sing-box/cmd/internal/update_certificates/main.go

package main

import (
	"encoding/csv"
	"io"
	"net/http"
	"os"
	"strings"

	"github.com/sagernet/sing-box/log"

	"golang.org/x/exp/slices"
)

func main() {
	err := updateMozillaIncludedRootCAs()
	if err != nil {
		log.Error(err)
	}
	err = updateChromeIncludedRootCAs()
	if err != nil {
		log.Error(err)
	}
}

func updateMozillaIncludedRootCAs() error {
	response, err := http.Get("https://ccadb.my.salesforce-sites.com/mozilla/IncludedCACertificateReportPEMCSV")
	if err != nil {
		return err
	}
	defer response.Body.Close()
	reader := csv.NewReader(response.Body)
	header, err := reader.Read()
	if err != nil {
		return err
	}
	geoIndex := slices.Index(header, "Geographic Focus")
	nameIndex := slices.Index(header, "Common Name or Certificate Name")
	certIndex := slices.Index(header, "PEM Info")

	generated := strings.Builder{}
	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.

package certificate

import "crypto/x509"

var mozillaIncluded *x509.CertPool

func init() {
	mozillaIncluded = x509.NewCertPool()
`)
	for {
		record, err := reader.Read()
		if err == io.EOF {
			break
		} else if err != nil {
			return err
		}
		if record[geoIndex] == "China" {
			continue
		}
		generated.WriteString("\n	// ")
		generated.WriteString(record[nameIndex])
		generated.WriteString("\n")
		generated.WriteString("	mozillaIncluded.AppendCertsFromPEM([]byte(`")
		cert := record[certIndex]
		// Remove single quotes
		cert = cert[1 : len(cert)-1]
		generated.WriteString(cert)
		generated.WriteString("`))\n")
	}
	generated.WriteString("}\n")
	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
}

func fetchChinaFingerprints() (map[string]bool, error) {
	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
	if err != nil {
		return nil, err
	}
	defer response.Body.Close()
	reader := csv.NewReader(response.Body)
	header, err := reader.Read()
	if err != nil {
		return nil, err
	}
	countryIndex := slices.Index(header, "Country")
	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")

	chinaFingerprints := make(map[string]bool)
	for {
		record, err := reader.Read()
		if err == io.EOF {
			break
		} else if err != nil {
			return nil, err
		}
		if record[countryIndex] == "China" {
			chinaFingerprints[record[fingerprintIndex]] = true
		}
	}
	return chinaFingerprints, nil
}

func updateChromeIncludedRootCAs() error {
	chinaFingerprints, err := fetchChinaFingerprints()
	if err != nil {
		return err
	}

	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
	if err != nil {
		return err
	}
	defer response.Body.Close()
	reader := csv.NewReader(response.Body)
	header, err := reader.Read()
	if err != nil {
		return err
	}
	subjectIndex := slices.Index(header, "Subject")
	statusIndex := slices.Index(header, "Google Chrome Status")
	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")

	generated := strings.Builder{}
	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.

package certificate

import "crypto/x509"

var chromeIncluded *x509.CertPool

func init() {
	chromeIncluded = x509.NewCertPool()
`)
	for {
		record, err := reader.Read()
		if err == io.EOF {
			break
		} else if err != nil {
			return err
		}
		if record[statusIndex] != "Included" {
			continue
		}
		if chinaFingerprints[record[fingerprintIndex]] {
			continue
		}
		generated.WriteString("\n	// ")
		generated.WriteString(record[subjectIndex])
		generated.WriteString("\n")
		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
		cert := record[certIndex]
		// Remove single quotes if present
		if len(cert) > 0 && cert[0] == '\'' {
			cert = cert[1 : len(cert)-1]
		}
		generated.WriteString(cert)
		generated.WriteString("`))\n")
	}
	generated.WriteString("}\n")
	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
}