certs

package
v1.4.20 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 21, 2021 License: GPL-3.0 Imports: 25 Imported by: 18

README

certs

X.509 certificate generation and management code. We use four seperate certificate chains (4 CAs):

  • SliverCA - Used to encrypt and authenticated client-side C2 channels between the server and the Slivers. Uses both ECC and RSA certificates depending on the use case.
  • OperatorCA (was ClientCA) - Used to sign certs that authenticate and encrypt the mutual TLS connection between the operator and the server.
  • ServerCA - Used to secure server-side C2, the ServerCA public key is embedded into the sliver binaries.
  • HTTPSCA - Used to generate self-signed HTTPS certificates (that are not used to encrypt C2 data)

Certificates are all stored CA-specific Badger databases managed by the db package. The key is the common name of the certificate and the value is a JSON object (i.e. CertificateKeyPair) that contains the key type (RSA or ECC), certifcate, and private key.

ACME

The package can also interact with Let's Encrypt (ACME) services to generate certificates that are trusted in the browser (alternative to HTTPSCA). These certificates are used with the HTTPS servers/listeners, but not used to encrypt any C2.

Documentation

Index

Constants

View Source
const (
	// RSAKeySize - Default size of RSA keys in bits
	RSAKeySize = 2048 // This is plenty 4096 is overkill

	// ECCKey - Namespace for ECC keys
	ECCKey = "ecc"

	// RSAKey - Namespace for RSA keys
	RSAKey = "rsa"
)
View Source
const (
	// ACMEDirName - Name of dir to store ACME certs
	ACMEDirName = "acme"
)
View Source
const (
	// C2ServerCA - Directory containing HTTPS server certificates
	C2ServerCA = "c2-server"
)
View Source
const (
	// HTTPSCA - Directory containing operator certificates
	HTTPSCA = "https"
)
View Source
const (
	// ImplantCA - Directory containing sliver certificates
	ImplantCA = "sliver"
)
View Source
const (
	// OperatorCA - Directory containing operator certificates
	OperatorCA = "operator"
)

Variables

View Source
var (
	ErrWGPeerDoesNotExist     = errors.New("wg peer does not exist")
	ErrWGServerKeysDoNotExist = errors.New("wg server keys do not exist")
)
View Source
var (

	// ErrCertDoesNotExist - Returned if a GetCertificate() is called for a cert/cn that does not exist
	ErrCertDoesNotExist = errors.New("Certificate does not exist")
)

Functions

func C2ServerGenerateECCCertificate

func C2ServerGenerateECCCertificate(host string) ([]byte, []byte, error)

C2ServerGenerateECCCertificate - Generate a server certificate signed with a given CA

func C2ServerGenerateRSACertificate

func C2ServerGenerateRSACertificate(host string) ([]byte, []byte, error)

C2ServerGenerateRSACertificate - Generate a server certificate signed with a given CA

func C2ServerGetRSACertificate

func C2ServerGetRSACertificate(host string) ([]byte, []byte, error)

C2ServerGetRSACertificate - Get a server certificate based on hostname

func GenerateCertificateAuthority

func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certificate, *ecdsa.PrivateKey)

GenerateCertificateAuthority - Creates a new CA cert for a given type

func GenerateECCCertificate

func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)

GenerateECCCertificate - Generate a TLS certificate with the given parameters We choose some reasonable defaults like Curve, Key Size, ValidFor, etc. Returns two strings `cert` and `key` (PEM Encoded).

func GenerateRSACertificate

func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)

GenerateRSACertificate - Generates a 2048 bit RSA Certificate

func GenerateWGKeys added in v1.4.9

func GenerateWGKeys(isPeer bool, wgPeerTunIP string) (string, string, error)

GenerateWGKeys - Generates and saves new wg keys

func GetACMEDir

func GetACMEDir() string

GetACMEDir - Dir to store ACME certs

func GetACMEManager

func GetACMEManager(domain string) *autocert.Manager

GetACMEManager - Get an ACME cert/tls config with the certs

func GetCertificate

func GetCertificate(caType string, keyType string, commonName string) ([]byte, []byte, error)

GetCertificate - Get the PEM encoded certificate & key for a host

func GetCertificateAuthority

func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)

GetCertificateAuthority - Get the current CA certificate

func GetCertificateAuthorityPEM

func GetCertificateAuthorityPEM(caType string) ([]byte, []byte, error)

GetCertificateAuthorityPEM - Get PEM encoded CA cert/key

func GetECCCertificate

func GetECCCertificate(caType string, commonName string) ([]byte, []byte, error)

GetECCCertificate - Get an ECC certificate

func GetRSACertificate

func GetRSACertificate(caType string, commonName string) ([]byte, []byte, error)

GetRSACertificate - Get an RSA certificate

func GetWGPeers added in v1.4.9

func GetWGPeers() (map[string]string, error)

GetWGSPeers - Get a map of Pubkey:TunIP for existing wg peers

func GetWGServerKeys added in v1.4.9

func GetWGServerKeys() (string, string, error)

GetWGServerKeys - Get existing wg server keys

func HTTPSGenerateRSACertificate

func HTTPSGenerateRSACertificate(host string) ([]byte, []byte, error)

HTTPSGenerateRSACertificate - Generate a server certificate signed with a given CA

func ImplantGenerateECCCertificate

func ImplantGenerateECCCertificate(sliverName string) ([]byte, []byte, error)

ImplantGenerateECCCertificate - Generate a certificate signed with a given CA

func ImplantGenerateRSACertificate

func ImplantGenerateRSACertificate(sliverName string) ([]byte, []byte, error)

ImplantGenerateRSACertificate - Generate a certificate signed with a given CA

func ImplantGenerateWGKeys added in v1.4.9

func ImplantGenerateWGKeys(wgPeerTunIP string) (string, string, error)

ImplantGenerateWGKeys - Generate WG keys for implant

func OperatorClientGenerateCertificate

func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error)

OperatorClientGenerateCertificate - Generate a certificate signed with a given CA

func OperatorClientGetCertificate

func OperatorClientGetCertificate(operator string) ([]byte, []byte, error)

OperatorClientGetCertificate - Helper function to fetch a client cert

func OperatorClientListCertificates

func OperatorClientListCertificates() []*x509.Certificate

OperatorClientListCertificates - Get all client certificates

func OperatorClientRemoveCertificate

func OperatorClientRemoveCertificate(operator string) error

OperatorClientRemoveCertificate - Helper function to remove a client cert

func OperatorServerGenerateCertificate

func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error)

OperatorServerGenerateCertificate - Generate a certificate signed with a given CA

func OperatorServerGetCertificate

func OperatorServerGetCertificate(hostname string) ([]byte, []byte, error)

OperatorServerGetCertificate - Helper function to fetch a server cert

func RemoveCertificate

func RemoveCertificate(caType string, keyType string, commonName string) error

RemoveCertificate - Remove a certificate from the cert store

func SaveCertificateAuthority

func SaveCertificateAuthority(caType string, cert []byte, key []byte)

SaveCertificateAuthority - Save the certificate and the key to the filesystem doesn't return an error because errors are fatal. If we can't generate CAs, then we can't secure comms and we should die a horrible death.

func SetupCAs

func SetupCAs()

SetupCAs - Creates directories for certs

func SetupWGKeys added in v1.4.9

func SetupWGKeys()

Types

This section is empty.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL