chore: add custom ca trust

This commit is contained in:
Skyxim 2023-02-25 22:01:20 +08:00
parent a3b8c9c233
commit f565edd76d
4 changed files with 28 additions and 42 deletions

View file

@ -11,31 +11,30 @@ import (
"strings" "strings"
"sync" "sync"
CN "github.com/Dreamacro/clash/common/net"
xtls "github.com/xtls/go" xtls "github.com/xtls/go"
) )
var tlsCertificates = make([]tls.Certificate, 0) var trustCert,_ = x509.SystemCertPool()
var mutex sync.RWMutex var mutex sync.RWMutex
var errNotMacth error = errors.New("certificate fingerprints do not match") var errNotMacth error = errors.New("certificate fingerprints do not match")
func AddCertificate(privateKey, certificate string) error { func AddCertificate(certificate string) error {
mutex.Lock() mutex.Lock()
defer mutex.Unlock() defer mutex.Unlock()
if cert, err := CN.ParseCert(certificate, privateKey); err != nil { if certificate == "" {
return err return fmt.Errorf("certificate is empty")
} else { }
tlsCertificates = append(tlsCertificates, cert) if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
return fmt.Errorf("add certificate failed")
} }
return nil return nil
} }
func GetCertificates() []tls.Certificate { func ResetCertificate(){
mutex.RLock() mutex.Lock()
defer mutex.RUnlock() defer mutex.Unlock()
return tlsCertificates trustCert,_=x509.SystemCertPool()
} }
func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error { func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config { func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
if tlsConfig == nil { if tlsConfig == nil {
return &tls.Config{ return &tls.Config{
Certificates: tlsCertificates, RootCAs: trustCert,
} }
} }
tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...) tlsConfig.RootCAs = trustCert
return tlsConfig return tlsConfig
} }
@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
} }
func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config { func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
for _, cert := range tlsCertificates {
tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
for _, ssa := range cert.SupportedSignatureAlgorithms {
tlsSsa := xtls.SignatureScheme(ssa)
tlsSsaList = append(tlsSsaList, tlsSsa)
}
xtlsCert := xtls.Certificate{
Certificate: cert.Certificate,
PrivateKey: cert.PrivateKey,
OCSPStaple: cert.OCSPStaple,
SignedCertificateTimestamps: cert.SignedCertificateTimestamps,
Leaf: cert.Leaf,
SupportedSignatureAlgorithms: tlsSsaList,
}
xtlsCerts = append(xtlsCerts, xtlsCert)
}
if tlsConfig == nil { if tlsConfig == nil {
return &xtls.Config{ return &xtls.Config{
Certificates: xtlsCerts, RootCAs: trustCert,
} }
} }
tlsConfig.Certificates = xtlsCerts tlsConfig.RootCAs = trustCert
return tlsConfig return tlsConfig
} }

View file

@ -120,13 +120,9 @@ type Profile struct {
} }
type TLS struct { type TLS struct {
RawCert `yaml:",inline"`
CustomTrustCert []RawCert `yaml:"custom-certifactes"`
}
type RawCert struct {
Certificate string `yaml:"certificate"` Certificate string `yaml:"certificate"`
PrivateKey string `yaml:"private-key"` PrivateKey string `yaml:"private-key"`
CustomTrustCert []string `yaml:"custom-certifactes"`
} }
// IPTables config // IPTables config
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
} }
config.General = general config.General = general
dialer.DefaultInterface.Store(config.General.Interface)
proxies, providers, err := parseProxies(rawCfg) proxies, providers, err := parseProxies(rawCfg)
if err != nil { if err != nil {
return nil, err return nil, err

View file

@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS
tls: tls:
certificate: string # 证书 PEM 格式,或者 证书的路径 certificate: string # 证书 PEM 格式,或者 证书的路径
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径 private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
custom-certifactes:
- |
-----BEGIN CERTIFICATE-----
format/pem...
-----END CERTIFICATE-----
external-controller: 0.0.0.0:9093 # RESTful API 监听地址 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件

View file

@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
} }
func preUpdateExperimental(c *config.Config) { func preUpdateExperimental(c *config.Config) {
CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate) CTLS.ResetCertificate()
for _, c := range c.TLS.CustomTrustCert { for _, c := range c.TLS.CustomTrustCert {
CTLS.AddCertificate(c.PrivateKey, c.Certificate) if err := CTLS.AddCertificate(c); err != nil {
log.Warnln("%s\nadd error: %s", c, err.Error())
}
} }
} }