README
¶
certs
X.509 certificate generation and management code. We use four seperate certificate chains (4 CAs):
SliverCA- Used to encrypt and authenticated client-side C2 channels between the server and the Slivers. Uses both ECC and RSA certificates depending on the use case.OperatorCA(wasClientCA) - Used to sign certs that authenticate and encrypt the mutual TLS connection between the operator and the server.ServerCA- Used to secure server-side C2, the ServerCA public key is embedded into the sliver binaries.HTTPSCA- Used to generate self-signed HTTPS certificates (that are not used to encrypt C2 data)
Certificates are all stored CA-specific Badger databases managed by the db package. The key is the common name of the certificate and the value is a JSON object (i.e. CertificateKeyPair) that contains the key type (RSA or ECC), certifcate, and private key.
ACME
The package can also interact with Let's Encrypt (ACME) services to generate certificates that are trusted in the browser (alternative to HTTPSCA). These certificates are used with the HTTPS servers/listeners, but not used to encrypt any C2.
Documentation
¶
Index ¶
- Constants
- Variables
- func GenerateCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey)
- func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
- func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
- func GetACMEDir() string
- func GetACMEManager(domain string) *autocert.Manager
- func GetCertificate(caType string, keyType string, commonName string) ([]byte, []byte, error)
- func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)
- func GetCertificateAuthorityPEM(caType string) ([]byte, []byte, error)
- func GetECCCertificate(caType string, commonName string) ([]byte, []byte, error)
- func GetRSACertificate(caType string, commonName string) ([]byte, []byte, error)
- func HTTPSGenerateRSACertificate(host string) ([]byte, []byte, error)
- func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error)
- func OperatorClientGetCertificate(operator string) ([]byte, []byte, error)
- func OperatorClientListCertificates() []*x509.Certificate
- func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error)
- func OperatorServerGetCertificate(operator string) ([]byte, []byte, error)
- func RemoveCertificate(caType string, commonName string, keyType string) error
- func SaveCertificate(caType string, keyType string, commonName string, cert []byte, key []byte) error
- func SaveCertificateAuthority(caType string, cert []byte, key []byte)
- func ServerGenerateECCCertificate(host string) ([]byte, []byte, error)
- func ServerGenerateRSACertificate(host string) ([]byte, []byte, error)
- func SetupCAs()
- func SliverGenerateECCCertificate(sliverName string) ([]byte, []byte, error)
- func SliverGenerateRSACertificate(sliverName string) ([]byte, []byte, error)
- type CertificateKeyPair
Constants ¶
const ( // RSAKeySize - Default size of RSA keys in bits RSAKeySize = 2048 // This is plenty 4096 is overkill // ECCKey - Namespace for ECC keys ECCKey = "ecc" // RSAKey - Namespace for RSA keys RSAKey = "rsa" )
const (
// ACMEDirName - Name of dir to store ACME certs
ACMEDirName = "acme"
)
const (
// HTTPSCA - Directory containing operator certificates
HTTPSCA = "https"
)
const (
// OperatorCA - Directory containing operator certificates
OperatorCA = "operator"
)
const (
// ServerCA - Directory containing server certificates
ServerCA = "server"
)
const (
// SliverCA - Directory containing sliver certificates
SliverCA = "sliver"
)
Variables ¶
var ( // ErrCertDoesNotExist - Returned if a GetCertificate() is called for a cert/cn that does not exist ErrCertDoesNotExist = errors.New("Certificate does not exist") )
Functions ¶
func GenerateCertificateAuthority ¶
func GenerateCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey)
GenerateCertificateAuthority - Creates a new CA cert for a given type
func GenerateECCCertificate ¶
func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
GenerateECCCertificate - Generate a TLS certificate with the given parameters We choose some reasonable defaults like Curve, Key Size, ValidFor, etc. Returns two strings `cert` and `key` (PEM Encoded).
func GenerateRSACertificate ¶
func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)
GenerateRSACertificate - Generates a 2048 bit RSA Certificate
func GetACMEManager ¶
GetACMEManager - Get an ACME cert/tls config with the certs
func GetCertificate ¶
GetCertificate - Get the PEM encoded certificate & key for a host
func GetCertificateAuthority ¶
func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)
GetCertificateAuthority - Get the current CA certificate
func GetCertificateAuthorityPEM ¶
GetCertificateAuthorityPEM - Get PEM encoded CA cert/key
func GetECCCertificate ¶
GetECCCertificate - Get an ECC certificate
func GetRSACertificate ¶
GetRSACertificate - Get an RSA certificate
func HTTPSGenerateRSACertificate ¶
HTTPSGenerateRSACertificate - Generate a server certificate signed with a given CA
func OperatorClientGenerateCertificate ¶
OperatorClientGenerateCertificate - Generate a certificate signed with a given CA
func OperatorClientGetCertificate ¶
OperatorClientGetCertificate - Helper function to fetch a client cert
func OperatorClientListCertificates ¶
func OperatorClientListCertificates() []*x509.Certificate
OperatorClientListCertificates - Get all client certificates
func OperatorServerGenerateCertificate ¶
OperatorServerGenerateCertificate - Generate a certificate signed with a given CA
func OperatorServerGetCertificate ¶
OperatorServerGetCertificate - Helper function to fetch a client cert
func RemoveCertificate ¶
RemoveCertificate - Remove a certificate from the cert store
func SaveCertificate ¶
func SaveCertificate(caType string, keyType string, commonName string, cert []byte, key []byte) error
SaveCertificate - Save the certificate and the key to the filesystem
func SaveCertificateAuthority ¶
SaveCertificateAuthority - Save the certificate and the key to the filesystem doesn't return an error because errors are fatal. If we can't generate CAs, then we can't secure comms and we should die a horrible death.
func ServerGenerateECCCertificate ¶
ServerGenerateECCCertificate - Generate a server certificate signed with a given CA
func ServerGenerateRSACertificate ¶
ServerGenerateRSACertificate - Generate a server certificate signed with a given CA
func SliverGenerateECCCertificate ¶
SliverGenerateECCCertificate - Generate a certificate signed with a given CA
Types ¶
type CertificateKeyPair ¶
type CertificateKeyPair struct {
KeyType string `json:"key_type"`
Certificate []byte `json:"certificate"`
PrivateKey []byte `json:"private_key"`
}
CertificateKeyPair - Single struct with KeyType/Cert/PrivateKey
Source Files