From deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien
Date: Wed, 18 Feb 2026 21:44:17 +0100
Subject: Add X509 certificate identity token authentication

Support authMode=cert alongside anonymous and user. The client reuses its application certificate as the X509 identity token (open62541 requires both to match). Server-side access control advertises the certificate token policy automatically when sessionPKI is configured.
---
 src/common.c | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

(limited to 'src/common.c')

diff --git a/src/common.c b/src/common.c
index 67ea135..865fc55 100644
--- a/src/common.c
+++ b/src/common.c
@@ -174,7 +174,7 @@ parseLogLevel (const char *name)
 int
 parseAuthConfig (const Config *cfg, const char *program,
 UA_Boolean *allowAnonymous, const char **username,
- const char **password)
+ const char **password, UA_Boolean *certAuth)
 {
 const char *authMode = configRequire (cfg, "authMode", program);
 if (!authMode)
@@ -182,6 +182,8 @@ parseAuthConfig (const Config *cfg, const char *program,
 
 *username = NULL;
 *password = NULL;
+ if (certAuth)
+ *certAuth = false;
 
 if (strcmp (authMode, "anonymous") == 0)
 {
@@ -201,8 +203,18 @@ parseAuthConfig (const Config *cfg, const char *program,
 return 0;
 }
 
+ if (strcmp (authMode, "cert") == 0)
+ {
+ if (allowAnonymous)
+ *allowAnonymous = false;
+ if (certAuth)
+ *certAuth = true;
+ return 0;
+ }
+
 UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
- "%s: unknown auth mode '%s' (expected 'anonymous' or 'user')",
+ "%s: unknown auth mode '%s' "
+ "(expected 'anonymous', 'user', or 'cert')",
 program, authMode);
 return -1;
 }
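Review bot: The new `certAuth` out-parameter on parseAuthConfig is undocumented, and unlike `username`/`password` (dereferenced unconditionally) it is guarded with `if (certAuth)` in the later hunks, so NULL is evidently an accepted value whose meaning a caller has to guess. I would put a short comment above `int` stating the contract: `/* certAuth (optional, may be NULL): set to true when authMode is "cert", false otherwise. */` and note next to it that allowAnonymous is likewise optional. parseAuthConfig's body continues past the end of this hunk.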
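Review bot: In the new `cert` branch, a caller that passes `certAuth == NULL` gets `return 0` with `*allowAnonymous = false` and no other output, so `authMode=cert` is silently accepted by a program that has no way to act on it; presumably such a caller then builds a session with no identity token at all, which is a worse outcome than a config error. If NULL is meant to signal "this program does not support cert mode", I would fail loudly instead of the `if (certAuth)` guard: `if (!certAuth) { UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, "%s: auth mode 'cert' is not supported by this program", program); return -1; }` followed by an unconditional `*certAuth = true;`. If NULL is instead a deliberate "don't care" for the server side, the comment on the parameter should say so explicitly.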
@@ -422,7 +434,7 @@ createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri,
 const char *certPath, const char *keyPath,
 char **trustPaths, size_t trustSize,
 UA_MessageSecurityMode securityMode,
- const char *securityPolicyUri)
+ const char *securityPolicyUri, UA_Boolean certAuth)
 {
 UA_ByteString certificate = loadFile (certPath);
 UA_ByteString privateKey = loadFile (keyPath);
@@ -435,6 +447,14 @@ createSecureClientConfig (UA_ClientConfig *cc, const char *applicationUri,
 UA_StatusCode retval = UA_ClientConfig_setDefaultEncryption (
 cc, certificate, privateKey, trustList, trustSize, NULL, 0);
 
+ /* X509 identity token: reuse the application certificate. open62541
+ requires that the identity cert matches the SecureChannel cert, so
+ a separate user cert cannot be used. Call before clearing the local
+ buffers since setAuthenticationCert makes its own copy. */
+ if (retval == UA_STATUSCODE_GOOD && certAuth)
+ retval
+ = UA_ClientConfig_setAuthenticationCert (cc, certificate, privateKey);
+
 UA_ByteString_clear (&certificate);
 UA_ByteString_clear (&privateKey);
 for (size_t i = 0; i < trustSize; i++)
-- 
cgit v1.2.3
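Review bot: The private key loaded by `loadFile` is now handed to two copying calls (`setDefaultEncryption` and `setAuthenticationCert`) and then released with `UA_ByteString_clear`, which as far as I know frees the buffer without wiping it, so the key bytes remain in freed heap memory for the life of the process. Before the two `UA_ByteString_clear` calls I would wipe the local copy: `if (privateKey.data) explicit_bzero (privateKey.data, privateKey.length);` (or `memset_s` / a volatile-pointer memset where explicit_bzero is unavailable, since a plain memset before free can be optimized away). Whether a failed `setAuthenticationCert` after a successful `setDefaultEncryption` leaves `cc` holding a half-configured channel that the caller still uses cannot be told from here; the rest of createSecureClientConfig, including its error handling, lies outside this hunk.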