Re: Client/server certificates verification support on Android platform

Thanks for the response Daniel.

AFAIK, Android has a KeyCert API, however this doesn't let you extract private keys as such and only to perform certain cryptographic operations on it. Guessing a bit here, this likely means that we would need to provide an openssl engine (via libpq?) that implements certain openssl callbacks and connects them through JNI to the android KeyCert API. This is a rather complex integration to begin with, and one I wouldn’t blame libpq to not be interested in.

I also can’t see the method suggested above to be super friendly to services defined via pg_service.conf across multiple OSes; the filesystem access for that is quite useful.

While presumed-safe locations are not bulletproof, they do have their uses on Windows, and would definitively ease things when using libpq on Android. When it comes to the actual use case described in this thread, I’d rather rely on a clearly established and documented presumed-safe location logic than doing the workaround I linked above. Both ultimately get us a workable connection.