mirror of
https://github.com/MetaCubeX/mihomo.git
synced 2025-12-20 00:50:06 +08:00
cbcacdbb8c
Some checks are pending
Test / test (1.20, macos-15-intel) (push) Waiting to run
Test / test (1.20, macos-latest) (push) Waiting to run
Test / test (1.20, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.20, ubuntu-latest) (push) Waiting to run
Test / test (1.20, windows-latest) (push) Waiting to run
Test / test (1.21, macos-15-intel) (push) Waiting to run
Test / test (1.21, macos-latest) (push) Waiting to run
Test / test (1.21, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.21, ubuntu-latest) (push) Waiting to run
Test / test (1.21, windows-latest) (push) Waiting to run
Test / test (1.22, macos-15-intel) (push) Waiting to run
Test / test (1.22, macos-latest) (push) Waiting to run
Test / test (1.22, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.22, ubuntu-latest) (push) Waiting to run
Test / test (1.22, windows-latest) (push) Waiting to run
Test / test (1.23, macos-15-intel) (push) Waiting to run
Test / test (1.23, macos-latest) (push) Waiting to run
Test / test (1.23, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.23, ubuntu-latest) (push) Waiting to run
Test / test (1.23, windows-latest) (push) Waiting to run
Test / test (1.24, macos-15-intel) (push) Waiting to run
Test / test (1.24, macos-latest) (push) Waiting to run
Test / test (1.24, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.24, ubuntu-latest) (push) Waiting to run
Test / test (1.24, windows-latest) (push) Waiting to run
Test / test (1.25, macos-15-intel) (push) Waiting to run
Test / test (1.25, macos-latest) (push) Waiting to run
Test / test (1.25, ubuntu-24.04-arm) (push) Waiting to run
Test / test (1.25, ubuntu-latest) (push) Waiting to run
Test / test (1.25, windows-latest) (push) Waiting to run
Trigger CMFA Update / trigger-CMFA-update (push) Waiting to run
139 lines
4.1 KiB
Go
139 lines
4.1 KiB
Go
package ca
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/ecdsa"
|
|
"crypto/ed25519"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"crypto/rsa"
|
|
"crypto/x509"
|
|
"encoding/pem"
|
|
"fmt"
|
|
"math/big"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/metacubex/tls"
|
|
)
|
|
|
|
type Path interface {
|
|
Resolve(path string) string
|
|
IsSafePath(path string) bool
|
|
ErrNotSafePath(path string) error
|
|
}
|
|
|
|
// NewTLSKeyPairLoader creates a loader function for TLS key pairs from the provided certificate and private key data or file paths.
|
|
// If both certificate and privateKey are empty, generates a random TLS RSA key pair.
|
|
// Accepts a Path interface for resolving file paths when necessary.
|
|
func NewTLSKeyPairLoader(certificate, privateKey string, path Path) (func() (*tls.Certificate, error), error) {
|
|
if certificate == "" && privateKey == "" {
|
|
var err error
|
|
certificate, privateKey, _, err = NewRandomTLSKeyPair(KeyPairTypeRSA)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
cert, painTextErr := tls.X509KeyPair([]byte(certificate), []byte(privateKey))
|
|
if painTextErr == nil {
|
|
return func() (*tls.Certificate, error) {
|
|
return &cert, nil
|
|
}, nil
|
|
}
|
|
if path == nil {
|
|
return nil, painTextErr
|
|
}
|
|
|
|
certificate = path.Resolve(certificate)
|
|
privateKey = path.Resolve(privateKey)
|
|
var loadErr error
|
|
if !path.IsSafePath(certificate) {
|
|
loadErr = path.ErrNotSafePath(certificate)
|
|
} else if !path.IsSafePath(privateKey) {
|
|
loadErr = path.ErrNotSafePath(privateKey)
|
|
} else {
|
|
cert, loadErr = tls.LoadX509KeyPair(certificate, privateKey)
|
|
}
|
|
if loadErr != nil {
|
|
return nil, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
|
|
}
|
|
return func() (*tls.Certificate, error) {
|
|
return &cert, nil
|
|
}, nil
|
|
}
|
|
|
|
func LoadCertificates(certificate string, path Path) (*x509.CertPool, error) {
|
|
pool := x509.NewCertPool()
|
|
if pool.AppendCertsFromPEM([]byte(certificate)) {
|
|
return pool, nil
|
|
}
|
|
painTextErr := fmt.Errorf("invalid certificate: %s", certificate)
|
|
if path == nil {
|
|
return nil, painTextErr
|
|
}
|
|
|
|
certificate = path.Resolve(certificate)
|
|
var loadErr error
|
|
if !path.IsSafePath(certificate) {
|
|
loadErr = path.ErrNotSafePath(certificate)
|
|
} else {
|
|
certPEMBlock, err := os.ReadFile(certificate)
|
|
if pool.AppendCertsFromPEM(certPEMBlock) {
|
|
return pool, nil
|
|
}
|
|
loadErr = err
|
|
}
|
|
if loadErr != nil {
|
|
return nil, fmt.Errorf("parse certificate failed, maybe format error:%s, or path error: %s", painTextErr.Error(), loadErr.Error())
|
|
}
|
|
return pool, nil
|
|
}
|
|
|
|
type KeyPairType string
|
|
|
|
const (
|
|
KeyPairTypeRSA KeyPairType = "rsa"
|
|
KeyPairTypeP256 KeyPairType = "p256"
|
|
KeyPairTypeP384 KeyPairType = "p384"
|
|
KeyPairTypeEd25519 KeyPairType = "ed25519"
|
|
)
|
|
|
|
// NewRandomTLSKeyPair generates a random TLS key pair based on the specified KeyPairType and returns it with a SHA256 fingerprint.
|
|
// Note: Most browsers do not support KeyPairTypeEd25519 type of certificate, and utls.UConn will also reject this type of certificate.
|
|
func NewRandomTLSKeyPair(keyPairType KeyPairType) (certificate string, privateKey string, fingerprint string, err error) {
|
|
var key crypto.Signer
|
|
switch keyPairType {
|
|
case KeyPairTypeRSA:
|
|
key, err = rsa.GenerateKey(rand.Reader, 2048)
|
|
case KeyPairTypeP256:
|
|
key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
case KeyPairTypeP384:
|
|
key, err = ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
|
|
case KeyPairTypeEd25519:
|
|
_, key, err = ed25519.GenerateKey(rand.Reader)
|
|
default: // fallback to KeyPairTypeRSA
|
|
key, err = rsa.GenerateKey(rand.Reader, 2048)
|
|
}
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
template := x509.Certificate{
|
|
SerialNumber: big.NewInt(1),
|
|
NotBefore: time.Now().Add(-time.Hour * 24 * 365),
|
|
NotAfter: time.Now().Add(time.Hour * 24 * 365),
|
|
}
|
|
certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, key.Public(), key)
|
|
if err != nil {
|
|
return
|
|
}
|
|
privBytes, err := x509.MarshalPKCS8PrivateKey(key)
|
|
if err != nil {
|
|
return
|
|
}
|
|
fingerprint = CalculateFingerprint(certDER)
|
|
privateKey = string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}))
|
|
certificate = string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: certDER}))
|
|
return
|
|
}
|