From 8bfd0dc6b44438ba6c5d2844ce21fbc2adfe3f1a Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Wed, 18 Feb 2026 23:09:43 +0100
Subject: Add TOFU certificate bootstrap integration test

Make download-cert always use an unsecure client so it can connect to
a server's None discovery endpoint without the server certificate in
the trust store.  Add a cert_bootstrap test that verifies the full
Trust On First Use workflow: find-servers succeeds, get-endpoints fails
(untrusted cert), download-cert retrieves the certificate via None,
then get-endpoints and read-time both succeed.
---
 CMakeLists.txt | 7 +++++++
 1 file changed, 7 insertions(+)

(limited to 'CMakeLists.txt')

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5b117b6..77d4ffb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -84,3 +84,10 @@ add_test(NAME "download_cert"
                  "tests/secure_anonymous")
 set_tests_properties(
   "download_cert" PROPERTIES WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" TIMEOUT 30)
+
+add_test(NAME "cert_bootstrap"
+         COMMAND bash "${CMAKE_SOURCE_DIR}/tests/run_cert_bootstrap_test.sh"
+                 "tests/cert_bootstrap")
+set_tests_properties(
+  "cert_bootstrap" PROPERTIES WORKING_DIRECTORY "${CMAKE_SOURCE_DIR}" TIMEOUT
+                              30)
-- 
cgit v1.2.3