From: Tom Linford <tomlinford@gmail.com>
Date: Mon, 29 Sep 2014 23:51:49 +0000 (+1000)
Subject: x509: add root certs for android.
X-Git-Tag: go1.4beta1~248
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=5368e63b57f742495fcbbb82bb15772b761004bf;p=gostls13.git

x509: add root certs for android.

On android, root certificates appear to be stored in the folder
/system/etc/security/cacerts, which has many certs in several
different files. This change adds a new array of directories in
which certs can be found.

To test this, I simply tried making a request with the http
library to an HTTPS URL on an android emulator and manually
verified that it worked.

LGTM=crawshaw
R=golang-codereviews, gobot, crawshaw
CC=golang-codereviews
https://golang.org/cl/151800043
---

diff --git a/src/crypto/x509/root_unix.go b/src/crypto/x509/root_unix.go
index 11ad3c440d..10057c0c03 100644
--- a/src/crypto/x509/root_unix.go
+++ b/src/crypto/x509/root_unix.go
@@ -17,6 +17,13 @@ var certFiles = []string{
 	"/usr/local/share/certs/ca-root-nss.crt", // FreeBSD/DragonFly
 }
 
+// Possible directories with certificate files; stop after successfully
+// reading at least one file from a directory.
+var certDirectories = []string{
+	"/system/etc/security/cacerts", // Android
+
+}
+
 func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
 	return nil, nil
 }
@@ -32,6 +39,24 @@ func initSystemRoots() {
 		}
 	}
 
+	for _, directory := range certDirectories {
+		fis, err := ioutil.ReadDir(directory)
+		if err != nil {
+			continue
+		}
+		rootsAdded := false
+		for _, fi := range fis {
+			data, err := ioutil.ReadFile(directory + "/" + fi.Name())
+			if err == nil && roots.AppendCertsFromPEM(data) {
+				rootsAdded = true
+			}
+		}
+		if rootsAdded {
+			systemRoots = roots
+			return
+		}
+	}
+
 	// All of the files failed to load. systemRoots will be nil which will
 	// trigger a specific error at verification time.
 }