commit | b7b0457e35ca5fa1ca4df84c493767d73cae3690 | [log] [tgz] |
---|---|---|
author | Ryan Sleevi <rsleevi@chromium.org> | Thu Dec 28 02:15:41 2017 |
committer | Commit Bot <commit-bot@chromium.org> | Thu Dec 28 21:11:12 2017 |
tree | 1bc04f4399c6dd1e1ebc4df12e178924301837f2 | |
parent | 38563bf4c5da1b11fd639c9156eb6b63c4b702a9 [diff] |
Use PK11_HasAttributeSet on Linux to determine root status when available NSS 3.30 introduced PK11_HasAttributeSet(), along with CKA_NSS_MOZILLA_CA_POLICY, to determine whether or not a certificate is part of the "built-in" set. This was introduced because some distributions replace NSS's nssckbi.so with a redirect to a distro-specific version which does not maintain the same properties as the upstream Mozilla version. Generally, this is a redirect to p11-kit, to allow multiple trust sources (upstream, per-system, admin-defined, user-defined) to be integrated as if they're a single store. Unfortunately, this breaks the detection logic for whether or not a certificate is issued by a known root on Linux. As Chromium does not yet require an NSS version >= 3.30, use dlsym to detect the function, and if it's available, do the more expensive query to determine whether or not a cert is a known-root, while keeping the fallback to the existing path. BUG=707280 Change-Id: I340dafe56e605515d2421c33cf1b05f9431f6126 Reviewed-on: https://chromium-review.googlesource.com/845095 Reviewed-by: Eric Roman <eroman@chromium.org> Commit-Queue: Ryan Sleevi <rsleevi@chromium.org> Cr-Commit-Position: refs/heads/master@{#526325}
Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.
The project's web site is https://www.chromium.org.
Documentation in the source is rooted in docs/README.md.
Learn how to Get Around the Chromium Source Code Directory Structure .