From 1388a9d276a90a6507a07bd1a6195a67da176cf1 Mon Sep 17 00:00:00 2001
From: Camilo Viecco
Date: Wed, 30 Apr 2014 17:04:00 -0700
Subject: [PATCH] Bug 951315 - Add telemetry to PK pinning. r=dkeeler
---
 .../manager/boot/src/PublicKeyPinningService.cpp | 14 +++++++++-----
 security/manager/ssl/tests/unit/test_pinning.js | 15 +++++++++++++++
 toolkit/components/telemetry/Histograms.json | 6 ++++++
 3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/security/manager/boot/src/PublicKeyPinningService.cpp b/security/manager/boot/src/PublicKeyPinningService.cpp
index 5c626488b344..8ea4dafc255d 100644
--- a/security/manager/boot/src/PublicKeyPinningService.cpp
+++ b/security/manager/boot/src/PublicKeyPinningService.cpp
@@ -4,16 +4,17 @@
 #include "PublicKeyPinningService.h"
 #include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js
-#include "ScopedNSSTypes.h"
-#include "pkix/pkixtypes.h"
-#include "nsString.h"
 #include "cert.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Telemetry.h"
+#include "nsString.h"
 #include "nssb64.h"
+#include "pkix/pkixtypes.h"
 #include "prlog.h"
+#include "ScopedNSSTypes.h"
 #include "seccomon.h"
 #include "sechash.h"
-#include "mozilla/Base64.h"
 using namespace mozilla;
 using namespace mozilla::psm;
@@ -148,7 +149,10 @@ CheckPinsForHostname(const CERTCertList *certList, const char *hostname,
 } // end while
 if (foundEntry && foundEntry->pinset) {
- return EvalPinWithPinset(certList, foundEntry->pinset);
+ bool result = EvalPinWithPinset(certList, foundEntry->pinset);
+ Telemetry::Accumulate(Telemetry::CERT_PINNING_EVALUATION_RESULTS,
+ result ? 1 : 0);
+ return result;
 }
 return true; // No pinning information for this hostname
 }
diff --git a/security/manager/ssl/tests/unit/test_pinning.js b/security/manager/ssl/tests/unit/test_pinning.js
index e70563ab9247..1ed1e2589584 100644
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
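Review bot: The bucket passed to `Telemetry::Accumulate` in `CheckPinsForHostname` (PublicKeyPinningService.cpp, second hunk) is a bare `result ? 1 : 0`, and nothing at the call site says what the two values mean or that the `return true` path for hosts without a pinset is deliberately left unrecorded. A comment above the call would keep that next to the code, for example `// Bucket 0 = pin check failed, 1 = passed; hosts with no pinset entry are not counted.` The counter is bumped once per call, so if this function can run more than once per handshake (not visible in the hunk) the histogram counts evaluations rather than connections, which is worth stating in the same comment. The function body starts before the hunk.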
@@ -83,6 +83,17 @@ function test_disabled() {
 add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
 };
+function check_pinning_telemetry() {
+ let histogram = Cc["@mozilla.org/base/telemetry;1"]
+ .getService(Ci.nsITelemetry)
+ .getHistogramById("CERT_PINNING_EVALUATION_RESULTS")
+ .snapshot();
+ // Currently only strict mode gets evaluated
+ do_check_eq(histogram.counts[0], 1); // Failure count
+ do_check_eq(histogram.counts[1], 3); // Success count
+ run_next_test();
+}
+
 function run_test() {
 add_tls_server_setup("BadCertServer");
@@ -92,5 +103,9 @@ function run_test() {
 test_strict();
 test_mitm();
 test_disabled();
+
+ add_test(function () {
+ check_pinning_telemetry();
+ });
 run_next_test();
 }
diff --git a/toolkit/components/telemetry/Histograms.json b/toolkit/components/telemetry/Histograms.json
index 6203cb603652..3683989e0a40 100644
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -5916,5 +5916,11 @@
 "high": "5000",
 "n_buckets": 10,
 "extended_statistics_ok": true
+ },
+ "CERT_PINNING_EVALUATION_RESULTS": {
+ "expires_in_version": "never",
+ "kind": "enumerated",
+ "n_values": 4,
+ "description": "Certificate pinning evalutation results(pinned host)(0 = failure, 1 = success)"
 }
 }
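Review bot: `check_pinning_telemetry` in test_pinning.js asserts absolute totals (`counts[0]` is 1, `counts[1]` is 3) without saying which connection tests produce them, and it never looks at the remaining values of the four-value histogram. Anyone adding a pinned-host connection to `test_strict`, `test_mitm` or `test_disabled` will break these numbers with no hint of where they come from, so a comment listing the contributing connections would help. Assuming the snapshot exposes the unused buckets, `do_check_eq(histogram.counts[2], 0);` and `do_check_eq(histogram.counts[3], 0);` would also catch a stray value. The totals further assume that nothing else in the process has accumulated into this histogram before the snapshot is taken.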
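Review bot: The anonymous wrapper around `check_pinning_telemetry` in the `run_test` hunk adds nothing, because the function takes no arguments and already calls `run_next_test()` itself. Registering it directly, `add_test(check_pinning_telemetry);`, says the same thing in one line. `run_test` begins before the hunk.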
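Review bot: The new `CERT_PINNING_EVALUATION_RESULTS` entry in Histograms.json declares `"n_values": 4`, but its description defines only 0 and 1, so a reader of the collected data cannot tell what 2 and 3 would mean. Either state what the spare values are reserved for or, if nothing is planned, lower `n_values` to match. The description string also has a typo and run-together words; it could read `"Certificate pinning evaluation results (pinned host) (0 = failure, 1 = success)"`.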