mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-29 15:52:07 +00:00
Bug 1196039 - Telemetry for certificate lifetime. r=rbarnes,vladan
This commit is contained in:
parent
b1c0d79c4e
commit
163979ae9f
@ -1143,6 +1143,50 @@ GatherRootCATelemetry(const ScopedCERTCertList& certList)
|
||||
rootCert);
|
||||
}
|
||||
|
||||
// These time are appoximate, i.e., doesn't account for leap seconds, etc
|
||||
const uint64_t ONE_WEEK_IN_SECONDS = (7 * (24 * 60 *60));
|
||||
const uint64_t ONE_YEAR_IN_WEEKS = 52;
|
||||
|
||||
// Gathers telemetry on the certificate lifetimes we observe in the wild
|
||||
void
|
||||
GatherEndEntityTelemetry(const ScopedCERTCertList& certList)
|
||||
{
|
||||
CERTCertListNode* endEntityNode = CERT_LIST_HEAD(certList);
|
||||
PR_ASSERT(endEntityNode);
|
||||
if (!endEntityNode) {
|
||||
return;
|
||||
}
|
||||
|
||||
CERTCertificate * endEntityCert = endEntityNode->cert;
|
||||
PR_ASSERT(endEntityCert);
|
||||
if (!endEntityCert) {
|
||||
return;
|
||||
}
|
||||
|
||||
PRTime notBefore;
|
||||
PRTime notAfter;
|
||||
|
||||
if (CERT_GetCertTimes(endEntityCert, ¬Before, ¬After) != SECSuccess) {
|
||||
return;
|
||||
}
|
||||
|
||||
PR_ASSERT(notAfter > notBefore);
|
||||
if (notAfter <= notBefore) {
|
||||
return;
|
||||
}
|
||||
|
||||
uint64_t durationInWeeks = (notAfter - notBefore)
|
||||
/ PR_USEC_PER_SEC
|
||||
/ ONE_WEEK_IN_SECONDS;
|
||||
|
||||
if (durationInWeeks > (2 * ONE_YEAR_IN_WEEKS)) {
|
||||
durationInWeeks = (2 * ONE_YEAR_IN_WEEKS) + 1;
|
||||
}
|
||||
|
||||
Telemetry::Accumulate(Telemetry::SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME,
|
||||
durationInWeeks);
|
||||
}
|
||||
|
||||
// There are various things that we want to measure about certificate
|
||||
// chains that we accept. This is a single entry point for all of them.
|
||||
void
|
||||
@ -1151,6 +1195,7 @@ GatherSuccessfulValidationTelemetry(const ScopedCERTCertList& certList)
|
||||
GatherBaselineRequirementsTelemetry(certList);
|
||||
GatherEKUTelemetry(certList);
|
||||
GatherRootCATelemetry(certList);
|
||||
GatherEndEntityTelemetry(certList);
|
||||
}
|
||||
|
||||
SECStatus
|
||||
|
@ -1368,6 +1368,14 @@
|
||||
"n_values": 16,
|
||||
"description": "SSL Handshake Key Exchange Algorithm for resumed handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
|
||||
},
|
||||
"SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME": {
|
||||
"expires_in_version": "55",
|
||||
"alert_emails": ["seceng-telemetry@mozilla.com"],
|
||||
"kind": "enumerated",
|
||||
"n_values": 125,
|
||||
"releaseChannelCollection": "opt-out",
|
||||
"description": "The lifetime of accepted HTTPS server certificates, in weeks, up to 2 years. Bucket 105 is all end-entity HTTPS server certificates with a lifetime > 2 years."
|
||||
},
|
||||
"WEBSOCKETS_HANDSHAKE_TYPE": {
|
||||
"expires_in_version": "never",
|
||||
"kind": "enumerated",
|
||||
|
Loading…
Reference in New Issue
Block a user