0bcd21
diff --git a/security/certverifier/CertVerifier.cpp b/security/certverifier/CertVerifier.cpp
0bcd21
--- a/security/certverifier/CertVerifier.cpp
0bcd21
+++ b/security/certverifier/CertVerifier.cpp
0bcd21
@@ -120,16 +120,20 @@ IsCertChainRootBuiltInRoot(const UniqueC
0bcd21
   }
0bcd21
   CERTCertificate* root = rootNode->cert;
0bcd21
   if (!root) {
0bcd21
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
0bcd21
   }
0bcd21
   return IsCertBuiltInRoot(root, result);
0bcd21
 }
0bcd21
 
0bcd21
+// The term "builtin root" traditionally refers to a root CA certificate that
0bcd21
+// has been added to the NSS trust store, because it has been approved
0bcd21
+// for inclusion according to the Mozilla CA policy, and might be accepted
0bcd21
+// by Mozilla applications as an issuer for certificates seen on the public web.
0bcd21
 Result
0bcd21
 IsCertBuiltInRoot(CERTCertificate* cert, bool& result)
0bcd21
 {
0bcd21
   result = false;
0bcd21
 #ifdef DEBUG
0bcd21
   nsCOMPtr<nsINSSComponent> component(do_GetService(PSM_COMPONENT_CONTRACTID));
0bcd21
   if (!component) {
0bcd21
     return Result::FATAL_ERROR_LIBRARY_FAILURE;
0bcd21
@@ -142,25 +146,38 @@ IsCertBuiltInRoot(CERTCertificate* cert,
0bcd21
     return Success;
0bcd21
   }
0bcd21
 #endif // DEBUG
0bcd21
   AutoSECMODListReadLock lock;
0bcd21
   for (SECMODModuleList* list = SECMOD_GetDefaultModuleList(); list;
0bcd21
        list = list->next) {
0bcd21
     for (int i = 0; i < list->module->slotCount; i++) {
0bcd21
       PK11SlotInfo* slot = list->module->slots[i];
0bcd21
-      // PK11_HasRootCerts should return true if and only if the given slot has
0bcd21
-      // an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST, which
0bcd21
-      // should be true only of the builtin root list.
0bcd21
-      // If we can find a copy of the given certificate on the slot with the
0bcd21
-      // builtin root list, that certificate must be a builtin.
0bcd21
-      if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot) &&
0bcd21
-          PK11_FindCertInSlot(slot, cert, nullptr) != CK_INVALID_HANDLE) {
0bcd21
-        result = true;
0bcd21
-        return Success;
0bcd21
+      // We're searching for the "builtin root module", which is a module that
0bcd21
+      // contains an object with a CKA_CLASS of CKO_NETSCAPE_BUILTIN_ROOT_LIST.
0bcd21
+      // We use PK11_HasRootCerts() to identify a module with that property.
0bcd21
+      // In the past, we exclusively used the PKCS#11 module named nssckbi,
0bcd21
+      // which is provided by the NSS library.
0bcd21
+      // Nowadays, some distributions use a replacement module, which contains
0bcd21
+      // the builtin roots, but which also contains additional CA certificates,
0bcd21
+      // such as CAs trusted in a local deployment.
0bcd21
+      // We want to be able to distinguish between these two categories,
0bcd21
+      // because a CA, which may issue certificates for the public web,
0bcd21
+      // is expected to comply with additional requirements.
0bcd21
+      // If the certificate has attribute CKA_NSS_MOZILLA_CA_POLICY set to true,
0bcd21
+      // then we treat it as a "builtin root".
0bcd21
+      if (PK11_IsPresent(slot) && PK11_HasRootCerts(slot)) {
0bcd21
+        CK_OBJECT_HANDLE handle = PK11_FindCertInSlot(slot, cert, nullptr);
0bcd21
+        if (handle != CK_INVALID_HANDLE &&
0bcd21
+            PK11_HasAttributeSet(slot, handle, CKA_NSS_MOZILLA_CA_POLICY,
0bcd21
+                                 false)) {
0bcd21
+          // Attribute was found, and is set to true
0bcd21
+          result = true;
0bcd21
+          break;
0bcd21
+        }
0bcd21
       }
0bcd21
     }
0bcd21
   }
0bcd21
   return Success;
0bcd21
 }
0bcd21
 
0bcd21
 static Result
0bcd21
 BuildCertChainForOneKeyUsage(NSSCertDBTrustDomain& trustDomain, Input certDER,