From a39800270b1ff9bb2fd6c385ad2935a5b5d4e2c5 Mon Sep 17 00:00:00 2001
From: ginuerzh
Date: Tue, 21 Mar 2023 18:11:06 +0800
Subject: [PATCH] load default CA from ca.pem

---
 config/parsing/tls.go    | 17 +++--------------
 internal/util/tls/tls.go | 16 ++++++++++------
 2 files changed, 13 insertions(+), 20 deletions(-)

diff --git a/config/parsing/tls.go b/config/parsing/tls.go
index 6279f1d..fa38087 100644
--- a/config/parsing/tls.go
+++ b/config/parsing/tls.go
@@ -16,6 +16,7 @@ import (
 
 	"github.com/go-gost/core/logger"
 	"github.com/go-gost/x/config"
+	tls_util "github.com/go-gost/x/internal/util/tls"
 )
 
 var (
@@ -29,10 +30,11 @@ func BuildDefaultTLSConfig(cfg *config.TLSConfig) {
 		cfg = &config.TLSConfig{
 			CertFile: "cert.pem",
 			KeyFile:  "key.pem",
+			CAFile:   "ca.pem",
 		}
 	}
 
-	tlsConfig, err := loadConfig(cfg.CertFile, cfg.KeyFile)
+	tlsConfig, err := tls_util.LoadConfig(cfg.CertFile, cfg.KeyFile, cfg.CAFile)
 	if err != nil {
 		// generate random self-signed certificate.
 		cert, err := genCertificate(cfg.Validity, cfg.Organization, cfg.CommonName)
@@ -49,19 +51,6 @@ func BuildDefaultTLSConfig(cfg *config.TLSConfig) {
 	defaultTLSConfig = tlsConfig
 }
 
-func loadConfig(certFile, keyFile string) (*tls.Config, error) {
-	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return nil, err
-	}
-
-	cfg := &tls.Config{
-		Certificates: []tls.Certificate{cert},
-	}
-
-	return cfg, nil
-}
-
 func genCertificate(validity time.Duration, org string, cn string) (cert tls.Certificate, err error) {
 	rawCert, rawKey, err := generateKeyPair(validity, org, cn)
 	if err != nil {
diff --git a/internal/util/tls/tls.go b/internal/util/tls/tls.go
index 50a7bbb..f40746c 100644
--- a/internal/util/tls/tls.go
+++ b/internal/util/tls/tls.go
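Review bot: The new import alias `tls_util` carries an underscore, which Go naming conventions (and the usual linters) flag for identifiers; a MixedCaps alias such as `tlsutil "github.com/go-gost/x/internal/util/tls"` would match the rest of the file. The call site in the following hunk would then read `tlsutil.LoadConfig(...)`.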
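Review bot: Passing the new default `CAFile: "ca.pem"` into `tls_util.LoadConfig` widens the condition under which BuildDefaultTLSConfig silently falls back to a random self-signed certificate: previously only a missing or bad cert/key pair hit that branch, but if LoadConfig reports a non-empty caFile it cannot read or parse as an error (its body lies outside this hunk, so this is inferred from the removed loadConfig, which never touched a CA), a deployment with a valid cert.pem/key.pem and no ca.pem would now lose its real certificate and serve an untrusted self-signed one. Conversely, if LoadConfig installs a loaded CA as ClientCAs with client-certificate verification, the mere presence of a ca.pem next to cert.pem would turn the default server config into a client-cert-required one without any explicit configuration. Either way the CA default deserves to be treated as optional and logged when it is absent rather than folded into the self-signed fallback; e.g. only supply it when the file is readable, `if _, err := os.Stat(cfg.CAFile); err != nil { cfg.CAFile = "" }` before the call, or log the LoadConfig error at warn level before falling back. BuildDefaultTLSConfig starts before and ends after this hunk.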
@@ -9,12 +9,7 @@ import (
 	"time"
 )
 
-// LoadServerConfig loads the certificate from cert & key files and optional client CA file.
-func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
-	if certFile == "" && keyFile == "" {
-		return nil, nil
-	}
-
+func LoadConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
 	cert, err := tls.LoadX509KeyPair(certFile, keyFile)
 	if err != nil {
 		return nil, err
@@ -34,6 +29,15 @@ func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
 	return cfg, nil
 }
 
+// LoadServerConfig loads the certificate from cert & key files and optional client CA file.
+func LoadServerConfig(certFile, keyFile, caFile string) (*tls.Config, error) {
+	if certFile == "" && keyFile == "" {
+		return nil, nil
+	}
+
+	return LoadConfig(certFile, keyFile, caFile)
+}
+
 // LoadClientConfig loads the certificate from cert & key files and optional CA file.
 func LoadClientConfig(certFile, keyFile, caFile string, verify bool, serverName string) (*tls.Config, error) {
 	var cfg *tls.Config
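Review bot: The newly exported `LoadConfig` has no doc comment — the comment that used to sit above this body was moved to the LoadServerConfig wrapper in the next hunk — so the one exported entry point that actually reads the files is undocumented, including what a non-empty caFile does to the returned config. A comment in the package's existing style would do, e.g. `// LoadConfig loads the certificate from cert & key files and the optional CA file. Unlike LoadServerConfig it does not treat empty cert/key paths as "TLS disabled"; callers wanting that guard should use LoadServerConfig.` The function's body continues past the end of this hunk.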