From 787119904b84ce389332edd71794691e12e5522e Mon Sep 17 00:00:00 2001
From: Tobias Kronthaler <kronthto@gmail.com>
Date: Sat, 23 Aug 2025 21:41:19 +0200
Subject: [PATCH] Enhance tests: Negative assertions on invalid signatures
 Follow-up on a93b61c48fb587855f64a9ec11ad7b60e867cb15

---
 tests/Algorithm/Signature/ECDSA/ECDSATest.php | 24 ++++++++++++++++++
 tests/Algorithm/Signature/EdDSA/EdDSATest.php | 25 +++++++++++++++++++
 2 files changed, 49 insertions(+)

diff --git a/tests/Algorithm/Signature/ECDSA/ECDSATest.php b/tests/Algorithm/Signature/ECDSA/ECDSATest.php
index 7acffd1..3ea70ac 100644
--- a/tests/Algorithm/Signature/ECDSA/ECDSATest.php
+++ b/tests/Algorithm/Signature/ECDSA/ECDSATest.php
@@ -260,4 +260,28 @@ public static function getVectors(): iterable
             ),
         ];
     }
+
+    #[Test]
+    public function anInvalidSignatureCannotBeVerified(): void
+    {
+        // Given
+        $algorithm = ES256::create();
+        $key = Ec2Key::create([
+            Ec2Key::DATA_X => hex2bin('60FED4BA255A9D31C961EB74C6356D68C049B8923B61FA6CE669622E60F29FB6'),
+            Ec2Key::DATA_Y => hex2bin('7903FE1008B8BC99A41AE9E95628BC64F2F1B20C2D7E9F5177A3C294D4462299'),
+            Ec2Key::DATA_D => hex2bin('C9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721'),
+            Ec2Key::DATA_CURVE => Ec2Key::CURVE_P256,
+            Ec2Key::TYPE => Ec2Key::TYPE_EC2,
+        ]);
+        $data = 'sample';
+        $signature = hex2bin(
+            'EFD48B2AACB6A8FD1140DD9CD45E81D69D2C877B56AAF991C34D0EA84EAF3716F7CB1C942D657C41D436C7A1B6E29F65F3E900DBB9AFF4064DC4AB2F843ACDA8'
+        );
+        $invalidSignature = $signature;
+        $invalidSignature[0] = $invalidSignature[0] ^ "\x01"; // Corrupt the signature
+        // When
+        $isValid = $algorithm->verify($data, $key, $invalidSignature);
+        // Then
+        static::assertFalse($isValid);
+    }
 }
diff --git a/tests/Algorithm/Signature/EdDSA/EdDSATest.php b/tests/Algorithm/Signature/EdDSA/EdDSATest.php
index c403e82..676d3f0 100644
--- a/tests/Algorithm/Signature/EdDSA/EdDSATest.php
+++ b/tests/Algorithm/Signature/EdDSA/EdDSATest.php
@@ -94,4 +94,29 @@ public static function getVectors(): iterable
             ),
         ];
     }
+
+    #[Test]
+    public function anInvalidSignatureCannotBeVerified(): void
+    {
+        // Given
+        $algorithm = Ed25519::create();
+
+        $key = OkpKey::create([
+            OkpKey::DATA_X => base64_decode('11qYAYKxCrfVS/7TyWQHOg7hcvPapiMlrwIaaPcHURo', true),
+            OkpKey::DATA_D => base64_decode('nWGxne/9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A', true),
+            OkpKey::DATA_CURVE => OkpKey::CURVE_ED25519,
+            OkpKey::TYPE => OkpKey::TYPE_OKP,
+        ]);
+        $data = 'eyJhbGciOiJFZERTQSJ9.RXhhbXBsZSBvZiBFZDI1NTE5IHNpZ25pbmc';
+        $signature = base64_decode(
+            'hgyY0il/MGCjP0JzlnLWG1PPOt7+09PGcvMg3AIbQR6dWbhijcNR4ki4iylGjg5BhVsPt9g7sVvpAr/MuM0KAg',
+            true
+        );
+        $invalidSignature = $signature;
+        $invalidSignature[0] = $invalidSignature[0] ^ "\x01"; // Corrupt the signature
+        // When
+        $isValid = $algorithm->verify($data, $key, $invalidSignature);
+        // Then
+        static::assertFalse($isValid);
+    }
 }