diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-05-15 03:35:49 +0000 |
commit | d8bbc7858622b6d9c278469aab701ca0b609cddf (patch) | |
tree | eff41dc61d9f714852212739e6b3738b82a2af87 /security/certverifier | |
parent | Releasing progress-linux version 125.0.3-1~progress7.99u1. (diff) | |
download | firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.tar.xz firefox-d8bbc7858622b6d9c278469aab701ca0b609cddf.zip |
Merging upstream version 126.0.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/certverifier')
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 20 | ||||
-rw-r--r-- | security/certverifier/metrics.yaml | 47 |
2 files changed, 66 insertions, 1 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index cfc17f46a7..dc13eb0b8f 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -28,18 +28,19 @@ #include "mozilla/SyncRunnable.h" #include "mozilla/TimeStamp.h" #include "mozilla/Unused.h" +#include "mozilla/glean/GleanMetrics.h" #include "mozpkix/Result.h" #include "mozpkix/pkix.h" #include "mozpkix/pkixnss.h" #include "mozpkix/pkixutil.h" #include "nsCRTGlue.h" #include "nsIObserverService.h" -#include "nsNetCID.h" #include "nsNSSCallbacks.h" #include "nsNSSCertHelper.h" #include "nsNSSCertificate.h" #include "nsNSSCertificateDB.h" #include "nsNSSIOLayer.h" +#include "nsNetCID.h" #include "nsPrintfCString.h" #include "nsServiceManagerUtils.h" #include "nsThreadUtils.h" @@ -475,9 +476,16 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // candidate certificate is a third-party certificate, above. SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER); + auto timerId = + mozilla::glean::cert_verifier::cert_trust_evaluation_time.Start(); + UniqueCERTCertificate candidateCert(CERT_NewTempCertificate( CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true)); + + mozilla::glean::cert_verifier::cert_trust_evaluation_time + .StopAndAccumulate(std::move(timerId)); + if (!candidateCert) { result = MapPRErrorCodeToResult(PR_GetError()); return; @@ -487,6 +495,7 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // means there is not a trust record. I looked at NSS's internal uses of // CERT_GetCertTrust, and all that code uses the result as a boolean // meaning "We have a trust record." + CERTCertTrust trust; if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) { uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType); @@ -664,6 +673,8 @@ Result NSSCertDBTrustDomain::CheckCRLiteStash( MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash " "returned true")); + mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_stash"_ns) + .Add(1); return Result::ERROR_REVOKED_CERTIFICATE; } return Success; @@ -693,18 +704,25 @@ Result NSSCertDBTrustDomain::CheckCRLite( switch (crliteRevocationState) { case nsICertStorage::STATE_ENFORCE: filterCoversCertificate = true; + mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_filter"_ns) + .Add(1); return Result::ERROR_REVOKED_CERTIFICATE; case nsICertStorage::STATE_UNSET: filterCoversCertificate = true; + mozilla::glean::cert_verifier::crlite_status.Get("not_revoked"_ns).Add(1); return Success; case nsICertStorage::STATE_NOT_ENROLLED: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("not_enrolled"_ns) + .Add(1); return Success; case nsICertStorage::STATE_NOT_COVERED: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("not_covered"_ns).Add(1); return Success; case nsICertStorage::STATE_NO_FILTER: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("no_filter"_ns).Add(1); return Success; default: MOZ_LOG(gCertVerifierLog, LogLevel::Debug, diff --git a/security/certverifier/metrics.yaml b/security/certverifier/metrics.yaml new file mode 100644 index 0000000000..ef212e610a --- /dev/null +++ b/security/certverifier/metrics.yaml @@ -0,0 +1,47 @@ +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# Adding a new metric? We have docs for that! +# https://firefox-source-docs.mozilla.org/toolkit/components/glean/user/new_definitions_file.html + +--- +$schema: moz://mozilla.org/schemas/glean/metrics/2-0-0 +$tags: + - 'Core :: Security: PSM' + +cert_verifier: + crlite_status: + type: labeled_counter + description: > + Counts the number of times different CRLite statuses were returned. + data_sensitivity: + - technical + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1886042 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1886042 + notification_emails: + - jschanck@mozilla.com + expires: never + labels: + - no_filter + - not_covered + - not_enrolled + - not_revoked + - revoked_in_filter + - revoked_in_stash + + cert_trust_evaluation_time: + type: timing_distribution + time_unit: nanosecond + description: > + Measures how long we take to evaluate the trust status of a certificate. + data_sensitivity: + - technical + bugs: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1888420 + data_reviews: + - https://bugzilla.mozilla.org/show_bug.cgi?id=1888420 + notification_emails: + - jschanck@mozilla.com + expires: 132 |