From cac949815ff98ff5f6886a5652701a4cd81a5b09 Mon Sep 17 00:00:00 2001 From: Mark Rousskov Date: Tue, 13 Feb 2024 21:14:41 -0500 Subject: [PATCH] Update the RDS root CA list The current root is expiring in a few months, so we need to migrate to a new one. We'll be copying similar code to perf, but we can start with making sure it works with triagebot. I've checked that the new CA file contains the old certificate, so this should keep working with our current database (i.e. doesn't need to be synchronized deployment wise with anything). --- Cargo.lock | 117 +++++++++++++++++++++++++++++++++++++++++++++++++++-- Cargo.toml | 1 + src/db.rs | 33 +++++++++++---- 3 files changed, 139 insertions(+), 12 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 73f1cc3c..ac9faad0 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -25,9 +25,9 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "ahash" -version = "0.7.7" +version = "0.7.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a824f2aa7e75a0c98c5a504fceb80649e9c35265d44525b5f94de4771a395cd" +checksum = "891477e0c6a8957309ee5c45a6368af3ae14bb510732d2684ffa19af310920f9" dependencies = [ "getrandom", "once_cell", @@ -120,6 +120,12 @@ version = "0.21.4" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2" +[[package]] +name = "base64ct" +version = "1.6.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8c3c1a368f70d6cf7302d78f8f7093da241fb8e8807c05cc9e51a125895a6d5b" + [[package]] name = "bitflags" version = "1.3.2" @@ -286,6 +292,12 @@ dependencies = [ "xdg", ] +[[package]] +name = "const-oid" +version = "0.9.6" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8" + [[package]] name = "core-foundation" version = "0.9.3" 
@@ -429,6 +441,30 @@ dependencies = [ "syn 1.0.91", ] +[[package]] +name = "der" +version = "0.7.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fffa369a668c8af7dbf8b5e56c9f744fbd399949ed171606040001947de40b1c" +dependencies = [ + "const-oid", + "der_derive", + "flagset", + "pem-rfc7468", + "zeroize", +] + +[[package]] +name = "der_derive" +version = "0.7.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "5fe87ce4529967e0ba1dcf8450bab64d97dfd5010a6256187ffe2e43e6f0e049" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.37", +] + [[package]] name = "deranged" version = "0.3.8" @@ -535,6 +571,12 @@ dependencies = [ "instant", ] +[[package]] +name = "flagset" +version = "0.4.4" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d52a7e408202050813e6f1d9addadcaafef3dca7530c7ddfb005d4081cce6779" + [[package]] name = "fnv" version = "1.0.7" @@ -1374,6 +1416,15 @@ dependencies = [ "base64 0.13.0", ] +[[package]] +name = "pem-rfc7468" +version = "0.7.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "88b39c9bfcfc231068454382784bb460aae594343fb030d46e9f50a645418412" +dependencies = [ + "base64ct", +] + [[package]] name = "percent-encoding" version = "2.3.0" @@ -2134,6 +2185,16 @@ version = "0.5.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6e63cff320ae2c57904679ba7cb63280a3dc4613885beafb148ee7bf9aa9042d" +[[package]] +name = "spki" +version = "0.7.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d" +dependencies = [ + "base64ct", + "der", +] + [[package]] name = "static_assertions" version = "1.1.0" 
@@ -2303,6 +2364,27 @@ version = "0.1.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cda74da7e1a664f795bb1f8a87ec406fb89a02522cf6e50620d016add6dbbf5c" +[[package]] +name = "tls_codec" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b5e78c9c330f8c85b2bae7c8368f2739157db9991235123aa1b15ef9502bfb6a" +dependencies = [ + "tls_codec_derive", + "zeroize", +] + +[[package]] +name = "tls_codec_derive" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8d9ef545650e79f30233c0003bcc2504d7efac6dad25fca40744de773fe2049c" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.37", +] + [[package]] name = "tokio" version = "1.17.0" @@ -2601,6 +2683,7 @@ dependencies = [ "tracing-subscriber", "url", "uuid 0.8.2", + "x509-cert", ] [[package]] @@ -3042,6 +3125,18 @@ dependencies = [ "tap", ] +[[package]] +name = "x509-cert" +version = "0.2.5" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1301e935010a701ae5f8655edc0ad17c44bad3ac5ce8c39185f75453b720ae94" +dependencies = [ + "const-oid", + "der", + "spki", + "tls_codec", +] + [[package]] name = "xdg" version = "2.4.1" @@ -3053,6 +3148,20 @@ dependencies = [ [[package]] name = "zeroize" -version = "1.6.0" +version = "1.7.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2a0956f1ba7c7909bfb66c2e9e4124ab6f6482560f6628b5aaeba39207c9aad9" +checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d" +dependencies = [ + "zeroize_derive", +] + +[[package]] +name = "zeroize_derive" +version = "1.4.2" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" +dependencies = [ + "proc-macro2", + "quote", + "syn 2.0.37", +] diff --git a/Cargo.toml b/Cargo.toml index 27736094..280e977b 100644 --- a/Cargo.toml +++ b/Cargo.toml 
@@ -32,6 +32,7 @@ chrono = { version = "0.4", features = ["serde"] } tokio-postgres = { version = "0.7.2", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-0_8"] } postgres-native-tls = "0.5.0" native-tls = "0.2" +x509-cert = { version = "0.2.5", features = ["pem"] } serde_path_to_error = "0.1.2" octocrab = "0.30.1" comrak = { version = "0.8.2", default-features = false } diff --git a/src/db.rs b/src/db.rs index 272601b0..14513892 100644 --- a/src/db.rs +++ b/src/db.rs @@ -12,10 +12,10 @@ pub mod jobs; pub mod notifications; pub mod rustc_commits; -const CERT_URL: &str = "https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem"; +const CERT_URL: &str = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"; lazy_static::lazy_static! { - static ref CERTIFICATE_PEM: Vec = { + static ref CERTIFICATE_PEMS: Vec = { let client = reqwest::blocking::Client::new(); let resp = client .get(CERT_URL) @@ -94,12 +94,11 @@ impl ClientPool { async fn make_client() -> anyhow::Result { let db_url = std::env::var("DATABASE_URL").expect("needs DATABASE_URL"); if db_url.contains("rds.amazonaws.com") { - let cert = &CERTIFICATE_PEM[..]; - let cert = Certificate::from_pem(&cert).context("made certificate")?; - let connector = TlsConnector::builder() - .add_root_certificate(cert) - .build() - .context("built TlsConnector")?; + let mut builder = TlsConnector::builder(); + for cert in make_certificates() { + builder.add_root_certificate(cert); + } + let connector = builder.build().context("built TlsConnector")?; let connector = MakeTlsConnector::new(connector); let (db_client, connection) = match tokio_postgres::connect(&db_url, connector).await { 
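Review bot: The bundle downloaded from the new `CERT_URL` becomes the root of trust for every RDS connection, and the visible part of the `lazy_static` body trusts whatever `reqwest::blocking::Client::new()` returns from that URL, relying only on reqwest's own TLS validation of the truststore host; the rest of the body, including how a failed or partial download is handled, is outside the hunk. If the intent is to pick up new AWS roots automatically, that is a reasonable trade-off, but it should be stated next to the constant so the next maintainer does not mistake it for a vendored file: `// Root of trust for RDS TLS: fetched once at startup and used as-is (no pinning), relying on reqwest's validation of the truststore host.` If automatic updates are not required, vendoring `global-bundle.pem` in the repository would remove both the startup dependency on the endpoint and the download path from the trust boundary.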
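Review bot: If `make_certificates()` yields an empty vector, the new `for` loop adds no roots and `builder.build()` still succeeds, so an empty or mis-parsed bundle only shows up later as a TLS handshake failure at `tokio_postgres::connect` with nothing pointing at the bundle. Bind the result and fail early with a specific message: `let certs = make_certificates();` / `anyhow::ensure!(!certs.is_empty(), "RDS CA bundle from {} contained no certificates", CERT_URL);` / `for cert in certs { builder.add_root_certificate(cert); }`. The body of `make_client` continues past the end of the hunk.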
@@ -134,6 +133,24 @@ async fn make_client() -> anyhow::Result { } } +fn make_certificates() -> Vec { + use x509_cert::der::pem::LineEnding; + use x509_cert::der::EncodePem; + + let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..]).unwrap(); + certs + .into_iter() + .map(|cert| Certificate::from_pem(cert.to_pem(LineEnding::LF).unwrap().as_bytes()).unwrap()) + .collect() +} + +// Makes sure we successfully parse the RDS certificates and load them into native-tls compatible +// format. +#[test] +fn cert() { + make_certificates(); +} + pub async fn run_migrations(client: &DbClient) -> anyhow::Result<()> { client .execute(
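Review bot: `make_certificates` unwraps three times (`load_pem_chain`, `to_pem`, `from_pem`), so a malformed or truncated bundle now panics inside the async `make_client` instead of being reported through its `anyhow::Result` the way the removed `.context("made certificate")?` did; since the bundle is fetched at runtime, this is an input that can legitimately be bad. Return `anyhow::Result<Vec<Certificate>>` and let the caller propagate with `for cert in make_certificates()? {` (that call site is in the preceding hunk), which also lets the empty-bundle case be rejected with a clear message. The `#[test] fn cert()` presumably also triggers the network fetch in `CERTIFICATE_PEMS`, so it needs network access to `CERT_URL` to run; a comment saying so would save the next person a confusing offline failure. This assumes `anyhow::Context` is already in scope, as the existing `.context(...)` calls in `make_client` suggest.
```rust
/// Parses the downloaded RDS CA bundle into native-tls root certificates.
///
/// Errors instead of panicking so that a malformed or empty bundle surfaces
/// through `make_client`'s `anyhow::Result` like other connection failures.
fn make_certificates() -> anyhow::Result<Vec<Certificate>> {
    use x509_cert::der::pem::LineEnding;
    use x509_cert::der::EncodePem;

    let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..])
        .context("parsed RDS CA bundle")?;
    anyhow::ensure!(!certs.is_empty(), "RDS CA bundle contained no certificates");
    certs
        .into_iter()
        .map(|cert| {
            // Round-trip through PEM because native-tls only offers from_pem/from_der.
            let pem = cert.to_pem(LineEnding::LF).context("re-encoded certificate as PEM")?;
            Certificate::from_pem(pem.as_bytes()).context("made certificate")
        })
        .collect()
}

// Requires network access: dereferencing CERTIFICATE_PEMS downloads the bundle.
#[test]
fn cert() {
    make_certificates().unwrap();
}
```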