chore: cleanup internal ca using

2026-02-26 16:57:08 +00:00 · 2025-09-13 14:07:49 +08:00
parent 08fc100c85
commit 57e14e5b62
21 changed files with 212 additions and 152 deletions
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -10,6 +10,7 @@ import (
 	"strconv"
 	"sync"

+	"github.com/metacubex/mihomo/common/once"
 	C "github.com/metacubex/mihomo/constant"
 )

@@ -65,18 +66,6 @@ func ResetCertificate() {
 	initializeCertPool()
 }

-func getCertPool() *x509.CertPool {
-	if globalCertPool == nil {
-		mutex.Lock()
-		defer mutex.Unlock()
-		if globalCertPool != nil {
-			return globalCertPool
-		}
-		initializeCertPool()
-	}
-	return globalCertPool
-}
-
 func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error) {
 	var certificate []byte
 	var err error
@@ -99,22 +88,40 @@ func GetCertPool(customCA string, customCAString string) (*x509.CertPool, error)
 		}
 		return certPool, nil
 	} else {
-		return getCertPool(), nil
+		mutex.Lock()
+		defer mutex.Unlock()
+		if globalCertPool == nil {
+			initializeCertPool()
+		}
+		return globalCertPool, nil
 	}
 }

-// GetTLSConfig specified fingerprint, customCA and customCAString
-func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, customCAString string) (_ *tls.Config, err error) {
+type Option struct {
+	TLSConfig      *tls.Config
+	Fingerprint    string
+	CustomCA       string
+	CustomCAString string
+	ZeroTrust      bool
+}
+
+func GetTLSConfig(opt Option) (tlsConfig *tls.Config, err error) {
+	tlsConfig = opt.TLSConfig
 	if tlsConfig == nil {
 		tlsConfig = &tls.Config{}
 	}
-	tlsConfig.RootCAs, err = GetCertPool(customCA, customCAString)
-	if err != nil {
-		return nil, err
+
+	if opt.ZeroTrust {
+		tlsConfig.RootCAs = zeroTrustCertPool()
+	} else {
+		tlsConfig.RootCAs, err = GetCertPool(opt.CustomCA, opt.CustomCAString)
+		if err != nil {
+			return nil, err
+		}
 	}

-	if len(fingerprint) > 0 {
-		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(fingerprint)
+	if len(opt.Fingerprint) > 0 {
+		tlsConfig.VerifyPeerCertificate, err = NewFingerprintVerifier(opt.Fingerprint)
 		if err != nil {
 			return nil, err
 		}
@@ -123,12 +130,12 @@ func GetTLSConfig(tlsConfig *tls.Config, fingerprint string, customCA string, cu
 	return tlsConfig, nil
 }

-// GetSpecifiedFingerprintTLSConfig specified fingerprint
-func GetSpecifiedFingerprintTLSConfig(tlsConfig *tls.Config, fingerprint string) (*tls.Config, error) {
-	return GetTLSConfig(tlsConfig, fingerprint, "", "")
-}
-
-func GetGlobalTLSConfig(tlsConfig *tls.Config) *tls.Config {
-	tlsConfig, _ = GetTLSConfig(tlsConfig, "", "", "")
-	return tlsConfig
-}
+var zeroTrustCertPool = once.OnceValue(func() *x509.CertPool {
+	if len(_CaCertificates) != 0 { // always using embed cert first
+		zeroTrustCertPool := x509.NewCertPool()
+		if zeroTrustCertPool.AppendCertsFromPEM(_CaCertificates) {
+			return zeroTrustCertPool
+		}
+	}
+	return nil // fallback to system pool
+})