Add swift-android-foundation-cacerts.patch (#18)

* Add swift-android-foundation-cacerts.patch

* Update cache key for PR

* Update swift-android-foundation-cacerts.patch

* Update patch to use CFURLSessionOptionCAPATH instead of CFURLSessionOptionCAINFO

* New cache key for github workflow

* Fix check for isDirectory

* Revert "Fix check for isDirectory"

This reverts commit ff12e16.

* Revert "Update patch to use CFURLSessionOptionCAPATH instead of CFURLSessionOptionCAINFO"

This reverts commit 94e355e.

* Go back to using CFURLSessionOptionCAINFO instead of CFURLSessionOptionCAPATH, since the latter does not work

* Update patch to match swiftlang/swift-corelibs-foundation#5163

Author: marcprux

.github/workflows/sdks.yml

@@ -31,7 +31,7 @@ jobs:
             SWIFT_TAG="swift-DEVELOPMENT-SNAPSHOT-${LATEST_TOOLCHAIN_VERSION}-a"
           fi
           echo "tag=$SWIFT_TAG" >> $GITHUB_OUTPUT
-          echo "key=$SWIFT_TAG-ndk-${NDK_VERSION}-pic-bundle" >> $GITHUB_OUTPUT
+          echo "key=$SWIFT_TAG-ndk-${NDK_VERSION}-url3-bundle" >> $GITHUB_OUTPUT
       - name: Get cached SDK bundle
         id: cache-bundle
         uses: actions/cache/restore@v4
@@ -126,7 +126,9 @@ jobs:
             ANDROID_ARCH=$arch BUILD_SWIFT_PM=1 ${TOOLCHAIN}/bin/swift get-packages-and-swift-source.swift
           done
 
+          git apply swift-android-foundation-cacerts.patch
           git apply swift-android.patch swift-android-ci.patch swift-crypto.patch swift-system.patch
+
           if [ ${{ matrix.version }} = 'release' ]; then
             git apply swift-android-ci-release.patch swift-android-foundation-release.patch
             perl -pi -e 's%r26%ndk/27%' swift/stdlib/cmake/modules/AddSwiftStdlib.cmake

swift-android-foundation-cacerts.patch

@@ -0,0 +1,71 @@
+diff --git a/swift-corelibs-foundation/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift b/swift-corelibs-foundation/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
+index cdf8875fce..b9b50a2361 100644
+--- a/swift-corelibs-foundation/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
++++ b/swift-corelibs-foundation/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
+@@ -220,6 +220,66 @@ extension _EasyHandle {
+                 try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, caInfo).asError()
+             }
+             return
++        } else {
++            // When no certificate file has been specified, assemble all the certificate files
++            // from the Android certificate store and writes them to a single `cacerts.pem` file
++
++            // See https://github.com/apple/swift-nio-ssl/blob/main/Sources/NIOSSL/AndroidCABundle.swift
++            let certsFolders = [
++                "/apex/com.android.conscrypt/cacerts", // >= Android14
++                "/system/etc/security/cacerts" // < Android14
++            ]
++
++            let aggregateCertPath = NSTemporaryDirectory() + "/cacerts-\(UUID().uuidString).pem"
++
++            if FileManager.default.createFile(atPath: aggregateCertPath, contents: nil) == false {
++                return
++            }
++
++            guard let fs = FileHandle(forWritingAtPath: aggregateCertPath) else {
++                return
++            }
++
++            // write a header
++            fs.write("""
++            ## Bundle of CA Root Certificates
++            ## Auto-generated on \(Date())
++            ## by aggregating certificates from: \(certsFolders)
++
++            """.data(using: .utf8)!)
++
++            // Go through each folder and load each certificate file (ending with ".0"),
++            // and append them together into a single aggreagate file that curl can load.
++            // The .0 files will contain some extra metadata, but libcurl only cares about the
++            // -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- sections,
++            // so we can naïvely concatenate them all and libcurl will understand the bundle.
++            for certsFolder in certsFolders {
++                let certsFolderURL = URL(fileURLWithPath: certsFolder)
++                if (try? certsFolderURL.resourceValues(forKeys: [.isDirectoryKey]).isDirectory) != true { continue }
++                let certURLs = try! FileManager.default.contentsOfDirectory(at: certsFolderURL, includingPropertiesForKeys: [.isRegularFileKey, .isReadableKey])
++                for certURL in certURLs {
++                    // certificate files have names like "53a1b57a.0"
++                    if certURL.pathExtension != "0" { continue }
++                    do {
++                        if try certURL.resourceValues(forKeys: [.isRegularFileKey]).isRegularFile != true { continue }
++                        if try certURL.resourceValues(forKeys: [.isReadableKey]).isReadable != true { continue }
++                        try fs.write(contentsOf: try Data(contentsOf: certURL))
++                    } catch {
++                        // ignore individual errors and soldier on…
++                        continue
++                    }
++                }
++            }
++
++            try! fs.close()
++
++            aggregateCertPath.withCString { pathPtr in
++                // note that it would be nice to use CFURLSessionOptionCAPATH instead
++                // (see https://curl.se/libcurl/c/CURLOPT_CAPATH.html)
++                // but it requires `c_rehash` to be run on the folder, which Android doesn't do
++                try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, UnsafeMutablePointer(mutating: pathPtr)).asError()
++            }
++            return
+         }
+ #endif
+