Phase 3 PR 71 -- OpcUaAuthType.Certificate user authentication. Implements the third user-token type in the OPC UA spec (Anonymous + UserName + Certificate). Before this PR the Certificate branch threw NotSupportedException. Adds OpcUaClientDriverOptions.UserCertificatePath + UserCertificatePassword knobs for the PFX on disk. The InitializeAsync user-identity switch now calls BuildCertificateIdentity for AuthType=Certificate. Load path uses X509CertificateLoader.LoadPkcs12FromFile -- the non-obsolete .NET 9+ API; the legacy X509Certificate2 PFX ctors are deprecated on net10. Validation up-front: empty UserCertificatePath throws InvalidOperationException naming the missing field; non-existent file throws FileNotFoundException with path; private-key-missing throws InvalidOperationException explaining the private key is required to sign the OPC UA user-token challenge at session activation. Each failure mode is an operator-actionable config problem rather than a mysterious ServiceResultException during session open. UserIdentity(X509Certificate2) ctor carries the cert directly; the SDK sets TokenType=Certificate + wires the cert's public key into the activate-session payload. Private key stays in-memory on the OpenSSL / .NET crypto boundary. Unit tests (OpcUaClientCertAuthTests, 3 facts): BuildCertificateIdentity_rejects_missing_path (error message mentions UserCertificatePath so the fix is obvious); BuildCertificateIdentity_rejects_nonexistent_file (FileNotFoundException); BuildCertificateIdentity_loads_a_valid_PFX_with_private_key -- generates a self-signed RSA-2048 cert on the fly with CertificateRequest.CreateSelfSigned, exports to temp PFX with a password, loads it through the helper, asserts TokenType=Certificate. Test cleans up the temp file in a finally block (best-effort; Windows file locking can leave orphans which is acceptable for %TEMP%). Self-signed cert-on-the-fly avoids shipping a static test PFX that could be flagged by secret-scanners and keeps the test hermetic across dev boxes. 26/26 OpcUaClient.Tests pass (23 prior + 3 cert auth). dotnet build clean. Feature: Anonymous + Username + Certificate all work -- driver-specs.md \u00A78 auth story complete.

2026-04-19 01:47:18 -04:00
parent a5299a2fee
commit a79c5f3008
3 changed files with 110 additions and 2 deletions
--- a/src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriverOptions.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Driver.OpcUaClient/OpcUaClientDriverOptions.cs
@@ -39,6 +39,23 @@ public sealed class OpcUaClientDriverOptions
    /// <summary>Password (required only for <see cref="OpcUaAuthType.Username"/>).</summary>
    public string? Password { get; init; }

+    /// <summary>
+    ///     Filesystem path to the user-identity certificate (PFX/PEM). Required when
+    ///     <see cref="AuthType"/> is <see cref="OpcUaAuthType.Certificate"/>. The driver
+    ///     loads the cert + private key, which the remote server validates against its
+    ///     <c>TrustedUserCertificates</c> store to authenticate the session's user token.
+    ///     Leave unset to use the driver's application-instance certificate as the user
+    ///     token (not typical — most deployments have a separate user cert).
+    /// </summary>
+    public string? UserCertificatePath { get; init; }
+
+    /// <summary>
+    ///     Optional password that unlocks <see cref="UserCertificatePath"/> when the PFX is
+    ///     protected. PEM files generally have their password on the adjacent key file; this
+    ///     knob only applies to password-locked PFX.
+    /// </summary>
+    public string? UserCertificatePassword { get; init; }
+
    /// <summary>Server-negotiated session timeout. Default 120s per driver-specs.md §8.</summary>
    public TimeSpan SessionTimeout { get; init; } = TimeSpan.FromSeconds(120);