ANDROID: Bundle cacert.pem and don't disable certificate checks

backends/networking/curl/connectionmanager.cpp

@@ -99,7 +99,15 @@ uint32 ConnectionManager::getCloudRequestsPeriodInMicroseconds() {
 }
 
 const char *ConnectionManager::getCaCertPath() {
-#if defined(DATA_PATH)
+#if defined(__ANDROID__)
+	Common::ArchiveMemberPtr member = SearchMan.getMember("cacert.pem");
+	Common::FSNode *node = dynamic_cast<Common::FSNode *>(member.get());
+	if (!node) {
+		return nullptr;
+	}
+
+	return node->getPath().c_str();
+#elif defined(DATA_PATH)
 	static enum {
 		kNotInitialized,
 		kFileNotFound,

backends/networking/curl/networkreadstream.cpp

@@ -92,7 +92,7 @@ void NetworkReadStream::initCurl(const char *url, curl_slist *headersList) {
 	curl_easy_setopt(_easy, CURLOPT_NOPROGRESS, 0L);
 	curl_easy_setopt(_easy, CURLOPT_PROGRESSFUNCTION, curlProgressCallbackOlder);
 	curl_easy_setopt(_easy, CURLOPT_PROGRESSDATA, this);
-#if defined NINTENDO_SWITCH || defined ANDROID_PLAIN_PORT || defined PSP2
+#if defined NINTENDO_SWITCH || defined PSP2
 	curl_easy_setopt(_easy, CURLOPT_SSL_VERIFYPEER, 0);
 #endif
 

backends/networking/curl/socket.cpp

@@ -22,6 +22,7 @@
 #define FORBIDDEN_SYMBOL_ALLOW_ALL
 #include <curl/curl.h>
 #include "backends/networking/curl/socket.h"
+#include "backends/networking/curl/connectionmanager.h"
 #include "common/debug.h"
 #include "common/system.h"
 
@@ -75,12 +76,18 @@ bool CurlSocket::connect(Common::String url) {
 		// Just connect to the host, do not do any transfers.
 		curl_easy_setopt(_easy, CURLOPT_CONNECT_ONLY, 1L);
 
-		// On Android, libcurl won't connect to SSL connections
+		// libcurl won't connect to SSL connections
 		// with VERIFYPEER enabled because we do not ship
-		// with a CA bundle.  So let's disable it.
-#ifdef ANDROID_PLAIN_PORT
-		curl_easy_setopt(_easy, CURLOPT_SSL_VERIFYPEER, 0L);
+		// with a CA bundle in these platforms.
+		// So let's disable it.
+#if defined NINTENDO_SWITCH || defined PSP2
+		curl_easy_setopt(_easy, CURLOPT_SSL_VERIFYPEER, 0);
 #endif
+		const char *caCertPath = ConnMan.getCaCertPath();
+		if (caCertPath) {
+			curl_easy_setopt(_easy, CURLOPT_CAINFO, caCertPath);
+		}
+
 		CURLcode res = curl_easy_perform(_easy);
 		if (res != CURLE_OK) {
 			warning("libcurl: Failed to connect: %s", curl_easy_strerror(res));

backends/platform/android/android.mk

@@ -33,15 +33,28 @@ ifneq ($(DIST_FILES_SHADERS),)
 	$(INSTALL) -c -m 644 $(DIST_FILES_SHADERS) $(PATH_BUILD_ASSETS)/shaders
 endif
 
+ifdef DIST_ANDROID_CACERT_PEM
+$(PATH_BUILD_ASSETS)/cacert.pem: $(DIST_ANDROID_CACERT_PEM) | $(PATH_BUILD_ASSETS)
+	$(INSTALL) -c -m 644 $(DIST_ANDROID_CACERT_PEM) $(PATH_BUILD_ASSETS)/cacert.pem
+else
+ifdef USE_CURL
+$(PATH_BUILD_ASSETS)/cacert.pem: | $(PATH_BUILD_ASSETS)
+	$(QUIET_CURL)$(CURL) -s https://curl.se/ca/cacert.pem --time-cond $(PATH_BUILD_ASSETS)/cacert.pem --output $(PATH_BUILD_ASSETS)/cacert.pem
+androidcacert: | $(PATH_BUILD_ASSETS)
+	$(QUIET_CURL)$(CURL) -s https://curl.se/ca/cacert.pem --time-cond $(PATH_BUILD_ASSETS)/cacert.pem --output $(PATH_BUILD_ASSETS)/cacert.pem
+.PHONY: androidcacert
+endif
+endif
+
 $(PATH_BUILD_LIBSCUMMVM): libscummvm.so | $(PATH_BUILD)
 	$(INSTALL) -d  $(PATH_BUILD_LIB)
 	$(INSTALL) -c -m 644 libscummvm.so $(PATH_BUILD_LIBSCUMMVM)
 
-$(APK_MAIN): $(PATH_BUILD_GRADLE) $(PATH_BUILD_ASSETS) $(PATH_BUILD_LIBSCUMMVM) | $(PATH_BUILD)
+$(APK_MAIN): $(PATH_BUILD_GRADLE) $(PATH_BUILD_ASSETS) $(PATH_BUILD_ASSETS)/cacert.pem $(PATH_BUILD_LIBSCUMMVM) | $(PATH_BUILD)
 	(cd $(PATH_BUILD); ./gradlew assembleDebug)
 	$(CP) $(PATH_BUILD)/build/outputs/apk/debug/$(APK_MAIN) $@
 
-$(APK_MAIN_RELEASE): $(PATH_BUILD_GRADLE) $(PATH_BUILD_ASSETS) $(PATH_BUILD_LIBSCUMMVM) | $(PATH_BUILD)
+$(APK_MAIN_RELEASE): $(PATH_BUILD_GRADLE) $(PATH_BUILD_ASSETS) $(PATH_BUILD_ASSETS)/cacert.pem $(PATH_BUILD_LIBSCUMMVM) | $(PATH_BUILD)
 	(cd $(PATH_BUILD); ./gradlew assembleRelease)
 	$(CP) $(PATH_BUILD)/build/outputs/apk/release/$(APK_MAIN_RELEASE) $@