chore: add custom ca trust

This commit is contained in:
Skyxim 2023-02-25 22:01:20 +08:00
parent a3b8c9c233
commit f565edd76d
4 changed files with 28 additions and 42 deletions

View file

@ -11,31 +11,30 @@ import (
"strings"
"sync"
CN "github.com/Dreamacro/clash/common/net"
xtls "github.com/xtls/go"
)
var tlsCertificates = make([]tls.Certificate, 0)
var trustCert,_ = x509.SystemCertPool()
var mutex sync.RWMutex
var errNotMacth error = errors.New("certificate fingerprints do not match")
func AddCertificate(privateKey, certificate string) error {
func AddCertificate(certificate string) error {
mutex.Lock()
defer mutex.Unlock()
if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
return err
} else {
tlsCertificates = append(tlsCertificates, cert)
if certificate == "" {
return fmt.Errorf("certificate is empty")
}
if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
return fmt.Errorf("add certificate failed")
}
return nil
}
func GetCertificates() []tls.Certificate {
mutex.RLock()
defer mutex.RUnlock()
return tlsCertificates
func ResetCertificate(){
mutex.Lock()
defer mutex.Unlock()
trustCert,_=x509.SystemCertPool()
}
func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
if tlsConfig == nil {
return &tls.Config{
Certificates: tlsCertificates,
RootCAs: trustCert,
}
}
tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
tlsConfig.RootCAs = trustCert
return tlsConfig
}
@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
}
func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
for _, cert := range tlsCertificates {
tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
for _, ssa := range cert.SupportedSignatureAlgorithms {
tlsSsa := xtls.SignatureScheme(ssa)
tlsSsaList = append(tlsSsaList, tlsSsa)
}
xtlsCert := xtls.Certificate{
Certificate: cert.Certificate,
PrivateKey: cert.PrivateKey,
OCSPStaple: cert.OCSPStaple,
SignedCertificateTimestamps: cert.SignedCertificateTimestamps,
Leaf: cert.Leaf,
SupportedSignatureAlgorithms: tlsSsaList,
}
xtlsCerts = append(xtlsCerts, xtlsCert)
}
if tlsConfig == nil {
return &xtls.Config{
Certificates: xtlsCerts,
RootCAs: trustCert,
}
}
tlsConfig.Certificates = xtlsCerts
tlsConfig.RootCAs = trustCert
return tlsConfig
}

View file

@ -120,13 +120,9 @@ type Profile struct {
}
type TLS struct {
RawCert `yaml:",inline"`
CustomTrustCert []RawCert `yaml:"custom-certifactes"`
}
type RawCert struct {
Certificate string `yaml:"certificate"`
PrivateKey string `yaml:"private-key"`
CustomTrustCert []string `yaml:"custom-certifactes"`
}
// IPTables config
@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
}
config.General = general
dialer.DefaultInterface.Store(config.General.Interface)
proxies, providers, err := parseProxies(rawCfg)
if err != nil {
return nil, err

View file

@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关,关闭阻断所有 IPv6 链接和屏蔽 DNS
tls:
certificate: string # 证书 PEM 格式,或者 证书的路径
private-key: string # 证书对应的私钥 PEM 格式,或者私钥路径
custom-certifactes:
- |
-----BEGIN CERTIFICATE-----
format/pem...
-----END CERTIFICATE-----
external-controller: 0.0.0.0:9093 # RESTful API 监听地址
external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址,需要配置 tls 部分配置文件

View file

@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
}
func preUpdateExperimental(c *config.Config) {
CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
CTLS.ResetCertificate()
for _, c := range c.TLS.CustomTrustCert {
CTLS.AddCertificate(c.PrivateKey, c.Certificate)
if err := CTLS.AddCertificate(c); err != nil {
log.Warnln("%s\nadd error: %s", c, err.Error())
}
}
}