Simplify cert verify code

transport/internet/tls/config.go

@@ -289,9 +289,6 @@ func (r *RandCarrier) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509
 	if len(certs) == 0 {
 		return errors.New("unexpected certs")
 	}
-	if certs[0].IsCA {
-		slices.Reverse(certs)
-	}
 
 	// directly return success if pinned cert is leaf
 	// or replace RootCAs if pinned cert is CA (and can be used in VerifyPeerCertByName)
@@ -558,14 +555,19 @@ const (
 )
 
 func verifyChain(certs []*x509.Certificate, pinnedPeerCertSha256 [][]byte) (verifyResult, *x509.Certificate) {
+	leafHash := GenerateCertHash(certs[0])
+	for _, c := range pinnedPeerCertSha256 {
+		if hmac.Equal(leafHash, c) {
+			return foundLeaf, nil
+		}
+	}
+	certs = certs[1:] // skip leaf
 	for _, cert := range certs {
 		certHash := GenerateCertHash(cert)
 		for _, c := range pinnedPeerCertSha256 {
 			if hmac.Equal(certHash, c) {
 				if cert.IsCA {
 					return foundCA, cert
-				} else {
-					return foundLeaf, cert
 				}
 			}
 		}

transport/internet/tls/pin.go

@@ -5,25 +5,27 @@ import (
 	"crypto/x509"
 	"encoding/hex"
 	"encoding/pem"
+
+	"github.com/xtls/xray-core/common/errors"
 )
 
 func CalculatePEMLeafCertSHA256Hash(certContent []byte) (string, error) {
-	var leafCert *x509.Certificate
 	for {
-		var err error
 		block, remain := pem.Decode(certContent)
 		if block == nil {
-			break
+			return "", errors.New("Unable to decode cert")
 		}
-		leafCert, err = x509.ParseCertificate(block.Bytes)
+		Cert, err := x509.ParseCertificate(block.Bytes)
 		if err != nil {
 			return "", err
 		}
+		if !Cert.IsCA {
+			certHash := GenerateCertHash(Cert)
+			certHashHex := hex.EncodeToString(certHash)
+			return certHashHex, nil
+		}
 		certContent = remain
 	}
-	certHash := GenerateCertHash(leafCert)
-	certHashHex := hex.EncodeToString(certHash)
-	return certHashHex, nil
 }
 
 // []byte must be ASN.1 DER content