    Make OS X path "building" more buildy, less breaky · a3fa5418
    rsleevi authored
    For the reasons described within the code itself, OS X can be a bit tetchy
    when it comes to PKI path building. Rather than blow up in users' face with
    an error, or warn them about weak signatures when strong signatures exist,
    take a performance hit and do something similar to Safari, which is to
    assume the OS APIs are broken/won't do the right thing, and try to fix up
    the inputs prior to giving to the Security.framework.
    
    In this case, it means trying to verify the cert as supplied (the existing
    behaviour), and if that fails / gives something undesirable, begin cutting
    off certs given to the OS and retrying until it gives something better or
    there are no more certs to amputate.
    
    This causes an (unmeasured) perf hit, but only for situations that would
    fail for users today, or would yell at them tomorrow, so overall, it's
    a worthy tradeoff.
    
    BUG=438653, 434914, 440267
    TEST= https://github.com works. https://cacert.omniroot.com works. Unit tests are happy.
    
    Review URL: https://codereview.chromium.org/886223002
    
    Cr-Commit-Position: refs/heads/master@{#314641}
cert_verify_proc_mac.cc 31.9 KB
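
The retry strategy the commit message describes, sketched as an added example (this is not Chromium's code and does not call Security.framework). `VerifyResult`, `OsVerifier`, `VerifyWithTrimming`, `FakeOs` and the certificate labels are hypothetical, and the sketch assumes certs are dropped from the end of the supplied list while the leaf is always kept.

```cpp
#include <cstddef>
#include <functional>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical outcome of one OS verification attempt (not Chromium's types).
struct VerifyResult {
  bool ok = false;                 // a trusted path was built
  bool weak_signature = false;     // that path contains a weak signature
  std::size_t certs_supplied = 0;  // leaf + intermediates handed to the OS
};
using Chain = std::vector<std::string>;  // index 0 is the leaf
using OsVerifier = std::function<VerifyResult(const Chain&)>;

// Rank outcomes: failure < trusted but weak < trusted and strong.
int Score(const VerifyResult& r) { return !r.ok ? 0 : (r.weak_signature ? 1 : 2); }

// Try the chain as supplied; while the best result so far is a failure or a
// weak path, drop the last supplied cert and retry. The leaf is never dropped.
VerifyResult VerifyWithTrimming(Chain chain, const OsVerifier& verify) {
  VerifyResult best = verify(chain);
  best.certs_supplied = chain.size();
  while (Score(best) < 2 && chain.size() > 1) {
    chain.pop_back();
    VerifyResult attempt = verify(chain);
    attempt.certs_supplied = chain.size();
    if (Score(attempt) > Score(best)) best = attempt;
  }
  return best;
}

// Constructed model of a path builder that follows whatever it is handed:
// an expired cross-cert makes it fail, a SHA-1 cross-cert yields a weak path,
// and otherwise it completes a strong path from its own store.
VerifyResult FakeOs(const Chain& chain) {
  VerifyResult r;
  for (const auto& c : chain) {
    if (c == "expired-cross-cert") return r;
    if (c == "sha1-cross-cert") r.weak_signature = true;
  }
  r.ok = true;
  return r;
}

int main() {
  VerifyResult r = VerifyWithTrimming({"leaf", "intermediate", "sha1-cross-cert"}, FakeOs);
  std::cout << "ok=" << r.ok << " weak=" << r.weak_signature
            << " certs_supplied=" << r.certs_supplied << "\n";
  return 0;
}
```

The extra verification calls happen only when the first attempt fails or comes back weak, which matches the commit's note that the cost falls on cases that would otherwise error or warn.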