From b01cb72eb7728faa95fbb82bae1183df137f5867 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Wed, 4 Oct 2023 13:53:31 +0200
Subject: [PATCH] crypto/x509: avoid Android root store paths on other Linuxes

Updates #58922

Change-Id: I0eb2c97babb05b2d9bc36ed8af03579094bc02ac
Reviewed-on: https://go-review.googlesource.com/c/go/+/531878
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ingo Oeser <nightlyone@googlemail.com>
---
 src/crypto/x509/root_linux.go | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/crypto/x509/root_linux.go b/src/crypto/x509/root_linux.go
index 76a64a80dd..8e79ccb5f6 100644
--- a/src/crypto/x509/root_linux.go
+++ b/src/crypto/x509/root_linux.go
@@ -4,6 +4,8 @@
 
 package x509
 
+import "internal/goos"
+
 // Possible certificate files; stop after finding one.
 var certFiles = []string{
 	"/etc/ssl/certs/ca-certificates.crt",                // Debian/Ubuntu/Gentoo etc.
@@ -16,8 +18,15 @@ var certFiles = []string{
 
 // Possible directories with certificate files; all will be read.
 var certDirectories = []string{
-	"/etc/ssl/certs",               // SLES10/SLES11, https://golang.org/issue/12139
-	"/etc/pki/tls/certs",           // Fedora/RHEL
-	"/system/etc/security/cacerts", // Android
-	"/data/misc/keychain/certs-added", // Android user trusted CA folder
+	"/etc/ssl/certs",     // SLES10/SLES11, https://golang.org/issue/12139
+	"/etc/pki/tls/certs", // Fedora/RHEL
+}
+
+func init() {
+	if goos.IsAndroid == 1 {
+		certDirectories = append(certDirectories,
+			"/system/etc/security/cacerts",    // Android system roots
+			"/data/misc/keychain/certs-added", // User trusted CA folder
+		)
+	}
 }
-- 
2.50.0