refactor(ssl): 提取证书池加载函数到 sslutil 包

将 LoadCACertPool 和 LoadCertPool 函数提取到独立的 sslutil 包，消除 ssl 和 stream 模块中的重复实现。 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-13 10:58:57 +08:00 · 2026-04-13 10:58:57 +08:00 · 96bd4b0ed5
commit 96bd4b0ed5
parent 019bc80aa4
5 changed files with 70 additions and 57 deletions
--- a/internal/ssl/client_verify.go
+++ b/internal/ssl/client_verify.go
@ -22,6 +22,7 @@ import (
 	"time"
 	"rua.plus/lolly/internal/config"
 	"rua.plus/lolly/internal/sslutil"
 )
 // ClientVerifyMode 客户端证书验证模式
@ -147,7 +148,7 @@ func NewClientVerifier(cfg config.ClientVerifyConfig) (*ClientVerifier, error) {
 			return nil, errors.New("client_ca is required when verify is enabled")
 		}
-		caPool, err := LoadCACertPool(cfg.ClientCA)
+		caPool, err := sslutil.LoadCACertPool(cfg.ClientCA)
 		if err != nil {
 			return nil, fmt.Errorf("failed to load CA certificate pool: %w", err)
 		}
@ -246,30 +247,6 @@ func (v *ClientVerifier) GetMode() ClientVerifyMode {
 	return v.mode
 }
 // LoadCACertPool 从文件加载 CA 证书池。
 //
 // 支持 PEM 格式的证书文件，可包含多个 CA 证书。
 //
 // 参数：
 //   - caFile: CA 证书文件路径
 //
 // 返回值：
 //   - *x509.CertPool: CA 证书池
 //   - error: 加载失败时返回错误
 func LoadCACertPool(caFile string) (*x509.CertPool, error) {
 	data, err := os.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read CA file: %w", err)
 	}
 	caPool := x509.NewCertPool()
 	if !caPool.AppendCertsFromPEM(data) {
 		return nil, errors.New("failed to parse CA certificates")
 	}
 	return caPool, nil
 }
 // LoadCRL 从文件加载证书吊销列表。
 //
 // 支持 PEM 和 DER 格式的 CRL 文件。
--- a/internal/ssl/client_verify_test.go
+++ b/internal/ssl/client_verify_test.go
@ -24,6 +24,7 @@ import (
 	"time"
 	"rua.plus/lolly/internal/config"
 	"rua.plus/lolly/internal/sslutil"
 )
 // generateTestCA 生成测试 CA 证书。
@ -165,7 +166,7 @@ func TestLoadCACertPool(t *testing.T) {
 	}
 	// 测试加载
-	pool, err := LoadCACertPool(caFile)
+	pool, err := sslutil.LoadCACertPool(caFile)
 	if err != nil {
 		t.Fatalf("LoadCACertPool() failed: %v", err)
 	}
@ -174,7 +175,7 @@ func TestLoadCACertPool(t *testing.T) {
 	}
 	// 测试文件不存在
-	_, err = LoadCACertPool("/nonexistent/ca.crt")
+	_, err = sslutil.LoadCACertPool("/nonexistent/ca.crt")
 	if err == nil {
 		t.Error("LoadCACertPool() should fail for non-existent file")
 	}
@ -184,7 +185,7 @@ func TestLoadCACertPool(t *testing.T) {
 	if err := os.WriteFile(invalidFile, []byte("invalid data"), 0644); err != nil {
 		t.Fatalf("写入无效证书文件失败: %v", err)
 	}
-	_, err = LoadCACertPool(invalidFile)
+	_, err = sslutil.LoadCACertPool(invalidFile)
 	if err == nil {
 		t.Error("LoadCACertPool() should fail for invalid certificate")
 	}
@ -692,7 +693,7 @@ func BenchmarkLoadCACertPool(b *testing.B) {
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
-		_, err := LoadCACertPool(caFile)
+		_, err := sslutil.LoadCACertPool(caFile)
 		if err != nil {
 			b.Fatal(err)
 		}
--- a/internal/sslutil/certpool.go
+++ b/internal/sslutil/certpool.go
@ -0,0 +1,56 @@
 // Package sslutil provides SSL/TLS utility functions.
 package sslutil
 import (
 	"crypto/x509"
 	"errors"
 	"fmt"
 	"os"
 )
 // LoadCertPool loads a certificate pool from a file.
 // Supports PEM format certificate files that may contain multiple certificates.
 //
 // Parameters:
 //   - certFile: Certificate file path
 //   - context: Context description for error messages
 //
 // Returns:
 //   - *x509.CertPool: Certificate pool
 //   - error: Returns error if loading fails
 func LoadCertPool(certFile string, context string) (*x509.CertPool, error) {
 	data, err := os.ReadFile(certFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read certificate file: %w", err)
 	}
 	pool := x509.NewCertPool()
 	if !pool.AppendCertsFromPEM(data) {
 		return nil, fmt.Errorf("failed to parse certificates from %s", certFile)
 	}
 	return pool, nil
 }
 // LoadCACertPool loads a CA certificate pool from a file.
 // This is a convenience function for loading CA certificates.
 //
 // Parameters:
 //   - caFile: CA certificate file path
 //
 // Returns:
 //   - *x509.CertPool: CA certificate pool
 //   - error: Returns error if loading fails
 func LoadCACertPool(caFile string) (*x509.CertPool, error) {
 	data, err := os.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("failed to read CA file: %w", err)
 	}
 	caPool := x509.NewCertPool()
 	if !caPool.AppendCertsFromPEM(data) {
 		return nil, errors.New("failed to parse CA certificates")
 	}
 	return caPool, nil
 }
--- a/internal/stream/ssl.go
+++ b/internal/stream/ssl.go
@ -13,10 +13,10 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"fmt"
 	"os"
 	"sync"
 	"rua.plus/lolly/internal/config"
 	"rua.plus/lolly/internal/sslutil"
 )
 // SSLManager 管理 Stream SSL/TLS 配置。
@ -65,7 +65,7 @@ func NewSSLManager(cfg config.StreamSSLConfig) (*SSLManager, error) {
 	// 加载客户端 CA 证书（mTLS）
 	if cfg.ClientCA != "" {
-		pool, err := loadCertPool(cfg.ClientCA)
+		pool, err := sslutil.LoadCertPool(cfg.ClientCA, "client CA")
 		if err != nil {
 			return nil, fmt.Errorf("failed to load client CA: %w", err)
 		}
@ -101,7 +101,7 @@ func NewProxySSLManager(cfg config.StreamProxySSLConfig) (*ProxySSLManager, erro
 	// 加载信任的 CA 证书
 	if cfg.TrustedCA != "" {
-		pool, err := loadCertPool(cfg.TrustedCA)
+		pool, err := sslutil.LoadCertPool(cfg.TrustedCA, "trusted CA")
 		if err != nil {
 			return nil, fmt.Errorf("failed to load trusted CA: %w", err)
 		}
@ -211,28 +211,6 @@ func (m *ProxySSLManager) IsEnabled() bool {
 	return m.config.Enabled
 }
 // loadCertPool 从文件加载证书池。
 //
 // 参数：
 //   - certFile: 证书文件路径
 //
 // 返回值：
 //   - *x509.CertPool: 证书池
 //   - error: 加载失败时返回错误
 func loadCertPool(certFile string) (*x509.CertPool, error) {
 	data, err := os.ReadFile(certFile)
 	if err != nil {
 		return nil, err
 	}
 	pool := x509.NewCertPool()
 	if !pool.AppendCertsFromPEM(data) {
 		return nil, fmt.Errorf("failed to parse certificates from %s", certFile)
 	}
 	return pool, nil
 }
 // parseMinTLSVersion 解析最小 TLS 版本。
 //
 // 参数：
--- a/internal/stream/ssl_test.go
+++ b/internal/stream/ssl_test.go
@ -18,6 +18,7 @@ import (
 	"time"
 	"rua.plus/lolly/internal/config"
 	"rua.plus/lolly/internal/sslutil"
 )
 // generateTestCertificate 生成测试用的自签名证书
@ -351,7 +352,7 @@ func TestLoadCertPool(t *testing.T) {
 			t.Fatalf("Failed to encode certificate: %v", err)
 		}
-		pool, err := loadCertPool(certFile)
+		pool, err := sslutil.LoadCertPool(certFile, "test")
 		if err != nil {
 			t.Fatalf("loadCertPool failed: %v", err)
 		}
@ -361,7 +362,7 @@ func TestLoadCertPool(t *testing.T) {
 	})
 	t.Run("invalid path", func(t *testing.T) {
-		_, err := loadCertPool("/nonexistent/cert.pem")
+		_, err := sslutil.LoadCertPool("/nonexistent/cert.pem", "test")
 		if err == nil {
 			t.Error("Expected error for nonexistent file")
 		}
@ -374,7 +375,7 @@ func TestLoadCertPool(t *testing.T) {
 			t.Fatalf("写入无效证书文件失败: %v", err)
 		}
-		_, err := loadCertPool(certFile)
+		_, err := sslutil.LoadCertPool(certFile, "test")
 		if err == nil {
 			t.Error("Expected error for invalid certificate content")
 		}