From 0541fe602bff224b83d38b24fea3abcabd39f14d Mon Sep 17 00:00:00 2001
From: Marc Prud'hommeaux <mwp1@cornell.edu>
Date: Fri, 31 Oct 2025 15:55:05 -0400
Subject: [PATCH] Add Android certificate paths to CURL_CA_PATH

---
 .../URLSession/libcurl/EasyHandle.swift       | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift b/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
index e9b90a23f1..544ad6e8ac 100644
--- a/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
+++ b/Sources/FoundationNetworking/URLSession/libcurl/EasyHandle.swift
@@ -220,6 +220,25 @@ extension _EasyHandle {
                 try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAINFO, caInfo).asError()
             }
             return
+        } else {
+            // default to the standard Android folders, like how it is done at:
+            // https://github.com/apple/swift-nio-ssl/blob/main/Sources/NIOSSL/AndroidCABundle.swift
+            let paths = [
+                "/apex/com.android.conscrypt/cacerts",  // >= Android14
+                "/system/etc/security/cacerts",  // < Android14
+            ]
+
+            for path in paths {
+                var isDirectory: ObjCBool = false
+                if FileManager.default.fileExists(atPath: path,
+                                                  isDirectory: &isDirectory)
+                    && isDirectory.boolValue {
+                    path.withCString { pathPtr in
+                        try! CFURLSession_easy_setopt_ptr(rawHandle, CFURLSessionOptionCAPATH, UnsafeMutablePointer(mutating: pathPtr)).asError()
+                    }
+                    return
+                }
+            }
         }
 #endif