[TLS] Add support for platform-specific CA bundles.

Adds a new OS::get_system_ca_certs method which can be implemented by
platforms to retrieve the list of trusted CA certificates using OS
specific APIs.

The function should return the certificates in PEM format, and is
currently implemented for Windows/macOS/LinuxBSD(*)/Android.

mbedTLS will fall back to bundled certificates when the OS returns no
certificates.

(*) LinuxBSD does not have a standardized certificates store location.
    The current implementation will test for common locations and may
    return an empty string on some distributions (falling back to the
    bundled certificates).

2 files changed, 42 insertions, 1 deletions

diff --git a/platform/android/java/lib/src/org/godotengine/godot/Godot.java b/platform/android/java/lib/src/org/godotengine/godot/Godot.java
index e111bd18ca..99527ccf3a 100644
--- a/platform/android/java/lib/src/org/godotengine/godot/Godot.java
+++ b/platform/android/java/lib/src/org/godotengine/godot/Godot.java
@@ -1044,6 +1044,11 @@ public class Godot extends Fragment implements SensorEventListener, IDownloaderC
 		return PermissionsUtil.getGrantedPermissions(getActivity());
 	}
 
+	@Keep
+	private String getCACertificates() {
+		return GodotNetUtils.getCACertificates();
+	}
+
 	/**
 	 * The download state should trigger changes in the UI --- it may be useful
 	 * to show the state as being indeterminate at times. This sample can be
diff --git a/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java b/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java
index 401c105cd7..c31d56a3e1 100644
--- a/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java
+++ b/platform/android/java/lib/src/org/godotengine/godot/utils/GodotNetUtils.java
@@ -33,11 +33,17 @@ package org.godotengine.godot.utils;
 import android.app.Activity;
 import android.content.Context;
 import android.net.wifi.WifiManager;
+import android.util.Base64;
 import android.util.Log;
 
+import java.io.StringWriter;
+import java.security.KeyStore;
+import java.security.cert.X509Certificate;
+import java.util.Enumeration;
+
 /**
  * This class handles Android-specific networking functions.
- * For now, it only provides access to WifiManager.MulticastLock, which is needed on some devices
+ * It provides access to the CA certificates KeyStore, and the WifiManager.MulticastLock, which is needed on some devices
  * to receive broadcast and multicast packets.
  */
 public class GodotNetUtils {
@@ -79,4 +85,34 @@ public class GodotNetUtils {
 			Log.e("Godot", "Exception during multicast lock release: " + e);
 		}
 	}
+
+	/**
+	 * Retrieves the list of trusted CA certificates from the "AndroidCAStore" and returns them in PRM format.
+	 * @see https://developer.android.com/reference/java/security/KeyStore .
+	 * @return A string of concatenated X509 certificates in PEM format.
+	 */
+	public static String getCACertificates() {
+		try {
+			KeyStore ks = KeyStore.getInstance("AndroidCAStore");
+			StringBuilder writer = new StringBuilder();
+
+			if (ks != null) {
+				ks.load(null, null);
+				Enumeration<String> aliases = ks.aliases();
+
+				while (aliases.hasMoreElements()) {
+					String alias = (String)aliases.nextElement();
+
+					X509Certificate cert = (X509Certificate)ks.getCertificate(alias);
+					writer.append("-----BEGIN CERTIFICATE-----\n");
+					writer.append(Base64.encodeToString(cert.getEncoded(), Base64.DEFAULT));
+					writer.append("-----END CERTIFICATE-----\n");
+				}
+			}
+			return writer.toString();
+		} catch (Exception e) {
+			Log.e("Godot", "Exception while reading CA certificates: " + e);
+			return "";
+		}
+	}
 }