[TLS] Add support for platform-specific CA bundles.

Adds a new OS::get_system_ca_certs method which can be implemented by platforms to retrieve the list of trusted CA certificates using OS specific APIs. The function should return the certificates in PEM format, and is currently implemented for Windows/macOS/LinuxBSD(*)/Android. mbedTLS will fall back to bundled certificates when the OS returns no certificates. (*) LinuxBSD does not have a standardized certificates store location. The current implementation will test for common locations and may return an empty string on some distributions (falling back to the bundled certificates).
2025-10-25 18:54:43 +00:00 · 2023-04-13 21:17:55 +02:00 · 2023-04-13 21:17:55 +02:00 · 6fd9982358
commit 6fd9982358
parent 4e1d5be9d3
17 changed files with 180 additions and 13 deletions
--- a/platform/android/java/lib/src/org/godotengine/godot/Godot.java
+++ b/platform/android/java/lib/src/org/godotengine/godot/Godot.java
@ -1044,6 +1044,11 @@ public class Godot extends Fragment implements SensorEventListener, IDownloaderC
 		return PermissionsUtil.getGrantedPermissions(getActivity());
 	}

+	@Keep
+	private String getCACertificates() {
+		return GodotNetUtils.getCACertificates();
+	}
+
 	/**
 	 * The download state should trigger changes in the UI --- it may be useful
 	 * to show the state as being indeterminate at times. This sample can be
--- a/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java
+++ b/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java
@ -33,11 +33,17 @@ package org.godotengine.godot.utils;
 import android.app.Activity;
 import android.content.Context;
 import android.net.wifi.WifiManager;
+import android.util.Base64;
 import android.util.Log;

+import java.io.StringWriter;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+
 /**
 * This class handles Android-specific networking functions.
- * For now, it only provides access to WifiManager.MulticastLock, which is needed on some devices
+ * It provides access to the CA certificates KeyStore, and the WifiManager.MulticastLock, which is needed on some devices
 * to receive broadcast and multicast packets.
 */
 public class GodotNetUtils {
@ -79,4 +85,34 @@ public class GodotNetUtils {
 			Log.e("Godot", "Exception during multicast lock release: " + e);
 		}
 	}
+
+	/**
+	 * Retrieves the list of trusted CA certificates from the "AndroidCAStore" and returns them in PRM format.
+	 * @see https://developer.android.com/reference/java/security/KeyStore .
+	 * @return A string of concatenated X509 certificates in PEM format.
+	 */
+	public static String getCACertificates() {
+		try {
+			KeyStore ks = KeyStore.getInstance("AndroidCAStore");
+			StringBuilder writer = new StringBuilder();
+
+			if (ks != null) {
+				ks.load(null, null);
+				Enumeration<String> aliases = ks.aliases();
+
+				while (aliases.hasMoreElements()) {
+					String alias = (String)aliases.nextElement();
+
+					X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
+					writer.append("-----BEGIN CERTIFICATE-----\n");
+					writer.append(Base64.encodeToString(cert.getEncoded(), Base64.DEFAULT));
+					writer.append("-----END CERTIFICATE-----\n");
+				}
+			}
+			return writer.toString();
+		} catch (Exception e) {
+			Log.e("Godot", "Exception while reading CA certificates: " + e);
+			return "";
+		}
+	}
 }