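# Install the zhousc66 Lab Root CA on a managed Windows client.
#
# Public-portal default:
#   Downloads the Root CA from https://pki.zhoushicheng.cn/certs/.
#
# Parameters:
#   -Source               URL (http/https), local file path, or scp source of the .cer file.
#   -ExpectedFingerprint  SHA256 of the certificate's DER bytes, hex. Separators (":" / "-" / spaces)
#                         and case are ignored when comparing.
#
# Safety:
#   - Must run from an elevated PowerShell session.
#   - Installs only the public Root CA certificate.
#   - Verifies the SHA256 fingerprint before importing into LocalMachine\Root. Integrity rests on
#     this pin, not on the transport, which is why a plain http:// source is still accepted.
#   - The certificate object that passed the fingerprint check is the one written to the store;
#     the downloaded file is not re-read after verification.
#   - Never downloads private keys, PFX files, or passphrases.
[CmdletBinding()]
param(
    [string]$Source = "https://pki.zhoushicheng.cn/certs/zhousc66-lab-root-ca-2026.cer",
    [string]$ExpectedFingerprint = "CED7279B6FB8F392734848DDB565CEDE15286E72A233E5511898D3A895C28F14"
)

$ErrorActionPreference = "Stop"
$CaLabel = "zhousc66 Lab Root CA 2026"

# Throws unless the current session holds the local Administrators role.
function Assert-Administrator {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this script from an elevated PowerShell session."
    }
}

# Returns the upper-case hex SHA256 over the certificate's DER encoding.
# Computed from RawData rather than GetCertHashString(HashAlgorithmName) so the
# script also runs on Windows PowerShell 5.1 (.NET Framework), which lacks that overload.
function Get-Sha256Fingerprint {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha256.ComputeHash($Certificate.RawData)
    } finally {
        $sha256.Dispose()
    }
    return ([System.BitConverter]::ToString($digest) -replace '-', '')
}

# Strips separators and upper-cases a user-supplied fingerprint; rejects anything that
# is not exactly 64 hex digits so a typo cannot silently turn into a guaranteed mismatch
# with an unhelpful message.
function Get-NormalizedFingerprint {
    param([string]$Fingerprint)
    $normalized = ($Fingerprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($normalized.Length -ne 64) {
        throw "ExpectedFingerprint must be a 64-hex-digit SHA256 value (got '$Fingerprint')."
    }
    return $normalized
}

Assert-Administrator
$expectedNormalized = Get-NormalizedFingerprint -Fingerprint $ExpectedFingerprint

# Per-run scratch directory with an unpredictable name; removed in the finally block.
$workDir = Join-Path $env:TEMP ("zhousc66-ca-install-" + [Guid]::NewGuid().ToString("N"))
$cerPath = Join-Path $workDir "root.ca.cert.cer"
New-Item -ItemType Directory -Path $workDir | Out-Null

$cert = $null
try {
    Write-Host "Fetching Root CA certificate from: $Source"
    if ($Source -match '^https?://') {
        # -UseBasicParsing avoids the IE-engine dependency on Windows PowerShell 5.1;
        # it is accepted (and a no-op) on PowerShell 7.
        Invoke-WebRequest -Uri $Source -OutFile $cerPath -UseBasicParsing
    } elseif (Test-Path -LiteralPath $Source) {
        Copy-Item -LiteralPath $Source -Destination $cerPath
    } else {
        # Native commands do not honor $ErrorActionPreference; check the exit code explicitly.
        & scp $Source $cerPath
        if ($LASTEXITCODE -ne 0) {
            throw "scp exited with code $LASTEXITCODE while fetching '$Source'."
        }
    }

    if (-not (Test-Path -LiteralPath $cerPath -PathType Leaf)) {
        throw "No certificate file was produced at '$cerPath'."
    }

    # Accepts both DER and Base64 (PEM) .cer files.
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cerPath)
    $actualFingerprint = Get-Sha256Fingerprint -Certificate $cert

    Write-Host "Validating certificate fingerprint..."
    if ($actualFingerprint -ne $expectedNormalized) {
        throw "Root CA fingerprint mismatch. 
Expected $ExpectedFingerprint, actual $actualFingerprint"
    }

    # Add the verified in-memory object directly; X509Store.Add is idempotent for an
    # identical certificate, so re-running the script is safe.
    $store = [System.Security.Cryptography.X509Certificates.X509Store]::new(
        [System.Security.Cryptography.X509Certificates.StoreName]::Root,
        [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine)
    try {
        $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
        $store.Add($cert)
    } finally {
        $store.Close()
    }

    Write-Host ("Subject:    {0}" -f $cert.Subject)
    Write-Host ("Thumbprint: {0}" -f $cert.Thumbprint)
    Write-Host ("SHA256:     {0}" -f $actualFingerprint)
    Write-Host "Installed and trusted: $CaLabel"
} finally {
    if ($null -ne $cert) {
        $cert.Dispose()
    }
    Remove-Item -Recurse -Force -LiteralPath $workDir -ErrorAction SilentlyContinue
}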