Google Git
Sign in
chromium / chromium / src / b7b0457e35ca5fa1ca4df84c493767d73cae3690
commitb7b0457e35ca5fa1ca4df84c493767d73cae3690[log] [tgz]
authorRyan Sleevi <rsleevi@chromium.org>Thu Dec 28 02:15:41 2017
committerCommit Bot <commit-bot@chromium.org>Thu Dec 28 21:11:12 2017
tree1bc04f4399c6dd1e1ebc4df12e178924301837f2
parent38563bf4c5da1b11fd639c9156eb6b63c4b702a9 [diff]
Use PK11_HasAttributeSet on Linux to determine root status when available

NSS 3.30 introduced PK11_HasAttributeSet(), along with
CKA_NSS_MOZILLA_CA_POLICY, to determine whether or not a certificate is
part of the "built-in" set. This was introduced because some
distributions replace NSS's nssckbi.so with a redirect to a
distro-specific version which does not maintain the same properties as
the upstream Mozilla version.

Generally, this is a redirect to p11-kit, to allow multiple trust sources
(upstream, per-system, admin-defined, user-defined) to be integrated as if
they're a single store. Unfortunately, this breaks the detection logic
for whether or not a certificate is issued by a known root on Linux.

As Chromium does not yet require an NSS version >= 3.30, use dlsym to
detect the function, and if it's available, do the more expensive query
to determine whether or not a cert is a known-root, while keeping the
fallback to the existing path.

BUG=707280

Change-Id: I340dafe56e605515d2421c33cf1b05f9431f6126
Reviewed-on: https://chromium-review.googlesource.com/845095
Reviewed-by: Eric Roman <eroman@chromium.org>
Commit-Queue: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#526325}
1 file changed
tree: 1bc04f4399c6dd1e1ebc4df12e178924301837f2
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. blink/
  6. build/
  7. build_overrides/
  8. cc/
  9. chrome/
  10. chrome_elf/
  11. chromecast/
  12. chromeos/
  13. cloud_print/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. jingle/
  31. mash/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. .clang-format
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .vpython
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. ENG_REVIEW_OWNERS
  65. LICENSE
  66. LICENSE.chromium_os
  67. OWNERS
  68. PRESUBMIT.py
  69. PRESUBMIT_test.py
  70. PRESUBMIT_test_mocks.py
  71. README.md
  72. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .