diff --git a/infra/conf/transport_internet.go b/infra/conf/transport_internet.go
index f88a3ba3e..1a4157435 100644
--- a/infra/conf/transport_internet.go
+++ b/infra/conf/transport_internet.go
@@ -1,6 +1,7 @@
 package conf
 import (
+	"encoding/base64"
 	"encoding/json"
 	"strings"
@@ -291,12 +292,13 @@ func (c *TLSCertConfig) Build() (*tls.Certificate, error) {
 }
 type TLSConfig struct {
-	Insecure bool `json:"allowInsecure"`
-	Certs []*TLSCertConfig `json:"certificates"`
-	ServerName string `json:"serverName"`
-	ALPN *StringList `json:"alpn"`
-	EnableSessionResumption bool `json:"enableSessionResumption"`
-	DisableSystemRoot bool `json:"disableSystemRoot"`
+	Insecure bool `json:"allowInsecure"`
+	Certs []*TLSCertConfig `json:"certificates"`
+	ServerName string `json:"serverName"`
+	ALPN *StringList `json:"alpn"`
+	EnableSessionResumption bool `json:"enableSessionResumption"`
+	DisableSystemRoot bool `json:"disableSystemRoot"`
+	PinnedPeerCertificateChainSha256 *[]string `json:"pinnedPeerCertificateChainSha256"`
 }
 // Build implements Buildable.
@@ -320,6 +322,18 @@ func (c *TLSConfig) Build() (proto.Message, error) {
 	}
 	config.EnableSessionResumption = c.EnableSessionResumption
 	config.DisableSystemRoot = c.DisableSystemRoot
+
+	if c.PinnedPeerCertificateChainSha256 != nil {
+		config.PinnedPeerCertificateChainSha256 = [][]byte{}
+		for _, v := range *c.PinnedPeerCertificateChainSha256 {
+			hashValue, err := base64.StdEncoding.DecodeString(v)
+			if err != nil {
+				return nil, err
+			}
+			config.PinnedPeerCertificateChainSha256 = append(config.PinnedPeerCertificateChainSha256, hashValue)
+		}
+	}
+
 	return config, nil
 }
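Review bot: The new `PinnedPeerCertificateChainSha256` field in the `TLSConfig` struct has no doc comment, and its expected wire format is only discoverable by reading `Build`, which decodes each entry with `base64.StdEncoding`. A comment on the field stating that each entry is a standard (padded) base64 encoding of a SHA-256 digest, e.g. `// PinnedPeerCertificateChainSha256 lists SHA-256 digests, each standard-base64 encoded, that the peer's certificate chain is checked against.`, would spare users from guessing hex or URL-safe base64 and from the opaque decode error they would otherwise get.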
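Review bot: In `TLSConfig.Build`, a decoded pin is appended without checking its length, so a truncated or mis-encoded value that still happens to be valid base64 becomes a pin of the wrong size and the error path gives no hint which entry was rejected. Since the field name commits to SHA-256, rejecting anything but 32 bytes at config-build time and naming the offending index would fail early with a useful message, e.g. `if err != nil || len(hashValue) != sha256.Size { return nil, fmt.Errorf("pinnedPeerCertificateChainSha256[%d]: want %d-byte SHA-256 digest, base64 encoded: %w", i, sha256.Size, err) }` (this needs `crypto/sha256` and `fmt` in the import block, and the loop to use `for i, v := range`). Note also that an empty but non-nil list produces an empty `[][]byte{}` rather than nil; whether the consumer then rejects every chain or treats it as "no pinning" is not visible here and would be worth stating in the field's doc comment. The enclosing function ends inside the hunk but begins above it.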