From f565edd76dcd2f9db89c524310d1031052e96cbf Mon Sep 17 00:00:00 2001
From: Skyxim <me@skyxim.dev>
Date: Sat, 25 Feb 2023 22:01:20 +0800
Subject: [PATCH] chore: add custom ca trust

---
 component/tls/config.go  | 48 +++++++++++++---------------------------
 config/config.go         | 11 ++++-----
 docs/config.yaml         |  5 +++++
 hub/executor/executor.go |  6 +++--
 4 files changed, 28 insertions(+), 42 deletions(-)

diff --git a/component/tls/config.go b/component/tls/config.go
index 39d1b1fd..50daad46 100644
--- a/component/tls/config.go
+++ b/component/tls/config.go
@@ -11,31 +11,30 @@ import (
 	"strings"
 	"sync"
 
-	CN "github.com/Dreamacro/clash/common/net"
-
 	xtls "github.com/xtls/go"
 )
 
-var tlsCertificates = make([]tls.Certificate, 0)
+var trustCert,_ = x509.SystemCertPool()
 
 var mutex sync.RWMutex
 var errNotMacth error = errors.New("certificate fingerprints do not match")
 
-func AddCertificate(privateKey, certificate string) error {
+func AddCertificate(certificate string) error {
 	mutex.Lock()
 	defer mutex.Unlock()
-	if cert, err := CN.ParseCert(certificate, privateKey); err != nil {
-		return err
-	} else {
-		tlsCertificates = append(tlsCertificates, cert)
+	if certificate == "" {
+		return fmt.Errorf("certificate is empty")
+	}
+	if ok := trustCert.AppendCertsFromPEM([]byte(certificate)); !ok {
+		return fmt.Errorf("add certificate failed")
 	}
 	return nil
 }
 
-func GetCertificates() []tls.Certificate {
-	mutex.RLock()
-	defer mutex.RUnlock()
-	return tlsCertificates
+func ResetCertificate(){
+	mutex.Lock()
+	defer mutex.Unlock()
+	trustCert,_=x509.SystemCertPool()
 }
 
 func verifyFingerprint(fingerprint *[32]byte) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
@@ -87,10 +86,10 @@ func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string)
 func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
 	if tlsConfig == nil {
 		return &tls.Config{
-			Certificates: tlsCertificates,
+			RootCAs: trustCert,
 		}
 	}
-	tlsConfig.Certificates = append(tlsConfig.Certificates, tlsCertificates...)
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }
 
@@ -107,29 +106,12 @@ func GetSpecifiedFingerprintXTLSConfig(tlsConfig *xtls.Config, fingerprint strin
 }
 
 func GetGlobalXTLSConfig(tlsConfig *xtls.Config) *xtls.Config {
-	xtlsCerts := make([]xtls.Certificate, len(tlsCertificates))
-	for _, cert := range tlsCertificates {
-		tlsSsaList := make([]xtls.SignatureScheme, len(cert.SupportedSignatureAlgorithms))
-		for _, ssa := range cert.SupportedSignatureAlgorithms {
-			tlsSsa := xtls.SignatureScheme(ssa)
-			tlsSsaList = append(tlsSsaList, tlsSsa)
-		}
-		xtlsCert := xtls.Certificate{
-			Certificate:                  cert.Certificate,
-			PrivateKey:                   cert.PrivateKey,
-			OCSPStaple:                   cert.OCSPStaple,
-			SignedCertificateTimestamps:  cert.SignedCertificateTimestamps,
-			Leaf:                         cert.Leaf,
-			SupportedSignatureAlgorithms: tlsSsaList,
-		}
-		xtlsCerts = append(xtlsCerts, xtlsCert)
-	}
 	if tlsConfig == nil {
 		return &xtls.Config{
-			Certificates: xtlsCerts,
+			RootCAs: trustCert,
 		}
 	}
 
-	tlsConfig.Certificates = xtlsCerts
+	tlsConfig.RootCAs = trustCert
 	return tlsConfig
 }
diff --git a/config/config.go b/config/config.go
index 24159d8e..76e5491b 100644
--- a/config/config.go
+++ b/config/config.go
@@ -120,13 +120,9 @@ type Profile struct {
 }
 
 type TLS struct {
-	RawCert         `yaml:",inline"`
-	CustomTrustCert []RawCert `yaml:"custom-certifactes"`
-}
-
-type RawCert struct {
-	Certificate string `yaml:"certificate"`
-	PrivateKey  string `yaml:"private-key"`
+	Certificate     string   `yaml:"certificate"`
+	PrivateKey      string   `yaml:"private-key"`
+	CustomTrustCert []string `yaml:"custom-certifactes"`
 }
 
 // IPTables config
@@ -447,6 +443,7 @@ func ParseRawConfig(rawCfg *RawConfig) (*Config, error) {
 	}
 	config.General = general
 
+	dialer.DefaultInterface.Store(config.General.Interface)
 	proxies, providers, err := parseProxies(rawCfg)
 	if err != nil {
 		return nil, err
diff --git a/docs/config.yaml b/docs/config.yaml
index f6e9502e..771532d1 100644
--- a/docs/config.yaml
+++ b/docs/config.yaml
@@ -30,6 +30,11 @@ ipv6: true # 开启 IPv6 总开关，关闭阻断所有 IPv6 链接和屏蔽 DNS
 tls:
   certificate: string # 证书 PEM 格式，或者 证书的路径
   private-key: string # 证书对应的私钥 PEM 格式，或者私钥路径
+  custom-certifactes:
+    - |
+      -----BEGIN CERTIFICATE-----
+      format/pem...
+      -----END CERTIFICATE-----
 
 external-controller: 0.0.0.0:9093 # RESTful API 监听地址
 external-controller-tls: 0.0.0.0:9443 # RESTful API HTTPS 监听地址，需要配置 tls 部分配置文件
diff --git a/hub/executor/executor.go b/hub/executor/executor.go
index 916f17c7..34f0f1a1 100644
--- a/hub/executor/executor.go
+++ b/hub/executor/executor.go
@@ -169,9 +169,11 @@ func updateExperimental(c *config.Config) {
 }
 
 func preUpdateExperimental(c *config.Config) {
-	CTLS.AddCertificate(c.TLS.PrivateKey, c.TLS.Certificate)
+	CTLS.ResetCertificate()
 	for _, c := range c.TLS.CustomTrustCert {
-		CTLS.AddCertificate(c.PrivateKey, c.Certificate)
+		if err := CTLS.AddCertificate(c); err != nil {
+			log.Warnln("%s\nadd error: %s", c, err.Error())
+		}
 	}
 }