# BobinkCOpcUa A small C project that demonstrates OPC UA server discovery using the [open62541](https://www.open62541.org/) library. Three programs work together: - **bobink_opcua_discovery_server** — Local Discovery Server that other servers register with - **bobink_opcua_server** — a server that periodically registers itself with the LDS - **bobink_opcua_client** — queries the LDS for servers, lists endpoints, reads the current time, or downloads a server's certificate ## Prerequisites - CMake 3.17+ - A C11 compiler (GCC or Clang) - OpenSSL development libraries (`libssl-dev` / `openssl-devel`) - `openssl` CLI (for generating certificates) ## Getting started Clone the repository with its submodule: ```sh git clone --recursive https://git.tvcloud.fr/opcua_c cd opcua_c ``` ### Certificates Test certificates are pre-generated and committed under each test directory (e.g. `tests/secure_anonymous/certs/`). Each secure test has per-identity subdirectories (`ServerLDS/`, `ServerRegister/`, `ServerRegisterClient/`, `Client/`) containing `cert.der` and `key.der`, plus a shared `trust/` directory with all certificates. Programs can also run without certificates (SecurityPolicy#None only) by omitting the `certificate`, `privateKey`, and `trustStore` keys from their config files. To generate new certificates, use `tools/generate_certificate.sh [uri]`. ### Build ```sh cmake -B build cmake --build build --parallel ``` open62541 is fetched from the submodule and built automatically — the first build takes a bit longer. ## Running Start the programs in order, each in its own terminal, from the project root. Configuration files live in `tests/` (one directory per test scenario — see [Tests](#tests) below). The examples below use `tests/secure_user/`: ```sh # 1. Local Discovery Server build/bobink_opcua_discovery_server tests/secure_user/server_lds.conf # 2. Register Server (connects to the LDS on port 14840) build/bobink_opcua_server tests/secure_user/server_register.conf \ tests/secure_user/server_register_client.conf opc.tcp://localhost:14840 # 3. Find registered servers via the LDS build/bobink_opcua_client tests/secure_user/client.conf find-servers opc.tcp://localhost:14840 # 4. List endpoints on the registered server build/bobink_opcua_client tests/secure_user/client.conf get-endpoints opc.tcp://localhost:14841 # 5. Read the current time from the registered server build/bobink_opcua_client tests/secure_user/client.conf read-time opc.tcp://localhost:14841 # 6. Download the server's certificate to a local file build/bobink_opcua_client tests/secure_user/client.conf download-cert opc.tcp://localhost:14841 server.der ``` All three programs accept an optional log level as the last argument (`trace`, `debug`, `info`, `warning`, `error`, `fatal`). The default is `info`. ## Tests Integration tests exercise four combinations of security and authentication: | Test | Security | Auth | |------|----------|------| | `unsecure_anonymous` | None / None | anonymous | | `secure_anonymous` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous | | `secure_user` | SignAndEncrypt / Aes256_Sha256_RsaPss | user/password | | `secure_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | X509 certificate | | `download_cert` | SignAndEncrypt / Aes256_Sha256_RsaPss | anonymous (download-cert) | Run all tests: ```sh ctest --test-dir build --output-on-failure ``` ### Memory leak check Rebuild with AddressSanitizer, run the tests, then switch back: ```sh # ASan build cmake -B build \ -DCMAKE_C_FLAGS="-fsanitize=address -fno-omit-frame-pointer" \ -DCMAKE_EXE_LINKER_FLAGS="-fsanitize=address" cmake --build build --parallel ASAN_OPTIONS="detect_leaks=1" ctest --test-dir build --output-on-failure # Restore normal build cmake -B build -DCMAKE_C_FLAGS="" -DCMAKE_EXE_LINKER_FLAGS="" cmake --build build --parallel ``` ## Configuration Programs are configured through plain text files (`key = value`, one per line). See the `tests/` directories for working examples. Three authentication modes are supported via the `authMode` key: - **anonymous** — no user identity - **user** — username and password (requires `username` and `password` keys) - **cert** — X509 certificate identity token (reuses the application certificate; requires encryption to be configured)