crypto/x509: Incorrect user trust store directory is used for Android #71258
Labels
BugReport
Issues describing a possible bug in the Go implementation.
mobile
Android, iOS, and x/mobile
OS-Android
Comments
|
Related Issues (Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.) |
gabyhelp
added
the
BugReport
|
Hmm, there's another potential issue. The system and apex directories contain PEM-encoded certificates, but Android writes DER-encoded certificates to the user directory (regardless of what the original format was during import). |
|
CC @golang/security @golang/android |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In #58922, the following user trust store directory was added to crypto/x509 for Android:
go/src/crypto/x509/root_linux.go
Line 29 in 6da1601
However, Android hasn't used this path since 2014 and instead uses
/data/misc/user/<user ID>/cacerts-added, where<user ID>is the Android user ID (not Linux/POSIX UID).I'm not sure if there's a good public API to get the user ID.
UserHandle.myUserId()(on the Java side) is not public. However, the Android user ID is implemented asgetuid() / 100000. As far as I can tell, this has never changed since Android got multi-user support ~14 years ago. Maybe it's good enough to rely on this implementation detail?Some links:
/data/misc/user/<user ID>/cacerts-addedfor the Java TLS stack/data/misc/keychain/certs-addeddirectorySide note: For system CA certs, golang currently only loads
/system/etc/security/cacerts, but ever since Android 14, the system CA certs became updatable and/apex/com.android.conscrypt/cacertsshould have priority: https://android.googlesource.com/platform/frameworks/base/+/refs/tags/android-15.0.0_r12/core/java/android/security/net/config/SystemCertificateSource.java#48The text was updated successfully, but these errors were encountered: