Add Chrome Root Store certificate option

Adds `chrome` as a new certificate store option alongside `mozilla`.
Both stores filter out China-based CA certificates.

cmd/internal/update_certificates/main.go

@@ -17,6 +17,10 @@ func main() {
 	if err != nil {
 		log.Error(err)
 	}
+	err = updateChromeIncludedRootCAs()
+	if err != nil {
+		log.Error(err)
+	}
 }
 
 func updateMozillaIncludedRootCAs() error {
@@ -69,3 +73,94 @@ func init() {
 	generated.WriteString("}\n")
 	return os.WriteFile("common/certificate/mozilla.go", []byte(generated.String()), 0o644)
 }
+
+func fetchChinaFingerprints() (map[string]bool, error) {
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/AllCertificateRecordsCSVFormatv4")
+	if err != nil {
+		return nil, err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return nil, err
+	}
+	countryIndex := slices.Index(header, "Country")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	chinaFingerprints := make(map[string]bool)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return nil, err
+		}
+		if record[countryIndex] == "China" {
+			chinaFingerprints[record[fingerprintIndex]] = true
+		}
+	}
+	return chinaFingerprints, nil
+}
+
+func updateChromeIncludedRootCAs() error {
+	chinaFingerprints, err := fetchChinaFingerprints()
+	if err != nil {
+		return err
+	}
+
+	response, err := http.Get("https://ccadb.my.salesforce-sites.com/ccadb/RootCACertificatesIncludedByRSReportCSV")
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+	reader := csv.NewReader(response.Body)
+	header, err := reader.Read()
+	if err != nil {
+		return err
+	}
+	subjectIndex := slices.Index(header, "Subject")
+	statusIndex := slices.Index(header, "Google Chrome Status")
+	certIndex := slices.Index(header, "X.509 Certificate (PEM)")
+	fingerprintIndex := slices.Index(header, "SHA-256 Fingerprint")
+
+	generated := strings.Builder{}
+	generated.WriteString(`// Code generated by 'make update_certificates'. DO NOT EDIT.
+
+package certificate
+
+import "crypto/x509"
+
+var chromeIncluded *x509.CertPool
+
+func init() {
+	chromeIncluded = x509.NewCertPool()
+`)
+	for {
+		record, err := reader.Read()
+		if err == io.EOF {
+			break
+		} else if err != nil {
+			return err
+		}
+		if record[statusIndex] != "Included" {
+			continue
+		}
+		if chinaFingerprints[record[fingerprintIndex]] {
+			continue
+		}
+		generated.WriteString("\n	// ")
+		generated.WriteString(record[subjectIndex])
+		generated.WriteString("\n")
+		generated.WriteString("	chromeIncluded.AppendCertsFromPEM([]byte(`")
+		cert := record[certIndex]
+		// Remove single quotes if present
+		if len(cert) > 0 && cert[0] == '\'' {
+			cert = cert[1 : len(cert)-1]
+		}
+		generated.WriteString(cert)
+		generated.WriteString("`))\n")
+	}
+	generated.WriteString("}\n")
+	return os.WriteFile("common/certificate/chrome.go", []byte(generated.String()), 0o644)
+}

common/certificate/store.go

@@ -53,6 +53,8 @@ func NewStore(ctx context.Context, logger logger.Logger, options option.Certific
 		}
 	case C.CertificateStoreMozilla:
 		systemPool = mozillaIncluded
+	case C.CertificateStoreChrome:
+		systemPool = chromeIncluded
 	case C.CertificateStoreNone:
 		systemPool = nil
 	default:

constant/certificate.go

@@ -3,5 +3,6 @@ package constant
 const (
 	CertificateStoreSystem  = "system"
 	CertificateStoreMozilla = "mozilla"
+	CertificateStoreChrome  = "chrome"
 	CertificateStoreNone    = "none"
 )

docs/configuration/certificate/index.md

@@ -4,6 +4,10 @@ icon: material/new-box
 
 !!! question "Since sing-box 1.12.0"
 
+!!! quote "Changes in sing-box 1.13.0"
+
+    :material-plus: [Chrome Root Store](#store)
+
 # Certificate
 
 ### Structure
@@ -28,9 +32,10 @@ icon: material/new-box
 The default X509 trusted CA certificate list.
 
 | Type               | Description                                                                                                    |
-|--------------------|---------------------------------------------------------------------------------------------------------------|
+|--------------------|----------------------------------------------------------------------------------------------------------------|
 | `system` (default) | System trusted CA certificates                                                                                 |
 | `mozilla`          | [Mozilla Included List](https://wiki.mozilla.org/CA/Included_Certificates) with China CA certificates removed |
+| `chrome`           | [Chrome Root Store](https://g.co/chrome/root-policy) with China CA certificates removed                        |
 | `none`             | Empty list                                                                                                     |
 
 #### certificate

docs/configuration/certificate/index.zh.md

@@ -4,6 +4,10 @@ icon: material/new-box
 
 !!! question "自 sing-box 1.12.0 起"
 
+!!! quote "sing-box 1.13.0 中的更改"
+
+    :material-plus: [Chrome Root Store](#store)
+
 # 证书
 
 ### 结构
@@ -28,9 +32,10 @@ icon: material/new-box
 默认的 X509 受信任 CA 证书列表。
 
 | 类型              | 描述                                                                                       |
-|--------------------|--------------------------------------------------------------------------------------------|
+|-------------------|--------------------------------------------------------------------------------------------|
 | `system`（默认）   | 系统受信任的 CA 证书                                                                        |
 | `mozilla`         | [Mozilla 包含列表](https://wiki.mozilla.org/CA/Included_Certificates)（已移除中国 CA 证书） |
+| `chrome`          | [Chrome Root Store](https://g.co/chrome/root-policy)（已移除中国 CA 证书）                  |
 | `none`            | 空列表                                                                                     |
 
 #### certificate