From 8bfd0dc6b44438ba6c5d2844ce21fbc2adfe3f1a Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Wed, 18 Feb 2026 23:09:43 +0100
Subject: Add TOFU certificate bootstrap integration test

Make download-cert always use an unsecure client so it can connect to
a server's None discovery endpoint without the server certificate in
the trust store.  Add a cert_bootstrap test that verifies the full
Trust On First Use workflow: find-servers succeeds, get-endpoints fails
(untrusted cert), download-cert retrieves the certificate via None,
then get-endpoints and read-time both succeed.
---
 src/client.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

(limited to 'src/client.c')

diff --git a/src/client.c b/src/client.c
index 011792e..97a9289 100644
--- a/src/client.c
+++ b/src/client.c
@@ -339,7 +339,10 @@ main (int argc, char **argv)
   UA_Client *client = UA_Client_new ();
 
   UA_StatusCode retval;
-  if (sec.certPath)
+  if (op == OP_DOWNLOAD_CERT)
+    retval = createUnsecureClientConfig (UA_Client_getConfig (client),
+                                         applicationUri, NULL);
+  else if (sec.certPath)
     retval = createSecureClientConfig (UA_Client_getConfig (client),
                                        applicationUri, &sec, &auth);
   else
-- 
cgit v1.2.3