Adding support for additional root CAs for DoH TLS Auth (#1281)

dnscrypt-proxy/config.go

@@ -226,6 +226,7 @@ type TLSClientAuthCredsConfig struct {
 	ServerName string `toml:"server_name"`
 	ClientCert string `toml:"client_cert"`
 	ClientKey  string `toml:"client_key"`
+	RootCA     string `toml:"root_ca"`
 }
 
 type DoHClientX509AuthConfig struct {
@@ -506,6 +507,7 @@ func ConfigLoad(proxy *Proxy, flags *ConfigFlags) error {
 		credFiles := DOHClientCreds{
 			clientCert: configClientCred.ClientCert,
 			clientKey:  configClientCred.ClientKey,
+			rootCA:     configClientCred.RootCA,
 		}
 		creds[configClientCred.ServerName] = credFiles
 	}

dnscrypt-proxy/example-dnscrypt-proxy.toml

@@ -648,7 +648,7 @@ fragments_blocked = ['cisco', 'cisco-ipv6', 'cisco-familyshield', 'cisco-familys
 # [doh_client_x509_auth]
 
 # creds = [
-#    { server_name='myserver', client_cert='client.crt', client_key='client.key' }
+#    { server_name='myserver', client_cert='client.crt', client_key='client.key', root_ca='ca.crt' }
 # ]
 
 

dnscrypt-proxy/serversInfo.go

@@ -38,6 +38,7 @@ type ServerBugs struct {
 type DOHClientCreds struct {
 	clientCert string
 	clientKey  string
+	rootCA     string
 }
 
 type ServerInfo struct {

dnscrypt-proxy/xtransport.go

@@ -5,6 +5,7 @@ import (
 	"context"
 	"crypto/sha512"
 	"crypto/tls"
+	"crypto/x509"
 	"encoding/base64"
 	"encoding/hex"
 	"errors"
@@ -164,6 +165,15 @@ func (xTransport *XTransport) rebuildTransport() {
 		if err != nil {
 			dlog.Fatalf("Unable to use certificate [%v] (key: [%v]): %v", clientCreds.clientCert, clientCreds.clientKey, err)
 		}
+		if clientCreds.rootCA != "" {
+			caCert, err := ioutil.ReadFile(clientCreds.rootCA)
+			if err != nil {
+				dlog.Fatal(err)
+			}
+			systemCertPool, err := x509.SystemCertPool()
+			systemCertPool.AppendCertsFromPEM(caCert)
+			tlsClientConfig.RootCAs = systemCertPool
+		}
 		tlsClientConfig.Certificates = []tls.Certificate{cert}
 	}
 	if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {