How to find out which trusted CAs are pre-installed for AWS Lambda?

Problem description

For my AWS Lambda I need to know which CAs are trusted. I want a list of the CAs, so that for the service the lambda tries to reach, it can trust it without installing any new certificates.

Tags: aws-lambda, ssl-certificate

Solution

You can find out for yourself:

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.LambdaLogger;
import com.amazonaws.services.lambda.runtime.RequestStreamHandler;

public class PrintCAInfo implements RequestStreamHandler {

    public void handleRequest(InputStream inputStream, OutputStream outputStream, Context context) throws IOException {
        LambdaLogger logger = context.getLogger();

        StringBuilder stringBuilder = new StringBuilder("[");

        try {
            // The default algorithm (PKIX) initialised with a null KeyStore uses the runtime's
            // own trust store, i.e. exactly what the JVM in this Lambda trusts out of the box.
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);

            for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
                X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
                // getAcceptedIssuers() returns every CA certificate the trust manager accepts
                for (X509Certificate x509Certificate : x509TrustManager.getAcceptedIssuers()) {
                    stringBuilder.append("{");
                    stringBuilder.append("\"subjectDN\":\"");
                    // strip double quotes so the subject can be embedded in the JSON string as-is
                    stringBuilder.append(x509Certificate.getSubjectDN().toString().replaceAll("\"", ""));
                    stringBuilder.append("\"},");
                }
            }

        } catch (NoSuchAlgorithmException | KeyStoreException e) {
            e.printStackTrace();
        }

        // drop the trailing comma, but only if at least one certificate was appended
        if (stringBuilder.length() > 1) {
            stringBuilder.setLength(stringBuilder.length() - 1);
        }

        stringBuilder.append("]");

        OutputStreamWriter writer = new OutputStreamWriter(outputStream, StandardCharsets.UTF_8);
        writer.write(stringBuilder.toString());
        logger.log(stringBuilder.toString());

        writer.close();
    }
}

This returns (and logs) a very simple JSON body:

[
  {
    "subjectDN": "CN=Amazon RDS eu-south-1 CA, OU=Amazon RDS, O=Amazon Web Services, Inc., L=Seattle, ST=Washington, C=US"
  },
  {
    "subjectDN": "CN=Hongkong Post Root CA 1, O=Hongkong Post, C=HK"
  },
  {
    "subjectDN": "CN=SecureTrust CA, O=SecureTrust Corporation, C=US"
  },
  {
    "subjectDN": "CN=Entrust Root Certification Authority - EC1, OU=(c) 2012 Entrust, Inc. - for authorized use only, OU=See www.entrust.net/legal-terms, O=Entrust, Inc., C=US"
  },
  {
    "subjectDN": "CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US"
  },
  {
    "subjectDN": "OU=Security Communication RootCA1, O=SECOM Trust.net, C=JP"
  },

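The list above answers "which roots are there", but what the question actually needs to know is whether a given service's chain validates against that store. The following is an added example (not part of the answer above, and not AWS code) that builds trust anchors from the same default TrustManagerFactory and runs PKIX path validation on a chain read from a PEM file; the class name LambdaTrustCheck and the file-path argument are assumptions for the example.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name): validates a service's certificate chain against the
// runtime's default trust store and reports which pre-installed root completes the path.
public class LambdaTrustCheck {
    // Trust anchors taken from the default TrustManagerFactory, the same set the answer enumerates.
    static Set<TrustAnchor> defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => the runtime's own cacerts
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : tm.getAcceptedIssuers()) anchors.add(new TrustAnchor(ca, null));
        return anchors;
    }
    // Reads a PEM file holding the server's chain, leaf first, intermediates included.
    static List<X509Certificate> readPemChain(Path pemFile) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        for (Certificate c : CertificateFactory.getInstance("X.509")
                .generateCertificates(Files.newInputStream(pemFile))) {
            chain.add((X509Certificate) c);
        }
        return chain;
    }
    // Subject of the anchor that completes the chain, or null when the default store cannot
    // build a path (the CA would then have to be shipped with the function explicitly).
    static String trustedBy(List<X509Certificate> chain) throws Exception {
        PKIXParameters params = new PKIXParameters(defaultAnchors());
        params.setRevocationEnabled(false); // keep the check offline; trust, not revocation, is the question
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            return r.getTrustAnchor().getTrustedCert().getSubjectX500Principal().getName();
        } catch (CertPathValidatorException e) {
            return null;
        }
    }
    public static void main(String[] args) throws Exception {
        String anchor = trustedBy(readPemChain(Path.of(args[0])));
        System.out.println(anchor == null ? "not trusted by the default store" : "trusted via " + anchor);
    }
}
```

Run it inside the target Lambda runtime (or a container built from the same runtime image) rather than on a workstation, since the result depends on that JVM's cacerts, not yours.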