diff --git a/.github/workflows/go.yml b/.github/workflows/test.yml
similarity index 92%
rename from .github/workflows/go.yml
rename to .github/workflows/test.yml
index dc8020f..4b207c5 100644
--- a/.github/workflows/go.yml
+++ b/.github/workflows/test.yml
@@ -10,6 +10,7 @@ jobs:
 name: Test
 runs-on: ${{ matrix.os }}
 strategy:
+ fail-fast: false
 matrix:
 os:
 - ubuntu-latest
@@ -23,9 +24,6 @@ jobs:
 - "1.18"
 - "1.17"
 - "1.16"
- - "1.15"
- - "1.14"
- - "1.13"
 
 steps:
 - name: Check out code into the Go module directory
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
new file mode 100644
index 0000000..6a14ca2
--- /dev/null
+++ b/.github/workflows/update.yml
@@ -0,0 +1,25 @@
+name: update
+on:
+ schedule:
+ - cron: "23 6 * * *"
+ workflow_dispatch:
+
+jobs:
+ update:
+ name: update
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Check out code into the Go module directory
+ uses: actions/checkout@v3
+
+ - name: Set up Go
+ uses: actions/setup-go@v4
+ with:
+ go-version: stable
+
+ - name: Update the Certificates
+ run: go generate ./...
+
+ - name: Commit and Push Changes
+ uses: shogo82148/actions-commit-and-create-pr@v1
diff --git a/go.mod b/go.mod
index 5047209..849bde0 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module github.com/shogo82148/rdsmysql
 
-go 1.13
+go 1.16
 
 require (
 github.com/aws/aws-sdk-go v1.44.313
diff --git a/go.sum b/go.sum
index 535f833..17413ec 100644
--- a/go.sum
+++ b/go.sum
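Review bot: The new `.github/workflows/update.yml` job declares no `permissions:` block and references every action by a mutable tag (`actions/checkout@v3`, `actions/setup-go@v4`, `shogo82148/actions-commit-and-create-pr@v1`), although its output is the CA bundle that clients of this module will trust. I would pin each `uses:` to a full commit SHA and add an explicit least-privilege block, presumably `contents: write` and `pull-requests: write` for the last step, so the token scope does not depend on the repository default. Nothing in the hunk shows whether the resulting pull request is reviewed or merged automatically; a comment above the final step such as `# The generated PR changes trust anchors and must be reviewed by a maintainer before merge.` would document the expectation.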
@@ -20,7 +20,6 @@ golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= -golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0= golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= @@ -36,7 +35,6 @@ golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= -golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4= golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -44,7 +42,6 @@ golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGm
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
diff --git a/internal/certificate/certificate.go b/internal/certificate/certificate.go
index 24486fc..e68da1a 100644
--- a/internal/certificate/certificate.go
+++ b/internal/certificate/certificate.go
@@ -1,3 +1,5 @@
+//go:generate go run ../cmd/update_certificate/main.go
+
 package certificate
 
 import (
@@ -9,9 +11,11 @@ import (
 )
 
 // Certificate is the certificates for connecting RDS MySQL with SSL/TLS.
-// It contains the intermediate and root certificates for RDS MySQL ( https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem ),
-// and the root certificates for RDS Proxy( https://www.amazontrust.com/repository/AmazonRootCA1.pem ).
-const Certificate = rdsProxyCertificate + rdsCertificates
+// It contains the intermediate and root certificates for [Amazon RDS MySQL] and [Amazon Aurora MySQL].
+//
+// [Amazon RDS MySQL]: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
+// [Amazon Aurora MySQL]: https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html
+const Certificate = rdsCertificates
 
 var Config *tls.Config
 
diff --git a/internal/certificate/rds.go b/internal/certificate/rds.go
index 8298e15..b8e9aad 100644
--- a/internal/certificate/rds.go
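Review bot: `const Certificate = rdsCertificates` in internal/certificate/certificate.go drops the Amazon Root CA 1 that the old bundle carried for RDS Proxy, and the new doc comment does not tell callers that the trust set shrank. If RDS Proxy endpoints chain to that root and not to one in global-bundle.pem, connections verified against this bundle would presumably start failing after the change; that should be confirmed against a proxy endpoint before release. I would add a line to the doc comment such as `// It no longer includes Amazon Root CA 1; RDS Proxy users must add that root themselves.`, or keep the proxy root if proxy support is still intended. The two reference links here use the `ja_jp` localized docs path while rds.go links the unlocalized one; using the same form in both files would be more consistent.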
+++ b/internal/certificate/rds.go @@ -1,8 +1,12 @@ +// Code generated by cmd/update_certificate/main.go; DO NOT EDIT. + package certificate -// the intermediate and root certificates for RDS MySQL. -// Document: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions -// Certificate: https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem +// rdsCertificates is the intermediate and root [certificates] for [Amazon RDS MySQL] and [Amazon Aurora MySQL]. +// +// [Amazon RDS MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions +// [Amazon Aurora MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions +// [certificates]: https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem const rdsCertificates = `-----BEGIN CERTIFICATE----- MIIEEjCCAvqgAwIBAgIJAM2ZN/+nPi27MA0GCSqGSIb3DQEBCwUAMIGVMQswCQYD VQQGEwJVUzEQMA4GA1UEBwwHU2VhdHRsZTETMBEGA1UECAwKV2FzaGluZ3RvbjEi 
@@ -1707,6 +1711,41 @@ F/Vv/wyWSTGdobxBL6iArQNVXz0Gr4dvPAIwd0rsoa6R0x5mtvhdRPtM37FYrbHJ pbV+OMusQqcSLseunLBoCHenvJW0QOCQ8EDY -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- +MIIGBTCCA+2gAwIBAgIRAO9dVdiLTEGO8kjUFExJmgowDQYJKoZIhvcNAQEMBQAw +gZoxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ +bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEzMDEGA1UEAwwq +QW1hem9uIFJEUyBpbC1jZW50cmFsLTEgUm9vdCBDQSBSU0E0MDk2IEcxMRAwDgYD +VQQHDAdTZWF0dGxlMCAXDTIyMTIwMjIwMjYwOFoYDzIxMjIxMjAyMjEyNjA4WjCB +mjELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu +Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpB +bWF6b24gUkRTIGlsLWNlbnRyYWwtMSBSb290IENBIFJTQTQwOTYgRzExEDAOBgNV +BAcMB1NlYXR0bGUwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDkVHmJ +bUc8CNDGBcgPmXHSHj5dS1PDnnpk3doCu6pahyYXW8tqAOmOqsDuNz48exY7YVy4 +u9I9OPBeTYB9ZUKwxq+1ZNLsr1cwVz5DdOyDREVFOjlU4rvw0eTgzhP5yw/d+Ai/ ++WmPebZG0irwPKN2f60W/KJ45UNtR+30MT8ugfnPuSHWjjV+dqCOCp/mj8nOCckn +k8GoREwjuTFJMKInpQUC0BaVVX6LiIdgtoLY4wdx00EqNBuROoRTAvrked0jvm7J +UI39CSYxhNZJ9F6LdESZXjI4u2apfNQeSoy6WptxFHr+kh2yss1B2KT6lbwGjwWm +l9HODk9kbBNSy2NeewAms36q+p8wSLPavL28IRfK0UaBAiN1hr2a/2RDGCwOJmw6 +5erRC5IIX5kCStyXPEGhVPp18EvMuBd37eLIxjZBBO8AIDf4Ue8QmxSeZH0cT204 +3/Bd6XR6+Up9iMTxkHr1URcL1AR8Zd62lg/lbEfxePNMK9mQGxKP8eTMG5AjtW9G +TatEoRclgE0wZQalXHmKpBNshyYdGqQZhzL1MxCxWzfHNgZkTKIsdzxrjnP7RiBR +jdRH0YhXn6Y906QfLwMCaufwfQ5J8+nj/tu7nG138kSxsu6VUkhnQJhUcUsxuHD/ +NnBx0KGVEldtZiZf7ccgtRVp1lA0OrVtq3ZLMQIDAQABo0IwQDAPBgNVHRMBAf8E +BTADAQH/MB0GA1UdDgQWBBQ2WC3p8rWeE2N0S4Om01KsNLpk/jAOBgNVHQ8BAf8E +BAMCAYYwDQYJKoZIhvcNAQEMBQADggIBAFFEVDt45Obr6Ax9E4RMgsKjj4QjMFB9 +wHev1jL7hezl/ULrHuWxjIusaIZEIcKfn+v2aWtqOq13P3ht7jV5KsV29CmFuCdQ +q3PWiAXVs+hnMskTOmGMDnptqd6/UuSIha8mlOKKAvnmRQJvfX9hIfb/b/mVyKWD +uvTTmcy3cOTJY5ZIWGyzuvmcqA0YNcb7rkJt/iaLq4RX3/ofq4y4w36hefbcvj++ +pXHOmXk3dAej3y6SMBOUcGMyCJcCluRPNYKDTLn+fitcPxPC3JG7fI5bxQ0D6Hpa +qbyGBQu96sfahQyMc+//H8EYlo4b0vPeS5RFFXJS/VBf0AyNT4vVc7H17Q6KjeNp 
+wEARqsIa7UalHx9MnxrQ/LSTTxiC8qmDkIFuQtw8iQMN0SoL5S0eCZNRD31awgaY +y1PvY8JMN549ugIUjOXnown/OxharLW1evWUraU5rArq3JfeFpPXl4K/u10T5SCL +iJRoxFilGPMFE3hvnmbi5rEy8wRUn7TpLb4I4s/CB/lT2qZTPqvQHwxKCnMm9BKF +NHb4rLL5dCvUi5NJ6fQ/exOoGdOVSfT7jqFeq2TtNunERSz9vpriweliB6iIe1Al +Thj8aEs1GqA764rLVGA+vUe18NhjJm9EemrdIzjSQFy/NdbN/DMaHqEzJogWloAI +izQWYnCS19TJ +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIICvTCCAkOgAwIBAgIQCIY7E/bFvFN2lK9Kckb0dTAKBggqhkjOPQQDAzCBnjEL MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTcwNQYDVQQDDC5BbWF6 
@@ -1883,6 +1922,30 @@ k8x6/wvtw7wht0/DOqz1li7baSsMazqxx+jDdSr1h9xML416Q4loFCLgqQhil8Jq Em4Hy3A= -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- +MIIEBDCCAuygAwIBAgIQFn6AJ+uxaPDpNVx7174CpjANBgkqhkiG9w0BAQsFADCB +mjELMAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIElu +Yy4xEzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTMwMQYDVQQDDCpB +bWF6b24gUkRTIGlsLWNlbnRyYWwtMSBSb290IENBIFJTQTIwNDggRzExEDAOBgNV +BAcMB1NlYXR0bGUwIBcNMjIxMjAyMjAxNDA4WhgPMjA2MjEyMDIyMTE0MDhaMIGa +MQswCQYDVQQGEwJVUzEiMCAGA1UECgwZQW1hem9uIFdlYiBTZXJ2aWNlcywgSW5j +LjETMBEGA1UECwwKQW1hem9uIFJEUzELMAkGA1UECAwCV0ExMzAxBgNVBAMMKkFt +YXpvbiBSRFMgaWwtY2VudHJhbC0xIFJvb3QgQ0EgUlNBMjA0OCBHMTEQMA4GA1UE +BwwHU2VhdHRsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2xGTSJ +fXorki/dkkTqdLyv4U1neeFYEyUCPN/HJ7ZloNwhj8RBrHYhZ4qtvUAvN+rs8fUm +L0wmaL69ye61S+CSfDzNwBDGwOzUm/cc1NEJOHCm8XA0unBNBvpJTjsFk2LQ+rz8 +oU0lVV4mjnfGektrTDeADonO1adJvUTYmF6v1wMnykSkp8AnW9EG/6nwcAJuAJ7d +BfaLThm6lfxPdsBNG81DLKi2me2TLQ4yl+vgRKJi2fJWwA77NaDqQuD5upRIcQwt +5noJt2kFFmeiro98ZMMRaDTHAHhJfWkwkw5f2QNIww7T4r85IwbQCgJVRo4m4ZTC +W/1eiEccU2407mECAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU +DNhVvGHzKXv0Yh6asK0apP9jJlUwDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEB +CwUAA4IBAQCoEVTUY/rF9Zrlpb1Y1hptEguw0i2pCLakcmv3YNj6thsubbGeGx8Z +RjUA/gPKirpoae2HU1y64WEu7akwr6pdTRtXXjbe9NReT6OW/0xAwceSXCOiStqS +cMsWWTGg6BA3uHqad5clqITjDZr1baQ8X8en4SXRBxXyhJXbOkB60HOQeFR9CNeh +pJdrWLeNYXwU0Z59juqdVMGwvDAYdugWUhW2rhafVUXszfRA5c8Izc+E31kq90aY +LmxFXUHUfG0eQOmxmg+Z/nG7yLUdHIFA3id8MRh22hye3KvRdQ7ZVGFni0hG2vQQ +Q01AvD/rhzyjg0czzJKLK9U/RttwdMaV +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIGBTCCA+2gAwIBAgIRAJfKe4Zh4aWNt3bv6ZjQwogwDQYJKoZIhvcNAQEMBQAw gZoxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEzMDEGA1UEAwwq 
@@ -2081,6 +2144,23 @@ Pyy25SzFSmNalWoQd9wZVc/Cps2ldxhcttM+WLkFNzprd0VJa8qTz8vYtHP0ouDN nWS0 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- +MIICtDCCAjmgAwIBAgIQKKqVZvk6NsLET+uYv5myCzAKBggqhkjOPQQDAzCBmTEL +MAkGA1UEBhMCVVMxIjAgBgNVBAoMGUFtYXpvbiBXZWIgU2VydmljZXMsIEluYy4x +EzARBgNVBAsMCkFtYXpvbiBSRFMxCzAJBgNVBAgMAldBMTIwMAYDVQQDDClBbWF6 +b24gUkRTIGlsLWNlbnRyYWwtMSBSb290IENBIEVDQzM4NCBHMTEQMA4GA1UEBwwH +U2VhdHRsZTAgFw0yMjEyMDIyMDMyMjBaGA8yMTIyMTIwMjIxMzIyMFowgZkxCzAJ +BgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJbmMuMRMw +EQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTEyMDAGA1UEAwwpQW1hem9u +IFJEUyBpbC1jZW50cmFsLTEgUm9vdCBDQSBFQ0MzODQgRzExEDAOBgNVBAcMB1Nl +YXR0bGUwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAASYwfvj8BmvLAP6UkNQ4X4dXBB/ +webBO7swW+8HnFN2DAu+Cn/lpcDpu+dys1JmkVX435lrCH3oZjol0kCDIM1lF4Cv ++78yoY1Jr/YMat22E4iz4AZd9q0NToS7+ZA0r2yjQjBAMA8GA1UdEwEB/wQFMAMB +Af8wHQYDVR0OBBYEFO/8Py16qPr7J2GWpvxlTMB+op7XMA4GA1UdDwEB/wQEAwIB +hjAKBggqhkjOPQQDAwNpADBmAjEAwk+rg788+u8JL6sdix7l57WTo8E/M+o3TO5x +uRuPdShrBFm4ArGR2PPs4zCQuKgqAjEAi0TA3PVqAxKpoz+Ps8/054p9WTgDfBFZ +i/lm2yTaPs0xjY6FNWoy7fsVw5oEKxOn +-----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- MIIGCTCCA/GgAwIBAgIRAOY7gfcBZgR2tqfBzMbFQCUwDQYJKoZIhvcNAQEMBQAw gZwxCzAJBgNVBAYTAlVTMSIwIAYDVQQKDBlBbWF6b24gV2ViIFNlcnZpY2VzLCBJ bmMuMRMwEQYDVQQLDApBbWF6b24gUkRTMQswCQYDVQQIDAJXQTE1MDMGA1UEAwws 
@@ -2880,3 +2960,124 @@ f9DhFD4ohE1C63XP0kOQee+LYg/MY5vH8swpCSWxQgX5icv5jVDz8YTdCKgUc5u8 rM2p0kk= -----END CERTIFICATE----- ` + +// rdsCertificates contains: +// +// - Amazon RDS af-south-1 Root CA (not before: 2019-10-28T18:05:58Z, not after: 2024-10-26T18:05:58Z) +// - Amazon RDS eu-south-1 Root CA (not before: 2019-10-30T20:20:36Z, not after: 2024-10-28T20:20:36Z) +// - Amazon RDS me-south-1 Root CA (not before: 2019-05-10T21:48:27Z, not after: 2024-05-08T21:48:27Z) +// - Amazon RDS Root 2019 CA (not before: 2019-08-22T17:08:50Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS Beta Root 2019 CA (not before: 2019-08-19T17:38:26Z, not after: 2024-08-19T17:38:26Z) +// - Amazon RDS Preview Root 2019 CA (not before: 2019-08-21T22:29:49Z, not after: 2024-08-21T22:29:49Z) +// - Amazon RDS af-south-1 CA (not before: 2019-10-28T18:06:53Z, not after: 2024-10-28T18:06:53Z) +// - Amazon RDS eu-south-1 CA (not before: 2019-10-30T20:21:30Z, not after: 2024-10-30T20:21:30Z) +// - Amazon RDS me-south-1 CA (not before: 2019-05-10T21:58:43Z, not after: 2025-06-01T12:00:00Z) +// - Amazon RDS ap-south-1 2019 CA (not before: 2019-09-04T17:13:04Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS sa-east-1 2019 CA (not before: 2019-09-05T18:46:29Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS us-west-1 2019 CA (not before: 2019-09-06T17:40:21Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ap-northeast-2 2019 CA (not before: 2019-09-10T17:46:21Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ca-central-1 2019 CA (not before: 2019-09-10T20:52:25Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS eu-west-1 2019 CA (not before: 2019-09-11T17:31:48Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS eu-central-1 2019 CA (not before: 2019-09-11T19:36:20Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS eu-north-1 2019 CA (not before: 2019-09-12T18:19:44Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS eu-west-2 2019 CA (not before: 2019-09-12T21:32:32Z, not after: 
2024-08-22T17:08:50Z) +// - Amazon RDS us-east-2 2019 CA (not before: 2019-09-13T17:06:41Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ap-southeast-1 2019 CA (not before: 2019-09-13T20:11:42Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS us-west-2 2019 CA (not before: 2019-09-16T18:21:15Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ap-southeast-2 2019 CA (not before: 2019-09-16T19:53:47Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ap-northeast-3 2019 CA (not before: 2019-09-17T20:05:29Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS ap-northeast-1 2019 CA (not before: 2019-09-18T16:56:20Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS eu-west-3 2019 CA (not before: 2019-09-18T17:03:15Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS us-east-1 2019 CA (not before: 2019-09-19T18:16:53Z, not after: 2024-08-22T17:08:50Z) +// - Amazon RDS Beta us-east-1 2019 CA (not before: 2019-08-20T17:10:07Z, not after: 2024-08-19T17:38:26Z) +// - Amazon RDS Preview us-east-2 2019 CA (not before: 2019-08-21T22:39:47Z, not after: 2024-08-21T22:29:49Z) +// - Amazon RDS sa-east-1 Root CA RSA2048 G1 (not before: 2021-05-19T18:06:26Z, not after: 2061-05-19T19:06:26Z) +// - Amazon RDS me-central-1 Root CA RSA2048 G1 (not before: 2022-05-06T23:20:09Z, not after: 2062-05-07T00:20:09Z) +// - Amazon RDS us-west-2 Root CA ECC384 G1 (not before: 2021-05-24T22:06:59Z, not after: 2121-05-24T23:06:59Z) +// - Amazon RDS ap-northeast-3 Root CA RSA4096 G1 (not before: 2021-05-24T20:28:03Z, not after: 2121-05-24T21:28:03Z) +// - Amazon RDS af-south-1 Root CA RSA4096 G1 (not before: 2021-05-19T19:28:43Z, not after: 2121-05-19T20:28:43Z) +// - Amazon RDS us-west-1 Root CA RSA4096 G1 (not before: 2021-05-19T19:08:58Z, not after: 2121-05-19T20:08:58Z) +// - Amazon RDS ap-southeast-3 Root CA RSA2048 G1 (not before: 2021-06-10T18:19:07Z, not after: 2061-06-10T19:19:07Z) +// - Amazon RDS ap-south-2 Root CA RSA2048 G1 (not before: 2022-06-06T21:42:22Z, not after: 
2062-06-06T22:42:22Z) +// - Amazon RDS sa-east-1 Root CA ECC384 G1 (not before: 2021-05-19T18:16:01Z, not after: 2121-05-19T19:16:01Z) +// - Amazon RDS us-west-2 Root CA RSA4096 G1 (not before: 2021-05-24T22:03:20Z, not after: 2121-05-24T23:03:20Z) +// - Amazon RDS ap-northeast-3 Root CA RSA2048 G1 (not before: 2021-05-24T20:23:16Z, not after: 2061-05-24T21:23:16Z) +// - Amazon RDS Preview us-east-2 Root CA RSA4096 G1 (not before: 2021-05-18T20:57:50Z, not after: 2121-05-18T21:57:50Z) +// - Amazon RDS ap-southeast-2 Root CA RSA2048 G1 (not before: 2021-05-24T20:42:33Z, not after: 2061-05-24T21:42:33Z) +// - Amazon RDS ap-east-1 Root CA RSA2048 G1 (not before: 2021-05-25T21:30:33Z, not after: 2061-05-25T22:30:33Z) +// - Amazon RDS ap-southeast-1 Root CA RSA4096 G1 (not before: 2021-05-21T21:45:05Z, not after: 2121-05-21T22:45:05Z) +// - Amazon RDS ap-northeast-2 Root CA ECC384 G1 (not before: 2021-05-20T16:38:26Z, not after: 2121-05-20T17:38:26Z) +// - Amazon RDS ap-southeast-1 Root CA RSA2048 G1 (not before: 2021-05-21T21:39:39Z, not after: 2061-05-21T22:39:39Z) +// - Amazon RDS Preview us-east-2 Root CA RSA2048 G1 (not before: 2021-05-18T20:49:45Z, not after: 2061-05-18T21:49:45Z) +// - Amazon RDS ca-central-1 Root CA ECC384 G1 (not before: 2021-05-21T22:13:09Z, not after: 2121-05-21T23:13:09Z) +// - Amazon RDS ap-south-1 Root CA RSA2048 G1 (not before: 2021-05-19T17:40:34Z, not after: 2061-05-19T18:40:34Z) +// - Amazon RDS us-west-1 Root CA RSA2048 G1 (not before: 2021-05-19T19:04:06Z, not after: 2061-05-19T20:04:06Z) +// - Amazon RDS ap-east-1 Root CA ECC384 G1 (not before: 2021-05-25T21:45:11Z, not after: 2121-05-25T22:45:11Z) +// - Amazon RDS ap-southeast-2 Root CA ECC384 G1 (not before: 2021-05-24T20:50:15Z, not after: 2121-05-24T21:50:15Z) +// - Amazon RDS ap-southeast-4 Root CA RSA2048 G1 (not before: 2022-05-25T16:49:16Z, not after: 2062-05-25T17:49:16Z) +// - Amazon RDS us-west-2 Root CA RSA2048 G1 (not before: 2021-05-24T21:59:00Z, not after: 
2061-05-24T22:59:00Z) +// - Amazon RDS ap-northeast-2 Root CA RSA2048 G1 (not before: 2021-05-20T16:28:41Z, not after: 2061-05-20T17:28:41Z) +// - Amazon RDS ap-northeast-3 Root CA ECC384 G1 (not before: 2021-05-24T20:32:17Z, not after: 2121-05-24T21:32:17Z) +// - Amazon RDS Beta us-east-1 Root CA ECC384 G1 (not before: 2021-05-18T21:40:12Z, not after: 2121-05-18T22:40:12Z) +// - Amazon RDS ap-south-1 Root CA ECC384 G1 (not before: 2021-05-19T17:50:59Z, not after: 2121-05-19T18:50:59Z) +// - Amazon RDS ap-northeast-1 Root CA RSA4096 G1 (not before: 2021-05-25T21:59:10Z, not after: 2121-05-25T22:59:10Z) +// - Amazon RDS ap-northeast-1 Root CA ECC384 G1 (not before: 2021-05-25T22:03:16Z, not after: 2121-05-25T23:03:16Z) +// - Amazon RDS Beta us-east-1 Root CA RSA4096 G1 (not before: 2021-05-18T21:34:15Z, not after: 2121-05-18T22:34:15Z) +// - Amazon RDS us-west-1 Root CA ECC384 G1 (not before: 2021-05-19T19:13:24Z, not after: 2121-05-19T20:13:24Z) +// - Amazon RDS ap-south-2 Root CA ECC384 G1 (not before: 2022-06-06T21:54:42Z, not after: 2122-06-06T22:54:42Z) +// - Amazon RDS me-central-1 Root CA RSA4096 G1 (not before: 2022-05-07T00:40:23Z, not after: 2122-05-07T01:40:23Z) +// - Amazon RDS me-south-1 Root CA RSA2048 G1 (not before: 2021-05-20T17:09:16Z, not after: 2061-05-20T18:09:16Z) +// - Amazon RDS ap-southeast-1 Root CA ECC384 G1 (not before: 2021-05-21T21:50:01Z, not after: 2121-05-21T22:50:01Z) +// - Amazon RDS ca-central-1 Root CA RSA2048 G1 (not before: 2021-05-21T22:02:35Z, not after: 2061-05-21T23:02:35Z) +// - Amazon RDS us-east-2 Root CA RSA2048 G1 (not before: 2021-05-21T23:04:44Z, not after: 2061-05-22T00:04:44Z) +// - Amazon RDS us-east-2 Root CA RSA4096 G1 (not before: 2021-05-21T23:11:06Z, not after: 2121-05-22T00:11:06Z) +// - Amazon RDS ap-south-2 Root CA RSA4096 G1 (not before: 2022-06-06T21:48:18Z, not after: 2122-06-06T22:48:18Z) +// - Amazon RDS ap-southeast-4 Root CA ECC384 G1 (not before: 2022-05-25T16:58:33Z, not after: 
2122-05-25T17:58:33Z) +// - Amazon RDS il-central-1 Root CA RSA4096 G1 (not before: 2022-12-02T20:26:08Z, not after: 2122-12-02T21:26:08Z) +// - Amazon RDS Preview us-east-2 Root CA ECC384 G1 (not before: 2021-05-18T21:05:10Z, not after: 2121-05-18T22:05:10Z) +// - Amazon RDS af-south-1 Root CA RSA2048 G1 (not before: 2021-05-19T19:24:16Z, not after: 2061-05-19T20:24:16Z) +// - Amazon RDS ap-east-1 Root CA RSA4096 G1 (not before: 2021-05-25T21:34:51Z, not after: 2121-05-25T22:34:51Z) +// - Amazon RDS us-east-1 Root CA RSA2048 G1 (not before: 2021-05-25T22:34:57Z, not after: 2061-05-25T23:34:57Z) +// - Amazon RDS af-south-1 Root CA ECC384 G1 (not before: 2021-05-19T19:35:16Z, not after: 2121-05-19T20:35:16Z) +// - Amazon RDS ap-northeast-1 Root CA RSA2048 G1 (not before: 2021-05-25T21:54:58Z, not after: 2061-05-25T22:54:58Z) +// - Amazon RDS ap-south-1 Root CA RSA4096 G1 (not before: 2021-05-19T17:45:20Z, not after: 2121-05-19T18:45:20Z) +// - Amazon RDS il-central-1 Root CA RSA2048 G1 (not before: 2022-12-02T20:14:08Z, not after: 2062-12-02T21:14:08Z) +// - Amazon RDS ca-central-1 Root CA RSA4096 G1 (not before: 2021-05-21T22:08:53Z, not after: 2121-05-21T23:08:53Z) +// - Amazon RDS us-east-1 Root CA RSA4096 G1 (not before: 2021-05-25T22:38:35Z, not after: 2121-05-25T23:38:35Z) +// - Amazon RDS me-central-1 Root CA ECC384 G1 (not before: 2022-05-07T00:44:37Z, not after: 2122-05-07T01:44:37Z) +// - Amazon RDS me-south-1 Root CA RSA4096 G1 (not before: 2021-05-20T17:15:33Z, not after: 2121-05-20T18:15:33Z) +// - Amazon RDS Beta us-east-1 Root CA RSA2048 G1 (not before: 2021-05-18T21:28:41Z, not after: 2061-05-18T22:28:41Z) +// - Amazon RDS us-east-1 Root CA ECC384 G1 (not before: 2021-05-25T22:41:55Z, not after: 2121-05-25T23:41:55Z) +// - Amazon RDS sa-east-1 Root CA RSA4096 G1 (not before: 2021-05-19T18:11:20Z, not after: 2121-05-19T19:11:20Z) +// - Amazon RDS il-central-1 Root CA ECC384 G1 (not before: 2022-12-02T20:32:20Z, not after: 2122-12-02T21:32:20Z) +// - 
Amazon RDS ap-southeast-4 Root CA RSA4096 G1 (not before: 2022-05-25T16:54:59Z, not after: 2122-05-25T17:54:59Z) +// - Amazon RDS ap-southeast-2 Root CA RSA4096 G1 (not before: 2021-05-24T20:46:18Z, not after: 2121-05-24T21:46:18Z) +// - Amazon RDS ap-northeast-2 Root CA RSA4096 G1 (not before: 2021-05-20T16:33:23Z, not after: 2121-05-20T17:33:23Z) +// - Amazon RDS ap-southeast-3 Root CA ECC384 G1 (not before: 2021-06-11T00:12:43Z, not after: 2121-06-11T01:12:43Z) +// - Amazon RDS us-east-2 Root CA ECC384 G1 (not before: 2021-05-21T23:15:56Z, not after: 2121-05-22T00:15:56Z) +// - Amazon RDS me-south-1 Root CA ECC384 G1 (not before: 2021-05-20T17:19:55Z, not after: 2121-05-20T18:19:55Z) +// - Amazon RDS ap-southeast-3 Root CA RSA4096 G1 (not before: 2021-06-11T00:08:36Z, not after: 2121-06-11T01:08:36Z) +// - Amazon RDS eu-south-2 Root CA ECC384 G1 (not before: 2022-05-23T18:41:28Z, not after: 2122-05-23T19:41:27Z) +// - Amazon RDS eu-west-3 Root CA ECC384 G1 (not before: 2021-05-25T22:26:12Z, not after: 2121-05-25T23:26:12Z) +// - Amazon RDS eu-west-3 Root CA RSA2048 G1 (not before: 2021-05-25T22:18:33Z, not after: 2061-05-25T23:18:33Z) +// - Amazon RDS eu-central-2 Root CA RSA2048 G1 (not before: 2022-06-06T21:17:05Z, not after: 2062-06-06T22:17:05Z) +// - Amazon RDS eu-west-2 Root CA ECC384 G1 (not before: 2021-05-21T22:55:21Z, not after: 2121-05-21T23:55:21Z) +// - Amazon RDS eu-north-1 Root CA ECC384 G1 (not before: 2021-05-24T21:06:38Z, not after: 2121-05-24T22:06:38Z) +// - Amazon RDS eu-south-2 Root CA RSA4096 G1 (not before: 2022-05-23T18:34:22Z, not after: 2122-05-23T19:34:22Z) +// - Amazon RDS eu-central-1 Root CA ECC384 G1 (not before: 2021-05-21T22:33:24Z, not after: 2121-05-21T23:33:24Z) +// - Amazon RDS eu-west-1 Root CA RSA2048 G1 (not before: 2021-05-20T16:49:12Z, not after: 2061-05-20T17:49:12Z) +// - Amazon RDS eu-central-1 Root CA RSA2048 G1 (not before: 2021-05-21T22:23:47Z, not after: 2061-05-21T23:23:47Z) +// - Amazon RDS eu-west-2 Root CA 
RSA4096 G1 (not before: 2021-05-21T22:51:22Z, not after: 2121-05-21T23:51:22Z) +// - Amazon RDS eu-south-1 Root CA RSA4096 G1 (not before: 2021-05-19T18:33:21Z, not after: 2121-05-19T19:33:21Z) +// - Amazon RDS eu-south-1 Root CA ECC384 G1 (not before: 2021-05-19T18:38:11Z, not after: 2121-05-19T19:38:11Z) +// - Amazon RDS eu-central-2 Root CA ECC384 G1 (not before: 2022-06-06T21:29:17Z, not after: 2122-06-06T22:29:17Z) +// - Amazon RDS eu-west-3 Root CA RSA4096 G1 (not before: 2021-05-25T22:22:33Z, not after: 2121-05-25T23:22:33Z) +// - Amazon RDS eu-west-1 Root CA RSA4096 G1 (not before: 2021-05-20T16:53:54Z, not after: 2121-05-20T17:53:54Z) +// - Amazon RDS eu-central-1 Root CA RSA4096 G1 (not before: 2021-05-21T22:28:26Z, not after: 2121-05-21T23:28:26Z) +// - Amazon RDS eu-north-1 Root CA RSA2048 G1 (not before: 2021-05-24T20:59:21Z, not after: 2061-05-24T21:59:21Z) +// - Amazon RDS eu-south-2 Root CA RSA2048 G1 (not before: 2022-05-23T18:16:32Z, not after: 2062-05-23T19:16:32Z) +// - Amazon RDS eu-west-1 Root CA ECC384 G1 (not before: 2021-05-20T16:58:07Z, not after: 2121-05-20T17:58:07Z) +// - Amazon RDS eu-central-2 Root CA RSA4096 G1 (not before: 2022-06-06T21:25:23Z, not after: 2122-06-06T22:25:23Z) +// - Amazon RDS eu-west-2 Root CA RSA2048 G1 (not before: 2021-05-21T22:46:24Z, not after: 2061-05-21T23:46:24Z) +// - Amazon RDS eu-south-1 Root CA RSA2048 G1 (not before: 2021-05-19T18:27:18Z, not after: 2061-05-19T19:27:18Z) +// - Amazon RDS eu-north-1 Root CA RSA4096 G1 (not before: 2021-05-24T21:03:20Z, not after: 2121-05-24T22:03:20Z) diff --git a/internal/certificate/rds_proxy.go b/internal/certificate/rds_proxy.go deleted file mode 100644 index a36b3f7..0000000 --- a/internal/certificate/rds_proxy.go +++ /dev/null 
@@ -1,25 +0,0 @@
-package certificate
-
-// https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/rds-proxy.html#rds-proxy-connecting-iam
-// the root certificate for RDS Proxy from https://www.amazontrust.com/repository/AmazonRootCA1.pem
-const rdsProxyCertificate = `-----BEGIN CERTIFICATE-----
-MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
-ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
-b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
-MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
-b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
-ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
-9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
-IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
-VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
-93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
-jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
-AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
-A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
-U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
-N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
-o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
-5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
-rqXRfboQnoZsG4q5WTP468SQvvG5
------END CERTIFICATE-----
-`
diff --git a/internal/cmd/update_certificate/main.go b/internal/cmd/update_certificate/main.go
new file mode 100644
index 0000000..aa0de22
--- /dev/null
+++ b/internal/cmd/update_certificate/main.go
@@ -0,0 +1,121 @@
+package main
+
+import (
+ "bytes"
+ "context"
+ "crypto/x509"
+ "encoding/pem"
+ "fmt"
+ "go/format"
+ "io"
+ "net/http"
+ "os"
+ "os/signal"
+ "syscall"
+ "time"
+)
+
+func main() {
+ ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
+ defer cancel()
+
+ err := downloadCertificate(ctx, &options{
+ file: "rds.go",
+ pkg: "certificate",
+ url: "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem",
+ name: "rdsCertificates",
+ comment: `// rdsCertificates is the intermediate and root [certificates] for [Amazon RDS MySQL] and [Amazon Aurora MySQL].
+//
+// [Amazon RDS MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions
+// [Amazon Aurora MySQL]: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions
+// [certificates]: https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem
+`,
+ })
+ if err != nil {
+ panic(err)
+ }
+}
+
+type options struct {
+ file string
+ pkg string
+ url string
+ name string
+ comment string
+}
+
+func downloadCertificate(ctx context.Context, opts *options) error {
+ pemCerts, err := download(ctx, opts.url)
+ if err != nil {
+ return err
+ }
+
+ certs, err := parseCertificate(pemCerts)
+ if err != nil {
+ return err
+ }
+
+ buf := &bytes.Buffer{}
+ buf.WriteString("// Code generated by cmd/update_certificate/main.go; DO NOT EDIT.\n\n")
+ buf.WriteString("package " + opts.pkg + "\n\n")
+ buf.WriteString(opts.comment)
+ buf.WriteString("const " + opts.name + " = `")
+ buf.Write(pemCerts)
+ buf.WriteString("`\n\n")
+
+ buf.WriteString("// " + opts.name + " contains:\n")
+ buf.WriteString("//\n")
+ for _, cert := range certs {
+ nbf := cert.NotBefore.Format(time.RFC3339)
+ naf := cert.NotAfter.Format(time.RFC3339)
+ fmt.Fprintf(buf, "// - %50s (not before: %s, not after: %s)\n", cert.Subject.CommonName, nbf, naf)
+ }
+
+ data, err := format.Source(buf.Bytes())
+ if err != nil {
+ return err
+ }
+
+ return os.WriteFile(opts.file, data, 0644)
+}
+
+func download(ctx context.Context, url string) ([]byte, error) {
+ req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
+ if err != nil {
+ return nil, err
+ }
+
+ resp, err := http.DefaultClient.Do(req)
+ if err != nil {
+ return nil, err
+ }
+ defer resp.Body.Close()
+
+ if resp.StatusCode != http.StatusOK {
+ return nil, fmt.Errorf("unexpected status code: %d", resp.StatusCode)
+ }
+
+ return io.ReadAll(resp.Body)
+}
+
+func parseCertificate(pemCerts []byte) ([]*x509.Certificate, error) {
+ var certs []*x509.Certificate
+ for len(pemCerts) > 0 {
+ var block *pem.Block
+ block, pemCerts = pem.Decode(pemCerts)
+ if block == nil {
+ break
+ }
+ if block.Type != "CERTIFICATE" || len(block.Headers) != 0 {
+ continue
+ }
+
+ certBytes := block.Bytes
+ cert, err := x509.ParseCertificate(certBytes)
+ if err != nil {
+ return nil, err
+ }
+ certs = append(certs, cert)
+ }
+ return certs, nil
+}
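Review bot: downloadCertificate writes the raw response body (`buf.Write(pemCerts)`) between the backticks of the generated constant, so anything in the body other than the blocks parseCertificate accepted lands in rds.go unchecked: text around the PEM blocks, non-CERTIFICATE blocks, or a stray backtick. A body that yields zero certificates is also treated as success. Because this file becomes the trust anchor set and is produced by an unattended scheduled job, I would fail when nothing parses and emit only the re-encoded parsed certificates, as in the excerpt below. Separately, `http.DefaultClient` has no timeout and `io.ReadAll(resp.Body)` is unbounded; a client with a `Timeout` and an `io.LimitReader` around the body would bound both.

```go
func downloadCertificate(ctx context.Context, opts *options) error {
	// … unchanged: download and parseCertificate calls …
	if len(certs) == 0 {
		return fmt.Errorf("no certificates found in %s", opts.url)
	}

	// Emit only the blocks that parsed as certificates, so nothing else from
	// the response body can end up inside the raw string literal.
	var bundle bytes.Buffer
	for _, cert := range certs {
		if err := pem.Encode(&bundle, &pem.Block{Type: "CERTIFICATE", Bytes: cert.Raw}); err != nil {
			return err
		}
	}

	// … unchanged: generated-code header, package clause and doc comment …
	buf.WriteString("const " + opts.name + " = `")
	buf.Write(bundle.Bytes())
	// … unchanged: closing backtick, certificate listing, format.Source, os.WriteFile …
}
```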