Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use installed Android cacerts for URLSession #5163

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Use installed Android cacerts for URLSession #5163

wants to merge 8 commits into from

Conversation

marcprux
Copy link

This PR will cause URLSession to use the installed Android cacerts folders (/apex/com.android.conscrypt/cacerts and /system/etc/security/cacerts), similar to how swift-nio supports TLS on Android (apple/swift-nio-ssl#453). If no custom URLSessionCertificateAuthorityInfoFile environment variable is set, it will dynamically assemble a certificate file from the contents of those folders, and then instruct curl to use it with the curl_easy_setopt parameter CURLOPT_CAINFO.

This has the benefits of:

  1. https URLs will work out-of-the-box on Android without an app needing to bundle it's own custom certificate file (typically from https://curl.haxx.se/ca/cacert.pem)
  2. Android system updates that add and remove certificate authorities will be respected in apps that use Swift

@parkera parkera requested a review from guoye-zhang January 24, 2025 23:12
@guoye-zhang guoye-zhang requested a review from jrflat January 25, 2025 00:29
@marcprux marcprux marked this pull request as draft January 25, 2025 13:54
@marcprux marcprux marked this pull request as ready for review January 25, 2025 23:08
@marcprux
Copy link
Author

This is ready for review. I've tested it out against the swift-6.0.3-RELEASE-android-24-0.1.artifactbundle.tar.gz artifact from https://github.com/marcprux/swift-android-sdk/actions/runs/12960699464 and loading an https site works on Android.

marcprux added a commit to marcprux/swift-android-sdk that referenced this pull request Jan 25, 2025
@marcprux
Update patch to match swiftlang/swift-corelibs-foundation#5163
53088eb
marcprux added a commit to marcprux/swift-android-sdk that referenced this pull request Jan 25, 2025
@marcprux
Add swift-android-foundation-cacerts.patch (#18)
dc8069d 
* Add swift-android-foundation-cacerts.patch

* Update cache key for PR

* Update swift-android-foundation-cacerts.patch

* Update patch to use CFURLSessionOptionCAPATH instead of CFURLSessionOptionCAINFO

* New cache key for github workflow

* Fix check for isDirectory

* Revert "Fix check for isDirectory"

This reverts commit ff12e16.

* Revert "Update patch to use CFURLSessionOptionCAPATH instead of CFURLSessionOptionCAINFO"

This reverts commit 94e355e.

* Go back to using CFURLSessionOptionCAINFO instead of CFURLSessionOptionCAPATH, since the latter does not work

* Update patch to match swiftlang/swift-corelibs-foundation#5163
@marcprux marcprux mentioned this pull request Jan 25, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@guoye-zhang guoye-zhang Awaiting requested review from guoye-zhang

@jrflat jrflat Awaiting requested review from jrflat

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@marcprux