libtailscale,android: use ExtraRootCAs for user-installed CA certificates

LoganRupe · bradfitz · commit e7fca1ad1ec2 · 2026-04-08T08:02:49.000-07:00
Bridge user-installed Android CA certificates to Go's TLS stack using the in-memory ExtraRootCAs cert pool on tsd.System. Depends on tailscale/tailscale#19280. Fixes tailscale/tailscale#8085 Signed-off-by: Logan Rupe <logan@coldtap.io>
diff --git a/android/src/main/java/com/tailscale/ipn/App.kt b/android/src/main/java/com/tailscale/ipn/App.kt
@@ -476,6 +476,22 @@ class App : UninitializedApp(), libtailscale.AppContext, ViewModelStoreOwner {
       false
     }
   }
+
+  override fun getUserCACertsPEM(): ByteArray {
+    val ks = java.security.KeyStore.getInstance("AndroidCAStore")
+    ks.load(null)
+    val sb = StringBuilder()
+    val encoder = android.util.Base64.NO_WRAP
+    for (alias in ks.aliases()) {
+      if (!alias.startsWith("user:")) continue
+      val cert = ks.getCertificate(alias) ?: continue
+      val pem = android.util.Base64.encodeToString(cert.encoded, encoder)
+      sb.append("-----BEGIN CERTIFICATE-----\n")
+      pem.chunked(64).forEach { sb.append(it).append('\n') }
+      sb.append("-----END CERTIFICATE-----\n")
+    }
+    return sb.toString().toByteArray(Charsets.UTF_8)
+  }
 }
 
 /**
diff --git a/go.mod b/go.mod
@@ -1,11 +1,11 @@
 module github.com/tailscale/tailscale-android
 
-go 1.26.1
+go 1.26.2
 
 require (
 	github.com/tailscale/wireguard-go v0.0.0-20260304043104-4184faf59e56
 	golang.org/x/mobile v0.0.0-20240806205939-81131f6468ab
-	tailscale.com v1.97.0-pre.0.20260401194235-5b62f9889451
+	tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4
 )
 
 require (
diff --git a/go.sum b/go.sum
@@ -159,6 +159,8 @@ github.com/studio-b12/gowebdav v0.9.0 h1:1j1sc9gQnNxbXXM4M/CebPOX4aXYtr7MojAVcN4
 github.com/studio-b12/gowebdav v0.9.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
+github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89 h1:glgVc1ZYMjwN1Q/ITWeuSQyl029uayagaR2sjsifehc=
+github.com/tailscale/gliderssh v0.3.4-0.20260330083525-c1389c70ff89/go.mod h1:wn16Km1EZOX4UEAyaZa3dBwfFGOJ7neck40NcwosJUw=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55/go.mod h1:4k4QO+dQ3R5FofL+SanAUZe+/QfeK0+OIuwDIRu2vSg=
 github.com/tailscale/golang-x-crypto v0.0.0-20250404221719-a5573b049869 h1:SRL6irQkKGQKKLzvQP/ke/2ZuB7Py5+XuqtOgSj+iMM=
@@ -245,5 +247,5 @@ howett.net/plist v1.0.0 h1:7CrbWYbPPO/PyNy38b2EB/+gYbjCe2DXBxgtOOZbSQM=
 howett.net/plist v1.0.0/go.mod h1:lqaXoTrLY4hg8tnEzNru53gicrbv7rrk+2xJA/7hw9g=
 software.sslmate.com/src/go-pkcs12 v0.4.0 h1:H2g08FrTvSFKUj+D309j1DPfk5APnIdAQAB8aEykJ5k=
 software.sslmate.com/src/go-pkcs12 v0.4.0/go.mod h1:Qiz0EyvDRJjjxGyUQa2cCNZn/wMyzrRJ/qcDXOQazLI=
-tailscale.com v1.97.0-pre.0.20260401194235-5b62f9889451 h1:8vwLyeDR0eVjLvl9n54SSOwmJKOsHtwDjp3itkHTMYI=
-tailscale.com v1.97.0-pre.0.20260401194235-5b62f9889451/go.mod h1:uWl7oasAISX6cMzTGBNT7TmjKui8W3IU3qrDN/A2PFo=
+tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4 h1:EbBRCAjxEWU/61I/DDqMg4aMKw0uqYCtt8diNQ3DQjI=
+tailscale.com v1.97.0-pre.0.20260408011054-a182b864ace4/go.mod h1:J3yUifgjBmMBIylCvle8qVui/MDlsjP6aRPsZ9pjfUY=
diff --git a/go.toolchain.rev b/go.toolchain.rev
@@ -1 +1 @@
-179b46cade24e44f53b53a3cbcc7b7eb78469c31
+dfe2a5fd8ee2e68b08ce5ff259269f50ecadf2f4
diff --git a/libtailscale/backend.go b/libtailscale/backend.go
@@ -5,6 +5,7 @@ package libtailscale
 
 import (
 	"context"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"log"
@@ -281,6 +282,22 @@ func (a *App) newBackend(dataDir string, appCtx AppContext, store *stateStore,
 	sys := tsd.NewSystem()
 	sys.Set(store)
 
+	if pemData, err := appCtx.GetUserCACertsPEM(); err != nil {
+		log.Printf("GetUserCACertsPEM: %v", err)
+	} else if len(pemData) > 0 {
+		pool, err := x509.SystemCertPool()
+		if err != nil {
+			log.Printf("x509.SystemCertPool: %v; using empty pool", err)
+			pool = x509.NewCertPool()
+		}
+		if pool.AppendCertsFromPEM(pemData) {
+			sys.ExtraRootCAs = pool
+			log.Printf("loaded user CA certificates into ExtraRootCAs")
+		} else {
+			log.Printf("failed to parse any user CA certificates from PEM data")
+		}
+	}
+
 	logf := logger.RusagePrefixLog(log.Printf)
 	b := &backend{
 		devices:  newTUNDevices(),
diff --git a/libtailscale/interfaces.go b/libtailscale/interfaces.go
@@ -76,6 +76,10 @@ type AppContext interface {
 	HardwareAttestationKeyLoad(id string) error
 
 	BindSocketToNetwork(fd int32) bool
+
+	// GetUserCACertsPEM returns PEM-encoded user-installed CA certificates
+	// from the Android KeyStore, or empty bytes if none are installed.
+	GetUserCACertsPEM() ([]byte, error)
 }
 
 // IPNService corresponds to our IPNService in Java.

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-179b46cade24e44f53b53a3cbcc7b7eb78469c31`
	`1`	`+dfe2a5fd8ee2e68b08ce5ff259269f50ecadf2f4`
Original file line number	Diff line number	Diff line change
`@@ -76,6 +76,10 @@ type AppContext interface {`
`76`	`76`	`HardwareAttestationKeyLoad(id string) error`
`77`	`77`
`78`	`78`	`BindSocketToNetwork(fd int32) bool`
	`79`	`+`
	`80`	`+ // GetUserCACertsPEM returns PEM-encoded user-installed CA certificates`
	`81`	`+ // from the Android KeyStore, or empty bytes if none are installed.`
	`82`	`+ GetUserCACertsPEM() ([]byte, error)`
`79`	`83`	`}`
`80`	`84`
`81`	`85`	`// IPNService corresponds to our IPNService in Java.`