use rpki::data_model::rc::ResourceCertificate;
use rpki::data_model::ta::{TaCertificate, TaCertificateVerifyError};

/// Happy path: the APNIC trust-anchor fixture decodes as a `TaCertificate`
/// and its self-signature verifies.
///
/// NOTE(review): a valid self-signature only shows the certificate is
/// internally consistent. Binding the key to a configured trust anchor is
/// presumably checked elsewhere; confirm against the caller.
#[test]
fn ta_verify_self_signature_succeeds_for_fixture() {
    let fixture_bytes = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");

    TaCertificate::decode_der(&fixture_bytes)
        .expect("decode TA")
        .verify_self_signature()
        .expect("verify self signature");
}

/// Bytes appended after the certificate must be rejected, and the error must
/// report how many extra bytes were present.
///
/// `rc_ca` is parsed from the pristine fixture while `raw_der` carries three
/// extra bytes, so the expected error can only arise if verification inspects
/// `raw_der` rather than trusting the already-parsed structure.
#[test]
fn ta_verify_self_signature_rejects_trailing_bytes() {
    let pristine = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");
    let parsed = ResourceCertificate::decode_der(&pristine).expect("decode rc");

    // Fixture bytes followed by three bytes of junk.
    let mut raw_with_trailing = Vec::with_capacity(pristine.len() + 3);
    raw_with_trailing.extend_from_slice(&pristine);
    raw_with_trailing.extend_from_slice(&[0u8, 1u8, 2u8]);

    let ta = TaCertificate {
        raw_der: raw_with_trailing,
        rc_ca: parsed,
    };

    let err = ta.verify_self_signature().unwrap_err();
    assert!(matches!(err, TaCertificateVerifyError::TrailingBytes(3)));
}

/// Flipping the low bit of the final DER byte must make verification fail.
///
/// As in the trailing-bytes test, `rc_ca` comes from the untouched fixture and
/// only `raw_der` is modified.
///
/// NOTE(review): the final byte is presumably the last octet of the signature
/// value, which is the last field of an X.509 certificate; confirm for this
/// fixture.
/// NOTE(review): accepting `Parse(_)` as well as `InvalidSelfSignature(_)`
/// means the test also passes if the flipped byte merely breaks decoding.
/// Confirm which variant is returned and consider pinning it.
#[test]
fn ta_verify_self_signature_rejects_tampered_signature() {
    let pristine = std::fs::read("tests/fixtures/ta/apnic-ta.cer").expect("read apnic ta");
    let parsed = ResourceCertificate::decode_der(&pristine).expect("decode rc");

    let mut tampered = pristine.clone();
    // A single-bit flip in the last byte; a no-op only if the buffer is empty.
    if let Some(final_byte) = tampered.iter_mut().next_back() {
        *final_byte ^= 0x01;
    }

    let ta = TaCertificate {
        raw_der: tampered,
        rc_ca: parsed,
    };

    let err = ta.verify_self_signature().unwrap_err();
    assert!(matches!(
        err,
        TaCertificateVerifyError::InvalidSelfSignature(_) | TaCertificateVerifyError::Parse(_)
    ));
}