Documentation
Index
- func NewSource(cfg SourceConfig, logger *slog.Logger) (aitm.CertSource, error)
- type CA
- func (ca *CA) CACertPEM() []byte
- func (ca *CA) CertPool() *x509.CertPool
- func (ca *CA) IssueClientCert(commonName string) ([]byte, []byte, error)
- func (ca *CA) LoadOrIssueServerCert(certPath, hostname string) (*tls.Certificate, error)
- func (ca *CA) SignCSR(csr *x509.CertificateRequest, commonName string) ([]byte, error)
- type ChainedCertSource
- type FileCertSource
- type PerHostACMECertSource
- type SelfSignedCertSource
- type SourceConfig
- type WildcardACMECertSource
Constants
This section is empty.
Variables
This section is empty.
Functions
func NewSource
func NewSource(cfg SourceConfig, logger *slog.Logger) (aitm.CertSource, error)
NewSource constructs the appropriate cert source chain for the given config. In self-signed mode: FileCertSource → SelfSignedCertSource. In production mode: FileCertSource → WildcardACMECertSource → PerHostACMECertSource. The sources are consulted in that order for each handshake; a source answers (nil, nil) to hand the hostname to the next one, so operator-supplied PEM files always take precedence over automatic issuance.
Types
type CA added in v0.3.0
type CA struct {
Cert *x509.Certificate
CertPEM []byte
Key *ecdsa.PrivateKey
}
CA holds a local certificate authority that can sign client and server certs.
func GenerateCA added in v0.3.0
GenerateCA creates a new ECDSA P-256 CA valid for 10 years, writes the cert and key to certPath and certPath+".key", and returns the loaded CA. Anyone who can read the key file can issue certificates that every browser trusting this CA will accept, so keep it readable by the operator only.
func (*CA) CertPool added in v0.3.0
func (ca *CA) CertPool() *x509.CertPool
CertPool returns an *x509.CertPool containing only this CA's certificate.
func (*CA) IssueClientCert added in v0.3.0
func (ca *CA) IssueClientCert(commonName string) ([]byte, []byte, error)
IssueClientCert creates and signs a new client certificate. The certificate is valid for 3 years. Returns (certPEM, keyPEM, error).
func (*CA) LoadOrIssueServerCert added in v0.3.0
func (ca *CA) LoadOrIssueServerCert(certPath, hostname string) (*tls.Certificate, error)
LoadOrIssueServerCert loads a TLS server certificate from certPath, or issues a new one signed by this CA if the file doesn't exist.
type ChainedCertSource
type ChainedCertSource struct {
// contains filtered or unexported fields
}
func NewChainedCertSource
func NewChainedCertSource(logger *slog.Logger, sources ...certSource) *ChainedCertSource
NewChainedCertSource constructs a ChainedCertSource. sources must not be empty; they are consulted in the order given.
func (*ChainedCertSource) GetCertificate
func (c *ChainedCertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate is the tls.Config.GetCertificate callback. It checks the cache for hello.ServerName first, then asks each source in order; a source that returns (nil, nil) does not serve that hostname and the next one is tried.
func (*ChainedCertSource) InvalidateCache
func (c *ChainedCertSource) InvalidateCache(hostname string)
InvalidateCache removes hostname from the cache so the next handshake for it consults the sources again.
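Added example, not the package's own code, of the chain semantics described above: each source returns (nil, nil) to mean "not mine", the first non-nil certificate is cached under the normalised SNI value, an empty SNI is never issued for, and InvalidateCache forces the next handshake to walk the chain again. The two sources, staticSource (standing in for FileCertSource) and issuingSource (standing in for SelfSignedCertSource or an ACME source), the placeholder certificates they hand back and the SNI values in main are constructed for this example, and the logger parameter is dropped.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"strings"
	"sync"
)

// certSource is the shape of every link in the chain. (nil, nil) means "not mine,
// try the next source"; a non-nil error aborts the handshake.
type certSource interface {
	GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
}

// ChainedCertSource tries its sources in order and caches the first hit per hostname.
type ChainedCertSource struct {
	sources []certSource
	mu      sync.RWMutex
	cache   map[string]*tls.Certificate
}

func NewChainedCertSource(sources ...certSource) *ChainedCertSource {
	if len(sources) == 0 {
		panic("NewChainedCertSource: at least one source is required")
	}
	return &ChainedCertSource{sources: sources, cache: map[string]*tls.Certificate{}}
}

// normalize builds the cache key. SNI is case-insensitive, so "Mail.Attacker.COM"
// and "mail.attacker.com" must share one entry, or one issuance becomes two.
func normalize(serverName string) string {
	return strings.ToLower(strings.TrimSuffix(serverName, "."))
}

// GetCertificate is the tls.Config.GetCertificate callback.
func (c *ChainedCertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := normalize(hello.ServerName)
	if host == "" {
		// No SNI (a scanner hitting the bare IP, or a pre-SNI client): issue nothing.
		// (nil, nil) makes crypto/tls fall back to tls.Config.Certificates, or fail
		// the handshake when that list is empty.
		return nil, nil
	}
	c.mu.RLock()
	cert, ok := c.cache[host]
	c.mu.RUnlock()
	if ok {
		return cert, nil
	}
	for _, s := range c.sources {
		cert, err := s.GetCertificate(hello)
		if err != nil {
			return nil, err
		}
		if cert == nil {
			continue // this source does not serve host; try the next one
		}
		c.mu.Lock()
		c.cache[host] = cert
		c.mu.Unlock()
		return cert, nil
	}
	return nil, fmt.Errorf("no cert source can serve %q", host)
}

// InvalidateCache forgets a hostname so the next handshake walks the chain again,
// e.g. after the operator drops new PEM files for it into the file source.
func (c *ChainedCertSource) InvalidateCache(hostname string) {
	c.mu.Lock()
	delete(c.cache, normalize(hostname))
	c.mu.Unlock()
}

// staticSource stands in for FileCertSource: exact-name lookup in a fixed map.
type staticSource map[string]*tls.Certificate

func (s staticSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	return s[normalize(hello.ServerName)], nil // nil when absent: fall through
}

// issuingSource stands in for SelfSignedCertSource or an ACME source: it "issues" on
// demand and counts how often, which shows whether the cache stops repeat issuance.
// The value it returns is a placeholder carrying only a parsed Leaf, not a signed cert.
type issuingSource struct{ issued int }

func (s *issuingSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	s.issued++
	return &tls.Certificate{Leaf: &x509.Certificate{DNSNames: []string{normalize(hello.ServerName)}}}, nil
}

func main() {
	// Constructed inputs: one operator-supplied name, then SNIs that exercise the chain.
	files := staticSource{"mail.attacker.com": {Leaf: &x509.Certificate{DNSNames: []string{"mail.attacker.com"}}}}
	issuer := &issuingSource{}
	chain := NewChainedCertSource(files, issuer)
	for _, sni := range []string{"mail.attacker.com", "Login.Attacker.com", "login.attacker.com", ""} {
		cert, err := chain.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("sni=%-20q served=%-5v err=%v issued=%d\n", sni, cert != nil, err, issuer.issued)
	}
	chain.InvalidateCache("login.attacker.com")
	chain.GetCertificate(&tls.ClientHelloInfo{ServerName: "login.attacker.com"})
	fmt.Println("after InvalidateCache, issued =", issuer.issued) // 2
}
```

The cache key is normalised but the ClientHelloInfo is passed down unchanged, so each source still sees the original SNI; an issuing source that keys its own storage on the raw value would need the same normalisation, or an attacker could trigger one issuance per letter-case variant of a hostname.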
type FileCertSource
type FileCertSource struct {
BaseDir string // e.g. "/home/operator/.mirage/crt"
}
FileCertSource loads TLS certificates from PEM files on disk. Directory layout:
baseDir/
└── sites/
├── mail.attacker.com/
│ ├── fullchain.pem
│ └── privkey.pem
└── *.attacker.com/
├── fullchain.pem
└── privkey.pem
FileCertSource checks the exact hostname first, then falls back to a wildcard entry ("*.base_domain") if present.
func (*FileCertSource) GetCertificate
func (s *FileCertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the PEM-loaded certificate for hello.ServerName, or (nil, nil) if no PEM files exist for that hostname.
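Added example, not the package's implementation, of the lookup FileCertSource describes: the exact site directory first, then the one-level wildcard directory, and (nil, nil) when neither exists. The parent-domain rule used for "*.base_domain", the validHost filter, and the temporary BaseDir and SNI values in main are assumptions of this example. Two checks are included that the description implies but does not spell out: hello.ServerName comes straight from the ClientHello, so it is validated before it becomes a path component under BaseDir, and a loaded pair is matched against the SNI so a mis-filed certificate fails here rather than in the victim's browser.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// FileCertSource serves operator-supplied PEM pairs from BaseDir/sites/<name>/.
type FileCertSource struct {
	BaseDir string
}

// validHost accepts only what a lowercase DNS hostname may contain. The SNI value is
// chosen by whoever connects and is about to become a path component, so anything
// else is rejected here rather than joined under BaseDir.
func validHost(host string) bool {
	if host == "" || len(host) > 253 || strings.Contains(host, "..") {
		return false
	}
	for _, r := range host {
		if !(r >= 'a' && r <= 'z' || r >= '0' && r <= '9' || r == '-' || r == '.') {
			return false
		}
	}
	return true
}

// candidates lists the site directories to try for an SNI value: the exact host, then
// the wildcard for its parent domain ("*.attacker.com" for "mail.attacker.com"). Only
// one level up is tried because a wildcard covers exactly one label (RFC 6125 6.4.3),
// and no wildcard is tried for a second-level name such as "attacker.com".
func candidates(serverName string) []string {
	host := strings.ToLower(strings.TrimSuffix(serverName, "."))
	if !validHost(host) {
		return nil
	}
	out := []string{host}
	if i := strings.IndexByte(host, '.'); i > 0 && strings.Contains(host[i+1:], ".") {
		out = append(out, "*"+host[i:])
	}
	return out
}

// GetCertificate returns the first PEM pair found, or (nil, nil) when none exists so the
// next source in the chain takes over. A directory that is present but unusable is an
// error, not a fall-through: skipping it silently would hide an operator mistake.
func (s *FileCertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
	host := strings.ToLower(strings.TrimSuffix(hello.ServerName, "."))
	for _, name := range candidates(host) {
		dir := filepath.Join(s.BaseDir, "sites", name)
		certPath, keyPath := filepath.Join(dir, "fullchain.pem"), filepath.Join(dir, "privkey.pem")
		if _, err := os.Stat(certPath); errors.Is(err, os.ErrNotExist) {
			continue
		}
		cert, err := tls.LoadX509KeyPair(certPath, keyPath)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", dir, err)
		}
		// The pair loaded; make sure it actually names this host, otherwise it would be
		// served and then rejected by every browser instead of failing here.
		leaf, err := x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return nil, fmt.Errorf("%s: %w", dir, err)
		}
		if err := leaf.VerifyHostname(host); err != nil {
			return nil, fmt.Errorf("%s: %w", dir, err)
		}
		return &cert, nil
	}
	return nil, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "crt") // empty BaseDir: every lookup falls through
	defer os.RemoveAll(dir)
	src := &FileCertSource{BaseDir: dir}
	for _, sni := range []string{"Mail.Attacker.COM", "attacker.com", "../../etc/passwd"} { // constructed SNIs
		cert, err := src.GetCertificate(&tls.ClientHelloInfo{ServerName: sni})
		fmt.Printf("sni=%-18q candidates=%v served=%v err=%v\n", sni, candidates(sni), cert != nil, err)
	}
}
```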
type PerHostACMECertSource
type PerHostACMECertSource struct {
// contains filtered or unexported fields
}
PerHostACMECertSource issues per-hostname TLS certificates using CertMagic. It uses TLS-ALPN-01 by default (no port 80 required). Falls back to HTTP-01 if TLS-ALPN-01 is unavailable (controlled by the CertMagic config).
CertMagic stores certificates in its own cache directory and handles renewal automatically via background goroutines.
func NewPerHostACMECertSource
func NewPerHostACMECertSource(email, acmeDir, storageDir string, logger *slog.Logger) *PerHostACMECertSource
NewPerHostACMECertSource constructs the source. email is the ACME contact address. storageDir overrides CertMagic's default storage path.
func (*PerHostACMECertSource) GetCertificate
func (s *PerHostACMECertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the certificate for hello.ServerName, issuing one via ACME if not already cached by CertMagic.
func (*PerHostACMECertSource) ManageAsync
func (s *PerHostACMECertSource) ManageAsync(ctx context.Context, hostnames []string) error
ManageAsync tells CertMagic to begin managing the given hostnames proactively (pre-issuing their certs) rather than waiting for the first TLS handshake. Call this when a phishlet is enabled so the cert is ready before the first victim arrives. Note that a per-host issuance, proactive or on demand, publishes the exact hostname to Certificate Transparency logs; WildcardACMECertSource exists to avoid that.
type SelfSignedCertSource
type SelfSignedCertSource struct {
// contains filtered or unexported fields
}
SelfSignedCertSource generates and signs TLS certificates using a local CA. The CA is created once and reused for all subsequent leaf cert requests. The CA certificate is written to caDir/mirage-ca.crt for browser import.
func NewSelfSignedCertSource
func NewSelfSignedCertSource(caDir string) *SelfSignedCertSource
func (*SelfSignedCertSource) CACert
func (s *SelfSignedCertSource) CACert() *x509.Certificate
CACert returns the dev CA certificate; useful for building a test trust pool. Returns nil until EnsureCA (or GetCertificate) has been called.
func (*SelfSignedCertSource) EnsureCA
func (s *SelfSignedCertSource) EnsureCA() error
EnsureCA initializes the CA if it has not been already, and is safe to call more than once. After it returns without error, CACert() is non-nil and the CA certificate file is present in caDir.
func (*SelfSignedCertSource) GetCertificate
func (s *SelfSignedCertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate signs a leaf cert on first use, then serves from cache.
type SourceConfig
type SourceConfig struct {
// SelfSigned selects local-CA mode. When true, ACME fields are ignored.
SelfSigned bool
// CADir is the directory where the self-signed CA key and cert are stored.
// Only used when SelfSigned is true.
CADir string
// CertFileDir is the base directory for operator-supplied PEM overrides.
// Checked first in both modes.
CertFileDir string
// ACMEEmail is the contact address for ACME account registration.
ACMEEmail string
// ACMEDirectoryURL is the ACME directory URL. Defaults to the Let's Encrypt
// production URL when empty. Set to the staging URL to avoid rate limits
// during testing: https://acme-staging-v02.api.letsencrypt.org/directory
ACMEDirectoryURL string
// ACMEStorageDir is the directory for persisting ACME-issued certs across restarts.
ACMEStorageDir string
// Providers maps each base domain to the DNS provider used for DNS-01 challenges.
// Domains without an entry fall through to per-host ACME (TLS-ALPN-01).
Providers map[string]aitm.DNSProvider
}
SourceConfig holds all parameters needed to construct a cert source chain.
type WildcardACMECertSource
type WildcardACMECertSource struct {
// contains filtered or unexported fields
}
WildcardACMECertSource issues *.base_domain certificates via ACME DNS-01. One certificate is issued per base domain, and every phishlet subdomain directly under that base domain is served with the single wildcard cert (a wildcard matches exactly one label, so deeper names such as a.b.base_domain are not covered by it).
Because the cert is issued for *.attacker.com, Certificate Transparency logs record only the wildcard, not the individual phishing subdomains, so CT-based scanners cannot enumerate them from the logs.
func (*WildcardACMECertSource) GetCertificate
func (s *WildcardACMECertSource) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error)
GetCertificate returns the wildcard cert for hello.ServerName's base domain, issuing one via DNS-01 ACME if not already held. Returns (nil, nil) if no DNS provider is registered for this base domain.
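Added example, not the package's code, of the base-domain decision GetCertificate has to make, together with the check the "all subdomains share the wildcard" claim needs: a *.attacker.com certificate satisfies mail.attacker.com but neither attacker.com itself nor sso.corp.attacker.com, because a wildcard matches exactly one label (RFC 6125 section 6.4.3). WildcardPlanner, its Registered list (standing for the keys of SourceConfig.Providers), and the hostnames in main are this example's assumptions; x509.VerifyHostname is the matcher Go clients use, so it gives the answer a victim's browser would.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"strings"
)

// WildcardPlanner knows which base domains have a DNS-01 provider (the keys of
// SourceConfig.Providers). Any other name is not this source's to issue for and
// must fall through, (nil, nil), to the per-host source.
type WildcardPlanner struct {
	Registered []string
}

// BaseDomain returns the registered base domain covering host, longest suffix first,
// or "" if none does. The "."+b form matters: "evilattacker.com" is not under "attacker.com".
func (p *WildcardPlanner) BaseDomain(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	best := ""
	for _, b := range p.Registered {
		b = strings.ToLower(b)
		if (host == b || strings.HasSuffix(host, "."+b)) && len(b) > len(best) {
			best = b
		}
	}
	return best
}

// Covers reports whether a certificate whose only SAN is "*."+base would satisfy a
// client that sent host as SNI. It defers to the matcher Go clients use, so RFC 6125
// applies: one label only, and the bare base domain is not covered.
func Covers(base, host string) bool {
	c := &x509.Certificate{DNSNames: []string{"*." + base}}
	return c.VerifyHostname(host) == nil
}

// Resolve is the decision GetCertificate has to make: which base domain, if any, and
// whether the wildcard it holds actually serves this SNI. base != "" with ok == false
// is the trap: a name under a registered domain that the wildcard still will not match.
func (p *WildcardPlanner) Resolve(host string) (base string, ok bool) {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	base = p.BaseDomain(host)
	if base == "" {
		return "", false
	}
	return base, Covers(base, host)
}

func main() {
	p := &WildcardPlanner{Registered: []string{"attacker.com"}} // constructed config
	for _, h := range []string{"mail.attacker.com", "attacker.com", "sso.corp.attacker.com", "evilattacker.com"} {
		base, ok := p.Resolve(h)
		fmt.Printf("%-22s base=%-14q covered=%v\n", h, base, ok)
	}
}
```

When Resolve reports a base domain but ok is false, the wildcard source holds a certificate for the domain that a browser will still reject for that name; the fix is to register the deeper domain (corp.attacker.com) as its own base so it gets its own wildcard, or to include the bare base domain as an additional SAN on the order if the bare name must be served.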