Add Chrome Root Store certificate option

Adds `chrome` as a new certificate store option alongside `mozilla`. Both stores filter out China-based CA certificates.
2026-04-11 17:47:20 +10:00 · 2025-12-21 15:13:24 +08:00
parent 0d8c7a9c5d
commit cba18635c8
6 changed files with 2934 additions and 9 deletions
--- a/cmd/internal/update_certificates/main.go
+++ b/cmd/internal/update_certificates/main.go
@@ -17,6 +17,10 @@ func main() {
 	if err != nil {
 		log.Error(err)
 	}
 	err = updateChromeIncludedRootCAs()
 	if err != nil {
 		log.Error(err)
 	}
 }
 func updateMozillaIncludedRootCAs() error {
@@ -69,3 +73,94 @@ func init() {
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
 func fetchChinaFingerprints() (map[string]bool, error) {
 	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
 	if err != nil {
 		return nil, err
 	}
 	defer response.Body.Close()
 	reader := csv.NewReader(response.Body)
 	header, err := reader.Read()
 	if err != nil {
 		return nil, err
 	}
 	countryIndex := slices.Index(header, "Country")
 	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
 	chinaFingerprints := make(map[string]bool)
 	for {
 		record, err := reader.Read()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return nil, err
 		}
 		if record[countryIndex] == "China" {
 			chinaFingerprints[record[fingerprintIndex]] = true
 		}
 	}
 	return chinaFingerprints, nil
 }
 func updateChromeIncludedRootCAs() error {
 	chinaFingerprints, err := fetchChinaFingerprints()
 	if err != nil {
 		return err
 	}
 	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
 	if err != nil {
 		return err
 	}
 	defer response.Body.Close()
 	reader := csv.NewReader(response.Body)
 	header, err := reader.Read()
 	if err != nil {
 		return err
 	}
 	subjectIndex := slices.Index(header, "Subject")
 	statusIndex := slices.Index(header, "Google Chrome Status")
 	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
 	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
 	generated := strings.Builder{}
 	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
 package certificate
 import "crypto/x509"
 var chromeIncluded *x509.CertPool
 func init() {
 	chromeIncluded = x509.NewCertPool()
 `)
 	for {
 		record, err := reader.Read()
 		if err == io.EOF {
 			break
 		} else if err != nil {
 			return err
 		}
 		if record[statusIndex] != "Included" {
 			continue
 		}
 		if chinaFingerprints[record[fingerprintIndex]] {
 			continue
 		}
 		generated.WriteString("\n	// ")
 		generated.WriteString(record[subjectIndex])
 		generated.WriteString("\n")
 		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
 		cert := record[certIndex]
 		// Remove single quotes if present
 		if len(cert) > 0 && cert[0] == '\'' {
 			cert = cert[1 : len(cert)-1]
 		}
 		generated.WriteString(cert)
 		generated.WriteString("`))\n")
 	}
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
 }
--- a/common/certificate/chrome.go
+++ b/common/certificate/chrome.go
--- a/common/certificate/store.go
+++ b/common/certificate/store.go
@@ -53,6 +53,8 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
 	case C.CertificateStoreChrome:
 		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:
--- a/constant/certificate.go
+++ b/constant/certificate.go
@@ -3,5 +3,6 @@ package constant
 const (
 	CertificateStoreSystem  = "system"
 	CertificateStoreMozilla = "mozilla"
 	CertificateStoreChrome  = "chrome"
 	CertificateStoreNone    = "none"
 )
--- a/docs/configuration/certificate/index.md
+++ b/docs/configuration/certificate/index.md
@@ -4,6 +4,10 @@ icon: material/new-box
 !!! question "Since sing-box 1.12.0"
 !!! quote "Changes in sing-box 1.13.0"
    :material-plus: [Chrome Root Store](#store)
 # Certificate
 ### Structure
@@ -27,11 +31,12 @@ icon: material/new-box
 The default X509 trusted CA certificate list.
-| Type               | Description                                                                                                   |
+| Type               | Description                                                                                                    |
-|--------------------|---------------------------------------------------------------------------------------------------------------|
+|--------------------|----------------------------------------------------------------------------------------------------------------|
-| `system` (default) | System trusted CA certificates                                                                                |
+| `system` (default) | System trusted CA certificates                                                                                 |
 | `mozilla`          | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
-| `none`             | Empty list                                                                                                    |
+| `chrome`           | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed                        |
 | `none`             | Empty list                                                                                                     |
 #### certificate
--- a/docs/configuration/certificate/index.zh.md
+++ b/docs/configuration/certificate/index.zh.md
@@ -4,6 +4,10 @@ icon: material/new-box
 !!! question "自 sing-box 1.12.0 起"
 !!! quote "sing-box 1.13.0 中的更改"
    :material-plus: [Chrome Root Store](#store)
 # 证书
 ### 结构
@@ -27,11 +31,12 @@ icon: material/new-box
 默认的 X509 受信任 CA 证书列表。
-| 类型                | 描述                                                                                       |
+| 类型              | 描述                                                                                       |
-|--------------------|--------------------------------------------------------------------------------------------|
+|-------------------|--------------------------------------------------------------------------------------------|
-| `system`（默认）    | 系统受信任的 CA 证书                                                                        |
+| `system`（默认）   | 系统受信任的 CA 证书                                                                        |
-| `mozilla`          | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
+| `mozilla`         | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
-| `none`             | 空列表                                                                                     |
+| `chrome`          | [Chrome Root Store](https://g.co/chrome/root-policy)（已移除中国 CA 证书）                  |
 | `none`            | 空列表                                                                                     |
 #### certificate