Android: enable BoringSSL and other Package Collections support (#3393)

finagolfin · web-flow · commit d4a488b73e68 · 2021-04-14T12:01:18.000-07:00
Also, disable FTS search through collections.
diff --git a/Sources/PackageCollections/PackageCollections.swift b/Sources/PackageCollections/PackageCollections.swift
@@ -15,7 +15,7 @@ import TSCBasic
 // TODO: is there a better name? this conflicts with the module name which is okay in this case but not ideal in Swift
 public struct PackageCollections: PackageCollectionsProtocol {
     // Check JSONPackageCollectionProvider.isSignatureCheckSupported before updating or removing this
-    #if os(macOS) || os(Linux) || os(Windows)
+    #if os(macOS) || os(Linux) || os(Windows) || os(Android)
     static let isSupportedPlatform = true
     #else
     static let isSupportedPlatform = false
diff --git a/Sources/PackageCollections/Providers/JSONPackageCollectionProvider.swift b/Sources/PackageCollections/Providers/JSONPackageCollectionProvider.swift
@@ -27,7 +27,7 @@ private typealias JSONModel = PackageCollectionModel.V1
 struct JSONPackageCollectionProvider: PackageCollectionProvider {
     // TODO: This can be removed when the `Security` framework APIs that the `PackageCollectionsSigning`
     // module depends on are available on all Apple platforms.
-    #if os(macOS) || os(Linux) || os(Windows)
+    #if os(macOS) || os(Linux) || os(Windows) || os(Android)
     static let isSignatureCheckSupported = true
     #else
     static let isSignatureCheckSupported = false
diff --git a/Sources/PackageCollections/Storage/SQLitePackageCollectionsStorage.swift b/Sources/PackageCollections/Storage/SQLitePackageCollectionsStorage.swift
@@ -798,6 +798,11 @@ final class SQLitePackageCollectionsStorage: PackageCollectionsStorage, Closable
         """
         try db.exec(query: table)
 
+        #if os(Android)
+        // FTS queries for strings containing hyphens isn't working in SQLite on
+        // Android, so disable for now.
+        useSearchIndices.put(false)
+        #else
         do {
             let ftsPackages = """
                 CREATE VIRTUAL TABLE IF NOT EXISTS \(Self.packagesFTSName) USING fts4(
@@ -824,6 +829,7 @@ final class SQLitePackageCollectionsStorage: PackageCollectionsStorage, Closable
             // consistent results we will not fallback to FTS3 and just give up if FTS4 is not available.
             useSearchIndices.put(false)
         }
+        #endif
 
         try db.exec(query: "PRAGMA journal_mode=WAL;")
     }
diff --git a/Sources/PackageCollectionsSigning/Certificate/Certificate.swift b/Sources/PackageCollectionsSigning/Certificate/Certificate.swift
@@ -12,13 +12,13 @@ import struct Foundation.Data
 
 #if os(macOS)
 import Security
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 @_implementationOnly import CCryptoBoringSSL
 #endif
 
 #if os(macOS)
 typealias Certificate = CoreCertificate
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 typealias Certificate = BoringSSLCertificate
 #else
 typealias Certificate = UnsupportedCertificate
@@ -109,7 +109,7 @@ struct CoreCertificate {
 
 // MARK: - Certificate implementation using BoringSSL
 
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 final class BoringSSLCertificate {
     private let underlying: UnsafeMutablePointer<X509>
 
diff --git a/Sources/PackageCollectionsSigning/Certificate/CertificatePolicy.swift b/Sources/PackageCollectionsSigning/Certificate/CertificatePolicy.swift
@@ -19,7 +19,7 @@ import TSCBasic
 
 #if os(macOS)
 import Security
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 @_implementationOnly import CCryptoBoringSSL
 @_implementationOnly import PackageCollectionsSigningLibc
 #endif
@@ -29,7 +29,7 @@ let appleDistributionMacOSMarker = "1.2.840.113635.100.6.1.7"
 let appleIntermediateMarker = "1.2.840.113635.100.6.2.1"
 
 // For BoringSSL only - the Security framework recognizes these marker extensions
-#if os(Linux) || os(Windows)
+#if os(Linux) || os(Windows) || os(Android)
 let supportedCriticalExtensions: Set<String> = [appleDistributionIOSMarker, appleDistributionMacOSMarker,
                                                 // Support "Apple Development" cert markers--they are valid code signing certs after all and satisfy DefaultCertificatePolicy
                                                 "1.2.840.113635.100.6.1.2", "1.2.840.113635.100.6.1.12"]
@@ -99,7 +99,7 @@ extension CertificatePolicy {
         }
     }
 
-    #elseif os(Linux) || os(Windows)
+    #elseif os(Linux) || os(Windows) || os(Android)
     typealias BoringSSLVerifyCallback = @convention(c) (CInt, UnsafeMutablePointer<X509_STORE_CTX>?) -> CInt
 
     /// Verifies a certificate chain.
@@ -232,7 +232,7 @@ extension CertificatePolicy {
     #endif
 }
 
-#if os(Linux) || os(Windows)
+#if os(Linux) || os(Windows) || os(Android)
 private let ocspClient = BoringSSLOCSPClient()
 
 private struct BoringSSLOCSPClient {
@@ -447,7 +447,7 @@ extension CertificatePolicy {
             throw CertificatePolicyError.extensionFailure
         }
         return !dict.isEmpty
-        #elseif os(Linux) || os(Windows)
+        #elseif os(Linux) || os(Windows) || os(Android)
         let nid = CCryptoBoringSSL_OBJ_create(oid, "ObjectShortName", "ObjectLongName")
         let index = certificate.withUnsafeMutablePointer { CCryptoBoringSSL_X509_get_ext_by_NID($0, nid, -1) }
         return index >= 0
@@ -466,7 +466,7 @@ extension CertificatePolicy {
             return false
         }
         return usages.first(where: { $0 == usage.data }) != nil
-        #elseif os(Linux) || os(Windows)
+        #elseif os(Linux) || os(Windows) || os(Android)
         let eku = certificate.withUnsafeMutablePointer { CCryptoBoringSSL_X509_get_extended_key_usage($0) }
         return eku & UInt32(usage.flag) > 0
         #else
@@ -488,7 +488,7 @@ extension CertificatePolicy {
             return false
         }
         return infoAccessValue.first(where: { valueDict in valueDict[kSecPropertyKeyValue] as? String == "1.3.6.1.5.5.7.48.1" }) != nil
-        #elseif os(Linux) || os(Windows)
+        #elseif os(Linux) || os(Windows) || os(Android)
         // Check that there is at least one OCSP responder URL, in which case OCSP check will take place in `verify`.
         let ocspURLs = certificate.withUnsafeMutablePointer { CCryptoBoringSSL_X509_get1_ocsp($0) }
         defer { CCryptoBoringSSL_sk_OPENSSL_STRING_free(ocspURLs) }
@@ -513,7 +513,7 @@ enum CertificateExtendedKeyUsage {
         }
     }
 
-    #elseif os(Linux) || os(Windows)
+    #elseif os(Linux) || os(Windows) || os(Android)
     var flag: CInt {
         switch self {
         case .codeSigning:
@@ -581,7 +581,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
     private let callbackQueue: DispatchQueue
     private let diagnosticsEngine: DiagnosticsEngine
 
-    #if os(Linux) || os(Windows)
+    #if os(Linux) || os(Windows) || os(Android)
     private let httpClient: HTTPClient
     #endif
 
@@ -598,7 +598,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
     ///   - callbackQueue: The `DispatchQueue` to use for callbacks
     ///   - diagnosticsEngine: The `DiagnosticsEngine` for emitting warnings and errors.
     init(trustedRootCertsDir: URL?, additionalTrustedRootCerts: [Certificate]?, expectedSubjectUserID: String? = nil, callbackQueue: DispatchQueue, diagnosticsEngine: DiagnosticsEngine) {
-        #if !(os(macOS) || os(Linux) || os(Windows))
+        #if !(os(macOS) || os(Linux) || os(Windows) || os(Android))
         fatalError("Unsupported: \(#function)")
         #else
         var trustedRoots = [Certificate]()
@@ -613,14 +613,14 @@ struct DefaultCertificatePolicy: CertificatePolicy {
         self.callbackQueue = callbackQueue
         self.diagnosticsEngine = diagnosticsEngine
 
-        #if os(Linux) || os(Windows)
+        #if os(Linux) || os(Windows) || os(Android)
         self.httpClient = HTTPClient.makeDefault(callbackQueue: callbackQueue)
         #endif
         #endif
     }
 
     func validate(certChain: [Certificate], callback: @escaping (Result<Void, Error>) -> Void) {
-        #if !(os(macOS) || os(Linux) || os(Windows))
+        #if !(os(macOS) || os(Linux) || os(Windows) || os(Android))
         fatalError("Unsupported: \(#function)")
         #else
         let wrappedCallback: (Result<Void, Error>) -> Void = { result in self.callbackQueue.async { callback(result) } }
@@ -649,7 +649,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
             // Verify the cert chain - if it is trusted then cert chain is valid
             #if os(macOS)
             self.verify(certChain: certChain, anchorCerts: self.trustedRoots, diagnosticsEngine: self.diagnosticsEngine, callbackQueue: self.callbackQueue, callback: callback)
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             self.verify(certChain: certChain, anchorCerts: self.trustedRoots, httpClient: self.httpClient, diagnosticsEngine: self.diagnosticsEngine, callbackQueue: self.callbackQueue, callback: callback)
             #endif
         } catch {
@@ -672,7 +672,7 @@ struct AppleDeveloperCertificatePolicy: CertificatePolicy {
     private let callbackQueue: DispatchQueue
     private let diagnosticsEngine: DiagnosticsEngine
 
-    #if os(Linux) || os(Windows)
+    #if os(Linux) || os(Windows) || os(Android)
     private let httpClient: HTTPClient
     #endif
 
@@ -689,7 +689,7 @@ struct AppleDeveloperCertificatePolicy: CertificatePolicy {
     ///   - callbackQueue: The `DispatchQueue` to use for callbacks
     ///   - diagnosticsEngine: The `DiagnosticsEngine` for emitting warnings and errors.
     init(trustedRootCertsDir: URL?, additionalTrustedRootCerts: [Certificate]?, expectedSubjectUserID: String? = nil, callbackQueue: DispatchQueue, diagnosticsEngine: DiagnosticsEngine) {
-        #if !(os(macOS) || os(Linux) || os(Windows))
+        #if !(os(macOS) || os(Linux) || os(Windows) || os(Android))
         fatalError("Unsupported: \(#function)")
         #else
         var trustedRoots = [Certificate]()
@@ -704,14 +704,14 @@ struct AppleDeveloperCertificatePolicy: CertificatePolicy {
         self.callbackQueue = callbackQueue
         self.diagnosticsEngine = diagnosticsEngine
 
-        #if os(Linux) || os(Windows)
+        #if os(Linux) || os(Windows) || os(Android)
         self.httpClient = HTTPClient.makeDefault(callbackQueue: callbackQueue)
         #endif
         #endif
     }
 
     func validate(certChain: [Certificate], callback: @escaping (Result<Void, Error>) -> Void) {
-        #if !(os(macOS) || os(Linux) || os(Windows))
+        #if !(os(macOS) || os(Linux) || os(Windows) || os(Android))
         fatalError("Unsupported: \(#function)")
         #else
         let wrappedCallback: (Result<Void, Error>) -> Void = { result in self.callbackQueue.async { callback(result) } }
@@ -752,7 +752,7 @@ struct AppleDeveloperCertificatePolicy: CertificatePolicy {
             // Verify the cert chain - if it is trusted then cert chain is valid
             #if os(macOS)
             self.verify(certChain: certChain, anchorCerts: self.trustedRoots, diagnosticsEngine: self.diagnosticsEngine, callbackQueue: self.callbackQueue, callback: callback)
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             self.verify(certChain: certChain, anchorCerts: self.trustedRoots, httpClient: self.httpClient, diagnosticsEngine: self.diagnosticsEngine, callbackQueue: self.callbackQueue, callback: callback)
             #endif
         } catch {
diff --git a/Sources/PackageCollectionsSigning/Key/BoringSSLKey.swift b/Sources/PackageCollectionsSigning/Key/BoringSSLKey.swift
@@ -21,7 +21,7 @@
 //
 //===----------------------------------------------------------------------===//
 
-#if os(Linux) || os(Windows)
+#if os(Linux) || os(Windows) || os(Android)
 import Foundation
 
 @_implementationOnly import CCryptoBoringSSL
diff --git a/Sources/PackageCollectionsSigning/Key/Key+RSA.swift b/Sources/PackageCollectionsSigning/Key/Key+RSA.swift
@@ -25,14 +25,14 @@ import Foundation
 
 #if os(macOS)
 import Security
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 @_implementationOnly import CCryptoBoringSSL
 #endif
 
 #if os(macOS)
 typealias RSAPublicKey = CoreRSAPublicKey
 typealias RSAPrivateKey = CoreRSAPrivateKey
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 typealias RSAPublicKey = BoringSSLRSAPublicKey
 typealias RSAPrivateKey = BoringSSLRSAPrivateKey
 #else
@@ -106,7 +106,7 @@ struct CoreRSAPublicKey: PublicKey {
 
 // Reference: https://github.com/vapor/jwt-kit/blob/master/Sources/JWTKit/RSA/RSAKey.swift
 
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 final class BoringSSLRSAPrivateKey: PrivateKey, BoringSSLKey {
     let underlying: UnsafeMutablePointer<CCryptoBoringSSL.RSA>
 
diff --git a/Sources/PackageCollectionsSigning/Signing/BoringSSLSigning.swift b/Sources/PackageCollectionsSigning/Signing/BoringSSLSigning.swift
@@ -21,7 +21,7 @@
 //
 //===----------------------------------------------------------------------===//
 
-#if os(Linux) || os(Windows)
+#if os(Linux) || os(Windows) || os(Android)
 import Foundation
 
 @_implementationOnly import CCryptoBoringSSL
diff --git a/Sources/PackageCollectionsSigning/Signing/Signing+RSAKey.swift b/Sources/PackageCollectionsSigning/Signing/Signing+RSAKey.swift
@@ -25,7 +25,7 @@ import struct Foundation.Data
 
 #if os(macOS)
 import Security
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 @_implementationOnly import CCryptoBoringSSL
 #endif
 
@@ -59,7 +59,7 @@ extension CoreRSAPublicKey {
 
 // MARK: - MessageSigner and MessageValidator conformance using BoringSSL
 
-#elseif os(Linux) || os(Windows)
+#elseif os(Linux) || os(Windows) || os(Android)
 // Reference: https://github.com/vapor/jwt-kit/blob/master/Sources/JWTKit/RSA/RSASigner.swift
 extension BoringSSLRSAPrivateKey: BoringSSLSigning {
     private static let algorithm = BoringSSLEVP(type: .sha256)
diff --git a/Tests/PackageCollectionsSigningTests/CertificatePolicyTests.swift b/Tests/PackageCollectionsSigningTests/CertificatePolicyTests.swift
@@ -79,7 +79,7 @@ class CertificatePolicyTests: XCTestCase {
                 guard CertificatePolicyError.invalidCertChain == error as? CertificatePolicyError else {
                     return XCTFail("Expected CertificatePolicyError.invalidCertChain")
                 }
-                #elseif os(Linux) || os(Windows)
+                #elseif os(Linux) || os(Windows) || os(Android)
                 guard CertificatePolicyError.noTrustedRootCertsConfigured == error as? CertificatePolicyError else {
                     return XCTFail("Expected CertificatePolicyError.noTrustedRootCertsConfigured")
                 }
@@ -142,7 +142,7 @@ class CertificatePolicyTests: XCTestCase {
                     return XCTFail("Expected CertificatePolicyError.invalidCertChain")
                 }
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -192,7 +192,7 @@ class CertificatePolicyTests: XCTestCase {
                                                       callbackQueue: callbackQueue, diagnosticsEngine: diagnosticsEngine)
                 XCTAssertNoThrow(try tsc_await { callback in policy.validate(certChain: certChain, callback: callback) })
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -257,7 +257,7 @@ class CertificatePolicyTests: XCTestCase {
                                                              callbackQueue: callbackQueue, diagnosticsEngine: diagnosticsEngine)
                 XCTAssertNoThrow(try tsc_await { callback in policy.validate(certChain: certChain, callback: callback) })
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -327,7 +327,7 @@ class CertificatePolicyTests: XCTestCase {
                     }
                 }
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -395,7 +395,7 @@ class CertificatePolicyTests: XCTestCase {
                     }
                 }
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
diff --git a/Tests/PackageCollectionsSigningTests/PackageCollectionSigningTest.swift b/Tests/PackageCollectionsSigningTests/PackageCollectionSigningTest.swift
@@ -247,7 +247,7 @@ class PackageCollectionSigningTests: XCTestCase {
                     signing.validate(signedCollection: signedCollection, certPolicyKey: certPolicyKey, callback: callback)
                 })
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -339,7 +339,7 @@ class PackageCollectionSigningTests: XCTestCase {
                     signing.validate(signedCollection: signedCollection, certPolicyKey: certPolicyKey, callback: callback)
                 })
             }
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -412,7 +412,7 @@ class PackageCollectionSigningTests: XCTestCase {
             XCTAssertNoThrow(try tsc_await { callback in
                 signing.validate(signedCollection: signedCollection, certPolicyKey: certPolicyKey, callback: callback)
             })
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
@@ -467,7 +467,7 @@ class PackageCollectionSigningTests: XCTestCase {
             XCTAssertNoThrow(try tsc_await { callback in
                 signing.validate(signedCollection: signedCollection, certPolicyKey: certPolicyKey, callback: callback)
             })
-            #elseif os(Linux) || os(Windows)
+            #elseif os(Linux) || os(Windows) || os(Android)
             // On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
             try withTemporaryDirectory { tmp in
                 try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))
diff --git a/Tests/PackageCollectionsSigningTests/Utilities.swift b/Tests/PackageCollectionsSigningTests/Utilities.swift
@@ -178,7 +178,7 @@ extension String {
 
 extension XCTestCase {
     func skipIfUnsupportedPlatform() throws {
-        #if os(macOS) || os(Linux) || os(Windows)
+        #if os(macOS) || os(Linux) || os(Windows) || os(Android)
         #else
         throw XCTSkip("Skipping test on unsupported platform")
         #endif

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ class CertificatePolicyTests: XCTestCase {`
`79`	`79`	`guard CertificatePolicyError.invalidCertChain == error as? CertificatePolicyError else {`
`80`	`80`	`return XCTFail("Expected CertificatePolicyError.invalidCertChain")`
`81`	`81`	`}`
`82`		`- #elseif os(Linux) \|\| os(Windows)`
	`82`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`83`	`83`	`guard CertificatePolicyError.noTrustedRootCertsConfigured == error as? CertificatePolicyError else {`
`84`	`84`	`return XCTFail("Expected CertificatePolicyError.noTrustedRootCertsConfigured")`
`85`	`85`	`}`
`@@ -142,7 +142,7 @@ class CertificatePolicyTests: XCTestCase {`
`142`	`142`	`return XCTFail("Expected CertificatePolicyError.invalidCertChain")`
`143`	`143`	`}`
`144`	`144`	`}`
`145`		`- #elseif os(Linux) \|\| os(Windows)`
	`145`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`146`	`146`	// On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
`147`	`147`	`try withTemporaryDirectory { tmp in`
`148`	`148`	`try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))`
`@@ -192,7 +192,7 @@ class CertificatePolicyTests: XCTestCase {`
`192`	`192`	`callbackQueue: callbackQueue, diagnosticsEngine: diagnosticsEngine)`
`193`	`193`	`XCTAssertNoThrow(try tsc_await { callback in policy.validate(certChain: certChain, callback: callback) })`
`194`	`194`	`}`
`195`		`- #elseif os(Linux) \|\| os(Windows)`
	`195`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`196`	`196`	// On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
`197`	`197`	`try withTemporaryDirectory { tmp in`
`198`	`198`	`try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))`
`@@ -257,7 +257,7 @@ class CertificatePolicyTests: XCTestCase {`
`257`	`257`	`callbackQueue: callbackQueue, diagnosticsEngine: diagnosticsEngine)`
`258`	`258`	`XCTAssertNoThrow(try tsc_await { callback in policy.validate(certChain: certChain, callback: callback) })`
`259`	`259`	`}`
`260`		`- #elseif os(Linux) \|\| os(Windows)`
	`260`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`261`	`261`	// On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
`262`	`262`	`try withTemporaryDirectory { tmp in`
`263`	`263`	`try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))`
`@@ -327,7 +327,7 @@ class CertificatePolicyTests: XCTestCase {`
`327`	`327`	`}`
`328`	`328`	`}`
`329`	`329`	`}`
`330`		`- #elseif os(Linux) \|\| os(Windows)`
	`330`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`331`	`331`	// On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
`332`	`332`	`try withTemporaryDirectory { tmp in`
`333`	`333`	`try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))`
`@@ -395,7 +395,7 @@ class CertificatePolicyTests: XCTestCase {`
`395`	`395`	`}`
`396`	`396`	`}`
`397`	`397`	`}`
`398`		`- #elseif os(Linux) \|\| os(Windows)`
	`398`	`+ #elseif os(Linux) \|\| os(Windows) \|\| os(Android)`
`399`	`399`	// On other platforms we have to specify `trustedRootCertsDir` so the Apple root cert is trusted
`400`	`400`	`try withTemporaryDirectory { tmp in`
`401`	`401`	`try localFileSystem.copy(from: rootCAPath, to: tmp.appending(components: "AppleIncRoot.cer"))`