package main

import (
	"crypto"
	"testing"

	"github.com/letsencrypt/boulder/core"
	"github.com/letsencrypt/boulder/test"
)

func TestKeyBlocking(t *testing.T) {
	testCases := []struct {
		name     string
		certPath string
		jwkPath  string
		expected string
	}{
		// NOTE(@cpu): The JWKs and certificates were generated with the same
		// keypair within an algorithm/parameter family. E.g. the RSA JWK public key
		// matches the RSA certificate public key. The ECDSA JWK public key matches
		// the ECDSA certificate public key.
		{
			name:     "P-256 ECDSA JWK",
			jwkPath:  "test/test.ecdsa.jwk.json",
			expected: "cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=",
		},
		{
			name:     "2048 RSA JWK",
			jwkPath:  "test/test.rsa.jwk.json",
			expected: "Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=",
		},
		{
			name:     "P-256 ECDSA Certificate",
			certPath: "test/test.ecdsa.cert.pem",
			expected: "cuwGhNNI6nfob5aqY90e7BleU6l7rfxku4X3UTJ3Z7M=",
		},
		{
			name:     "2048 RSA Certificate",
			certPath: "test/test.rsa.cert.pem",
			expected: "Qebc1V3SkX3izkYRGNJilm9Bcuvf0oox4U2Rn+b4JOE=",
		},
	}

	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			var key crypto.PublicKey
			var err error
			if tc.jwkPath != "" {
				key, err = keyFromJWK(tc.jwkPath)
			} else {
				key, err = keyFromCert(tc.certPath)
			}
			test.AssertNotError(t, err, "error getting key from input file")
			spkiHash, err := core.KeyDigestB64(key)
			test.AssertNotError(t, err, "error computing spki hash")
			test.AssertEquals(t, spkiHash, tc.expected)
		})
	}
}