summaryrefslogtreecommitdiffstats
path: root/security/certverifier/NSSCertDBTrustDomain.cpp
diff options
context:
space:
mode:
Diffstat (limited to 'security/certverifier/NSSCertDBTrustDomain.cpp')
-rw-r--r--security/certverifier/NSSCertDBTrustDomain.cpp26
1 files changed, 25 insertions, 1 deletions
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index cfc17f46a7..a631b50572 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -28,18 +28,19 @@
#include "mozilla/SyncRunnable.h"
#include "mozilla/TimeStamp.h"
#include "mozilla/Unused.h"
+#include "mozilla/glean/GleanMetrics.h"
#include "mozpkix/Result.h"
#include "mozpkix/pkix.h"
#include "mozpkix/pkixnss.h"
#include "mozpkix/pkixutil.h"
#include "nsCRTGlue.h"
#include "nsIObserverService.h"
-#include "nsNetCID.h"
#include "nsNSSCallbacks.h"
#include "nsNSSCertHelper.h"
#include "nsNSSCertificate.h"
#include "nsNSSCertificateDB.h"
#include "nsNSSIOLayer.h"
+#include "nsNetCID.h"
#include "nsPrintfCString.h"
#include "nsServiceManagerUtils.h"
#include "nsThreadUtils.h"
@@ -475,9 +476,22 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// candidate certificate is a third-party certificate, above.
SECItem candidateCertDERSECItem =
UnsafeMapInputToSECItem(candidateCertDER);
+
+ // This metric can be evaluated as many as 600 times during a cnn.com
+ // load so we avoid measuring it on Android because of the high
+ // cost of serializing the db everytime we measure.
+#ifndef MOZ_WIDGET_ANDROID
+ auto timerId =
+ mozilla::glean::cert_verifier::cert_trust_evaluation_time.Start();
+#endif
UniqueCERTCertificate candidateCert(CERT_NewTempCertificate(
CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false,
true));
+
+#ifndef MOZ_WIDGET_ANDROID
+ mozilla::glean::cert_verifier::cert_trust_evaluation_time
+ .StopAndAccumulate(std::move(timerId));
+#endif
if (!candidateCert) {
result = MapPRErrorCodeToResult(PR_GetError());
return;
@@ -487,6 +501,7 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
// means there is not a trust record. I looked at NSS's internal uses of
// CERT_GetCertTrust, and all that code uses the result as a boolean
// meaning "We have a trust record."
+
CERTCertTrust trust;
if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType);
@@ -664,6 +679,8 @@ Result NSSCertDBTrustDomain::CheckCRLiteStash(
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash "
"returned true"));
+ mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_stash"_ns)
+ .Add(1);
return Result::ERROR_REVOKED_CERTIFICATE;
}
return Success;
@@ -693,18 +710,25 @@ Result NSSCertDBTrustDomain::CheckCRLite(
switch (crliteRevocationState) {
case nsICertStorage::STATE_ENFORCE:
filterCoversCertificate = true;
+ mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_filter"_ns)
+ .Add(1);
return Result::ERROR_REVOKED_CERTIFICATE;
case nsICertStorage::STATE_UNSET:
filterCoversCertificate = true;
+ mozilla::glean::cert_verifier::crlite_status.Get("not_revoked"_ns).Add(1);
return Success;
case nsICertStorage::STATE_NOT_ENROLLED:
filterCoversCertificate = false;
+ mozilla::glean::cert_verifier::crlite_status.Get("not_enrolled"_ns)
+ .Add(1);
return Success;
case nsICertStorage::STATE_NOT_COVERED:
filterCoversCertificate = false;
+ mozilla::glean::cert_verifier::crlite_status.Get("not_covered"_ns).Add(1);
return Success;
case nsICertStorage::STATE_NO_FILTER:
filterCoversCertificate = false;
+ mozilla::glean::cert_verifier::crlite_status.Get("no_filter"_ns).Add(1);
return Success;
default:
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-10 12:14:22 +0000