Xray-core/transport/internet/tls/pin.go

package tls

import (
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/pem"
)

func CalculatePEMCertChainSHA256Hash(certContent []byte) string {
	var certChain [][]byte
	for {
		block, remain := pem.Decode(certContent)
		if block == nil {
			break
		}
		certChain = append(certChain, block.Bytes)
		certContent = remain
	}
	certChainHash := GenerateCertChainHash(certChain)
	certChainHashB64 := base64.StdEncoding.EncodeToString(certChainHash)
	return certChainHashB64
}

func GenerateCertChainHash(rawCerts [][]byte) []byte {
	var hashValue []byte
	for _, certValue := range rawCerts {
		out := sha256.Sum256(certValue)
		if hashValue == nil {
			hashValue = out[:]
		} else {
			newHashValue := sha256.Sum256(append(hashValue, out[:]...))
			hashValue = newHashValue[:]
		}
	}
	return hashValue
}

func GenerateCertPublicKeyHash(cert *x509.Certificate) []byte {
	out := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return out[:]
}
Verify peer cert function for better man in the middle prevention (#746) * verify peer cert function for better man in the middle prevention * publish cert chain hash generation algorithm * added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb * apply coding style * added test case for pinned certificates * refactored cert pin * pinned cert test * added json loading of the PinnedPeerCertificateChainSha256 * removed tool to prepare for v5 * Add server cert pinning for Xtls Change command "xray tls certChainHash" to xray style Co-authored-by: Shelikhoo <xiaokangwang@outlook.com> 2021-10-22 04:04:06 +00:00			`package tls`

			`import (`
			`"crypto/sha256"`
Support SPKI Fingerprint Pinning Support SPKI Fingerprint Pinning for TLSObject 2023-02-17 08:01:24 +00:00			`"crypto/x509"`
Verify peer cert function for better man in the middle prevention (#746) * verify peer cert function for better man in the middle prevention * publish cert chain hash generation algorithm * added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb * apply coding style * added test case for pinned certificates * refactored cert pin * pinned cert test * added json loading of the PinnedPeerCertificateChainSha256 * removed tool to prepare for v5 * Add server cert pinning for Xtls Change command "xray tls certChainHash" to xray style Co-authored-by: Shelikhoo <xiaokangwang@outlook.com> 2021-10-22 04:04:06 +00:00			`"encoding/base64"`
			`"encoding/pem"`
			`)`

			`func CalculatePEMCertChainSHA256Hash(certContent []byte) string {`
			`var certChain [][]byte`
			`for {`
			`block, remain := pem.Decode(certContent)`
			`if block == nil {`
			`break`
			`}`
			`certChain = append(certChain, block.Bytes)`
			`certContent = remain`
			`}`
			`certChainHash := GenerateCertChainHash(certChain)`
			`certChainHashB64 := base64.StdEncoding.EncodeToString(certChainHash)`
			`return certChainHashB64`
			`}`

			`func GenerateCertChainHash(rawCerts [][]byte) []byte {`
			`var hashValue []byte`
			`for _, certValue := range rawCerts {`
			`out := sha256.Sum256(certValue)`
			`if hashValue == nil {`
			`hashValue = out[:]`
			`} else {`
			`newHashValue := sha256.Sum256(append(hashValue, out[:]...))`
			`hashValue = newHashValue[:]`
			`}`
			`}`
			`return hashValue`
			`}`
Support SPKI Fingerprint Pinning Support SPKI Fingerprint Pinning for TLSObject 2023-02-17 08:01:24 +00:00
			`func GenerateCertPublicKeyHash(cert *x509.Certificate) []byte {`
			`out := sha256.Sum256(cert.RawSubjectPublicKeyInfo)`
			`return out[:]`
			`}`