Bug 1088255 - Collect telemetry on CAs that appear in valid cert chains r=keeler

2024-10-19 08:15:31 +00:00 · 2014-11-07 16:26:46 -05:00 · 2014-11-07 16:26:46 -05:00 · a5cf3d5e45
commit a5cf3d5e45
parent f8e9c4aaf6
3 changed files with 41 additions and 1 deletions
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@ -121,6 +121,7 @@
 #include "nsComponentManagerUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "PSMRunnable.h"
+#include "RootCertificateTelemetryUtils.h"
 #include "SharedSSLState.h"
 #include "nsContentUtils.h"
 #include "nsURLHelper.h"
@ -959,6 +960,34 @@ GatherBaselineRequirementsTelemetry(const ScopedCERTCertList& certList)
                                       commonNameInSubjectAltNames);
 }

+// Gathers telemetry on which CA is the root of a given cert chain.
+// If the root is a built-in root, then the telemetry makes a count
+// by root.  Roots that are not built-in are counted in one bin.
+void
+GatherRootCATelemetry(const ScopedCERTCertList& certList)
+{
+  CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);
+  PR_ASSERT(rootNode);
+  if (!rootNode) {
+    return;
+  }
+
+  // Only log telemetry if the certificate list is non-empty
+  if (!CERT_LIST_END(rootNode, certList)) {
+    AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,
+                                 rootNode->cert);
+  }
+}
+
+// There are various things that we want to measure about certificate
+// chains that we accept.  This is a single entry point for all of them.
+void
+GatherSuccessfulValidationTelemetry(const ScopedCERTCertList& certList)
+{
+  GatherBaselineRequirementsTelemetry(certList);
+  GatherRootCATelemetry(certList);
+}
+
 SECStatus
 AuthCertificate(CertVerifier& certVerifier,
                TransportSecurityInfo* infoObject,
@ -1003,7 +1032,8 @@ AuthCertificate(CertVerifier& certVerifier,
  }

  if (rv == SECSuccess) {
-    GatherBaselineRequirementsTelemetry(certList);
+    GatherSuccessfulValidationTelemetry(certList);
+
    // The connection may get terminated, for example, if the server requires
    // a client cert. Let's provide a minimal SSLStatus
    // to the caller that contains at least the cert and its status.
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@ -77,6 +77,10 @@ SOURCES += [
    'PSMContentListener.cpp',
 ]

+LOCAL_INCLUDES += [
+    '/security/manager/boot/src',
+]
+
 if not CONFIG['MOZ_NO_SMART_CARDS']:
    UNIFIED_SOURCES += [
        'nsSmartCardMonitor.cpp',
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -6601,6 +6601,12 @@
    "n_buckets": 10,
    "extended_statistics_ok": true
  },
+  "CERT_VALIDATION_SUCCESS_BY_CA": {
+    "expires_in_version": "never",
+    "kind": "enumerated",
+    "n_values": 256,
+    "description": "Successful SSL server cert validations by CA (see RootHashes.inc for names of CAs)"
+  },
  "CERT_PINNING_FAILURES_BY_CA": {
    "alert_emails": ["pinning@mozilla.org"],
    "expires_in_version": "never",