Bug 1088255 - Collect telemetry on CAs that appear in valid cert chains r=keeler
authorRichard Barnes <rbarnes@mozilla.com>
Fri, 07 Nov 2014 16:26:46 -0500
changeset 217244 6ac497a25cd87413e86ffb6dc7045d0d6a7a49fd
parent 217243 111b2dd131cf0c5b2070fb444d39c5771848c64c
child 217245 4ca1865c2102918986c975ed2d6dbd94e789c3d3
push id27876
push userkwierso@gmail.com
push dateTue, 25 Nov 2014 00:56:55 +0000
reviewerskeeler
bugs1088255
milestone36.0a1
Bug 1088255 - Collect telemetry on CAs that appear in valid cert chains r=keeler
security/manager/ssl/src/SSLServerCertVerification.cpp
security/manager/ssl/src/moz.build
toolkit/components/telemetry/Histograms.json
--- a/security/manager/ssl/src/SSLServerCertVerification.cpp
+++ b/security/manager/ssl/src/SSLServerCertVerification.cpp
@@ -116,16 +116,17 @@
 #include "mozilla/net/DNS.h"
 #include "mozilla/unused.h"
 #include "nsIThreadPool.h"
 #include "nsNetUtil.h"
 #include "nsXPCOMCIDInternal.h"
 #include "nsComponentManagerUtils.h"
 #include "nsServiceManagerUtils.h"
 #include "PSMRunnable.h"
+#include "RootCertificateTelemetryUtils.h"
 #include "SharedSSLState.h"
 #include "nsContentUtils.h"
 #include "nsURLHelper.h"
 
 #include "ssl.h"
 #include "secerr.h"
 #include "secport.h"
 #include "sslerr.h"
@@ -954,16 +955,44 @@ GatherBaselineRequirementsTelemetry(cons
     // 0 means the extension is acceptable
     Telemetry::Accumulate(Telemetry::BR_9_2_1_SUBJECT_ALT_NAMES, 0);
   }
 
   AccumulateSubjectCommonNameTelemetry(commonName.get(),
                                        commonNameInSubjectAltNames);
 }
 
+// Gathers telemetry on which CA is the root of a given cert chain.
+// If the root is a built-in root, then the telemetry makes a count
+// by root.  Roots that are not built-in are counted in one bin.
+void
+GatherRootCATelemetry(const ScopedCERTCertList& certList)
+{
+  CERTCertListNode* rootNode = CERT_LIST_TAIL(certList);
+  PR_ASSERT(rootNode);
+  if (!rootNode) {
+    return;
+  }
+
+  // Only log telemetry if the certificate list is non-empty
+  if (!CERT_LIST_END(rootNode, certList)) {
+    AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA,
+                                 rootNode->cert);
+  }
+}
+
+// There are various things that we want to measure about certificate
+// chains that we accept.  This is a single entry point for all of them.
+void
+GatherSuccessfulValidationTelemetry(const ScopedCERTCertList& certList)
+{
+  GatherBaselineRequirementsTelemetry(certList);
+  GatherRootCATelemetry(certList);
+}
+
 SECStatus
 AuthCertificate(CertVerifier& certVerifier,
                 TransportSecurityInfo* infoObject,
                 CERTCertificate* cert,
                 ScopedCERTCertList& peerCertChain,
                 SECItem* stapledOCSPResponse,
                 uint32_t providerFlags,
                 Time time)
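Review bot: In GatherRootCATelemetry the `if (!rootNode)` guard cannot catch the cases it seems meant for, because `CERT_LIST_TAIL(certList)` has already dereferenced `certList` by then, and for an empty list it yields the list's own sentinel rather than null (as I read the NSS list macros, which are not shown here). A null `certList` would therefore crash before the check, on the certificate-verification path. Test the list itself first, `if (!certList) { return; }`, and keep the `CERT_LIST_END` test for the empty case. Whether the caller can ever pass a null list on success is not visible in this hunk, so this may be defence in depth only.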
@@ -998,17 +1027,18 @@ AuthCertificate(CertVerifier& certVerifi
       nsc = nsNSSCertificate::Create(cert, &evOidPolicy);
     }
     else {
       nsc = nsNSSCertificate::Create(cert);
     }
   }
 
   if (rv == SECSuccess) {
-    GatherBaselineRequirementsTelemetry(certList);
+    GatherSuccessfulValidationTelemetry(certList);
+
     // The connection may get terminated, for example, if the server requires
     // a client cert. Let's provide a minimal SSLStatus
     // to the caller that contains at least the cert and its status.
     if (!status) {
       status = new nsSSLStatus();
       infoObject->SetSSLStatus(status);
     }
 
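Review bot: Nothing at the `GatherSuccessfulValidationTelemetry(certList)` call says which chain `certList` is, and AuthCertificate also receives `peerCertChain`, whose last element is whatever the server chose to send. The per-root histogram is only meaningful if the tail comes from the chain the verifier built, which is presumably what `certList` holds; its declaration is outside this hunk, as are the start and end of AuthCertificate. A comment above the call would pin that down for later edits, for example `// certList is the chain built by the verifier, not the peer-supplied chain`.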
--- a/security/manager/ssl/src/moz.build
+++ b/security/manager/ssl/src/moz.build
@@ -72,16 +72,20 @@ UNIFIED_SOURCES += [
 SOURCES += [
     'nsCryptoHash.cpp',
     'nsNSSCertificateDB.cpp',
     'nsNSSComponent.cpp',
     'nsNSSVersion.cpp',
     'PSMContentListener.cpp',
 ]
 
+LOCAL_INCLUDES += [
+    '/security/manager/boot/src',
+]
+
 if not CONFIG['MOZ_NO_SMART_CARDS']:
     UNIFIED_SOURCES += [
         'nsSmartCardMonitor.cpp',
     ]
 
 if CONFIG['MOZ_XUL']:
     UNIFIED_SOURCES += [
         'nsCertTree.cpp',
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@@ -6596,16 +6596,22 @@
   "OSFILE_WRITEATOMIC_JANK_MS": {
     "expires_in_version": "default",
     "kind": "exponential",
     "description": "The duration during which the main thread is blocked during a call to OS.File.writeAtomic, in milliseconds",
     "high": "5000",
     "n_buckets": 10,
     "extended_statistics_ok": true
   },
+  "CERT_VALIDATION_SUCCESS_BY_CA": {
+    "expires_in_version": "never",
+    "kind": "enumerated",
+    "n_values": 256,
+    "description": "Successful SSL server cert validations by CA (see RootHashes.inc for names of CAs)"
+  },
   "CERT_PINNING_FAILURES_BY_CA": {
     "alert_emails": ["pinning@mozilla.org"],
     "expires_in_version": "never",
     "kind": "enumerated",
     "n_values": 256,
     "description": "Pinning failures by CA (see RootHashes.inc for names of CAs)"
   },
   "CERT_PINNING_RESULTS": {
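Review bot: The new `CERT_VALIDATION_SUCCESS_BY_CA` entry never expires but names no contact, while the neighbouring `CERT_PINNING_FAILURES_BY_CA` entry carries `"alert_emails"`. Adding an `"alert_emails": [...]` line with the owning team's address would keep the two per-CA histograms consistent and give the probe an owner. The description could also say that roots which are not built-in share one bin, as the comment in SSLServerCertVerification.cpp states, so that readers of the data do not mistake that bin for a single CA.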