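using System.Security.Cryptography;

namespace Azaion.E2E.Helpers;

/// <summary>
/// AZ-532 — test helper for loading the same ES256 PEMs the SUT trusts. Used
/// by tests that need to forge a token (expired JWT, alg-confusion attack) so
/// the only failure mode under test is the one being asserted.
/// </summary>
/// <remarks>
/// The PEM files are the keys the SUT accepts signatures from, so this helper
/// is meant for the e2e test project only and the key folder should hold
/// test-environment keys, never production ones.
/// </remarks>
public static class JwtTestSigner
{
    /// <summary>
    /// Loads the PEM file named <c>{activeKid}.pem</c> from <paramref name="keysFolder"/>
    /// into a new <see cref="ECDsa"/> instance.
    /// </summary>
    /// <param name="keysFolder">Directory that contains the PEM key files.</param>
    /// <param name="activeKid">
    /// Key id; used unchanged as the file name (without the <c>.pem</c> extension).
    /// </param>
    /// <returns>
    /// An <see cref="ECDsa"/> holding the imported key. The caller owns it and
    /// must dispose it.
    /// </returns>
    /// <exception cref="FileNotFoundException">
    /// The expected PEM file does not exist in <paramref name="keysFolder"/>.
    /// </exception>
    public static ECDsa LoadActive(string keysFolder, string activeKid)
    {
        // NOTE(review): activeKid is interpolated into the file name without any
        // validation, so it must come from trusted test configuration and not from
        // a "kid" header read out of a token.
        var path = Path.Combine(keysFolder, $"{activeKid}.pem");
        if (!File.Exists(path))
        {
            throw new FileNotFoundException(
                $"Test key '{path}' not found. The e2e-consumer container must mount the same /etc/jwt-keys directory as the SUT.",
                path);
        }

        var ecdsa = ECDsa.Create();
        try
        {
            ecdsa.ImportFromPem(File.ReadAllText(path));
            return ecdsa;
        }
        catch
        {
            // Import or read failed: release the key handle instead of leaking it,
            // then let the original exception reach the test unchanged.
            ecdsa.Dispose();
            throw;
        }
    }
}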