#! /bin/sh

set -eu

rm -f tmp.*

die () {
    echo "$@" >&2
    exit 1
}

echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIED9b/Q/ND3SFM8NGh9f6a+wy35KMOk0YAIwICC4ChsH sigsum key" > tmp.key.pub
echo "foo" > tmp.msg
cat > tmp.proof <<EOF
version=2
log=1643169b32bef33a3f54f8a353b87c475d19b6223cbb106390d10a29978e1cba
leaf=212c03319b3d14f5a8b19f1e8afda476c6f9fb675387fbf2f728e48d51def548 e8dd4dcfa50f680fa15c17452057f1808870b95723735cd4967e2874ca8fbea825702c1dd9daf4db22ba270cba2565b672ef5774b515db3d718618da2f47e106

size=381341
root_hash=5b5f28bb3c3c1bff458edfab9058e3759515be53720c5eeaaa89e3d7242ca304
signature=0a87882cc7fb10954643fc870b87174508a59e2c34c4676662fdbe43edecd3f6cd381123075e756c26305cbca6e770f8f36352f9f7c8d59e6787ee9efa17270b
cosignature=d960fcff859a34d677343e4789c6843e897c9ff195ea7140a6ef382566df3b65 1768899671 94389801d8a9c2ec503a21442ce8964cc32a3b51e69d20da6bc1fe573af4c26f50f768fbab08a22bba765da2835c3e1351eb12f304912a817b8a8ae14206b109
cosignature=e4a6a1e4657d8d7a187cc0c20ed51055d88c72f340d29534939aee32d86b4021 1768899671 ecaaf54008cefdeb3ec0d1ea8235d7c929c52e23b98eed4cd4c9a936266c7d2cb07794155870aad0db93395312c02ddbaced4fada4cd3d7f395f0e3b72c2a004
cosignature=42351ad474b29c04187fd0c8c7670656386f323f02e9a4ef0a0055ec061ecac8 1768899671 64dfed8b857cc6576184e99a46a80cac452a435d9328b027a9a55e37da1b6ca433385d6d8a8e27db4964c12b1d8df77c9bd1ce919f403ec09afa00e6dfaf8e06
cosignature=1c997261f16e6e81d13f420900a2542a4b6a049c2d996324ee5d82a90ca3360c 1768899671 44775d9f8efb93c4fd1e7a71c0ed8199a4f58c404b909a8c193d541249c6ca5af0067087459a81faa2ac9cb71082efafd224c3c462a3eb854056fb8b7eaa2a02
cosignature=49c4cd6124b7c572f3354d854d50b2a4b057a750f786cf03103c09de339c4ea3 1768899671 4932c647db4ba9807f26306e53d42b7b9ac80e7949588f5d8d7ad01b4ecde528dd1fded9bed291db1c226143a066ec7dbe2bf71153af3f23b304e0ae2590a604
cosignature=86b5414ae57f45c2953a074640bb5bedebad023925d4dc91a31de1350b710089 1768899671 55b5f5c88faf6bbc10b6f5b8bc68384e10f68fa7395da8cce574b6b022a0606aad269ce7cb5d6e27c8c3451c24bdef91cdc0ef65aa4baa3c87359d3a5ba0120a
cosignature=70b861a010f25030de6ff6a5267e0b951e70c04b20ba4a3ce41e7fba7b9b7dfc 1768899671 c9216f95b525cfd5435e87cff759c64958d74e92bc69a2c17bbe04ea3286d6cc3bdaa2b13302cbddf126b87425079319cb68efcdf396d457c3fcf28a027afa06
cosignature=c1d2d6935c2fb43bef395792b1f3c1dfe4072d4c6cadd05e0cc90b28d7141ed3 1768899671 8746eec32a7f4097b388b1d16d0c601a8427fc8cfe4ddaa126106c1137e7621162e065b59541db651ab951b7a8b92f6f4bf8e4b784433c245d0e74d4f772c404

leaf_index=381340
node_hash=291d240b80a97d601166e481bdb8ae7f32b1c230defd55e3bfed5a91c72b9639
node_hash=25641207cde6c9c334864e0d989e040d1cf52b9e08cc57e9a074093b7e981e7f
node_hash=99ec6410aec1e5226ebb4dd29a238268aa71ab72b72a5e3144af4f011e439c08
node_hash=f77bc4db00e509149b6e2fc0028d7107dd415929dc9972f32fe758ce39bcc9a0
node_hash=3acb38f01c633d917b899ed4e522a49a02bf20d358f98ca530e3a3065591e7f2
node_hash=889de80c543a5ae8e35430988dc120ac7edde74b776f9082f814ea88190a601f
node_hash=199f812b9f3667dec31f964098e32652477a2f3d458019b6f8f4acc645cf0131
node_hash=084580f8f6324d4ae42dbcb779502ab9fab77e0c2b92519fe089be72e38d60ed
node_hash=9ddbece4939d621df53f31e2729d5fa7802fd82f3edfb784483d8b7fa9cf41e2
node_hash=e1c7a90c09949c263807e5970aef47f9a06164b759995ab814aff94aff9dcd00
EOF

policy="${srcdir:-.}/sigsum-test-2025-3.builtin-policy"
../tools/sigsum-c-verify -k tmp.key.pub -p "${policy}" tmp.proof < tmp.msg \
    || die "Valid proof rejected"

echo bar > tmp.msg.2
! ../tools/sigsum-c-verify -k tmp.key.pub -p "${policy}" tmp.proof < tmp.msg.2 2>tmp.error \
    || die "Bad message was accepted"

for mod in 's/^version=2/version=1/' \
	   's/^log=1/log=2/' \
	   's/^leaf=2/leaf=3/' \
	   's/^size=381341/size=381342/' \
	   '/^cosignature=/s/4$/5/' \
	   's/^node_hash=19/node_hash=18/'; do
    sed "$mod" < tmp.proof > tmp.proof.2
    ! ../tools/sigsum-c-verify -k tmp.key.pub -p "${policy}" tmp.proof.2 < tmp.msg 2>tmp.error \
	|| die "Bad proof accepted, mod: $mod"
done
