Merge pull request #13 from skiptools/update-certs

marcprux · web-flow · commit 7f60e4793354 · 2025-05-06T23:27:16.000-04:00
Move certificate bootstrap into swift-android-native
diff --git a/Package.swift b/Package.swift
@@ -14,7 +14,7 @@ let package = Package(
         .package(url: "https://source.skip.tools/skip-foundation.git", from: "1.3.1"),
         .package(url: "https://source.skip.tools/swift-jni.git", "0.0.0"..<"2.0.0"),
         .package(url: "https://source.skip.tools/skip-bridge.git", "0.0.0"..<"2.0.0"),
-        .package(url: "https://source.skip.tools/swift-android-native.git", "0.0.0"..<"2.0.0")
+        .package(url: "https://source.skip.tools/swift-android-native.git", from: "1.4.1")
     ],
     targets: [
         .target(name: "SkipAndroidBridge", dependencies: [
diff --git a/Sources/SkipAndroidBridge/AndroidBridgeBootstrap.swift b/Sources/SkipAndroidBridge/AndroidBridgeBootstrap.swift
@@ -20,6 +20,9 @@ import Foundation
 #if canImport(AndroidLooper)
 @_exported import AndroidLooper
 #endif
+#if canImport(AndroidNative)
+import AndroidNative
+#endif
 fileprivate let logger: Logger = Logger(subsystem: "skip.android.bridge", category: "AndroidBridge")
 #endif
 
@@ -84,8 +87,8 @@ public class AndroidBridgeBootstrap {
         try AssetURLProtocol.register()
         logger.debug("initAndroidBridge: bootstrapTimezone")
         try bootstrapTimezone()
-        logger.debug("initAndroidBridge: bootstrapSSLCertificates")
-        try bootstrapSSLCertificates()
+        logger.debug("initAndroidBridge: setupCACerts")
+        try AndroidBootstrap.setupCACerts()
         logger.debug("initAndroidBridge: AndroidLooper.setupMainLooper")
         let _ = AndroidLooper.setupMainLooper()
         logger.debug("initAndroidBridge: done")
@@ -123,71 +126,6 @@ private func bootstrapFileManagerProperties(filesDir: String, cacheDir: String)
     logger.debug("bootstrapFileManagerProperties: applicationSupportDirectory=\(applicationSupportDirectory.path)")
 }
 
-/// Collects all the certificate files from the Android certificate store and writes them to a single `cacerts.pem` file that can be used by libcurl,
-/// which is communicated through the `URLSessionCertificateAuthorityInfoFile` environment property
-///
-/// See https://android.googlesource.com/platform/frameworks/base/+/8b192b19f264a8829eac2cfaf0b73f6fc188d933%5E%21/#F0
-/// See https://github.com/apple/swift-nio-ssl/blob/d1088ebe0789d9eea231b40741831f37ab654b61/Sources/NIOSSL/AndroidCABundle.swift#L30
-private func bootstrapSSLCertificates(fromCertficateFolders certsFolders: [String] = ["/system/etc/security/cacerts", "/apex/com.android.conscrypt/cacerts"]) throws {
-    //let cacheFolder = try FileManager.default.url(for: .cachesDirectory, in: .userDomainMask, appropriateFor: nil, create: true) // file:////.cache/ (unwritable)
-    let cacheFolder = URL.cachesDirectory
-    logger.debug("bootstrapSSLCertificates: \(cacheFolder)")
-    let generatedCacertsURL = cacheFolder.appendingPathComponent("cacerts-aggregate.pem")
-    logger.debug("bootstrapSSLCertificates: generatedCacertsURL=\(generatedCacertsURL)")
-
-    let contents = try FileManager.default.contentsOfDirectory(at: cacheFolder, includingPropertiesForKeys: nil)
-    logger.debug("bootstrapSSLCertificates: cacheFolder=\(cacheFolder) contents=\(contents)")
-
-    // clear any previous generated certificates file that may have been created by this app
-    if FileManager.default.fileExists(atPath: generatedCacertsURL.path) {
-        try FileManager.default.removeItem(atPath: generatedCacertsURL.path)
-    }
-
-    let created = FileManager.default.createFile(atPath: generatedCacertsURL.path, contents: nil)
-    logger.debug("bootstrapSSLCertificates: created file: \(created): \(generatedCacertsURL.path)")
-
-    let fs = try FileHandle(forWritingTo: generatedCacertsURL)
-    defer { try? fs.close() }
-
-    // write a header
-    fs.write("""
-    ## Bundle of CA Root Certificates
-    ## Auto-generated on \(Date())
-    ## by aggregating certificates from: \(certsFolders)
-    
-    """.data(using: .utf8)!)
-
-    // Go through each folder and load each certificate file (ending with ".0"),
-    // and smash them together into a single aggreagate file tha curl can load.
-    // The .0 files will contain some extra metadata, but libcurl only cares about the
-    // -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections,
-    // so we can naïvely concatenate them all and libcurl will understand the bundle.
-    for certsFolder in certsFolders {
-        let certsFolderURL = URL(fileURLWithPath: certsFolder)
-        if (try? certsFolderURL.resourceValues(forKeys: [.isDirectoryKey]).isDirectory) != true { continue }
-        let certURLs = try FileManager.default.contentsOfDirectory(at: certsFolderURL, includingPropertiesForKeys: [.isRegularFileKey, .isReadableKey])
-        for certURL in certURLs {
-            //logger.debug("bootstrapSSLCertificates: certURL=\(certURL)")
-            // certificate files have names like "53a1b57a.0"
-            if certURL.pathExtension != "0" { continue }
-            do {
-                if try certURL.resourceValues(forKeys: [.isRegularFileKey]).isRegularFile == false { continue }
-                if try certURL.resourceValues(forKeys: [.isReadableKey]).isReadable == false { continue }
-                try fs.write(contentsOf: try Data(contentsOf: certURL))
-            } catch {
-                logger.warning("bootstrapSSLCertificates: error reading certificate file \(certURL.path): \(error)")
-                continue
-            }
-        }
-    }
-
-
-    //setenv("URLSessionCertificateAuthorityInfoFile", "INSECURE_SSL_NO_VERIFY", 1) // disables all certificate verification
-    //setenv("URLSessionCertificateAuthorityInfoFile", "/system/etc/security/cacerts/", 1) // doesn't work for directories
-    setenv("URLSessionCertificateAuthorityInfoFile", generatedCacertsURL.path, 1)
-    logger.debug("bootstrapSSLCertificates: set URLSessionCertificateAuthorityInfoFile=\(generatedCacertsURL.path)")
-}
-
 // URL.applicationSupportDirectory exists in Darwin's Foundation but not in Android's Foundation
 #if os(Android)
 // SKIP @nobridge
diff --git a/Sources/SkipAndroidBridge/Observation.swift b/Sources/SkipAndroidBridge/Observation.swift
@@ -152,7 +152,11 @@ private final class BridgeObservationSupport: @unchecked Sendable {
 // Seem like Swift/lib/Threading/Errors.cpp (https://github.com/swiftlang/swift/blob/3934f78ecdd53031ac40d68499f9ee046a5abe50/lib/Threading/Errors.cpp#L13) is missing
 // Should be fixed by: https://github.com/swiftlang/swift/pull/77890
 @_cdecl("_ZN5swift9threading5fatalEPKcz")
-func swiftThreadingFatal() { }
+public func swiftThreadingFatal() {
+    // we need to do *something* here or the function will get stripped out in release mode
+    print("swiftThreadingFatal")
+}
+
 #endif
 
 #endif
