Can't locate system certificates on Android systems
Hello, I'd like to validate x509 certificates (and check the signature of other messages with them) with Botan in my Android native library. The library will be compiled with Android NDK and used in another Android App.
Unfortunately, when I tried to use the system certificate store (Botan::System_Certificate_Store), I encountered the following error message.
E/libc++abi: terminating with uncaught exception of type
Botan::Stream_IO_Error: I/O error: DataSource: Failure opening file /etc/ssl/cert.pem
FYI, I generated botan_all.cpp / h with the following commands.
./configure.py --os=android --cc=clang --amalgamation --cpu=arm64 --disable-shared --disable-modules=pkcs11,aes,aes_armv8,sha1_armv8,sha2_32_armv8,pmull
Is there anything I've missed? Any comments or suggestions related to this issue will be appreciated.
There is a bug here wrt cross-compilation where the configure script guesses the location for a certificate bundle based on your machine, rather than the target machine. Probably on your machine /etc/ssl/cert.pem is a valid bundle. And on Android it is not.
I am not sure in fact if such a bundle file exists on Android at all. It is possible that we have to use some Android specific API in order to access the trust store (done analogously to the macOS and Windows certificate stores).
One workaround would be to create (or just copy from some trusted local machine) your bundle and embed it into your apk and then load the trust roots from there.
Android certs are contained within /system/etc/security/cacerts and are individual files. What we have done is to read and convert each cert into pem format, pass these as a string array via JNI to the C++ code we have implemented. We then add each of these to the trust store which is used via a subclass of Botan::Credentials_Manager.
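The Android-side half of the approach described in the previous comment (read each file under /system/etc/security/cacerts, re-encode it as PEM, hand the strings to native code), written here as an added example; it is not code from the thread participants or from the Botan project. `SystemCaExporter`, `installTrustRoots` and `exportToNative` are names chosen for this example; the native method is assumed to exist in the app's JNI library. It requires API level 26 or later for `java.nio.file` and `java.util.Base64`. Files that do not parse as an X.509 certificate are skipped rather than aborting the export, and an empty result is treated as an error so a misconfigured path cannot silently produce a trust store with no roots.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/** Collects the Android system CA store as PEM strings for a native (Botan) trust store. */
public final class SystemCaExporter {

    /** Directory named in the thread: one CA per file, PEM followed by a human-readable dump. */
    public static final String SYSTEM_CACERTS_DIR = "/system/etc/security/cacerts";

    /**
     * Hypothetical JNI entry point (assumed, not part of Botan or the thread). The native side
     * would wrap each string in Botan::DataSource_Memory, build a Botan::X509_Certificate from it
     * and add it to a Botan::Certificate_Store_In_Memory that the Credentials_Manager subclass
     * returns from trusted_certificate_authorities().
     */
    public static native void installTrustRoots(String[] pemCertificates);

    private SystemCaExporter() {}

    /** Reads every regular file in dir, keeps those that parse as X.509, returns them as PEM. */
    public static List<String> loadSystemCertsAsPem(Path dir) throws IOException, CertificateException {
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        List<String> pems = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                if (!Files.isRegularFile(entry)) {
                    continue;
                }
                byte[] raw = Files.readAllBytes(entry);
                X509Certificate cert;
                try {
                    // generateCertificate accepts PEM or DER and stops after the first certificate,
                    // so the trailing text dump in Android's cacerts files is ignored.
                    cert = (X509Certificate) factory.generateCertificate(new ByteArrayInputStream(raw));
                } catch (CertificateException malformed) {
                    // Not a certificate (or corrupt): skip it instead of failing the whole export.
                    continue;
                }
                pems.add(toPem(cert));
            }
        }
        return pems;
    }

    /** Re-encodes a certificate as canonical PEM: DER body, base64, 64-character lines. */
    public static String toPem(X509Certificate cert) throws CertificateException {
        String body = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII))
                .encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n";
    }

    /** Exports the system store and hands it across JNI; refuses to install an empty root set. */
    public static void exportToNative() throws IOException, CertificateException {
        List<String> pems = loadSystemCertsAsPem(Paths.get(SYSTEM_CACERTS_DIR));
        if (pems.isEmpty()) {
            throw new CertificateException("no trust roots found in " + SYSTEM_CACERTS_DIR);
        }
        installTrustRoots(pems.toArray(new String[0]));
    }
}
```

The same native entry point serves the other workaround in this thread (a bundle embedded in the APK): the app would read its bundled PEM file, split it on the BEGIN/END markers and pass the pieces to `installTrustRoots` instead of scanning the system directory. Since the page's comparisons of Botan's `System_Certificate_Store` against Android show that Botan does not know where the platform roots live, the trust decision here is the app's own: keep the exported list in memory only, re-read it at startup rather than caching it on disk, and rely on Botan's path validation (expiry, chain building, revocation as configured) rather than trusting the strings blindly.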