はじめに
Lambda 実行環境で使用されているルート証明書が気になったので確認してみた。
ステップ 1: 実行環境の確認
ひとまず以下のコードで Lambda 実行環境の OS を確認。
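def lambda_handler(event, context, *, path='/etc/os-release'):
    """Return the raw lines of the runtime's os-release file.

    Used to identify which OS image the Lambda execution environment is
    running on. ``event`` and ``context`` are accepted to satisfy the Lambda
    handler contract but are not read.

    Args:
        event: Lambda invocation payload (ignored).
        context: Lambda context object (ignored).
        path: File to read; defaults to the standard os-release location.
            Keyword-only so the runtime's positional ``(event, context)``
            call is unaffected.

    Returns:
        dict with a single key ``'body'`` holding the file's lines, each
        still carrying its trailing newline.

    Raises:
        OSError: if ``path`` cannot be opened (e.g. ``FileNotFoundError``).
    """
    # Explicit encoding: os-release is specified as UTF-8, and the decode
    # should not depend on whatever locale the runtime happens to export.
    with open(path, 'r', encoding='utf-8') as os_file:
        os_files = os_file.readlines()
    return {
        'body': os_files
    }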
実行結果は以下の通りで、Amazon Linux 2023（この時点では `PRETTY_NAME` が 2023.5.20240903）が使用されている。イメージは随時更新されるため、バージョン値は実行時期や Python ランタイムのバージョンによって変わる。
{
"body": [
"NAME=\"Amazon Linux\"\n",
"VERSION=\"2023\"\n",
"ID=\"amzn\"\n",
"ID_LIKE=\"fedora\"\n",
"VERSION_ID=\"2023\"\n",
"PLATFORM_ID=\"platform:al2023\"\n",
"PRETTY_NAME=\"Amazon Linux 2023.5.20240903\"\n",
"ANSI_COLOR=\"0;33\"\n",
"CPE_NAME=\"cpe:2.3:o:amazon:amazon_linux:2023\"\n",
"HOME_URL=\"https://aws.amazon.com/linux/amazon-linux-2023/\"\n",
"DOCUMENTATION_URL=\"https://docs.aws.amazon.com/linux/\"\n",
"SUPPORT_URL=\"https://aws.amazon.com/premiumsupport/\"\n",
"BUG_REPORT_URL=\"https://github.com/amazonlinux/amazon-linux-2023\"\n",
"VENDOR_NAME=\"AWS\"\n",
"VENDOR_URL=\"https://aws.amazon.com/\"\n",
"SUPPORT_END=\"2028-03-15\"\n",
"VARIANT_ID=\"202409061136-2023.222.0\"\n"
]
}
ステップ 2: ルート証明書の確認
RHEL / Fedora 系（Amazon Linux を含む）の Linux 環境では、システムのルート証明書バンドルは以下のファイルにあるはず（通常は `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem` へのシンボリックリンク。Debian 系では `/etc/ssl/certs/ca-certificates.crt`）。
/etc/pki/tls/certs/ca-bundle.crt
以下のコードで ca-bundle.crt を確認。証明書をパースするのではなく、各 PEM ブロックの直前に付いている `#` で始まるラベル行だけを抜き出している（なお、コード中の `import ssl` は使用していない）。
import ssl
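def lambda_handler(event, context, *, ca_bundle_path='/etc/pki/tls/certs/ca-bundle.crt'):
    """List the CA labels found in the runtime's system CA bundle.

    The bundle is a concatenated PEM file in which each certificate is
    preceded by a ``# <label>`` comment line. This handler returns only
    those comment lines; it does not parse or validate the certificates,
    so the labels are informational and do not by themselves prove that a
    given CA is present or trusted for a given purpose. ``event`` and
    ``context`` satisfy the Lambda handler contract but are not read.

    Args:
        event: Lambda invocation payload (ignored).
        context: Lambda context object (ignored).
        ca_bundle_path: PEM bundle to scan; defaults to the RHEL/Fedora-style
            system bundle path. Keyword-only so the runtime's positional
            ``(event, context)`` call is unaffected.

    Returns:
        dict with a single key ``'body'`` holding the stripped ``#`` lines,
        in file order.

    Raises:
        OSError: if ``ca_bundle_path`` cannot be opened.
    """
    # Explicit UTF-8: some CA labels are non-ASCII, and the decode should
    # not depend on the runtime's locale. Iterating the file directly
    # avoids holding every PEM line in memory just to keep the labels.
    with open(ca_bundle_path, 'r', encoding='utf-8') as ca_file:
        labels = [line.strip() for line in ca_file if line.startswith('#')]
    return {
        'body': labels
    }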
以下のように確認できた。ただし、ここで見えているのは各 PEM ブロック直前の `#` ラベル行だけで、証明書の内容（サブジェクト、有効期限、鍵）を検証したわけではない。Amazon RDS の各リージョン CA が OS のトラストストアに含まれているのは Amazon Linux の ca-certificates パッケージの特徴で、RDS への TLS 接続は追加の CA バンドルなしで検証できる一方、これらの CA はランタイムからのあらゆる TLS 接続に対して信頼される点は意識しておきたい。また、標準ライブラリの `ssl` / `urllib` は通常 OpenSSL の既定パス経由でこのファイルを使うが、`requests`（certifi）や `botocore` のように独自の CA バンドルを同梱するライブラリは、`REQUESTS_CA_BUNDLE` / `AWS_CA_BUNDLE` などで明示しない限りこのファイルを参照しない。
{
"body": [
"# Amazon RDS ap-south-2 Root CA RSA4096 G1",
"# Amazon RDS eu-west-2 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-5 Root CA RSA2048 G1",
"# Amazon RDS eu-south-1 CA",
"# Amazon RDS ap-southeast-3 Root CA RSA4096 G1",
"# Amazon RDS af-south-1 Root CA RSA4096 G1",
"# Amazon RDS eu-central-2 Root CA RSA4096 G1",
"# Amazon RDS sa-east-1 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-1 2019 CA",
"# Amazon RDS ap-northeast-2 Root CA RSA4096 G1",
"# Amazon RDS us-east-1 Root CA RSA2048 G1",
"# Amazon RDS af-south-1 CA",
"# Amazon RDS ap-northeast-3 2019 CA",
"# Amazon RDS eu-south-1 Root CA",
"# Amazon RDS ca-central-1 2019 CA",
"# Amazon RDS ap-southeast-3 Root CA RSA2048 G1",
"# Amazon RDS eu-central-2 Root CA RSA2048 G1",
"# Amazon RDS eu-north-1 Root CA RSA4096 G1",
"# Amazon RDS eu-central-1 Root CA RSA2048 G1",
"# Amazon RDS us-west-1 2019 CA",
"# Amazon RDS ap-northeast-1 Root CA ECC384 G1",
"# Amazon RDS ap-northeast-1 Root CA RSA4096 G1",
"# Amazon RDS eu-central-2 Root CA ECC384 G1",
"# Amazon RDS Preview us-east-2 2019 CA",
"# Amazon RDS ap-south-2 Root CA ECC384 G1",
"# Amazon RDS Beta us-east-1 Root CA RSA2048 G1",
"# Amazon RDS af-south-1 Root CA",
"# Amazon RDS ap-southeast-4 Root CA RSA2048 G1",
"# Amazon RDS me-central-1 Root CA RSA2048 G1",
"# Amazon RDS Preview us-east-2 Root CA RSA2048 G1",
"# Amazon RDS eu-west-2 Root CA RSA2048 G1",
"# Amazon RDS ap-east-1 Root CA RSA2048 G1",
"# Amazon RDS eu-west-3 Root CA RSA4096 G1",
"# Amazon RDS eu-central-1 Root CA ECC384 G1",
"# Amazon RDS Beta us-east-1 2019 CA",
"# Amazon RDS eu-north-1 2019 CA",
"# Amazon RDS il-central-1 Root CA RSA2048 G1",
"# Amazon RDS ca-central-1 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-4 Root CA RSA4096 G1",
"# Amazon RDS eu-west-1 Root CA RSA4096 G1",
"# Amazon RDS eu-west-3 2019 CA",
"# Amazon RDS us-east-1 Root CA RSA4096 G1",
"# Amazon RDS eu-south-1 Root CA ECC384 G1",
"# Amazon RDS ap-south-1 Root CA RSA4096 G1",
"# Amazon RDS ap-southeast-3 Root CA ECC384 G1",
"# Amazon RDS ca-west-1 Root CA RSA2048 G1",
"# Amazon RDS ap-south-2 Root CA RSA2048 G1",
"# Amazon RDS Root 2019 CA",
"# Amazon RDS ap-southeast-5 Root CA ECC384 G1",
"# Amazon RDS ap-northeast-2 Root CA RSA2048 G1",
"# Amazon RDS ap-east-1 Root CA RSA4096 G1",
"# Amazon RDS eu-central-1 Root CA RSA4096 G1",
"# Amazon RDS ap-south-1 2019 CA",
"# Amazon RDS il-central-1 Root CA ECC384 G1",
"# Amazon RDS eu-west-2 Root CA RSA4096 G1",
"# Amazon RDS us-west-2 Root CA RSA4096 G1",
"# Amazon RDS ca-central-1 Root CA RSA2048 G1",
"# Amazon RDS ca-central-1 Root CA RSA4096 G1",
"# Amazon RDS me-south-1 Root CA",
"# Amazon RDS eu-west-1 2019 CA",
"# Amazon RDS eu-west-1 Root CA RSA2048 G1",
"# Amazon RDS us-east-2 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-5 Root CA RSA4096 G1",
"# Amazon RDS ap-northeast-1 Root CA RSA2048 G1",
"# Amazon RDS ap-southeast-2 Root CA ECC384 G1",
"# Amazon RDS ap-northeast-3 Root CA ECC384 G1",
"# Amazon RDS me-south-1 Root CA RSA4096 G1",
"# Amazon RDS ap-southeast-1 Root CA RSA2048 G1",
"# Amazon RDS ap-northeast-2 2019 CA",
"# Amazon RDS ca-west-1 Root CA RSA4096 G1",
"# Amazon RDS ap-northeast-1 2019 CA",
"# Amazon RDS me-central-1 Root CA RSA4096 G1",
"# Amazon RDS eu-south-1 Root CA RSA4096 G1",
"# Amazon RDS il-central-1 Root CA RSA4096 G1",
"# Amazon RDS eu-central-1 2019 CA",
"# Amazon RDS me-south-1 Root CA ECC384 G1",
"# Amazon RDS eu-south-2 Root CA ECC384 G1",
"# Amazon RDS us-west-1 Root CA ECC384 G1",
"# Amazon RDS Beta us-east-1 Root CA ECC384 G1",
"# Amazon RDS ap-northeast-3 Root CA RSA2048 G1",
"# Amazon RDS eu-north-1 Root CA RSA2048 G1",
"# Amazon RDS Preview us-east-2 Root CA RSA4096 G1",
"# Amazon RDS me-south-1 Root CA RSA2048 G1",
"# Amazon RDS us-east-2 2019 CA",
"# Amazon RDS ap-northeast-2 Root CA ECC384 G1",
"# Amazon RDS eu-west-1 Root CA ECC384 G1",
"# Amazon RDS ap-northeast-3 Root CA RSA4096 G1",
"# Amazon RDS ap-south-1 Root CA ECC384 G1",
"# Amazon RDS eu-south-2 Root CA RSA2048 G1",
"# Amazon RDS ca-west-1 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-1 Root CA RSA4096 G1",
"# Amazon RDS ap-southeast-2 2019 CA",
"# Amazon RDS sa-east-1 2019 CA",
"# Amazon RDS Beta us-east-1 Root CA RSA4096 G1",
"# Amazon RDS us-east-1 2019 CA",
"# Amazon RDS Preview Root 2019 CA",
"# Amazon RDS Beta Root 2019 CA",
"# Amazon RDS us-west-2 2019 CA",
"# Amazon RDS ap-east-1 Root CA ECC384 G1",
"# Amazon RDS ap-southeast-2 Root CA RSA2048 G1",
"# Amazon RDS us-east-2 Root CA RSA4096 G1",
"# Amazon RDS sa-east-1 Root CA RSA2048 G1",
"# Amazon RDS ap-south-1 Root CA RSA2048 G1",
"# Amazon RDS us-west-1 Root CA RSA2048 G1",
"# Amazon RDS us-west-2 Root CA ECC384 G1",
"# Amazon RDS Preview us-east-2 Root CA ECC384 G1",
"# Amazon RDS me-central-1 Root CA ECC384 G1",
"# Amazon RDS af-south-1 Root CA ECC384 G1",
"# Amazon RDS us-east-2 Root CA RSA2048 G1",
"# Amazon RDS ap-southeast-2 Root CA RSA4096 G1",
"# Amazon RDS us-east-1 Root CA ECC384 G1",
"# Amazon RDS eu-west-2 2019 CA",
"# Amazon RDS ap-southeast-4 Root CA ECC384 G1",
"# Amazon RDS sa-east-1 Root CA RSA4096 G1",
"# Amazon RDS eu-west-3 Root CA ECC384 G1",
"# Amazon RDS me-south-1 CA",
"# Amazon RDS eu-west-3 Root CA RSA2048 G1",
"# Amazon RDS us-west-1 Root CA RSA4096 G1",
"# Amazon RDS eu-south-2 Root CA RSA4096 G1",
"# Amazon RDS eu-south-1 Root CA RSA2048 G1",
"# Amazon RDS af-south-1 Root CA RSA2048 G1",
"# Amazon RDS us-west-2 Root CA RSA2048 G1",
"# Amazon RDS ap-southeast-1 Root CA ECC384 G1",
"# Amazon RDS eu-north-1 Root CA ECC384 G1",
"# ACCVRAIZ1",
"# AC RAIZ FNMT-RCM",
"# AC RAIZ FNMT-RCM SERVIDORES SEGUROS",
"# ANF Secure Server Root CA",
"# Actalis Authentication Root CA",
"# AffirmTrust Commercial",
"# AffirmTrust Networking",
"# AffirmTrust Premium",
"# AffirmTrust Premium ECC",
"# Amazon Root CA 1",
"# Amazon Root CA 2",
"# Amazon Root CA 3",
"# Amazon Root CA 4",
"# Atos TrustedRoot 2011",
"# Atos TrustedRoot Root CA ECC TLS 2021",
"# Atos TrustedRoot Root CA RSA TLS 2021",
"# Autoridad de Certificacion Firmaprofesional CIF A62634068",
"# BJCA Global Root CA1",
"# BJCA Global Root CA2",
"# Baltimore CyberTrust Root",
"# Buypass Class 2 Root CA",
"# Buypass Class 3 Root CA",
"# CA Disig Root R2",
"# CFCA EV ROOT",
"# COMODO Certification Authority",
"# COMODO ECC Certification Authority",
"# COMODO RSA Certification Authority",
"# Certainly Root E1",
"# Certainly Root R1",
"# Certigna",
"# Certigna Root CA",
"# Certum EC-384 CA",
"# Certum Trusted Network CA",
"# Certum Trusted Network CA 2",
"# Certum Trusted Root CA",
"# CommScope Public Trust ECC Root-01",
"# CommScope Public Trust ECC Root-02",
"# CommScope Public Trust RSA Root-01",
"# CommScope Public Trust RSA Root-02",
"# Comodo AAA Services root",
"# D-TRUST BR Root CA 1 2020",
"# D-TRUST EV Root CA 1 2020",
"# D-TRUST Root Class 3 CA 2 2009",
"# D-TRUST Root Class 3 CA 2 EV 2009",
"# DigiCert Assured ID Root CA",
"# DigiCert Assured ID Root G2",
"# DigiCert Assured ID Root G3",
"# DigiCert Global Root CA",
"# DigiCert Global Root G2",
"# DigiCert Global Root G3",
"# DigiCert High Assurance EV Root CA",
"# DigiCert TLS ECC P384 Root G5",
"# DigiCert TLS RSA4096 Root G5",
"# DigiCert Trusted Root G4",
"# Entrust.net Premium 2048 Secure Server CA",
"# Entrust Root Certification Authority",
"# Entrust Root Certification Authority - EC1",
"# Entrust Root Certification Authority - G2",
"# Entrust Root Certification Authority - G4",
"# GDCA TrustAUTH R5 ROOT",
"# GLOBALTRUST 2020",
"# GTS Root R1",
"# GTS Root R2",
"# GTS Root R3",
"# GTS Root R4",
"# GlobalSign ECC Root CA - R4",
"# GlobalSign ECC Root CA - R5",
"# GlobalSign Root CA",
"# GlobalSign Root CA - R3",
"# GlobalSign Root CA - R6",
"# GlobalSign Root E46",
"# GlobalSign Root R46",
"# Go Daddy Class 2 CA",
"# Go Daddy Root Certificate Authority - G2",
"# HARICA TLS ECC Root CA 2021",
"# HARICA TLS RSA Root CA 2021",
"# Hellenic Academic and Research Institutions ECC RootCA 2015",
"# Hellenic Academic and Research Institutions RootCA 2015",
"# HiPKI Root CA - G1",
"# Hongkong Post Root CA 3",
"# ISRG Root X1",
"# ISRG Root X2",
"# IdenTrust Commercial Root CA 1",
"# IdenTrust Public Sector Root CA 1",
"# Izenpe.com",
"# Microsec e-Szigno Root CA 2009",
"# Microsoft ECC Root Certificate Authority 2017",
"# Microsoft RSA Root Certificate Authority 2017",
"# NAVER Global Root Certification Authority",
"# NetLock Arany (Class Gold) Főtanúsítvány",
"# OISTE WISeKey Global Root GB CA",
"# OISTE WISeKey Global Root GC CA",
"# QuoVadis Root CA 1 G3",
"# QuoVadis Root CA 2",
"# QuoVadis Root CA 2 G3",
"# QuoVadis Root CA 3",
"# QuoVadis Root CA 3 G3",
"# SSL.com EV Root Certification Authority ECC",
"# SSL.com EV Root Certification Authority RSA R2",
"# SSL.com Root Certification Authority ECC",
"# SSL.com Root Certification Authority RSA",
"# SSL.com TLS ECC Root CA 2022",
"# SSL.com TLS RSA Root CA 2022",
"# SZAFIR ROOT CA2",
"# Sectigo Public Server Authentication Root E46",
"# Sectigo Public Server Authentication Root R46",
"# SecureSign RootCA11",
"# SecureTrust CA",
"# Secure Global CA",
"# Security Communication ECC RootCA1",
"# Security Communication RootCA2",
"# Security Communication RootCA3",
"# Starfield Class 2 CA",
"# Starfield Root Certificate Authority - G2",
"# Starfield Services Root Certificate Authority - G2",
"# SwissSign Gold CA - G2",
"# SwissSign Silver CA - G2",
"# T-TeleSec GlobalRoot Class 2",
"# T-TeleSec GlobalRoot Class 3",
"# TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1",
"# TWCA Global Root CA",
"# TWCA Root Certification Authority",
"# TeliaSonera Root CA v1",
"# Telia Root CA v2",
"# TrustAsia Global Root CA G3",
"# TrustAsia Global Root CA G4",
"# Trustwave Global Certification Authority",
"# Trustwave Global ECC P256 Certification Authority",
"# Trustwave Global ECC P384 Certification Authority",
"# TunTrust Root CA",
"# UCA Extended Validation Root",
"# UCA Global G2 Root",
"# USERTrust ECC Certification Authority",
"# USERTrust RSA Certification Authority",
"# XRamp Global CA Root",
"# certSIGN ROOT CA",
"# certSIGN Root CA G2",
"# e-Szigno Root CA 2017",
"# ePKI Root Certification Authority",
"# emSign ECC Root CA - C3",
"# emSign ECC Root CA - G3",
"# emSign Root CA - C1",
"# emSign Root CA - G1",
"# vTrus ECC Root CA",
"# vTrus Root CA"
]
}