Verify peer cert function for better man in the middle prevention (#746)

* verify peer cert function for better man in the middle prevention * publish cert chain hash generation algorithm * added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb * apply coding style * added test case for pinned certificates * refactored cert pin * pinned cert test * added json loading of the PinnedPeerCertificateChainSha256 * removed tool to prepare for v5 * Add server cert pinning for Xtls Change command "xray tls certChainHash" to xray style Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
2025-04-29 16:58:34 +00:00 · 2021-10-22 00:04:06 -04:00 · 2021-10-22 00:04:06 -04:00 · acb81ebe3d
commit acb81ebe3d
parent 6a60332700
13 changed files with 447 additions and 35 deletions
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@ -1,6 +1,7 @@
 package conf

 import (
+	"encoding/base64"
 	"encoding/json"
 	"math"
 	"net/url"
@ -338,18 +339,19 @@ func (c *TLSCertConfig) Build() (*tls.Certificate, error) {
 }

 type TLSConfig struct {
-	Insecure                 bool             `json:"allowInsecure"`
-	Certs                    []*TLSCertConfig `json:"certificates"`
-	ServerName               string           `json:"serverName"`
-	ALPN                     *StringList      `json:"alpn"`
-	EnableSessionResumption  bool             `json:"enableSessionResumption"`
-	DisableSystemRoot        bool             `json:"disableSystemRoot"`
-	MinVersion               string           `json:"minVersion"`
-	MaxVersion               string           `json:"maxVersion"`
-	CipherSuites             string           `json:"cipherSuites"`
-	PreferServerCipherSuites bool             `json:"preferServerCipherSuites"`
-	Fingerprint              string           `json:"fingerprint"`
-	RejectUnknownSNI         bool             `json:"rejectUnknownSni"`
+	Insecure                         bool             `json:"allowInsecure"`
+	Certs                            []*TLSCertConfig `json:"certificates"`
+	ServerName                       string           `json:"serverName"`
+	ALPN                             *StringList      `json:"alpn"`
+	EnableSessionResumption          bool             `json:"enableSessionResumption"`
+	DisableSystemRoot                bool             `json:"disableSystemRoot"`
+	MinVersion                       string           `json:"minVersion"`
+	MaxVersion                       string           `json:"maxVersion"`
+	CipherSuites                     string           `json:"cipherSuites"`
+	PreferServerCipherSuites         bool             `json:"preferServerCipherSuites"`
+	Fingerprint                      string           `json:"fingerprint"`
+	RejectUnknownSNI                 bool             `json:"rejectUnknownSni"`
+	PinnedPeerCertificateChainSha256 *[]string        `json:"pinnedPeerCertificateChainSha256"`
 }

 // Build implements Buildable.
@ -379,6 +381,18 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	config.PreferServerCipherSuites = c.PreferServerCipherSuites
 	config.Fingerprint = strings.ToLower(c.Fingerprint)
 	config.RejectUnknownSni = c.RejectUnknownSNI
+
+	if c.PinnedPeerCertificateChainSha256 != nil {
+		config.PinnedPeerCertificateChainSha256 = [][]byte{}
+		for _, v := range *c.PinnedPeerCertificateChainSha256 {
+			hashValue, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return nil, err
+			}
+			config.PinnedPeerCertificateChainSha256 = append(config.PinnedPeerCertificateChainSha256, hashValue)
+		}
+	}
+
 	return config, nil
 }

@ -432,17 +446,18 @@ func (c *XTLSCertConfig) Build() (*xtls.Certificate, error) {
 }

 type XTLSConfig struct {
-	Insecure                 bool              `json:"allowInsecure"`
-	Certs                    []*XTLSCertConfig `json:"certificates"`
-	ServerName               string            `json:"serverName"`
-	ALPN                     *StringList       `json:"alpn"`
-	EnableSessionResumption  bool              `json:"enableSessionResumption"`
-	DisableSystemRoot        bool              `json:"disableSystemRoot"`
-	MinVersion               string            `json:"minVersion"`
-	MaxVersion               string            `json:"maxVersion"`
-	CipherSuites             string            `json:"cipherSuites"`
-	PreferServerCipherSuites bool              `json:"preferServerCipherSuites"`
-	RejectUnknownSNI         bool              `json:"rejectUnknownSni"`
+	Insecure                         bool              `json:"allowInsecure"`
+	Certs                            []*XTLSCertConfig `json:"certificates"`
+	ServerName                       string            `json:"serverName"`
+	ALPN                             *StringList       `json:"alpn"`
+	EnableSessionResumption          bool              `json:"enableSessionResumption"`
+	DisableSystemRoot                bool              `json:"disableSystemRoot"`
+	MinVersion                       string            `json:"minVersion"`
+	MaxVersion                       string            `json:"maxVersion"`
+	CipherSuites                     string            `json:"cipherSuites"`
+	PreferServerCipherSuites         bool              `json:"preferServerCipherSuites"`
+	RejectUnknownSNI                 bool              `json:"rejectUnknownSni"`
+	PinnedPeerCertificateChainSha256 *[]string         `json:"pinnedPeerCertificateChainSha256"`
 }

 // Build implements Buildable.
@ -471,6 +486,18 @@ func (c *XTLSConfig) Build() (proto.Message, error) {
 	config.CipherSuites = c.CipherSuites
 	config.PreferServerCipherSuites = c.PreferServerCipherSuites
 	config.RejectUnknownSni = c.RejectUnknownSNI
+
+	if c.PinnedPeerCertificateChainSha256 != nil {
+		config.PinnedPeerCertificateChainSha256 = [][]byte{}
+		for _, v := range *c.PinnedPeerCertificateChainSha256 {
+			hashValue, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return nil, err
+			}
+			config.PinnedPeerCertificateChainSha256 = append(config.PinnedPeerCertificateChainSha256, hashValue)
+		}
+	}
+
 	return config, nil
 }