certs

package
v1.7.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 31, 2026 License: GPL-3.0 Imports: 32 Imported by: 24

README

server/certs

Overview

Certificate generation and management helpers for server transports. Issues and rotates TLS material for listeners. Key routines cover acme, CA, HTTPS, and mTLS within the certs subsystem.

Go Files

  • acme.go – Integrates with ACME providers to issue certificates automatically.
  • ca.go – Manages the internal certificate authority lifecycle.
  • certs.go – High-level certificate manager used by transports.
  • certs_test.go (tests) – Tests certificate issuance and rotation workflows.
  • https.go – Provides HTTPS certificate helpers and caching.
  • mtls.go – Generates and manages mTLS client certificates.
  • operators.go – Issues operator-specific certificates and keys.
  • subject.go – Builds X.509 subject information based on configuration.
  • tlskeys.go – Handles TLS keypair generation and persistence.
  • wireguard.go – Manages certificates/keys for WireGuard listeners when needed.

Documentation

Index

Constants

View Source 
const (
	// ECCKey - Namespace for ECC keys
	ECCKey = "ecc"

	// RSAKey - Namespace for RSA keys
	RSAKey = "rsa"
)
View Source 
const (
	// MtlsImplantCA - Directory containing HTTPS server certificates
	MtlsImplantCA = "mtls-implant"
	MtlsServerCA  = "mtls-server"
)
View Source 
const (
	C2WireGuardServerIP          = "100.64.0.1"
	MultiplayerWireGuardServerIP = "100.65.0.1"
)
View Source 
const (
	// ACMEDirName - Name of dir to store ACME certs
	ACMEDirName = "acme"
)
View Source 
const (
	// HTTPSCA - Directory containing operator certificates
	HTTPSCA = "https"
)
View Source 
const (
	// OperatorCA - Directory containing operator certificates
	OperatorCA = "operator"
)

Variables

View Source 
var (
	// ErrOperatorClientCertificateNotFound indicates that the presented operator
	// client certificate is no longer trusted because it is not present in the
	// certificate store.
	ErrOperatorClientCertificateNotFound = errors.New("operator client certificate not found in database")

	// ErrInvalidOperatorClientCertificate indicates that the presented
	// certificate is not shaped like an operator client leaf certificate.
	ErrInvalidOperatorClientCertificate = errors.New("invalid operator client certificate")
)
View Source 
var (
	ErrWGPeerDoesNotExist                = errors.New("wg peer does not exist")
	ErrWGServerKeysDoNotExist            = errors.New("wg server keys do not exist")
	ErrMultiplayerWGServerKeysDoNotExist = errors.New("multiplayer wg server keys do not exist")
)
View Source 
var (

	// ErrCertDoesNotExist - Returned if a GetCertificate() is called for a cert/cn that does not exist
	ErrCertDoesNotExist = errors.New("Certificate does not exist")
)
View Source 
var (
	// TLSKeyLogger - File descriptor for logging TLS keys
	TLSKeyLogger = newKeyLogger()
)

Functions

func GenerateCertificateAuthority 

func GenerateCertificateAuthority(caType string, commonName string) (*x509.Certificate, *ecdsa.PrivateKey)

GenerateCertificateAuthority - Creates a new CA cert for a given type

func GenerateECCCertificate 

func GenerateECCCertificate(caType string, commonName string, isCA bool, isClient bool, isOperator bool) ([]byte, []byte)

GenerateECCCertificate - Generate a TLS certificate with the given parameters We choose some reasonable defaults like Curve, Key Size, ValidFor, etc. Returns two strings `cert` and `key` (PEM Encoded).

func GenerateMultiplayerWGServerKeys added in v1.7.4 

func GenerateMultiplayerWGServerKeys() (string, string, error)

GenerateMultiplayerWGServerKeys - Generates and saves dedicated multiplayer WireGuard server keys.

func GenerateRSACertificate 

func GenerateRSACertificate(caType string, commonName string, isCA bool, isClient bool) ([]byte, []byte)

GenerateRSACertificate - Generates an RSA Certificate

func GenerateWGKeyPair added in v1.7.4 

func GenerateWGKeyPair() (string, string, error)

GenerateWGKeyPair - Generate a WireGuard keypair without persisting it.

func GenerateWGKeys added in v1.4.9 

func GenerateWGKeys(isPeer bool, wgPeerTunIP string) (string, string, error)

GenerateWGKeys - Generates and saves new C2 WireGuard keys.

func GetACMEDir 

func GetACMEDir() string

GetACMEDir - Dir to store ACME certs

func GetACMEManager 

func GetACMEManager(domain string) *autocert.Manager

GetACMEManager - Get an ACME cert/tls config with the certs

func GetCertificate 

func GetCertificate(caType string, keyType string, commonName string) ([]byte, []byte, error)

GetCertificate - Get the PEM encoded certificate & key for a host

func GetCertificateAuthority 

func GetCertificateAuthority(caType string) (*x509.Certificate, *ecdsa.PrivateKey, error)

GetCertificateAuthority - Get the current CA certificate

func GetCertificateAuthorityPEM 

func GetCertificateAuthorityPEM(caType string) ([]byte, []byte, error)

GetCertificateAuthorityPEM - Get PEM encoded CA cert/key

func GetECCCertificate 

func GetECCCertificate(caType string, commonName string) ([]byte, []byte, error)

GetECCCertificate - Get an ECC certificate

func GetMultiplayerWGServerKeys added in v1.7.4 

func GetMultiplayerWGServerKeys() (string, string, error)

GetMultiplayerWGServerKeys - Get existing multiplayer WireGuard server keys.

func GetOperatorWGPeers added in v1.7.4 

func GetOperatorWGPeers() (map[string]string, error)

GetOperatorWGPeers - Get a map of operator WG public keys to tunnel IPs.

func GetRSACertificate 

func GetRSACertificate(caType string, commonName string) ([]byte, []byte, error)

GetRSACertificate - Get an RSA certificate

func GetWGPeers added in v1.4.9 

func GetWGPeers() (map[string]string, error)

GetWGSPeers - Get a map of Pubkey:TunIP for existing wg peers

func GetWGServerKeys added in v1.4.9 

func GetWGServerKeys() (string, string, error)

GetWGServerKeys - Get existing C2 WireGuard server keys.

func HTTPSGenerateRSACertificate 

func HTTPSGenerateRSACertificate(host string) ([]byte, []byte, error)

HTTPSGenerateRSACertificate - Generate a server certificate signed with a given CA

func ImplantGenerateWGKeys added in v1.4.9 

func ImplantGenerateWGKeys(wgPeerTunIP string) (string, string, error)

ImplantGenerateWGKeys - Generate WG keys for implant

func MtlsC2ImplantGenerateECCCertificate added in v1.5.0 

func MtlsC2ImplantGenerateECCCertificate(name string) ([]byte, []byte, error)

MtlsC2ImplantGenerateECCCertificate - Generate a server certificate signed with a given CA

func MtlsC2ServerGenerateECCCertificate added in v1.5.0 

func MtlsC2ServerGenerateECCCertificate(host string) ([]byte, []byte, error)

MtlsC2ServerGenerateECCCertificate - Generate a server certificate signed with a given CA

func OperatorClientGenerateCertificate 

func OperatorClientGenerateCertificate(operator string) ([]byte, []byte, error)

OperatorClientGenerateCertificate - Generate a certificate signed with a given CA

func OperatorClientGetCertificate 

func OperatorClientGetCertificate(operator string) ([]byte, []byte, error)

OperatorClientGetCertificate - Helper function to fetch a client cert

func OperatorClientListCertificates 

func OperatorClientListCertificates() []*x509.Certificate

OperatorClientListCertificates - Get all client certificates

func OperatorClientRemoveCertificate 

func OperatorClientRemoveCertificate(operator string) error

OperatorClientRemoveCertificate - Helper function to remove a client cert

func OperatorServerGenerateCertificate 

func OperatorServerGenerateCertificate(hostname string) ([]byte, []byte, error)

OperatorServerGenerateCertificate - Generate a certificate signed with a given CA

func OperatorServerGetCertificate 

func OperatorServerGetCertificate(hostname string) ([]byte, []byte, error)

OperatorServerGetCertificate - Helper function to fetch a server cert

func RemoveCertificate 

func RemoveCertificate(caType string, keyType string, commonName string) error

RemoveCertificate - Remove a certificate from the cert store

func SaveCertificateAuthority 

func SaveCertificateAuthority(caType string, cert []byte, key []byte)

SaveCertificateAuthority - Save the certificate and the key to the database doesn't return an error because errors are fatal. If we can't generate CAs, then we can't secure communication and we should die a horrible death.

func SetupCAs 

func SetupCAs()

SetupCAs - Ensure certificate authorities exist in storage

func SetupMultiplayerWGKeys added in v1.7.4 

func SetupMultiplayerWGKeys()

SetupMultiplayerWGKeys - Setup multiplayer WireGuard server keys.

func SetupWGKeys added in v1.4.9 

func SetupWGKeys()

SetupWGKeys - Setup C2 WireGuard server keys.

func ValidateOperatorClientCertificate added in v1.7.4 

func ValidateOperatorClientCertificate(peerCertificates []*x509.Certificate) error

ValidateOperatorClientCertificate ensures that the presented operator client certificate is still present in the database. A valid chain alone is not enough; the exact leaf certificate must still exist in storage.

Types

This section is empty.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.