From f565edd76dcd2f9db89c524310d1031052e96cbf Mon Sep 17 00:00:00 2001
From: Skyxim
Date: Sat, 25 Feb 2023 22:01:20 +0800
Subject: [PATCH] chore: add custom ca trust
---
component/tls/config.go | 48 +++++++++++++---------------------------
config/config.go | 11 ++++-----
docs/config.yaml | 5 +++++
hub/executor/executor.go | 6 +++--
4 files changed, 28 insertions(+), 42 deletions(-)
diff --git a/component/tls/config.go b/component/tls/config.go
index 39d1b1fd..50daad46 100644
--- a/component/tls/config.go
+++ b/component/tls/config.go
@@ -11,31 +11,30 @@ import ( "strings" "sync" - CN "github.com/Dreamacro/clash/common/net" - xtls "github.com/xtls/go" )
-var tlsCertificates = make([]tls.Certificate, 0)
+var trustCert,_ = x509.SystemCertPool() var mutex sync.RWMutex var errNotMacth error = errors.New("certificate fingerprints do not match")
-func AddCertificate(privateKey, certificate string) error {
+func AddCertificate(certificate string) error { mutex.Lock() defer mutex.Unlock() - if cert, err := CN.ParseCert(certificate, privateKey); err != nil { - return err - } else { - tlsCertificates = append(tlsCertificates, cert) + if certificate == "" { + return fmt.Errorf("certificate is empty") + } + if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok { + return fmt.Errorf("add certificate failed") } return nil }
-func GetCertificates() []tls.Certificate { - mutex.RLock() - defer mutex.RUnlock() - return tlsCertificates
+func ResetCertificate(){ mutex.Lock() defer mutex.Unlock() + trustCert,_=x509.SystemCertPool() } func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
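Review bot: `var trustCert,_ = x509.SystemCertPool()` drops the error, and when the system pool cannot be loaded `trustCert` is nil, so the new `trustCert.AppendCertsFromPEM([]byte(certificate))` in AddCertificate panics on the first custom certificate instead of reporting a configuration error; ResetCertificate repeats the same pattern. A guard after the empty-string check keeps it a returned error and leaves `RootCAs` nil so default verification stays in effect: `if trustCert == nil { return errors.New("system certificate pool unavailable") }`. `fmt.Errorf("add certificate failed")` should say what went wrong — AppendCertsFromPEM reports false only when no certificate could be parsed from the data, so `errors.New("no CA certificate found in PEM data")` tells the operator the entry is not inline PEM (a file path fails exactly this way), and `errors.New` is the idiom when there are no format verbs. The new declarations are not gofmt-clean (`trustCert,_ =`, `func ResetCertificate(){`, `trustCert,_=x509.SystemCertPool()`).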
@@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config { if tlsConfig == nil { return &tls.Config{ - Certificates: tlsCertificates, + RootCAs: trustCert, } } - tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...) + tlsConfig.RootCAs = trustCert return tlsConfig }
@@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin } func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config { - xtlsCerts := make([]xtls.Certificate, len(tlsCertificates)) - for _, cert := range tlsCertificates { - tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms)) - for _, ssa := range cert.SupportedSignatureAlgorithms { - tlsSsa := xtls.SignatureScheme(ssa) - tlsSsaList = append(tlsSsaList, tlsSsa) - } - xtlsCert := xtls.Certificate{ - Certificate: cert.Certificate, - PrivateKey: cert.PrivateKey, - OCSPStaple: cert.OCSPStaple, - SignedCertificateTimestamps: cert.SignedCertificateTimestamps, - Leaf: cert.Leaf, - SupportedSignatureAlgorithms: tlsSsaList, - } - xtlsCerts = append(xtlsCerts, xtlsCert) - } if tlsConfig == nil { return &xtls.Config{ - Certificates: xtlsCerts, + RootCAs: trustCert, } } - tlsConfig.Certificates = xtlsCerts + tlsConfig.RootCAs = trustCert return tlsConfig }
diff --git a/config/config.go b/config/config.go
index 24159d8e..76e5491b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -120,13 +120,9 @@ type Profile struct { } type TLS struct { - RawCert `yaml:",inline"` - CustomTrustCert []RawCert `yaml:"custom-certifactes"`
-}
-
-type RawCert struct { - Certificate string `yaml:"certificate"` - PrivateKey string `yaml:"private-key"` + Certificate string `yaml:"certificate"` + PrivateKey string `yaml:"private-key"` + CustomTrustCert []string `yaml:"custom-certifactes"` } // IPTables config
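Review bot: GetGlobalTLSConfig now reads the package variable `trustCert` without taking `mutex`, while ResetCertificate and AddCertificate write it and the pool it points to under the lock, so a config reload that runs concurrently with a dial is a data race on both the pointer and the CertPool contents; GetGlobalXTLSConfig in the next hunk has the same reads. Taking `mutex.RLock(); defer mutex.RUnlock()` at the top of both getters fixes the pointer race, and having the reload build a fresh pool and swap it in once, rather than resetting and then appending in place to a pool that configs issued during the reload already hold, would remove the window in which dials see a pool with only system roots — that part lives in tls/config.go and the executor, not in these lines. Separately, `tlsConfig.RootCAs = trustCert` overwrites any pool the caller set, where the old code appended to `Certificates`; `if tlsConfig.RootCAs == nil { tlsConfig.RootCAs = trustCert }` preserves a caller-specified pool, and the same applies to the xtls path.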
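Review bot: the new `CustomTrustCert []string` field has no comment saying what its entries are, and the constraint is not obvious from the neighbouring fields: AddCertificate hands each string straight to `AppendCertsFromPEM`, so entries must be inline PEM certificate text, whereas docs/config.yaml describes `certificate`/`private-key` as PEM or a file path. A field comment such as `// CustomTrustCert lists PEM-encoded CA certificates (inline text, not file paths) that are added to the system root pool for outbound TLS verification.` heads off the obvious misuse. The yaml key `custom-certifactes` is carried over from the removed line with its misspelling; if it is ever to become `custom-certificates`, this commit, which introduces the documented form of the key, is the cheapest point to do it, though existing configs may already use the old spelling.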
@@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) { } config.General = general + dialer.DefaultInterface.Store(config.General.Interface) proxies, providers, err := parseProxies(rawCfg) if err != nil { return nil, err
diff --git a/docs/config.yaml b/docs/config.yaml
index f6e9502e..771532d1 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS tls: certificate: string # 证书 PEM 格式,或者 证书的路径 private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径 + custom-certifactes: + - | + -----BEGIN CERTIFICATE----- + format/pem... + -----END CERTIFICATE----- external-controller: 0.0.0.0:9093 # RESTful API 监听地址 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件
diff --git a/hub/executor/executor.go b/hub/executor/executor.go
index 916f17c7..34f0f1a1 100644
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) { } func preUpdateExperimental(c *config.Config) { - CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate) + CTLS.ResetCertificate() for _, c := range c.TLS.CustomTrustCert { - CTLS.AddCertificate(c.PrivateKey, c.Certificate) + if err := CTLS.AddCertificate(c); err != nil { + log.Warnln("%s\nadd error: %s", c, err.Error()) + } } }
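Review bot: `dialer.DefaultInterface.Store(config.General.Interface)` gives ParseRawConfig a process-wide side effect: the default interface is changed before the rest of the config has been parsed, so if parseProxies or a later step returns an error the previous configuration stays active but already dials through the new interface. It is also unrelated to the custom-CA change named in the subject. Unless the store must precede parseProxies (it might, if proxy construction dials through the default interface — not visible here), it belongs with the apply-time updates in hub/executor; if it does have to stay here, a comment on the line saying why it happens at parse time would help the next reader. ParseRawConfig starts and ends outside the hunk.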
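Review bot: in `for _, c := range c.TLS.CustomTrustCert` the loop variable shadows the `*config.Config` parameter `c`, so inside the loop `c` is a PEM string while the `c.TLS` in the range clause refers to the config; `for i, cert := range c.TLS.CustomTrustCert {` with `CTLS.AddCertificate(cert)` reads cleanly. The warning `log.Warnln("%s\nadd error: %s", c, err.Error())` writes the entire PEM blob into the log for every bad entry; `log.Warnln("add custom trust certificate #%d: %s", i, err)` locates the entry without flooding the log, and `%s` formats an error directly, so `.Error()` is redundant. preUpdateExperimental lies entirely within the hunk.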