From 8bfd0dc6b44438ba6c5d2844ce21fbc2adfe3f1a Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Wed, 18 Feb 2026 23:09:43 +0100
Subject: Add TOFU certificate bootstrap integration test

Make download-cert always use an unsecure client so it can connect to
a server's None discovery endpoint without the server certificate in
the trust store.  Add a cert_bootstrap test that verifies the full
Trust On First Use workflow: find-servers succeeds, get-endpoints fails
(untrusted cert), download-cert retrieves the certificate via None,
then get-endpoints and read-time both succeed.
---
 tests/cert_bootstrap/server_register_client.conf | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 tests/cert_bootstrap/server_register_client.conf

(limited to 'tests/cert_bootstrap/server_register_client.conf')

diff --git a/tests/cert_bootstrap/server_register_client.conf b/tests/cert_bootstrap/server_register_client.conf
new file mode 100644
index 0000000..e1cff06
--- /dev/null
+++ b/tests/cert_bootstrap/server_register_client.conf
@@ -0,0 +1,13 @@
+# ServerRegister client config — test: cert_bootstrap
+# Registers with the secured LDS over an encrypted channel.
+
+applicationUri = urn:localhost:bobink:ServerRegister
+
+certificate = tests/cert_bootstrap/certs/ServerRegisterClient/cert.der
+privateKey = tests/cert_bootstrap/certs/ServerRegisterClient/key.der
+trustStore = tests/cert_bootstrap/certs/trust
+
+securityMode = SignAndEncrypt
+securityPolicy = Aes256_Sha256_RsaPss
+
+authMode = anonymous
-- 
cgit v1.2.3