On Android, only certificates present in /system/etc/security/cacerts are considered trusted by Go (see https://github.com/golang/go/blob/master/src/crypto/x509/root_unix.go#L18). This only includes certificates added by Google, and not those added by the user (typically by using this method: https://support.google.com/nexus/answer/2844832).
It would be nice to also consider certificates added by the user as trusted. According to Nikolay Elenkov (https://nelenkov.blogspot.fr/2011/12/ics-trust-store-implementation.html), certificates added by the user can be enumerated using the following code:

    // Needs java.security.KeyStore, java.security.cert.X509Certificate,
    // java.util.Enumeration and android.util.Log.
    KeyStore ks = KeyStore.getInstance("AndroidCAStore");
    ks.load(null, null);
    Enumeration<String> aliases = ks.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        Log.d(TAG, "Subject DN: " + cert.getSubjectDN().getName());
        Log.d(TAG, "Issuer DN: " + cert.getIssuerDN().getName());
    }

Would it be feasible to add this logic to the Go standard library to consider certificates added by the user as trusted?

With Nougat, the ideal behavior would probably be to follow the network security configuration of the app: https://developer.android.com/training/articles/security-config.html#CustomTrust, but I'm not sure how to do it. It seems that we could use X509TrustManagerExtensions (https://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html)?

What do you think?

--
Renaud