crypto/x509: add android user trusted CA folder as a possible source for certificate retrieval #58922
CC @golang/security
This proposal has been added to the active column of the proposals project
The proposal is to read Android certs both from the system cert directory and what is apparently the user cert directory (/data/misc/keychain/certs-added). This seems reasonable and aligns with reading user-installed certs on Mac and Windows, which we do by querying the operating system for certs. Is there a user-installed cert directory on Linux too? If so should we add that?
Given the similarity to Mac and Windows it sounds like we can accept this for Android.
Seems reasonable, ideally there would be a uniform place to look/API we could use, but that is wishful thinking. At some point the list of places we might slurp certs from is going to become unwieldy, but I'm not sure we are there yet.
Based on the discussion above, this proposal seems like a likely accept.
No change in consensus, so accepted. 🎉
Can the implementation of the change be limited to Android? /data is often used by system administrators to mount storage that is exported via CIFS/NFS, as a place to restore a backup from or do forensics on. I admire the simplicity of the current implementation, but would prefer to limit Android specifics to the android build tag.
@nightlyone yes, good catch, mailed CL 531878.
Also, CL 473035 was submitted, so closing.
Change https://go.dev/cl/531878 mentions this issue:
Updates #58922
Change-Id: I0eb2c97babb05b2d9bc36ed8af03579094bc02ac
Reviewed-on: https://go-review.googlesource.com/c/go/+/531878
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Ian Lance Taylor <iant@google.com>
Reviewed-by: Ingo Oeser <nightlyone@googlemail.com>
For the purposes of getting what looks like a simple cryptography-related change expediently but carefully reviewed and approved, I am coming here from @jbpin's CL https://go-review.googlesource.com/c/go/+/473035 and PR #50240, a new contributor sent a change adding the Android User Trusted Certificate Authority folder as a source of certificates. This change is to invite experts to comment and approve if we should support /data/misc/keychain/certs-added as a source of certificates.
Kindly cc-ing @rolandshoemaker @FiloSottile