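#!/bin/bash
# Install the CharlieHub Internal CA into the macOS System keychain as a
# trusted root.
#
# Trust anchor: the certificate fetched from CERT_URL is accepted only if its
# SHA-256 fingerprint equals EXPECTED_FP, so a spoofed or compromised download
# server cannot put a different CA on this machine. Update EXPECTED_FP only
# from an out-of-band source when the CA is rotated.
#
# Usage: sudo ./install-ca.sh
#   (writing /Library/Keychains/System.keychain normally needs admin rights)
set -euo pipefail

readonly CERT_URL="https://pki.charliehub.net/ca.crt"
readonly EXPECTED_FP="B5:2B:38:F9:58:D0:B6:BD:58:BD:39:BD:6C:73:00:A9:B3:61:ED:2D:50:D4:27:87:C8:49:AD:BC:7B:A3:E3:2C"
readonly CA_COMMON_NAME="CharlieHub Internal CA"
readonly SYSTEM_KEYCHAIN="/Library/Keychains/System.keychain"

# Print an error to stderr and exit non-zero.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Fail early with a clear message rather than mid-way with an obscure one.
for tool in curl openssl security; do
  command -v "$tool" >/dev/null 2>&1 || die "required tool not found: $tool"
done

# No suffix after the X's: not every mktemp implementation accepts characters
# after the template, and neither openssl nor security needs a .crt extension.
TMPFILE=$(mktemp "${TMPDIR:-/tmp}/charliehub-ca.XXXXXX") || die "mktemp failed"
readonly TMPFILE
trap 'rm -f -- "$TMPFILE"' EXIT

printf 'Downloading CA certificate...\n'
# --proto '=https' refuses any non-TLS scheme even if CERT_URL is later edited;
# -f turns HTTP error responses into a command failure instead of saving the
# error page as if it were the certificate.
curl -sf --proto '=https' --max-time 30 -o "$TMPFILE" "$CERT_URL" \
  || die "download of $CERT_URL failed"

printf 'Verifying fingerprint...\n'
# openssl prints "sha256 Fingerprint=AA:BB:..."; keep only the hex part.
# With pipefail, an openssl parse failure aborts the script instead of
# silently producing an empty fingerprint.
ACTUAL_FP=$(openssl x509 -in "$TMPFILE" -noout -fingerprint -sha256 | cut -d= -f2)
if [[ "$ACTUAL_FP" != "$EXPECTED_FP" ]]; then
  printf 'ERROR: Fingerprint mismatch!\n' >&2
  printf '  Expected: %s\n' "$EXPECTED_FP" >&2
  printf '  Got:      %s\n' "$ACTUAL_FP" >&2
  exit 1
fi
printf 'Fingerprint OK.\n'

printf 'Installing to System keychain with trustRoot...\n'
security add-trusted-cert -d -r trustRoot -k "$SYSTEM_KEYCHAIN" "$TMPFILE" \
  || die "security add-trusted-cert failed (is the script running with sudo?)"

# Under sudo, $HOME may be root's home rather than the invoking user's, so the
# wrong login keychain would be cleaned. Resolve the invoking user's home via
# Directory Services; fall back to $HOME if that lookup is unavailable.
login_home=$HOME
if [[ -n "${SUDO_USER:-}" ]]; then
  # dscl prints "NFSHomeDirectory: /Users/name"; strip the attribute name.
  if rec=$(dscl . -read "/Users/$SUDO_USER" NFSHomeDirectory 2>/dev/null); then
    login_home=${rec#NFSHomeDirectory: }
  fi
fi

printf 'Removing old copy from login keychain (if present)...\n'
# Deliberately best-effort: the certificate may simply not be present there.
security delete-certificate -c "$CA_COMMON_NAME" \
  "$login_home/Library/Keychains/login.keychain-db" 2>/dev/null || true

printf 'Done. %s is now trusted system-wide.\n' "$CA_COMMON_NAME"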
