README
¶
certs
X.509 certificate generation and management code. We use four seperate certificate chains (4 CAs):
SliverCA- Used to encrypt and authenticated client-side C2 channels between the server and the Slivers. Uses both ECC and RSA certificates depending on the use case.OperatorCA(wasClientCA) - Used to sign certs that authenticate and encrypt the mutual TLS connection between the operator and the server.ServerCA- Used to secure server-side C2, the ServerCA public key is embedded into the sliver binaries.HTTPSCA- Used to generate self-signed HTTPS certificates (that are not used to encrypt C2 data)
Certificates are all stored CA-specific Badger databases managed by the db package. The key is the common name of the certificate and the value is a JSON object (i.e. CertificateKeyPair) that contains the key type (RSA or ECC), certifcate, and private key.
ACME
The package can also interact with Let's Encrypt (ACME) services to generate certificates that are trusted in the browser (alternative to HTTPSCA). These certificates are used with the HTTPS servers/listeners, but not used to encrypt any C2.
Documentation
¶
Index ¶
- Constants
- Variables
- func C2ServerGenerateECCCertificate(host string) ([]byte, []byte, error)
- func C2ServerGenerateRSACertificate(host string) ([]byte, []byte, error)
- func C2ServerGetRSACertificate(host string) ([]byte, []byte, error)
- func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certificate, *ecdsa.PrivateKey)
- func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
- func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
- func GenerateWGKeys(isPeer bool, wgPeerTunIP string) (string, string, error)
- func GetACMEDir() string
- func GetACMEManager(domain string) *autocert.Manager
- func GetCertificate(caType string, keyType string, commonName string) ([]byte, []byte, error)
- func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)
- func GetCertificateAuthorityPEM(caType string) ([]byte, []byte, error)
- func GetECCCertificate(caType string, commonName string) ([]byte, []byte, error)
- func GetRSACertificate(caType string, commonName string) ([]byte, []byte, error)
- func GetWGPeers() (map[string]string, error)
- func GetWGServerKeys() (string, string, error)
- func HTTPSGenerateRSACertificate(host string) ([]byte, []byte, error)
- func ImplantGenerateECCCertificate(sliverName string) ([]byte, []byte, error)
- func ImplantGenerateRSACertificate(sliverName string) ([]byte, []byte, error)
- func ImplantGenerateWGKeys(wgPeerTunIP string) (string, string, error)
- func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error)
- func OperatorClientGetCertificate(operator string) ([]byte, []byte, error)
- func OperatorClientListCertificates() []*x509.Certificate
- func OperatorClientRemoveCertificate(operator string) error
- func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error)
- func OperatorServerGetCertificate(hostname string) ([]byte, []byte, error)
- func RemoveCertificate(caType string, keyType string, commonName string) error
- func SaveCertificateAuthority(caType string, cert []byte, key []byte)
- func SetupCAs()
- func SetupWGKeys()
Constants ¶
const ( // RSAKeySize - Default size of RSA keys in bits RSAKeySize = 2048 // This is plenty 4096 is overkill // ECCKey - Namespace for ECC keys ECCKey = "ecc" // RSAKey - Namespace for RSA keys RSAKey = "rsa" )
const (
// ACMEDirName - Name of dir to store ACME certs
ACMEDirName = "acme"
)
const (
// C2ServerCA - Directory containing HTTPS server certificates
C2ServerCA = "c2-server"
)
const (
// HTTPSCA - Directory containing operator certificates
HTTPSCA = "https"
)
const (
// ImplantCA - Directory containing sliver certificates
ImplantCA = "sliver"
)
const (
// OperatorCA - Directory containing operator certificates
OperatorCA = "operator"
)
Variables ¶
var ( ErrWGPeerDoesNotExist = errors.New("wg peer does not exist") ErrWGServerKeysDoNotExist = errors.New("wg server keys do not exist") )
var ( // ErrCertDoesNotExist - Returned if a GetCertificate() is called for a cert/cn that does not exist ErrCertDoesNotExist = errors.New("Certificate does not exist") )
Functions ¶
func C2ServerGenerateECCCertificate ¶
C2ServerGenerateECCCertificate - Generate a server certificate signed with a given CA
func C2ServerGenerateRSACertificate ¶
C2ServerGenerateRSACertificate - Generate a server certificate signed with a given CA
func C2ServerGetRSACertificate ¶
C2ServerGetRSACertificate - Get a server certificate based on hostname
func GenerateCertificateAuthority ¶
func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certificate, *ecdsa.PrivateKey)
GenerateCertificateAuthority - Creates a new CA cert for a given type
func GenerateECCCertificate ¶
func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
GenerateECCCertificate - Generate a TLS certificate with the given parameters We choose some reasonable defaults like Curve, Key Size, ValidFor, etc. Returns two strings `cert` and `key` (PEM Encoded).
func GenerateRSACertificate ¶
func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
GenerateRSACertificate - Generates a 2048 bit RSA Certificate
func GenerateWGKeys ¶ added in v1.4.9
GenerateWGKeys - Generates and saves new wg keys
func GetACMEManager ¶
GetACMEManager - Get an ACME cert/tls config with the certs
func GetCertificate ¶
GetCertificate - Get the PEM encoded certificate & key for a host
func GetCertificateAuthority ¶
func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)
GetCertificateAuthority - Get the current CA certificate
func GetCertificateAuthorityPEM ¶
GetCertificateAuthorityPEM - Get PEM encoded CA cert/key
func GetECCCertificate ¶
GetECCCertificate - Get an ECC certificate
func GetRSACertificate ¶
GetRSACertificate - Get an RSA certificate
func GetWGPeers ¶ added in v1.4.9
GetWGSPeers - Get a map of Pubkey:TunIP for existing wg peers
func GetWGServerKeys ¶ added in v1.4.9
GetWGServerKeys - Get existing wg server keys
func HTTPSGenerateRSACertificate ¶
HTTPSGenerateRSACertificate - Generate a server certificate signed with a given CA
func ImplantGenerateECCCertificate ¶
ImplantGenerateECCCertificate - Generate a certificate signed with a given CA
func ImplantGenerateRSACertificate ¶
ImplantGenerateRSACertificate - Generate a certificate signed with a given CA
func ImplantGenerateWGKeys ¶ added in v1.4.9
ImplantGenerateWGKeys - Generate WG keys for implant
func OperatorClientGenerateCertificate ¶
OperatorClientGenerateCertificate - Generate a certificate signed with a given CA
func OperatorClientGetCertificate ¶
OperatorClientGetCertificate - Helper function to fetch a client cert
func OperatorClientListCertificates ¶
func OperatorClientListCertificates() []*x509.Certificate
OperatorClientListCertificates - Get all client certificates
func OperatorClientRemoveCertificate ¶
OperatorClientRemoveCertificate - Helper function to remove a client cert
func OperatorServerGenerateCertificate ¶
OperatorServerGenerateCertificate - Generate a certificate signed with a given CA
func OperatorServerGetCertificate ¶
OperatorServerGetCertificate - Helper function to fetch a server cert
func RemoveCertificate ¶
RemoveCertificate - Remove a certificate from the cert store
func SaveCertificateAuthority ¶
SaveCertificateAuthority - Save the certificate and the key to the filesystem doesn't return an error because errors are fatal. If we can't generate CAs, then we can't secure comms and we should die a horrible death.
func SetupWGKeys ¶ added in v1.4.9
func SetupWGKeys()
Types ¶
This section is empty.
Source Files