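#!/usr/bin/env bash
# Install or remove the embedded H3C Root CA certificate in the system trust
# store (Debian-family, RHEL-family, or p11-kit `trust`). See usage() below.
set -euo pipefail

# Auto elevate to sudo.
# NOTE: `-E` asks sudo to forward the caller's environment into the root
# process; whether that is honoured is decided by the sudoers policy
# (env_reset / SETENV). Drop `-E` if nothing here needs the caller's variables.
if [[ "${EUID}" -ne 0 ]]; then
  # Re-executing via "$0" only works when the script is a readable file; it
  # is not when the script is fed to bash on stdin (then $0 is "bash").
  if [[ ! -r "$0" ]]; then
    echo "ERROR: cannot re-execute '$0' under sudo; run this script as root." >&2
    exit 1
  fi
  if command -v sudo >/dev/null 2>&1; then
    exec sudo -E bash "$0" "$@"
  else
    # Diagnostics go to stderr so they never mix with normal output.
    echo "ERROR: this script requires root privileges, but sudo was not found." >&2
    exit 1
  fi
fi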

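# Sub-command; the dispatcher at the bottom of the file interprets it.
ACTION="${1:-install}"

readonly CERT_NAME="h3c-root-ca"

# Scratch copy of the embedded PEM, used for the fingerprint check and as the
# source copied into the trust store. A fixed, predictable path such as
# /tmp/<name>.crt is unsafe for a root-owned writer (a file or symlink planted
# there beforehand could be followed or overwritten), so create it with mktemp
# and make sure it is removed on every exit path.
CERT_FILE="$(mktemp "${TMPDIR:-/tmp}/${CERT_NAME}.XXXXXX")"
readonly CERT_FILE
# mktemp creates the file 0600; the certificate is public and its mode is
# inherited by the trust-store copy, so relax it to the usual 0644.
chmod 0644 -- "$CERT_FILE"
trap 'rm -f -- "$CERT_FILE"' EXIT

# Pinned SHA-1 fingerprint of the embedded certificate (uppercase hex, no
# colons). install_cert refuses to proceed unless the embedded PEM matches.
readonly EXPECTED_SHA1="C1E8C7F0E05239FF8C051896CC4B838EF05EB8BA"

# Where the certificate lands, depending on which trust-store tool exists.
readonly DEBIAN_TARGET="/usr/local/share/ca-certificates/${CERT_NAME}.crt"
readonly RHEL_TARGET="/etc/pki/ca-trust/source/anchors/${CERT_NAME}.crt"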

usage() {
  # Print the accepted invocations, one per line, to stdout.
  local self="$0"
  printf '%s\n' \
    "Usage:" \
    "  ${self}                  # install certificate" \
    "  ${self} install          # install certificate" \
    "  ${self} --delete         # delete certificate" \
    "  ${self} delete           # delete certificate"
}

write_cert() {
  # Write the embedded H3C Root CA (PEM) to CERT_FILE so it can be
  # fingerprint-checked and copied into the trust store. The quoted heredoc
  # delimiter keeps the PEM body literal. `cat >` creates or truncates the
  # path and will follow a symlink already present there (unless kernel
  # symlink protections intervene), which is why CERT_FILE should not be a
  # predictable name.
cat > "$CERT_FILE" <<'EOF'
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF
}

refresh_ca_store() {
  # Rebuild the system trust store after a certificate was added or removed.
  # Prefers update-ca-certificates (Debian-family), then update-ca-trust
  # (RHEL-family); a silent no-op when neither is on PATH.
  local tool
  tool="$(command -v update-ca-certificates 2>/dev/null \
    || command -v update-ca-trust 2>/dev/null \
    || true)"
  case "${tool##*/}" in
    update-ca-certificates) update-ca-certificates ;;
    update-ca-trust) update-ca-trust extract ;;
  esac
}

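install_cert() {
  # Verify the embedded certificate against the pinned fingerprint, copy it
  # into whichever trust store this distribution uses, and refresh that store.
  # Exits non-zero (removing the scratch file) on any failure.
  # Globals: CERT_FILE, EXPECTED_SHA1, DEBIAN_TARGET, RHEL_TARGET (read).
  local actual_sha1 expire_date target

  # Fail with a clear message instead of a broken pipeline under set -e.
  if ! command -v openssl >/dev/null 2>&1; then
    echo "ERROR: openssl is required to verify the certificate." >&2
    exit 1
  fi

  write_cert

  # The certificate is embedded in this script, so the fingerprint check
  # guards against tampering with or corruption of the heredoc, not against
  # an untrusted download. Normalise to uppercase hex without colons to match
  # EXPECTED_SHA1.
  actual_sha1="$(openssl x509 -in "$CERT_FILE" -noout -fingerprint -sha1 \
    | cut -d= -f2 | tr -d ':' | tr 'a-f' 'A-F')"
  expire_date="$(openssl x509 -in "$CERT_FILE" -noout -enddate | cut -d= -f2)"

  if [[ "$actual_sha1" != "$EXPECTED_SHA1" ]]; then
    echo "ERROR: certificate SHA1 mismatch." >&2
    rm -f -- "$CERT_FILE"
    exit 1
  fi

  echo "H3C Root CA fingerprint verified."
  echo "Expiration date: $expire_date"

  # Pick the trust-store layout from the tool that is present.
  if command -v update-ca-certificates >/dev/null 2>&1; then
    target="$DEBIAN_TARGET"
  elif command -v update-ca-trust >/dev/null 2>&1; then
    target="$RHEL_TARGET"
  elif command -v trust >/dev/null 2>&1; then
    # p11-kit manages its own store; nothing for us to place on disk.
    trust anchor "$CERT_FILE"
    echo "H3C Root CA installed by p11-kit trust."
    rm -f -- "$CERT_FILE"
    return 0
  else
    echo "ERROR: unsupported Linux distribution." >&2
    rm -f -- "$CERT_FILE"
    exit 1
  fi

  # "Already exists" means same name AND same content; a differing file under
  # the same name (e.g. an older copy) is replaced and the store refreshed.
  if [[ -f "$target" ]] && cmp -s -- "$CERT_FILE" "$target"; then
    echo "Certificate already exists: $target"
  else
    # Explicit 0644 rather than inheriting the scratch file's mode: the CA is
    # public and non-root TLS clients must be able to read it.
    install -m 0644 -- "$CERT_FILE" "$target"
    refresh_ca_store
    echo "H3C Root CA installed: $target"
  fi

  rm -f -- "$CERT_FILE"
}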

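delete_cert() {
  # Remove the certificate from every location install_cert may have placed
  # it, then refresh the trust store so the removal takes effect.
  # Globals: DEBIAN_TARGET, RHEL_TARGET, CERT_FILE (read).
  local removed=0 path

  for path in "$DEBIAN_TARGET" "$RHEL_TARGET"; do
    if [[ -f "$path" ]]; then
      rm -f -- "$path"
      removed=1
      echo "Removed: $path"
    fi
  done

  if command -v trust >/dev/null 2>&1; then
    # `trust anchor --remove` takes the certificate to remove as a file, so
    # re-materialise the embedded copy first. Best-effort: the anchor may never
    # have been added via p11-kit, so a failure here is not an error.
    write_cert
    trust anchor --remove "$CERT_FILE" >/dev/null 2>&1 || true
    rm -f -- "$CERT_FILE"
  fi

  refresh_ca_store

  if (( removed )); then
    echo "H3C Root CA deleted."
  else
    echo "H3C Root CA was not found in common Linux CA paths."
  fi
}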

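# Dispatch on the single positional argument (default: install).
case "$ACTION" in
  install|--install)
    install_cert
    ;;
  delete|remove|uninstall|--delete|--remove|--uninstall)
    delete_cert
    ;;
  -h|--help|help)
    usage
    ;;
  *)
    # Usage errors are diagnostics: send them to stderr, not stdout.
    echo "Unknown argument: $ACTION" >&2
    usage >&2
    exit 1
    ;;
esac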