#if STELLAOPS_CRYPTO_PRO
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Tokens;
using StellaOps.Cryptography;
using StellaOps.Cryptography.Plugin.CryptoPro;
using Xunit;

namespace StellaOps.Cryptography.Tests;

public class CryptoProGostSignerTests
{
    [Fact]
    public void ExportPublicJsonWebKey_ContainsCertificateChain()
    {
        if (!OperatingSystem.IsWindows())
        {
            return; // CryptoPro CSP is Windows-only; skip on other platforms
        }

        if (!string.Equals(Environment.GetEnvironmentVariable("STELLAOPS_CRYPTO_PRO_ENABLED"), "1", StringComparison.Ordinal))
        {
            return; // opt-in only when a Windows agent has CryptoPro CSP installed
        }

        using var ecdsa = ECDsa.Create(ECCurve.NamedCurves.nistP256);
        var request = new CertificateRequest("CN=stellaops.test", ecdsa, HashAlgorithmName.SHA256);
        using var cert = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(1));

        var entry = new CryptoProGostKeyEntry(
            "test-key",
            SignatureAlgorithms.GostR3410_2012_256,
            cert,
            "provider",
            containerName: null,
            useMachineKeyStore: false,
            signatureFormat: GostSignatureFormat.Der);

        var signer = new CryptoProGostSigner(entry);

        var jwk = signer.ExportPublicJsonWebKey();

        Assert.Equal("test-key", jwk.Kid);
        Assert.Equal(SignatureAlgorithms.GostR3410_2012_256, jwk.Alg);
        Assert.Equal(JsonWebKeyUseNames.Sig, jwk.Use);
        Assert.Single(jwk.X5c);
        Assert.Equal("EC", jwk.Kty);
    }
}
#endif