doesn't work with Android cert store

[joeyh]

Now that ghc-android exists, it's possible to build this library for the Android. There are two issues preventing it from working:

1. Android stores the certs in /system/etc/security/cacerts/ not /etc/ssl/certs/ (This can be worked around by setting SYSTEM_CERTIFICATE_PATH)
2. listDirectoryCerts doesn't find any files. This is because it filters (not . isHashedFile), but on Android, it appears that hashed files are all that is stored. Probably for space reasons.

I commented out the filtering, and it otherwise seems to work; the cert format is the same as on regular Linux.

I guess the isHashedFile filtering is probably there to avoid loading the same cert twice when on, eg Debian, the hashed file is a symlink to the unhashed file.

Probably the best fix is to put in an #ifdef for Android.

[vincenthz]

cool stuff. is there an official #define defined by ghc-android or something similar to be able to do that ? I think it would be even better to have an android architecture support in cabal if possible.

[joeyh]

Vincent Hanquez wrote:

cool stuff. is there an official defined by ghc-android or something similar to be able to do that ? I think it would be even better to have an android architecture support in cabal if possible.

Yeah, I don't think there is a standard #define we can use yet. I've asked for one here: https://github.com/neurocyte/ghc-android/issues/13

About the hashed cert issue, one way to do it without an ifdef would be to see if there are any unhashed certs. If not, fall back to using the hashed ones. Other platforms could also choose to not install the certs with symlinks, to avoid clutter. So this seems like a win overall.

see shy jo

[neurocyte]

It would be better to load all the links in the system cert path and de-dupe them after loading. Preferably by following the symbolic links. AFAIK that is how the system cert path is expected to work.

Also, I think it would make sense to set the default cert path via a configure script. That way we would't need to explicitly check for Android.

I can prepare patches if you want me to.

[vincenthz]

@neurocyte what do you mean by de-dupe after loading ?

[neurocyte]

What I was thinking was that it would be more correct to resolve the symbolic links to real file names with readSymbolicLink and then put those file names into a unique set. Then load the actual certs from that set. You would need to call readSymbolicLink until isSymbolicLink returns False.

[vincenthz]

That would be fine

[joeyh]

If I'm reading this right, listDirectoryCerts still skips hashed certs, so it still won't work on Android, which has only hashed certs. I think this bug is only half fixed.