Merge pull request #1772 from Mark-Simulacrum/update-rds-ca

Update the RDS root CA list
rust-lang · Feb 14, 2024 · c52016a · c52016a
2 parents c5cd297 + cac9498
commit c52016a
Show file tree

Hide file tree

Showing 3 changed files with 139 additions and 12 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,6 +32,7 @@ chrono = { version = "0.4", features = ["serde"] }
 tokio-postgres = { version = "0.7.2", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-0_8"] }
 postgres-native-tls = "0.5.0"
 native-tls = "0.2"
+x509-cert = { version = "0.2.5", features = ["pem"] }
 serde_path_to_error = "0.1.2"
 octocrab = "0.30.1"
 comrak = { version = "0.8.2", default-features = false }

diff --git a/src/db.rs b/src/db.rs
@@ -12,10 +12,10 @@ pub mod jobs;
 pub mod notifications;
 pub mod rustc_commits;
 
-const CERT_URL: &str = "https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem";
+const CERT_URL: &str = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem";
 
 lazy_static::lazy_static! {
-    static ref CERTIFICATE_PEM: Vec<u8> = {
+    static ref CERTIFICATE_PEMS: Vec<u8> = {
         let client = reqwest::blocking::Client::new();
         let resp = client
             .get(CERT_URL)
@@ -94,12 +94,11 @@ impl ClientPool {
 async fn make_client() -> anyhow::Result<tokio_postgres::Client> {
     let db_url = std::env::var("DATABASE_URL").expect("needs DATABASE_URL");
     if db_url.contains("rds.amazonaws.com") {
-        let cert = &CERTIFICATE_PEM[..];
-        let cert = Certificate::from_pem(&cert).context("made certificate")?;
-        let connector = TlsConnector::builder()
-            .add_root_certificate(cert)
-            .build()
-            .context("built TlsConnector")?;
+        let mut builder = TlsConnector::builder();
+        for cert in make_certificates() {
+            builder.add_root_certificate(cert);
+        }
+        let connector = builder.build().context("built TlsConnector")?;
         let connector = MakeTlsConnector::new(connector);
 
         let (db_client, connection) = match tokio_postgres::connect(&db_url, connector).await {
@@ -134,6 +133,24 @@ async fn make_client() -> anyhow::Result<tokio_postgres::Client> {
     }
 }
 
+fn make_certificates() -> Vec<Certificate> {
+    use x509_cert::der::pem::LineEnding;
+    use x509_cert::der::EncodePem;
+
+    let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..]).unwrap();
+    certs
+        .into_iter()
+        .map(|cert| Certificate::from_pem(cert.to_pem(LineEnding::LF).unwrap().as_bytes()).unwrap())
+        .collect()
+}
+
+// Makes sure we successfully parse the RDS certificates and load them into native-tls compatible
+// format.
+#[test]
+fn cert() {
+    make_certificates();
+}
+
 pub async fn run_migrations(client: &DbClient) -> anyhow::Result<()> {
     client
         .execute(