitting the `certificate`, `privateKey`, and `trustStore` keys from their config files. -For encrypted operation, four identities are needed. Each call to -`tools/generate_certificate.sh` creates a self-signed RSA-2048 certificate -(`_cert.der`) and private key (`_key.der`) in the given directory: - -```sh -tools/generate_certificate.sh certs ServerLDS -tools/generate_certificate.sh certs ServerRegister -tools/generate_certificate.sh certs ServerRegisterClient -tools/generate_certificate.sh certs Client -``` - -| Identity | Used by | Purpose | -|----------|---------|---------| -| `ServerLDS` | ServerLDS | Server certificate for the LDS | -| `ServerRegister` | ServerRegister | Server certificate for the registering server | -| `ServerRegisterClient` | ServerRegister | Client certificate used when connecting to the LDS | -| `Client` | Client | Client certificate for all client operations | - -### Populate the trust stores - -OPC UA applications only accept connections from peers whose certificate is in -their trust store. 
Create the trust store directories and symlink each peer's -certificate: - -```sh -mkdir -p certs/trust/{server_lds,server_register,server_register_client,client} - -ln -s ../../ServerRegisterClient_cert.der ../../Client_cert.der \ - certs/trust/server_lds/ - -ln -s ../../ServerLDS_cert.der ../../Client_cert.der \ - certs/trust/server_register/ - -ln -s ../../ServerLDS_cert.der \ - certs/trust/server_register_client/ - -ln -s ../../ServerLDS_cert.der ../../ServerRegister_cert.der \ - certs/trust/client/ -``` +To generate new certificates, use `tools/generate_certificate.sh [uri]`. ### Build @@ -102,6 +69,9 @@ build/Client tests/secure_user/client.conf get-endpoints opc.tcp://localhost:148 # 5. Read the current time from the registered server build/Client tests/secure_user/client.conf read-time opc.tcp://localhost:14841 + +# 6. Download the server's certificate to a local file +build/Client tests/secure_user/client.conf download-cert opc.tcp://localhost:14841 server.der ``` All three programs accept an optional log level as the last argument @@ -117,6 +87,7 @@ Integration tests exercise four combinations of security and authentication: | `secure_anonymous` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous | | `secure_user` | SignAndEncrypt / Aes256_Sha256_RsaPss | user/password | | `secure_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | X509 certificate | +| `download_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous (download-cert) | Run all tests: -- cgit v1.2.3
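Review bot: in hunk @@ -23,52 +23,19 @@ the new `Certificates` section replaces the per-peer trust stores of the old instructions (ServerLDS trusting only `ServerRegisterClient` and `Client`, ServerRegister trusting only `ServerLDS` and `Client`, and so on) with "a shared `trust/` directory with all certificates", so every identity now trusts every other identity's certificate, including peers it never connects to; the readme should state that this is a test-only simplification, or the tests should keep per-identity trust directories as before. The same hunk drops the identity table (which program uses `ServerLDS`, `ServerRegister`, `ServerRegisterClient` and `Client`, and for what), which is not restated anywhere else in the diff, and the replacement line `tools/generate_certificate.sh [uri]` no longer documents the arguments the old examples showed (`tools/generate_certificate.sh certs ServerLDS`); suggest keeping the table and showing one full invocation that produces the new `certs/<identity>/cert.der` and `key.der` layout. Since `key.der` private keys are now committed, say explicitly that they are test fixtures and must not be reused outside the test directories.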
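Review bot: step 6 in hunk @@ -102,6 +69,9 @@ writes the downloaded certificate to `server.der` but does not say what the reader should do with it next or that a certificate fetched over the network is only as trustworthy as the trust store the client already used for that connection; suggest one sentence giving the intended use (for example, copying it into a `trust/` directory) and noting that its fingerprint should be compared against a value obtained from the server's operator before it is added to any trust store.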
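Review bot: the context line of hunk @@ -117,6 +87,7 @@ still reads "Integration tests exercise four combinations of security and authentication:" while the table now has five rows after the `download_cert` addition; update the count, or describe `download_cert` as a feature test rather than a fifth security/authentication combination, since its security and authentication columns duplicate those of `secure_anonymous`.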