TLS config: Add pinnedPeerCertSha256; Remove pinnedPeerCertificateChainSha256 and pinnedPeerCertificatePublicKeySha256 (#5154)

Usage: https://github.com/XTLS/Xray-core/pull/5507

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: RPRX <63339210+RPRX@users.noreply.github.com>

main/commands/all/tls/certchainhash.go

@@ -1,40 +0,0 @@
-package tls
-
-import (
-	"flag"
-	"fmt"
-	"os"
-
-	"github.com/xtls/xray-core/main/commands/base"
-	"github.com/xtls/xray-core/transport/internet/tls"
-)
-
-var cmdCertChainHash = &base.Command{
-	UsageLine: "{{.Exec}} certChainHash",
-	Short:     "Calculate TLS certificates hash.",
-	Long: `
-	xray tls certChainHash --cert <cert.pem>
-	Calculate TLS certificate chain hash.
-	`,
-}
-
-func init() {
-	cmdCertChainHash.Run = executeCertChainHash // break init loop
-}
-
-var input = cmdCertChainHash.Flag.String("cert", "fullchain.pem", "The file path of the certificates chain")
-
-func executeCertChainHash(cmd *base.Command, args []string) {
-	fs := flag.NewFlagSet("certChainHash", flag.ContinueOnError)
-	if err := fs.Parse(args); err != nil {
-		fmt.Println(err)
-		return
-	}
-	certContent, err := os.ReadFile(*input)
-	if err != nil {
-		fmt.Println(err)
-		return
-	}
-	certChainHashB64 := tls.CalculatePEMCertChainSHA256Hash(certContent)
-	fmt.Println(certChainHashB64)
-}

main/commands/all/tls/leafcerthash.go

@@ -0,0 +1,44 @@
+package tls
+
+import (
+	"flag"
+	"fmt"
+	"os"
+
+	"github.com/xtls/xray-core/main/commands/base"
+	"github.com/xtls/xray-core/transport/internet/tls"
+)
+
+var cmdLeafCertHash = &base.Command{
+	UsageLine: "{{.Exec}} tls leafCertHash",
+	Short:     "Calculate TLS leaf certificate hash.",
+	Long: `
+	xray tls leafCertHash --cert <cert.pem>
+	Calculate TLS leaf certificate hash.
+	`,
+}
+
+func init() {
+	cmdLeafCertHash.Run = executeLeafCertHash // break init loop
+}
+
+var input = cmdLeafCertHash.Flag.String("cert", "fullchain.pem", "The file path of the leaf certificate")
+
+func executeLeafCertHash(cmd *base.Command, args []string) {
+	fs := flag.NewFlagSet("leafCertHash", flag.ContinueOnError)
+	if err := fs.Parse(args); err != nil {
+		fmt.Println(err)
+		return
+	}
+	certContent, err := os.ReadFile(*input)
+	if err != nil {
+		fmt.Println(err)
+		return
+	}
+	certChainHashB64, err := tls.CalculatePEMLeafCertSHA256Hash(certContent)
+	if err != nil {
+		fmt.Println("failed to decode cert", err)
+		return
+	}
+	fmt.Println(certChainHashB64)
+}

main/commands/all/tls/ping.go

@@ -3,7 +3,7 @@ package tls
 import (
 	gotls "crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
+	"encoding/hex"
 	"fmt"
 	"net"
 	"strconv"
@@ -156,8 +156,14 @@ func printTLSConnDetail(tlsConn *gotls.Conn) {
 
 func showCert() func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
 	return func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
-		hash := GenerateCertChainHash(rawCerts)
-		fmt.Println("Certificate Chain Hash: ", base64.StdEncoding.EncodeToString(hash))
+		var hash []byte
+		for _, asn1Data := range rawCerts {
+			cert, _ := x509.ParseCertificate(asn1Data)
+			if cert.IsCA {
+				hash = GenerateCertHash(cert)
+			}
+		}
+		fmt.Println("Certificate Leaf Hash: ", hex.EncodeToString(hash))
 		return nil
 	}
 }

main/commands/all/tls/tls.go

@@ -13,7 +13,7 @@ var CmdTLS = &base.Command{
 	Commands: []*base.Command{
 		cmdCert,
 		cmdPing,
-		cmdCertChainHash,
+		cmdLeafCertHash,
 		cmdECH,
 	},
 }