using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using StellaOps.AirGap.Time.Models;
using StellaOps.AirGap.Time.Services;

namespace StellaOps.AirGap.Time.Tests;

public class Rfc3161VerifierTests
{
    [Fact]
    public void SignedCmsTokenVerifies()
    {
        using var rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=tsa", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        var cert = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-1), DateTimeOffset.UtcNow.AddHours(1));

        var content = new ContentInfo(new byte[] { 0x01, 0x02, 0x03 });
        var cms = new SignedCms(content, detached: false);
        cms.ComputeSignature(new CmsSigner(cert));
        var tokenBytes = cms.Encode();

        var verifier = new Rfc3161Verifier();
        var trust = new[] { new TimeTrustRoot("tsa-root", cert.GetPublicKey(), "rsa-pkcs1-sha256") };

        var result = verifier.Verify(tokenBytes, trust, out var anchor);

        Assert.True(result.IsValid);
        Assert.Equal("rfc3161-verified", result.Reason);
        Assert.Equal("RFC3161", anchor.Format);
    }
}