diff options
Diffstat (limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
-rw-r--r-- | security/certverifier/NSSCertDBTrustDomain.cpp | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp index cfc17f46a7..dc13eb0b8f 100644 --- a/security/certverifier/NSSCertDBTrustDomain.cpp +++ b/security/certverifier/NSSCertDBTrustDomain.cpp @@ -28,18 +28,19 @@ #include "mozilla/SyncRunnable.h" #include "mozilla/TimeStamp.h" #include "mozilla/Unused.h" +#include "mozilla/glean/GleanMetrics.h" #include "mozpkix/Result.h" #include "mozpkix/pkix.h" #include "mozpkix/pkixnss.h" #include "mozpkix/pkixutil.h" #include "nsCRTGlue.h" #include "nsIObserverService.h" -#include "nsNetCID.h" #include "nsNSSCallbacks.h" #include "nsNSSCertHelper.h" #include "nsNSSCertificate.h" #include "nsNSSCertificateDB.h" #include "nsNSSIOLayer.h" +#include "nsNetCID.h" #include "nsPrintfCString.h" #include "nsServiceManagerUtils.h" #include "nsThreadUtils.h" @@ -475,9 +476,16 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // candidate certificate is a third-party certificate, above. SECItem candidateCertDERSECItem = UnsafeMapInputToSECItem(candidateCertDER); + auto timerId = + mozilla::glean::cert_verifier::cert_trust_evaluation_time.Start(); + UniqueCERTCertificate candidateCert(CERT_NewTempCertificate( CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false, true)); + + mozilla::glean::cert_verifier::cert_trust_evaluation_time + .StopAndAccumulate(std::move(timerId)); + if (!candidateCert) { result = MapPRErrorCodeToResult(PR_GetError()); return; @@ -487,6 +495,7 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA, // means there is not a trust record. I looked at NSS's internal uses of // CERT_GetCertTrust, and all that code uses the result as a boolean // meaning "We have a trust record." + CERTCertTrust trust; if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) { uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType); @@ -664,6 +673,8 @@ Result NSSCertDBTrustDomain::CheckCRLiteStash( MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash " "returned true")); + mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_stash"_ns) + .Add(1); return Result::ERROR_REVOKED_CERTIFICATE; } return Success; @@ -693,18 +704,25 @@ Result NSSCertDBTrustDomain::CheckCRLite( switch (crliteRevocationState) { case nsICertStorage::STATE_ENFORCE: filterCoversCertificate = true; + mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_filter"_ns) + .Add(1); return Result::ERROR_REVOKED_CERTIFICATE; case nsICertStorage::STATE_UNSET: filterCoversCertificate = true; + mozilla::glean::cert_verifier::crlite_status.Get("not_revoked"_ns).Add(1); return Success; case nsICertStorage::STATE_NOT_ENROLLED: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("not_enrolled"_ns) + .Add(1); return Success; case nsICertStorage::STATE_NOT_COVERED: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("not_covered"_ns).Add(1); return Success; case nsICertStorage::STATE_NO_FILTER: filterCoversCertificate = false; + mozilla::glean::cert_verifier::crlite_status.Get("no_filter"_ns).Add(1); return Success; default: MOZ_LOG(gCertVerifierLog, LogLevel::Debug, |