Bug 1196039 - Telemetry for certificate lifetime. r=rbarnes,vladan

Kate McKinley 2015-09-17 10:04:52 -07:00
parent b1c0d79c4e
commit 163979ae9f
2 changed files with 53 additions and 0 deletions


@ -1143,6 +1143,50 @@ GatherRootCATelemetry(const ScopedCERTCertList& certList)
rootCert);
}
// These time are appoximate, i.e., doesn't account for leap seconds, etc
const uint64_t ONE_WEEK_IN_SECONDS = (7 * (24 * 60 *60));
const uint64_t ONE_YEAR_IN_WEEKS = 52;
// Gathers telemetry on the certificate lifetimes we observe in the wild
void
GatherEndEntityTelemetry(const ScopedCERTCertList& certList)
{
CERTCertListNode* endEntityNode = CERT_LIST_HEAD(certList);
PR_ASSERT(endEntityNode);
if (!endEntityNode) {
return;
}
CERTCertificate * endEntityCert = endEntityNode->cert;
PR_ASSERT(endEntityCert);
if (!endEntityCert) {
return;
}
PRTime notBefore;
PRTime notAfter;
if (CERT_GetCertTimes(endEntityCert, &notBefore, &notAfter) != SECSuccess) {
return;
}
PR_ASSERT(notAfter > notBefore);
if (notAfter <= notBefore) {
return;
}
uint64_t durationInWeeks = (notAfter - notBefore)
/ PR_USEC_PER_SEC
/ ONE_WEEK_IN_SECONDS;
if (durationInWeeks > (2 * ONE_YEAR_IN_WEEKS)) {
durationInWeeks = (2 * ONE_YEAR_IN_WEEKS) + 1;
}
Telemetry::Accumulate(Telemetry::SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME,
durationInWeeks);
}
// There are various things that we want to measure about certificate
// chains that we accept. This is a single entry point for all of them.
void
@ -1151,6 +1195,7 @@ GatherSuccessfulValidationTelemetry(const ScopedCERTCertList& certList)
GatherBaselineRequirementsTelemetry(certList);
GatherEKUTelemetry(certList);
GatherRootCATelemetry(certList);
GatherEndEntityTelemetry(certList);
}
SECStatus
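Review bot: The null checks in GatherEndEntityTelemetry do not catch an empty list, because NSS's `CERT_LIST_HEAD` returns the list's own sentinel link for an empty `CERTCertList` rather than null, so `endEntityNode->cert` would then read memory that is not a `CERTCertListNode`. The successful-validation caller presumably always passes a non-empty chain, but nothing in this function enforces that, and `PR_ASSERT` is compiled out of release builds, leaving the `if` as the only guard. I would make the first check `if (!endEntityNode || CERT_LIST_END(endEntityNode, certList)) { return; }`. Separately, the comment above the constants could read `// These times are approximate, i.e., they do not account for leap seconds, etc.`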


@ -1368,6 +1368,14 @@
"n_values": 16,
"description": "SSL Handshake Key Exchange Algorithm for resumed handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
},
"SSL_OBSERVED_END_ENTITY_CERTIFICATE_LIFETIME": {
"expires_in_version": "55",
"alert_emails": ["seceng-telemetry@mozilla.com"],
"kind": "enumerated",
"n_values": 125,
"releaseChannelCollection": "opt-out",
"description": "The lifetime of accepted HTTPS server certificates, in weeks, up to 2 years. Bucket 105 is all end-entity HTTPS server certificates with a lifetime > 2 years."
},
"WEBSOCKETS_HANDSHAKE_TYPE": {
"expires_in_version": "never",
"kind": "enumerated",