Verify peer cert function for better man in the middle prevention (#746)

* verify peer cert function for better man in the middle prevention * publish cert chain hash generation algorithm * added calculation of certificate hash as separate command and tlsping, use base64 to represent fingerprint to align with jsonPb * apply coding style * added test case for pinned certificates * refactored cert pin * pinned cert test * added json loading of the PinnedPeerCertificateChainSha256 * removed tool to prepare for v5 * Add server cert pinning for Xtls Change command "xray tls certChainHash" to xray style Co-authored-by: Shelikhoo <xiaokangwang@outlook.com>
2025-04-29 16:58:34 +00:00 · 2021-10-22 00:04:06 -04:00 · 2021-10-22 00:04:06 -04:00 · acb81ebe3d
commit acb81ebe3d
parent 6a60332700
13 changed files with 447 additions and 35 deletions
--- a/transport/internet/tls/pin.go
+++ b/transport/internet/tls/pin.go
@ -0,0 +1,36 @@
+package tls
+
+import (
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/pem"
+)
+
+func CalculatePEMCertChainSHA256Hash(certContent []byte) string {
+	var certChain [][]byte
+	for {
+		block, remain := pem.Decode(certContent)
+		if block == nil {
+			break
+		}
+		certChain = append(certChain, block.Bytes)
+		certContent = remain
+	}
+	certChainHash := GenerateCertChainHash(certChain)
+	certChainHashB64 := base64.StdEncoding.EncodeToString(certChainHash)
+	return certChainHashB64
+}
+
+func GenerateCertChainHash(rawCerts [][]byte) []byte {
+	var hashValue []byte
+	for _, certValue := range rawCerts {
+		out := sha256.Sum256(certValue)
+		if hashValue == nil {
+			hashValue = out[:]
+		} else {
+			newHashValue := sha256.Sum256(append(hashValue, out[:]...))
+			hashValue = newHashValue[:]
+		}
+	}
+	return hashValue
+}