Search in more locations for the system's root certificates.

TEST=access pub under wolfi
Bug: #56734
Change-Id: Ie2033d3551966180dfdf3eff1b5ef39ac0b79ce7
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/388080
Reviewed-by: Brian Quinlan <[email protected]>
Commit-Queue: Ryan Macnak <[email protected]>

Author: rmacnak-google

runtime/bin/security_context_linux.cc

@@ -62,16 +62,33 @@ void SSLCertContext::TrustBuiltinRoots() {
     // discussion of the complexities of this endeavor can be found here:
     //
     // https://www.happyassassin.net/2015/01/12/a-note-about-ssltls-trusted-certificate-stores-and-platforms/
-    const char* bundle = "/etc/pki/tls/certs/ca-bundle.crt";
-    const char* cachedir = "/etc/ssl/certs";
-    if (File::Exists(nullptr, bundle)) {
-      LoadRootCertFile(bundle);
-      return;
+    //
+    // This set of locations was copied from gRPC.
+    const char* kCertFiles[] = {
+        "/etc/ssl/certs/ca-certificates.crt",
+        "/etc/pki/tls/certs/ca-bundle.crt",
+        "/etc/ssl/ca-bundle.pem",
+        "/etc/pki/tls/cacert.pem",
+        "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem",
+    };
+    const char* kCertDirectories[] = {
+        "/etc/ssl/certs",         "/system/etc/security/cacerts",
+        "/usr/local/share/certs", "/etc/pki/tls/certs",
+        "/etc/openssl/certs",
+    };
+    for (size_t i = 0; i < ARRAY_SIZE(kCertFiles); i++) {
+      const char* bundle = kCertFiles[i];
+      if (File::Exists(nullptr, bundle)) {
+        LoadRootCertFile(bundle);
+        return;
+      }
     }
-
-    if (Directory::Exists(nullptr, cachedir) == Directory::EXISTS) {
-      LoadRootCertCache(cachedir);
-      return;
+    for (size_t i = 0; i < ARRAY_SIZE(kCertDirectories); i++) {
+      const char* cachedir = kCertDirectories[i];
+      if (Directory::Exists(nullptr, cachedir) == Directory::EXISTS) {
+        LoadRootCertCache(cachedir);
+        return;
+      }
     }
 #endif
   }

runtime/platform/globals.h

@@ -575,6 +575,14 @@ constexpr double MicrosecondsToMilliseconds(int64_t micros) {
   return static_cast<double>(micros) / kMicrosecondsPerMillisecond;
 }
 
+// The expression ARRAY_SIZE(array) is a compile-time constant of type
+// size_t which represents the number of elements of the given
+// array. You should only use ARRAY_SIZE on statically allocated
+// arrays.
+#define ARRAY_SIZE(array)                                                      \
+  ((sizeof(array) / sizeof(*(array))) /                                        \
+   static_cast<intptr_t>(!(sizeof(array) % sizeof(*(array)))))  // NOLINT
+
 // A macro to disallow the copy constructor and operator= functions.
 // This should be used in the private: declarations for a class.
 #if !defined(DISALLOW_COPY_AND_ASSIGN)

runtime/vm/globals.h

@@ -65,14 +65,6 @@ const intptr_t kDefaultNewGenSemiMaxSize = (kWordSize <= 4) ? 8 : 16;
 #define kPosInfinity bit_cast<double>(DART_UINT64_C(0x7ff0000000000000))
 #define kNegInfinity bit_cast<double>(DART_UINT64_C(0xfff0000000000000))
 
-// The expression ARRAY_SIZE(array) is a compile-time constant of type
-// size_t which represents the number of elements of the given
-// array. You should only use ARRAY_SIZE on statically allocated
-// arrays.
-#define ARRAY_SIZE(array)                                                      \
-  ((sizeof(array) / sizeof(*(array))) /                                        \
-   static_cast<intptr_t>(!(sizeof(array) % sizeof(*(array)))))  // NOLINT
-
 #if defined(PRODUCT) && defined(DEBUG)
 #error Both PRODUCT and DEBUG defined.
 #endif  // defined(PRODUCT) && defined(DEBUG)