Bug 1876442 - remove OCSP_AGE_AT_CRLITE_OVERRIDE probe. r=keeler

Differential Revision: https://phabricator.services.mozilla.com/D199681

security/certverifier/NSSCertDBTrustDomain.cpp

@@ -861,10 +861,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
   Result stapledOCSPResponseResult = Success;
   if (stapledOCSPResponse) {
     bool expired;
-    uint32_t ageInHours;
     stapledOCSPResponseResult = VerifyAndMaybeCacheEncodedOCSPResponse(
         certID, time, maxOCSPLifetimeInDays, *stapledOCSPResponse,
-        ResponseWasStapled, expired, ageInHours);
+        ResponseWasStapled, expired);
     Telemetry::AccumulateCategorical(
         Telemetry::LABELS_CERT_REVOCATION_MECHANISMS::StapledOCSP);
     if (stapledOCSPResponseResult == Success) {
@@ -1087,10 +1086,9 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
   // or unknown certificate, PR_GetError() will return the appropriate error.
   // We actually ignore expired here.
   bool expired;
-  uint32_t ageInHours;
+  rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
-  rv = VerifyAndMaybeCacheEncodedOCSPResponse(
+                                              maxOCSPLifetimeInDays, response,
-      certID, time, maxOCSPLifetimeInDays, response, ResponseIsFromNetwork,
+                                              ResponseIsFromNetwork, expired);
-      expired, ageInHours);
 
   // If the CRLite filter covers the certificate, compare the CRLite result
   // with the OCSP fetching result. OCSP may have succeeded, said the
@@ -1109,11 +1107,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
         // CRLite says the certificate is revoked, but OCSP says it is OK.
         Telemetry::AccumulateCategorical(
             Telemetry::LABELS_CRLITE_VS_OCSP_RESULT::CRLiteRevOCSPOk);
-
-        if (mCRLiteMode == CRLiteMode::ConfirmRevocations) {
-          Telemetry::Accumulate(Telemetry::OCSP_AGE_AT_CRLITE_OVERRIDE,
-                                ageInHours);
-        }
       }
     } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
       if (crliteResult == Success) {
@@ -1209,8 +1202,7 @@ Result NSSCertDBTrustDomain::HandleOCSPFailure(
 Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
     const CertID& certID, Time time, uint16_t maxLifetimeInDays,
     Input encodedResponse, EncodedResponseSource responseSource,
-    /*out*/ bool& expired,
+    /*out*/ bool& expired) {
-    /*out*/ uint32_t& ageInHours) {
   Time thisUpdate(Time::uninitialized);
   Time validThrough(Time::uninitialized);
 
@@ -1234,30 +1226,6 @@ Result NSSCertDBTrustDomain::VerifyAndMaybeCacheEncodedOCSPResponse(
       return Result::FATAL_ERROR_LIBRARY_FAILURE;  // integer overflow
     }
   }
-  // The `thisUpdate` field holds the latest time at which the server knew the
-  // response was correct. The age of the response is the time that has elapsed
-  // since. We only use this for the telemetry defined in Bug 1794479.
-  uint64_t timeInSeconds;
-  uint64_t thisUpdateInSeconds;
-  uint64_t ageInSeconds;
-  SecondsSinceEpochFromTime(time, &timeInSeconds);
-  SecondsSinceEpochFromTime(thisUpdate, &thisUpdateInSeconds);
-  if (timeInSeconds >= thisUpdateInSeconds) {
-    ageInSeconds = timeInSeconds - thisUpdateInSeconds;
-    // ageInHours is 32 bits because of the telemetry api.
-    if (ageInSeconds > UINT32_MAX) {
-      // We could divide by 3600 before checking the UINT32_MAX bound, but if
-      // ageInSeconds is more than UINT32_MAX then there's been some sort of
-      // error.
-      ageInHours = UINT32_MAX;
-    } else {
-      // We start at 1 and divide with truncation to reserve ageInHours=0 for
-      // the case where `thisUpdate` is in the future.
-      ageInHours = 1 + ageInSeconds / (60 * 60);
-    }
-  } else {
-    ageInHours = 0;
-  }
   if (responseSource == ResponseIsFromNetwork || rv == Success ||
       rv == Result::ERROR_REVOKED_CERTIFICATE ||
       rv == Result::ERROR_OCSP_UNKNOWN_CERT) {

security/certverifier/NSSCertDBTrustDomain.h

@@ -272,8 +272,7 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
   Result VerifyAndMaybeCacheEncodedOCSPResponse(
       const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
       uint16_t maxLifetimeInDays, mozilla::pkix::Input encodedResponse,
-      EncodedResponseSource responseSource, /*out*/ bool& expired,
+      EncodedResponseSource responseSource, /*out*/ bool& expired);
-      /*out*/ uint32_t& ageInHours);
   TimeDuration GetOCSPTimeout() const;
 
   Result CheckRevocationByCRLite(const mozilla::pkix::CertID& certID,

toolkit/components/telemetry/Histograms.json

@@ -3971,19 +3971,6 @@
     "n_values": 16,
     "description": "SSL Handshake Key Exchange Algorithm for resumed handshake (null=0, rsa=1, dh=2, fortezza=3, ecdh=4)"
   },
-  "OCSP_AGE_AT_CRLITE_OVERRIDE": {
-    "record_in_processes": ["main", "socket"],
-    "products": ["firefox"],
-    "alert_emails": ["seceng-telemetry@mozilla.com", "jschanck@mozilla.com"],
-    "bug_numbers": [1794479, 1817101, 1846897],
-    "expires_in_version": "125",
-    "kind": "linear",
-    "releaseChannelCollection": "opt-out",
-    "low": 1,
-    "high": 240,
-    "n_buckets": 20,
-    "description": "When OCSP and CRLite differ, how old is the OCSP response (in hours)?"
-  },
   "CRLITE_VS_OCSP_RESULT": {
     "record_in_processes": ["main", "socket"],
     "products": ["firefox"],