Clash.Meta/component/ca/config.go

package ca

import (
	"crypto/tls"
	"crypto/x509"
	_ "embed"
	"errors"
	"fmt"
	"os"
	"strconv"
	"sync"

	C "github.com/metacubex/mihomo/constant"
)

var globalCertPool *x509.CertPool
var mutex sync.RWMutex
var errNotMatch = errors.New("certificate fingerprints do not match")

//go:embed ca-certificates.crt
var _CaCertificates []byte
var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA"))
var DisableSystemCa, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_CA"))

func AddCertificate(certificate string) error {
	mutex.Lock()
	defer mutex.Unlock()

	if certificate == "" {
		return fmt.Errorf("certificate is empty")
	}

	if globalCertPool == nil {
		initializeCertPool()
	}

	if globalCertPool.AppendCertsFromPEM([]byte(certificate)) {
		return nil
	} else if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {
		globalCertPool.AddCert(cert)
		return nil
	} else {
		return fmt.Errorf("add certificate failed")
	}
}

func initializeCertPool() {
	var err error
	if DisableSystemCa {
		globalCertPool = x509.NewCertPool()
	} else {
		globalCertPool, err = x509.SystemCertPool()
		if err != nil {
			globalCertPool = x509.NewCertPool()
		}
	}
	if !DisableEmbedCa {
		globalCertPool.AppendCertsFromPEM(_CaCertificates)
	}
}

func ResetCertificate() {
	mutex.Lock()
	defer mutex.Unlock()
	initializeCertPool()
}

func getCertPool() *x509.CertPool {
	if globalCertPool == nil {
		mutex.Lock()
		defer mutex.Unlock()
		if globalCertPool != nil {
			return globalCertPool
		}
		initializeCertPool()
	}
	return globalCertPool
}

func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
	var certificate []byte
	var err error
	if len(customCA) > 0 {
		path := C.Path.Resolve(customCA)
		if !C.Path.IsSafePath(path) {
			return nil, fmt.Errorf("path is not subpath of home directory: %s", path)
		}
		certificate, err = os.ReadFile(path)
		if err != nil {
			return nil, fmt.Errorf("load ca error: %w", err)
		}
	} else if customCAString != "" {
		certificate = []byte(customCAString)
	}
	if len(certificate) > 0 {
		certPool := x509.NewCertPool()
		if !certPool.AppendCertsFromPEM(certificate) {
			return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)
		}
		return certPool, nil
	} else {
		return getCertPool(), nil
	}
}

// GetTLSConfig specified fingerprint, customCA and customCAString
func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
	if tlsConfig == nil {
		tlsConfig = &tls.Config{}
	}
	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
	if err != nil {
		return nil, err
	}

	if len(fingerprint) > 0 {
		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
		if err != nil {
			return nil, err
		}
		tlsConfig.InsecureSkipVerify = true
	}
	return tlsConfig, nil
}

// GetSpecifiedFingerprintTLSConfig specified fingerprint
func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
	return GetTLSConfig(tlsConfig, fingerprint, "", "")
}

func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
	return tlsConfig
}
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`package ca`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00
			`import (`
			`"crypto/tls"`
			`"crypto/x509"`
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`_ "embed"`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`"errors"`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`"fmt"`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`"os"`
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`"strconv"`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`"sync"`
Chore: Let CA read following homeDir 2024-04-20 22:22:17 +08:00
			`C "github.com/metacubex/mihomo/constant"`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`)`

chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`var globalCertPool *x509.CertPool`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`var mutex sync.RWMutex`
[Feature] Proxy stores delay data of different URLs. And supports specifying different test URLs and expected statue by group (#588) Co-authored-by: Larvan2 <78135608+Larvan2@users.noreply.github.com> Co-authored-by: wwqgtxx <wwqgtxx@gmail.com> 2023-06-04 11:51:30 +08:00			`var errNotMatch = errors.New("certificate fingerprints do not match")`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`//go:embed ca-certificates.crt`
			`var _CaCertificates []byte`
			`var DisableEmbedCa, _ = strconv.ParseBool(os.Getenv("DISABLE_EMBED_CA"))`
			`var DisableSystemCa, _ = strconv.ParseBool(os.Getenv("DISABLE_SYSTEM_CA"))`

chore: add custom ca trust 2023-02-25 22:01:20 +08:00			`func AddCertificate(certificate string) error {`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`mutex.Lock()`
			`defer mutex.Unlock()`
fix: the trustcerts not add to globalCerts after ca.ResetCertificate (#1801) support PEM format for custom-certificates too 2025-01-20 23:01:26 +08:00
chore: add custom ca trust 2023-02-25 22:01:20 +08:00			`if certificate == "" {`
			`return fmt.Errorf("certificate is empty")`
			`}`
fix: the trustcerts not add to globalCerts after ca.ResetCertificate (#1801) support PEM format for custom-certificates too 2025-01-20 23:01:26 +08:00
			`if globalCertPool == nil {`
			`initializeCertPool()`
			`}`

			`if globalCertPool.AppendCertsFromPEM([]byte(certificate)) {`
			`return nil`
			`} else if cert, err := x509.ParseCertificate([]byte(certificate)); err == nil {`
			`globalCertPool.AddCert(cert)`
chore: adjust trust cert 2023-03-27 22:27:59 +08:00			`return nil`
			`} else {`
chore: add custom ca trust 2023-02-25 22:01:20 +08:00			`return fmt.Errorf("add certificate failed")`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`}`
			`}`

fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-14 00:21:59 +08:00			`func initializeCertPool() {`
			`var err error`
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`if DisableSystemCa {`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`globalCertPool = x509.NewCertPool()`
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`} else {`
			`globalCertPool, err = x509.SystemCertPool()`
			`if err != nil {`
			`globalCertPool = x509.NewCertPool()`
			`}`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-14 00:21:59 +08:00			`}`
chore: embed ca-certificates.crt 2024-03-28 19:26:41 +08:00			`if !DisableEmbedCa {`
			`globalCertPool.AppendCertsFromPEM(_CaCertificates)`
			`}`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-14 00:21:59 +08:00			`}`

chore: format code 2023-02-26 20:38:32 +08:00			`func ResetCertificate() {`
chore: add custom ca trust 2023-02-25 22:01:20 +08:00			`mutex.Lock()`
			`defer mutex.Unlock()`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-14 00:21:59 +08:00			`initializeCertPool()`
chore: adjust trust cert 2023-03-27 22:27:59 +08:00			`}`

			`func getCertPool() *x509.CertPool {`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`if globalCertPool == nil {`
feat: `nameserver-policy` support use rule-providers and reduce domain-set memory 2023-04-01 11:53:39 +08:00			`mutex.Lock()`
			`defer mutex.Unlock()`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`if globalCertPool != nil {`
			`return globalCertPool`
feat: `nameserver-policy` support use rule-providers and reduce domain-set memory 2023-04-01 11:53:39 +08:00			`}`
fix: TLS certificate pool initialize Co-authored-by: Skyxim <noreply@skyxim.dev> 2023-05-14 00:21:59 +08:00			`initializeCertPool()`
chore: adjust trust cert 2023-03-27 22:27:59 +08:00			`}`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`return globalCertPool`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`}`

chore: update utls to 1.7.0 2025-04-21 12:07:33 +08:00			`func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`var certificate []byte`
			`var err error`
			`if len(customCA) > 0 {`
chore: better path checks 2025-04-30 23:21:13 +08:00			`path := C.Path.Resolve(customCA)`
			`if !C.Path.IsSafePath(path) {`
			`return nil, fmt.Errorf("path is not subpath of home directory: %s", path)`
			`}`
			`certificate, err = os.ReadFile(path)`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`if err != nil {`
			`return nil, fmt.Errorf("load ca error: %w", err)`
			`}`
			`} else if customCAString != "" {`
			`certificate = []byte(customCAString)`
			`}`
			`if len(certificate) > 0 {`
			`certPool := x509.NewCertPool()`
			`if !certPool.AppendCertsFromPEM(certificate) {`
			`return nil, fmt.Errorf("failed to parse certificate:\n\n %s", certificate)`
			`}`
chore: update utls to 1.7.0 2025-04-21 12:07:33 +08:00			`return certPool, nil`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`} else {`
chore: update utls to 1.7.0 2025-04-21 12:07:33 +08:00			`return getCertPool(), nil`
			`}`
			`}`

			`// GetTLSConfig specified fingerprint, customCA and customCAString`
			`func GetTLSConfig(tlsConfig tls.Config, fingerprint string, customCA string, customCAString string) (_ tls.Config, err error) {`
			`if tlsConfig == nil {`
			`tlsConfig = &tls.Config{}`
			`}`
			`tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)`
			`if err != nil {`
			`return nil, err`
			`}`

chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`if len(fingerprint) > 0 {`
chore: update utls to 1.7.0 2025-04-21 12:07:33 +08:00			`tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`if err != nil {`
			`return nil, err`
			`}`
refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`tlsConfig.InsecureSkipVerify = true`
feat: Prepare to specify the fingerprint function 2022-07-10 21:56:33 +08:00			`}`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`return tlsConfig, nil`
			`}`

			`// GetSpecifiedFingerprintTLSConfig specified fingerprint`
			`func GetSpecifiedFingerprintTLSConfig(tlsConfig tls.Config, fingerprint string) (tls.Config, error) {`
			`return GetTLSConfig(tlsConfig, fingerprint, "", "")`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`}`

refactor: replace experimental.fingerprints with custom-certificates and Change the fingerprint verification logic to SSL pinning 2023-01-14 21:08:06 +08:00			`func GetGlobalTLSConfig(tlsConfig tls.Config) tls.Config {`
chore: rebuild ca parsing 2023-09-22 14:45:34 +08:00			`tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")`
feat: add fingerprint for tls verify 2022-07-10 20:44:24 +08:00			`return tlsConfig`
			`}`