using System.Text.Json;
namespace StellaOps.AirGap.Bundle.Services;
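public sealed partial class SnapshotManifestSigner
{
    /// <summary>
    /// Verifies a DSSE envelope signature.
    /// </summary>
    /// <remarks>
    /// <para>
    /// The envelope is parsed as JSON and split into its parts by <c>TryReadEnvelope</c>.
    /// A structural failure or a <see cref="JsonException"/> yields a result with
    /// <c>Success = false</c> and an error message; other exception types thrown by the
    /// helpers are not caught here and propagate to the caller.
    /// </para>
    /// <para>
    /// NOTE(review): on the happy path <c>Success</c> is set to <c>true</c> unconditionally.
    /// This method does not inspect the value returned by <c>VerifySignaturesAsync</c>, and
    /// <c>request.PublicKey</c> is passed through without a null check. Unless that helper
    /// throws on a bad or unverifiable signature (not visible here, confirm), callers must
    /// inspect <c>VerifiedSignatures</c> before trusting the payload; <c>Success</c> alone
    /// only shows that the envelope was well-formed.
    /// </para>
    /// </remarks>
    /// <param name="request">Verification input; <c>EnvelopeBytes</c> must not be null.</param>
    /// <param name="cancellationToken">Token forwarded to signature verification.</param>
    /// <returns>The verification outcome, including payload digest and per-envelope signature data.</returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="request"/> or its <c>EnvelopeBytes</c> is null.
    /// </exception>
    public async Task<ManifestVerificationResult> VerifyAsync(
        ManifestVerificationRequest request,
        CancellationToken cancellationToken = default)
    {
        ArgumentNullException.ThrowIfNull(request);
        ArgumentNullException.ThrowIfNull(request.EnvelopeBytes);

        try
        {
            using var envelope = JsonDocument.Parse(request.EnvelopeBytes);
            var root = envelope.RootElement;

            // Reject envelopes that are valid JSON but lack the expected shape.
            if (!TryReadEnvelope(root, out var parts, out var error))
            {
                return new ManifestVerificationResult
                {
                    Success = false,
                    Error = error
                };
            }

            var payloadDigest = ComputeSha256(parts.PayloadBytes);

            // Signatures are checked over parts.PaeBytes (presumably the DSSE
            // pre-authentication encoding of payload type and payload), not over
            // the raw payload bytes.
            var verifiedSignatures = await VerifySignaturesAsync(
                    parts.SignaturesElement,
                    request.PublicKey,
                    parts.PaeBytes,
                    cancellationToken)
                .ConfigureAwait(false);

            // NOTE(review): Success does not depend on verifiedSignatures; see remarks.
            return new ManifestVerificationResult
            {
                Success = true,
                PayloadDigest = payloadDigest,
                SignatureCount = parts.SignatureCount,
                VerifiedSignatures = verifiedSignatures,
                PayloadType = parts.PayloadType
            };
        }
        catch (JsonException ex)
        {
            // Malformed JSON is reported as a failed verification instead of throwing.
            return new ManifestVerificationResult
            {
                Success = false,
                Error = $"Failed to parse envelope: {ex.Message}"
            };
        }
    }
}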