On Tue, Apr 11, 2023 at 9:03 PM David Castillo <casve...@gmail.com> wrote:
>
> > There used to be at least two locations used on Android for
> > certificates. Maybe OpenSSL is only using one of them?
>
> Yes, user-installed certificates are stored in the
> "/data/misc/user/0/cacerts-added" directory while system certificates are
> stored in "/system/etc/security/cacerts" directory. That's why when I detect
> there's a proxy, I update the "CURLOPT_CAPATH" option to the user-installed
> CA cert directory. But the certificates in the user-installed directory are
> installed as DER format and libcurl fails to open them with this error:
> `BoringSSL: error:0900006e:PEM routines:OPENSSL_internal:NO_START_LINE`

Forgive my ignorance... Is this a script or a [Java?] program?

If it is a script, then you can... if you detect a proxy, then loop
over /data/misc/user/0/cacerts-added, and perform:

    # from a for loop
    for file in /data/misc/user/0/cacerts-added/*; do
        der=${file}
        # output name: drop the directory, swap the .der suffix for .pem
        pem=$(basename "${der}" | sed -e 's/\.der$/.pem/')
        openssl x509 -in "${der}" -inform DER \
            -out "${prefix}/${pem}" -outform PEM
    done

Then, point CURLOPT_CAPATH to where you write the files (i.e., ${prefix}).

If it is a program, then you have to do heavier lifting. Read both
locations, create one store, and then use the one store for
validation. See, for example,
https://www.openssl.org/docs/man3.0/man3/OSSL_STORE_CTX.html and

Jeff
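
The "read both locations, create one store" route from the reply above, as an added example that is not code from the thread or from curl: it merges the PEM files and the raw DER files from both directories into one de-duplicated PEM bundle. The function names are hypothetical, and handing the bundle to libcurl through CURLOPT_CAINFO is an assumption (the thread only mentions CURLOPT_CAPATH).

```python
import pathlib
import re
import ssl

# The two Android locations named in the thread.
ANDROID_DIRS = ["/system/etc/security/cacerts", "/data/misc/user/0/cacerts-added"]
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def is_single_der_object(data):
    """True if data is exactly one DER SEQUENCE, the outer shape of an X.509 cert."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        header, length = 2, data[1]
    else:                                    # long-form length
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)      # no trailing bytes allowed

def file_to_pem(path):
    """Return the certificates in one file as PEM strings, whatever its encoding."""
    data = pathlib.Path(path).read_bytes()
    blocks = PEM_BLOCK.findall(data)
    if blocks:                               # PEM, possibly followed by a text dump
        return [b.decode("ascii") + "\n" for b in blocks]
    if is_single_der_object(data):           # raw DER: the NO_START_LINE case
        return [ssl.DER_cert_to_PEM_cert(data)]
    return []                                # not a certificate file

def build_bundle(cert_dirs, bundle_path):
    """Merge all certificates under cert_dirs into one PEM bundle.
    Returns (certificates written, entries skipped)."""
    seen, out, skipped = set(), [], 0
    for d in cert_dirs:
        for f in sorted(pathlib.Path(d).iterdir()):
            pems = file_to_pem(f) if f.is_file() else []
            if not pems:
                skipped += 1
            for pem in pems:
                der = ssl.PEM_cert_to_DER_cert(pem)   # normalise to de-duplicate
                if der not in seen:
                    seen.add(der)
                    out.append(pem)
    pathlib.Path(bundle_path).write_text("".join(out))
    return len(out), skipped
```

The conversion only re-encodes; certificate validity is still checked by the TLS library when the bundle is loaded.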