[gnutls-devel] GnuTLS | Android build not using "User" certificates on newer android versions (#1512)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Tue Oct 24 17:21:07 CEST 2023

Tobias Diendorfer created an issue: https://gitlab.com/gnutls/gnutls/-/issues/1512

## Description of problem:
The Android build (`#define ANDROID` or `__ANDROID__`) is not using the user-installed CA certificates.

## Version of gnutls used: 3.6.16

## Distributor of gnutls (e.g., Ubuntu, Fedora, RHEL)

## How reproducible:

Steps to Reproduce:

 * generate a domain CA certificate and a correct client certificate for, e.g., IIS
 * try to access the HTTPS site with a browser from a Windows machine, to check that the site is secure and the cert is OK (lock symbol in the URL bar)
 * install the CA certificate manually on an Android device (tested on Android 10 & 11)
 * try to access the HTTPS site with a browser from the Android device, to check that the site is secure and the cert is OK (lock symbol in the URL bar)
 * use vlc-android (from the Play Store) or any other software on Android which uses GnuTLS
 * try to play an m3u8 playlist with VLC Android from the web server whose URL starts with https://...
 * Now the error happens in GnuTLS, see Actual results

## Actual results:

[7c02f630/12a7] libvlc tls client: Certificate verification failure: The certificate is NOT trusted. The certificate issuer is unknown. The name in the certificate does not match the expected.

I have checked the installed system certificate count, which is 138, and GnuTLS is also reporting that 138 are loaded.
The single user certificate is missing; the count should be 139.

## Expected results:

GnuTLS should also load user certificates on Android and use them!

After changing: lib/system/certs.c

old, doesn't work:
  ret = gnutls_x509_trust_list_add_trust_dir(list, "/data/misc/keychain/cacerts-added/",

new, works:
  ret = gnutls_x509_trust_list_add_trust_dir(list, "/data/misc/user/0/cacerts-added/",

So clearly the path has changed on newer Android versions and doesn't work with current ones.

Please fix this issue.
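The count comparison in the report (138 loaded versus 139 expected) is the useful check here, because a trust directory that no longer exists on a given Android version simply contributes nothing and produces no error. The script below is an added diagnostic, not GnuTLS code and not from the reporter: it walks the candidate trust directories (the system store plus both cacerts-added locations named in the issue), counts the PEM certificates in each, and distinguishes an absent directory from an empty one, so the total can be compared with what the library says it loaded. The system store path `/system/etc/security/cacerts` and the generalisation of `/data/misc/user/0/` to other user IDs are assumptions; the sample tree it builds under a temporary directory is constructed for an offline run, and on a real device you would run the same functions with `root=""` from a shell that can read `/data/misc`.

```python
"""Count CA certificates in the Android trust directories a TLS library
might consult, so the sum can be compared with the library's "loaded" count.

Added diagnostic for gnutls issue #1512; not GnuTLS code.
"""
import os
import re
import tempfile

# Assumption: the standard AOSP system store.
SYSTEM_CACERTS = "/system/etc/security/cacerts"
# Path gnutls 3.6.16 reads (per the issue); absent on Android 10/11.
LEGACY_USER_ADDED = "/data/misc/keychain/cacerts-added"
# Path that works on Android 10/11 for user 0 (per the issue); assumption:
# other user IDs follow the same template.
USER_ADDED_TEMPLATE = "/data/misc/user/{uid}/cacerts-added"

_PEM_BEGIN = re.compile(rb"^-----BEGIN CERTIFICATE-----", re.MULTILINE)


def count_certs_in_file(path):
    """Number of PEM certificate blocks in one file (Android stores one per file)."""
    with open(path, "rb") as fh:
        return len(_PEM_BEGIN.findall(fh.read()))


def count_certs_in_dir(dirpath):
    """Total certificates in a directory, or None if the directory does not exist.

    'Missing' versus 'empty' is the distinction that matters: a library that
    reads a directory which is not present on this Android version loads
    nothing from it and reports no error.
    """
    if not os.path.isdir(dirpath):
        return None
    return sum(
        count_certs_in_file(os.path.join(dirpath, name))
        for name in sorted(os.listdir(dirpath))
        if os.path.isfile(os.path.join(dirpath, name))
    )


def candidate_dirs(uids=(0,), root=""):
    """Every directory worth checking; `root` lets the scan run on a copied or constructed tree."""
    dirs = [SYSTEM_CACERTS, LEGACY_USER_ADDED]
    dirs += [USER_ADDED_TEMPLATE.format(uid=uid) for uid in uids]
    return [root + d for d in dirs]


def trust_store_report(uids=(0,), root=""):
    """Map each candidate directory to its certificate count (None = directory absent)."""
    return {d: count_certs_in_dir(d) for d in candidate_dirs(uids, root)}


def expected_loaded(report):
    """What a library that consulted every existing candidate directory should report."""
    return sum(n for n in report.values() if n)


# Constructed sample tree (not a real device): two placeholder certs in the
# system store, no legacy keychain directory at all, and one user-added cert
# for user 0, mirroring the "n system + 1 user" situation in the issue.
_FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
             b"placeholder-not-a-real-certificate\n"
             b"-----END CERTIFICATE-----\n")


def build_sample_tree():
    root = tempfile.mkdtemp(prefix="android-trust-")
    layout = {
        SYSTEM_CACERTS: ["11111111.0", "22222222.0"],
        USER_ADDED_TEMPLATE.format(uid=0): ["33333333.0"],
    }
    for d, names in layout.items():
        os.makedirs(root + d)
        for name in names:
            with open(os.path.join(root + d, name), "wb") as fh:
                fh.write(_FAKE_PEM)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = trust_store_report(root=root)
    for d, n in report.items():
        print(f"{d}: {'absent' if n is None else n}")
    print("expected loaded:", expected_loaded(report))
```

On the sample tree the legacy keychain directory shows as absent while the per-user directory holds the one extra certificate, which is exactly the 138-versus-139 discrepancy the report describes; a library reading only the legacy path never sees it.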
