TLS client: Simplify cert's verification code (#5656)

Fixes https://github.com/XTLS/Xray-core/issues/5655
2026-05-08 14:13:22 +00:00 · 2026-02-06 09:57:32 +08:00
parent b7a22c729b
commit 4632984b66
6 changed files with 105 additions and 78 deletions
--- a/transport/internet/tls/config.go
+++ b/transport/internet/tls/config.go
@@ -289,9 +289,6 @@ func (r *RandCarrier) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509
 	if len(certs) == 0 {
 		return errors.New("unexpected certs")
 	}
-	if certs[0].IsCA {
-		slices.Reverse(certs)
-	}

 	// directly return success if pinned cert is leaf
 	// or replace RootCAs if pinned cert is CA (and can be used in VerifyPeerCertByName)
@@ -558,14 +555,19 @@ const (
 )

 func verifyChain(certs []*x509.Certificate, pinnedPeerCertSha256 [][]byte) (verifyResult, *x509.Certificate) {
+	leafHash := GenerateCertHash(certs[0])
+	for _, c := range pinnedPeerCertSha256 {
+		if hmac.Equal(leafHash, c) {
+			return foundLeaf, nil
+		}
+	}
+	certs = certs[1:] // skip leaf
 	for _, cert := range certs {
 		certHash := GenerateCertHash(cert)
 		for _, c := range pinnedPeerCertSha256 {
 			if hmac.Equal(certHash, c) {
 				if cert.IsCA {
 					return foundCA, cert
-				} else {
-					return foundLeaf, cert
 				}
 			}
 		}
--- a/transport/internet/tls/pin.go
+++ b/transport/internet/tls/pin.go
@@ -4,28 +4,8 @@ import (
 	"crypto/sha256"
 	"crypto/x509"
 	"encoding/hex"
-	"encoding/pem"
 )

-func CalculatePEMLeafCertSHA256Hash(certContent []byte) (string, error) {
-	var leafCert *x509.Certificate
-	for {
-		var err error
-		block, remain := pem.Decode(certContent)
-		if block == nil {
-			break
-		}
-		leafCert, err = x509.ParseCertificate(block.Bytes)
-		if err != nil {
-			return "", err
-		}
-		certContent = remain
-	}
-	certHash := GenerateCertHash(leafCert)
-	certHashHex := hex.EncodeToString(certHash)
-	return certHashHex, nil
-}
-
 // []byte must be ASN.1 DER content
 func GenerateCertHash[T *x509.Certificate | []byte](cert T) []byte {
 	var out [32]byte
@@ -37,3 +17,14 @@ func GenerateCertHash[T *x509.Certificate | []byte](cert T) []byte {
 	}
 	return out[:]
 }
+
+func GenerateCertHashHex[T *x509.Certificate | []byte](cert T) string {
+	var out [32]byte
+	switch v := any(cert).(type) {
+	case *x509.Certificate:
+		out = sha256.Sum256(v.Raw)
+	case []byte:
+		out = sha256.Sum256(v)
+	}
+	return hex.EncodeToString(out[:])
+}