chore: cleanup internal ca using

2026-02-27 01:07:10 +00:00 · 2025-09-13 14:07:49 +08:00
parent 08fc100c85
commit 57e14e5b62
21 changed files with 212 additions and 152 deletions
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"sync"

+	"github.com/metacubex/mihomo/common/once"
 	C "github.com/metacubex/mihomo/constant"
 )

@@ -65,18 +66,6 @@ func ResetCertificate() {
 	initializeCertPool()
 }

-func getCertPool() *x509.CertPool {
-	if globalCertPool == nil {
-		mutex.Lock()
-		defer mutex.Unlock()
-		if globalCertPool != nil {
-			return globalCertPool
-		}
-		initializeCertPool()
-	}
-	return globalCertPool
-}
-
 func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
 	var certificate []byte
 	var err error
@@ -99,22 +88,40 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error)
 		}
 		return certPool, nil
 	} else {
-		return getCertPool(), nil
+		mutex.Lock()
+		defer mutex.Unlock()
+		if globalCertPool == nil {
+			initializeCertPool()
+		}
+		return globalCertPool, nil
 	}
 }

-// GetTLSConfig specified fingerprint, customCA and customCAString
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
+type Option struct {
+	TLSConfig      *tls.Config
+	Fingerprint    string
+	CustomCA       string
+	CustomCAString string
+	ZeroTrust      bool
+}
+
+func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
+	tlsConfig = opt.TLSConfig
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
-	if err != nil {
-		return nil, err
+
+	if opt.ZeroTrust {
+		tlsConfig.RootCAs = zeroTrustCertPool()
+	} else {
+		tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString)
+		if err != nil {
+			return nil, err
+		}
 	}

-	if len(fingerprint) > 0 {
-		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
+	if len(opt.Fingerprint) > 0 {
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(opt.Fingerprint)
 		if err != nil {
 			return nil, err
 		}
@@ -123,12 +130,12 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 	return tlsConfig, nil
 }

-// GetSpecifiedFingerprintTLSConfig specified fingerprint
-func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
-	return GetTLSConfig(tlsConfig, fingerprint, "", "")
-}
-
-func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
-	return tlsConfig
-}
+var zeroTrustCertPool = once.OnceValue(func() *x509.CertPool {
+	if len(_CaCertificates) != 0 { // always using embed cert first
+		zeroTrustCertPool := x509.NewCertPool()
+		if zeroTrustCertPool.AppendCertsFromPEM(_CaCertificates) {
+			return zeroTrustCertPool
+		}
+	}
+	return nil // fallback to system pool
+})
--- a/component/http/http.go
+++ b/component/http/http.go
@@ -2,7 +2,6 @@ package http

 import (
 	"context"
-	"crypto/tls"
 	"io"
 	"net"
 	"net/http"
@@ -28,11 +27,11 @@ func SetUA(UA string) {
 	ua = UA
 }

-func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader) (*http.Response, error) {
-	return HttpRequestWithProxy(ctx, url, method, header, body, "")
-}
-
-func HttpRequestWithProxy(ctx context.Context, url, method string, header map[string][]string, body io.Reader, specialProxy string) (*http.Response, error) {
+func HttpRequest(ctx context.Context, url, method string, header map[string][]string, body io.Reader, options ...Option) (*http.Response, error) {
+	opt := option{}
+	for _, o := range options {
+		o(&opt)
+	}
 	method = strings.ToUpper(method)
 	urlRes, err := URL.Parse(url)
 	if err != nil {
@@ -40,6 +39,10 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 	}

 	req, err := http.NewRequest(method, urlRes.String(), body)
+	if err != nil {
+		return nil, err
+	}
+
 	for k, v := range header {
 		for _, v := range v {
 			req.Header.Add(k, v)
@@ -50,10 +53,6 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		req.Header.Set("User-Agent", UA())
 	}

-	if err != nil {
-		return nil, err
-	}
-
 	if user := urlRes.User; user != nil {
 		password, _ := user.Password()
 		req.SetBasicAuth(user.Username(), password)
@@ -61,6 +60,11 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st

 	req = req.WithContext(ctx)

+	tlsConfig, err := ca.GetTLSConfig(opt.caOption)
+	if err != nil {
+		return nil, err
+	}
+
 	transport := &http.Transport{
 		// from http.DefaultTransport
 		DisableKeepAlives:     runtime.GOOS == "android",
@@ -69,15 +73,34 @@ func HttpRequestWithProxy(ctx context.Context, url, method string, header map[st
 		TLSHandshakeTimeout:   10 * time.Second,
 		ExpectContinueTimeout: 1 * time.Second,
 		DialContext: func(ctx context.Context, network, address string) (net.Conn, error) {
-			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, specialProxy); err == nil {
+			if conn, err := inner.HandleTcp(inner.GetTunnel(), address, opt.specialProxy); err == nil {
 				return conn, nil
 			} else {
 				return dialer.DialContext(ctx, network, address)
 			}
 		},
-		TLSClientConfig: ca.GetGlobalTLSConfig(&tls.Config{}),
+		TLSClientConfig: tlsConfig,
 	}

 	client := http.Client{Transport: transport}
 	return client.Do(req)
 }
+
+type Option func(opt *option)
+
+type option struct {
+	specialProxy string
+	caOption     ca.Option
+}
+
+func WithSpecialProxy(name string) Option {
+	return func(opt *option) {
+		opt.specialProxy = name
+	}
+}
+
+func WithCAOption(caOption ca.Option) Option {
+	return func(opt *option) {
+		opt.caOption = caOption
+	}
+}
--- a/component/resource/vehicle.go
+++ b/component/resource/vehicle.go
@@ -135,7 +135,7 @@ func (h *HTTPVehicle) Read(ctx context.Context, oldHash utils.HashType) (buf []b
 			setIfNoneMatch = true
 		}
 	}
-	resp, err := mihomoHttp.HttpRequestWithProxy(ctx, h.url, http.MethodGet, header, nil, h.proxy)
+	resp, err := mihomoHttp.HttpRequest(ctx, h.url, http.MethodGet, header, nil, mihomoHttp.WithSpecialProxy(h.proxy))
 	if err != nil {
 		return
 	}
--- a/component/updater/update_core.go
+++ b/component/updater/update_core.go
@@ -15,6 +15,7 @@ import (
 	"sync"
 	"time"

+	"github.com/metacubex/mihomo/component/ca"
 	mihomoHttp "github.com/metacubex/mihomo/component/http"
 	C "github.com/metacubex/mihomo/constant"
 	"github.com/metacubex/mihomo/constant/features"
@@ -171,7 +172,7 @@ func (u *CoreUpdater) Update(currentExePath string, channel string, force bool)
 func (u *CoreUpdater) getLatestVersion(versionURL string) (version string, err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*5)
 	defer cancel()
-	resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil)
+	resp, err := mihomoHttp.HttpRequest(ctx, versionURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true}))
 	if err != nil {
 		return "", err
 	}
@@ -194,7 +195,7 @@ func (u *CoreUpdater) getLatestVersion(versionURL string) (version string, err e
 func (u *CoreUpdater) download(updateDir, packagePath, packageURL string) (err error) {
 	ctx, cancel := context.WithTimeout(context.Background(), time.Second*90)
 	defer cancel()
-	resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil)
+	resp, err := mihomoHttp.HttpRequest(ctx, packageURL, http.MethodGet, nil, nil, mihomoHttp.WithCAOption(ca.Option{ZeroTrust: true}))
 	if err != nil {
 		return fmt.Errorf("http request failed: %w", err)
 	}