Feature: MITM rewrite

common/cert/cert.go

@@ -0,0 +1,282 @@
+package cert
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/sha1"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"net"
+	"os"
+	"sync/atomic"
+	"time"
+)
+
+var currentSerialNumber = time.Now().Unix()
+
+type Config struct {
+	ca           *x509.Certificate
+	caPrivateKey *rsa.PrivateKey
+
+	roots *x509.CertPool
+
+	privateKey *rsa.PrivateKey
+
+	validity     time.Duration
+	keyID        []byte
+	organization string
+
+	certsStorage CertsStorage
+}
+
+type CertsStorage interface {
+	Get(key string) (*tls.Certificate, bool)
+
+	Set(key string, cert *tls.Certificate)
+}
+
+type CertsCache struct {
+	certsCache map[string]*tls.Certificate
+}
+
+func (c *CertsCache) Get(key string) (*tls.Certificate, bool) {
+	v, ok := c.certsCache[key]
+	return v, ok
+}
+
+func (c *CertsCache) Set(key string, cert *tls.Certificate) {
+	c.certsCache[key] = cert
+}
+
+func NewAuthority(name, organization string, validity time.Duration) (*x509.Certificate, *rsa.PrivateKey, error) {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+	pub := privateKey.Public()
+
+	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, nil, err
+	}
+	h := sha1.New()
+	_, err = h.Write(pkixPub)
+	if err != nil {
+		return nil, nil, err
+	}
+	keyID := h.Sum(nil)
+
+	serial := atomic.AddInt64(&currentSerialNumber, 1)
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(serial),
+		Subject: pkix.Name{
+			CommonName:   name,
+			Organization: []string{organization},
+		},
+		SubjectKeyId:          keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-validity),
+		NotAfter:              time.Now().Add(validity),
+		DNSNames:              []string{name},
+		IsCA:                  true,
+	}
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, privateKey)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return x509c, privateKey, nil
+}
+
+func NewConfig(ca *x509.Certificate, caPrivateKey *rsa.PrivateKey, storage CertsStorage) (*Config, error) {
+	roots := x509.NewCertPool()
+	roots.AddCert(ca)
+
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	pub := privateKey.Public()
+
+	pkixPub, err := x509.MarshalPKIXPublicKey(pub)
+	if err != nil {
+		return nil, err
+	}
+	h := sha1.New()
+	_, err = h.Write(pkixPub)
+	if err != nil {
+		return nil, err
+	}
+	keyID := h.Sum(nil)
+
+	if storage == nil {
+		storage = &CertsCache{certsCache: make(map[string]*tls.Certificate)}
+	}
+
+	return &Config{
+		ca:           ca,
+		caPrivateKey: caPrivateKey,
+		privateKey:   privateKey,
+		keyID:        keyID,
+		validity:     time.Hour,
+		organization: "Clash",
+		certsStorage: storage,
+		roots:        roots,
+	}, nil
+}
+
+func (c *Config) GetCA() *x509.Certificate {
+	return c.ca
+}
+
+func (c *Config) SetOrganization(organization string) {
+	c.organization = organization
+}
+
+func (c *Config) SetValidity(validity time.Duration) {
+	c.validity = validity
+}
+
+func (c *Config) NewTLSConfigForHost(hostname string) *tls.Config {
+	tlsConfig := &tls.Config{
+		GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			host := clientHello.ServerName
+			if host == "" {
+				host = hostname
+			}
+
+			return c.GetOrCreateCert(host)
+		},
+		NextProtos: []string{"http/1.1"},
+	}
+
+	tlsConfig.InsecureSkipVerify = true
+
+	return tlsConfig
+}
+
+func (c *Config) GetOrCreateCert(hostname string, ips ...net.IP) (*tls.Certificate, error) {
+	host, _, err := net.SplitHostPort(hostname)
+	if err == nil {
+		hostname = host
+	}
+
+	tlsCertificate, ok := c.certsStorage.Get(hostname)
+	if ok {
+		if _, err = tlsCertificate.Leaf.Verify(x509.VerifyOptions{
+			DNSName: hostname,
+			Roots:   c.roots,
+		}); err == nil {
+			return tlsCertificate, nil
+		}
+	}
+
+	serial := atomic.AddInt64(&currentSerialNumber, 1)
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(serial),
+		Subject: pkix.Name{
+			CommonName:   hostname,
+			Organization: []string{c.organization},
+		},
+		SubjectKeyId:          c.keyID,
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+		NotBefore:             time.Now().Add(-c.validity),
+		NotAfter:              time.Now().Add(c.validity),
+	}
+
+	if ip := net.ParseIP(hostname); ip != nil {
+		ips = append(ips, ip)
+	} else {
+		tmpl.DNSNames = []string{hostname}
+	}
+
+	tmpl.IPAddresses = ips
+
+	raw, err := x509.CreateCertificate(rand.Reader, tmpl, c.ca, c.privateKey.Public(), c.caPrivateKey)
+	if err != nil {
+		return nil, err
+	}
+
+	x509c, err := x509.ParseCertificate(raw)
+	if err != nil {
+		return nil, err
+	}
+
+	tlsCertificate = &tls.Certificate{
+		Certificate: [][]byte{raw, c.ca.Raw},
+		PrivateKey:  c.privateKey,
+		Leaf:        x509c,
+	}
+
+	c.certsStorage.Set(hostname, tlsCertificate)
+	return tlsCertificate, nil
+}
+
+// GenerateAndSave generate CA private key and CA certificate and dump them to file
+func GenerateAndSave(caPath string, caKeyPath string) error {
+	privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return err
+	}
+
+	tmpl := &x509.Certificate{
+		SerialNumber: big.NewInt(time.Now().Unix()),
+		Subject: pkix.Name{
+			Country:      []string{"US"},
+			CommonName:   "Clash Root CA",
+			Organization: []string{"Clash Trust Services"},
+		},
+		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		NotBefore:             time.Now().Add(-(time.Hour * 24 * 60)),
+		NotAfter:              time.Now().Add(time.Hour * 24 * 365 * 25),
+		BasicConstraintsValid: true,
+		IsCA:                  true,
+	}
+
+	caRaw, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, privateKey.Public(), privateKey)
+	if err != nil {
+		return err
+	}
+
+	caOut, err := os.OpenFile(caPath, os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func(caOut *os.File) {
+		_ = caOut.Close()
+	}(caOut)
+
+	if err = pem.Encode(caOut, &pem.Block{Type: "CERTIFICATE", Bytes: caRaw}); err != nil {
+		return err
+	}
+
+	caKeyOut, err := os.OpenFile(caKeyPath, os.O_CREATE|os.O_WRONLY, 0o600)
+	if err != nil {
+		return err
+	}
+	defer func(caKeyOut *os.File) {
+		_ = caKeyOut.Close()
+	}(caKeyOut)
+
+	if err = pem.Encode(caKeyOut, &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(privateKey)}); err != nil {
+		return err
+	}
+
+	return nil
+}

common/cert/cert_test.go

@@ -0,0 +1,76 @@
+package cert
+
+import (
+	"crypto/tls"
+	"crypto/x509"
+	"net"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCert(t *testing.T) {
+	ca, privateKey, err := NewAuthority("Clash ca", "Clash", 24*time.Hour)
+
+	assert.Nil(t, err)
+	assert.NotNil(t, ca)
+	assert.NotNil(t, privateKey)
+
+	c, err := NewConfig(ca, privateKey, nil)
+	assert.Nil(t, err)
+
+	c.SetValidity(20 * time.Hour)
+	c.SetOrganization("Test Organization")
+
+	conf := c.NewTLSConfigForHost("example.org")
+	assert.Equal(t, []string{"http/1.1"}, conf.NextProtos)
+	assert.True(t, conf.InsecureSkipVerify)
+
+	// Test generating a certificate
+	clientHello := &tls.ClientHelloInfo{
+		ServerName: "example.org",
+	}
+	tlsCert, err := conf.GetCertificate(clientHello)
+	assert.Nil(t, err)
+	assert.NotNil(t, tlsCert)
+
+	// Assert certificate details
+	x509c := tlsCert.Leaf
+	assert.Equal(t, "example.org", x509c.Subject.CommonName)
+	assert.Nil(t, x509c.VerifyHostname("example.org"))
+	assert.Equal(t, []string{"Test Organization"}, x509c.Subject.Organization)
+	assert.NotNil(t, x509c.SubjectKeyId)
+	assert.True(t, x509c.BasicConstraintsValid)
+	assert.True(t, x509c.KeyUsage&x509.KeyUsageKeyEncipherment == x509.KeyUsageKeyEncipherment)
+	assert.True(t, x509c.KeyUsage&x509.KeyUsageDigitalSignature == x509.KeyUsageDigitalSignature)
+	assert.Equal(t, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, x509c.ExtKeyUsage)
+	assert.Equal(t, []string{"example.org"}, x509c.DNSNames)
+	assert.True(t, x509c.NotBefore.Before(time.Now().Add(-2*time.Hour)))
+	assert.True(t, x509c.NotAfter.After(time.Now().Add(2*time.Hour)))
+
+	// Check that certificate is cached
+	tlsCert2, err := c.GetOrCreateCert("example.org")
+	assert.Nil(t, err)
+	assert.True(t, tlsCert == tlsCert2)
+
+	// Check the certificate for an IP
+	tlsCertForIP, err := c.GetOrCreateCert("192.168.0.1:443")
+	assert.Nil(t, err)
+	x509c = tlsCertForIP.Leaf
+	assert.Equal(t, 1, len(x509c.IPAddresses))
+	assert.True(t, net.ParseIP("192.168.0.1").Equal(x509c.IPAddresses[0]))
+}
+
+func TestGenerateAndSave(t *testing.T) {
+	caPath := "ca.crt"
+	caKeyPath := "ca.key"
+
+	err := GenerateAndSave(caPath, caKeyPath)
+
+	assert.Nil(t, err)
+
+	_ = os.Remove(caPath)
+	_ = os.Remove(caKeyPath)
+}

common/cert/storage.go

@@ -0,0 +1,32 @@
+package cert
+
+import (
+	"crypto/tls"
+	"time"
+
+	"github.com/Dreamacro/clash/common/cache"
+)
+
+var TTL = time.Hour * 2
+
+// AutoGCCertsStorage cache with the generated certificates, auto released after TTL
+type AutoGCCertsStorage struct {
+	certsCache *cache.Cache[string, *tls.Certificate]
+}
+
+// Get gets the certificate from the storage
+func (c *AutoGCCertsStorage) Get(key string) (*tls.Certificate, bool) {
+	ca := c.certsCache.Get(key)
+	return ca, ca != nil
+}
+
+// Set saves the certificate to the storage
+func (c *AutoGCCertsStorage) Set(key string, cert *tls.Certificate) {
+	c.certsCache.Put(key, cert, TTL)
+}
+
+func NewAutoGCCertsStorage() *AutoGCCertsStorage {
+	return &AutoGCCertsStorage{
+		certsCache: cache.New[string, *tls.Certificate](TTL),
+	}
+}