From deaabd1464784a6fddbfa9e1ac6cb0e1148a8c34 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Wed, 18 Feb 2026 21:44:17 +0100 Subject: Add X509 certificate identity token authentication Support authMode=cert alongside anonymous and user. The client reuses its application certificate as the X509 identity token (open62541 requires both to match). Server-side access control advertises the certificate token policy automatically when sessionPKI is configured. --- tests/secure_cert/client.conf | 13 +++++++++++++ tests/secure_cert/server_lds.conf | 13 +++++++++++++ tests/secure_cert/server_register.conf | 13 +++++++++++++ tests/secure_cert/server_register_client.conf | 13 +++++++++++++ 4 files changed, 52 insertions(+) create mode 100644 tests/secure_cert/client.conf create mode 100644 tests/secure_cert/server_lds.conf create mode 100644 tests/secure_cert/server_register.conf create mode 100644 tests/secure_cert/server_register_client.conf (limited to 'tests')
diff --git a/tests/secure_cert/client.conf b/tests/secure_cert/client.conf
new file mode 100644
index 0000000..0abd582
--- /dev/null
+++ b/tests/secure_cert/client.conf
@@ -0,0 +1,13 @@
+# Client — test: secure_cert
+# Authenticates to ServerRegister with X509 certificate identity token.
+
+applicationUri = urn:localhost:bobink:Client
+
+certificate = certs/Client_cert.der
+privateKey = certs/Client_key.der
+trustStore = certs/trust/client
+
+securityMode = SignAndEncrypt
+securityPolicy = Basic256Sha256
+
+authMode = cert
diff --git a/tests/secure_cert/server_lds.conf b/tests/secure_cert/server_lds.conf
new file mode 100644
index 0000000..ca1f8a6
--- /dev/null
+++ b/tests/secure_cert/server_lds.conf
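Review bot: In tests/secure_cert/client.conf, `authMode = cert` has no key of its own for the identity certificate, so the file does not say which certificate is presented as the X509 identity token. The commit message explains that the application certificate is reused because open62541 requires both to match; that explanation belongs next to the setting, for example `# authMode = cert: certificate/privateKey above are also sent as the X509 identity token (open62541 requires them to match).` A reader should also be told that one private key, `certs/Client_key.der`, then backs both the application identity and the user identity, so its exposure affects both.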
@@ -0,0 +1,13 @@
+# ServerLDS — test: secure_cert
+# Secured LDS with discovery-only None endpoint.
+
+port = 14840
+applicationUri = urn:localhost:bobink:ServerLDS
+
+certificate = certs/ServerLDS_cert.der
+privateKey = certs/ServerLDS_key.der
+trustStore = certs/trust/server_lds
+
+authMode = anonymous
+
+cleanupTimeout = 60
diff --git a/tests/secure_cert/server_register.conf b/tests/secure_cert/server_register.conf
new file mode 100644
index 0000000..ba6de55
--- /dev/null
+++ b/tests/secure_cert/server_register.conf
@@ -0,0 +1,13 @@
+# ServerRegister server config — test: secure_cert
+# Requires X509 certificate identity token for session auth.
+
+port = 14841
+applicationUri = urn:localhost:bobink:ServerRegister
+
+certificate = certs/ServerRegister_cert.der
+privateKey = certs/ServerRegister_key.der
+trustStore = certs/trust/server_register
+
+authMode = cert
+
+registerInterval = 10
diff --git a/tests/secure_cert/server_register_client.conf b/tests/secure_cert/server_register_client.conf
new file mode 100644
index 0000000..7542bdf
--- /dev/null
+++ b/tests/secure_cert/server_register_client.conf
@@ -0,0 +1,13 @@
+# ServerRegister client config — test: secure_cert
+# Registers with the LDS (anonymous — LDS does not require cert auth).
+
+applicationUri = urn:localhost:bobink:ServerRegister
+
+certificate = certs/ServerRegisterClient_cert.der
+privateKey = certs/ServerRegisterClient_key.der
+trustStore = certs/trust/server_register_client
+
+securityMode = SignAndEncrypt
+securityPolicy = Basic256Sha256
+
+authMode = anonymous
-- cgit v1.2.3
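Review bot: The header comment in tests/secure_cert/server_lds.conf promises a "discovery-only None endpoint", but no line in the file sets `securityMode` or `securityPolicy` or otherwise shows where that restriction comes from. Next to `authMode = anonymous`, the file can be read as allowing anonymous sessions over an unsecured channel. If the server code enforces the restriction, the comment should say so, for example `# The None endpoint is added by the server for discovery services only; sessions require a secured endpoint.` A test that attempts to activate a session on the None endpoint and expects a rejection would keep that guarantee from regressing.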
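Review bot: In tests/secure_cert/server_register.conf, `authMode = cert` sits beside a single `trustStore`, and the commit message says the certificate token policy is advertised when sessionPKI is configured, so the same trust list appears to validate both SecureChannel application certificates and X509 identity tokens. If that is the case, every application trusted for a channel is also accepted as an authenticated user, and the file should say so, for example `# trustStore is also used to validate X509 identity tokens; any certificate trusted here can open a session.` The new directory only covers the accepting path. A case where a client certificate absent from `certs/trust/server_register` is refused, and one where an anonymous token is refused by this server, would show that `cert` mode actually restricts access.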