2 files changed, 66 insertions, 1 deletions

diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index cfc17f46a7..dc13eb0b8f 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -28,18 +28,19 @@
 #include "mozilla/SyncRunnable.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/Unused.h"
+#include "mozilla/glean/GleanMetrics.h"
 #include "mozpkix/Result.h"
 #include "mozpkix/pkix.h"
 #include "mozpkix/pkixnss.h"
 #include "mozpkix/pkixutil.h"
 #include "nsCRTGlue.h"
 #include "nsIObserverService.h"
-#include "nsNetCID.h"
 #include "nsNSSCallbacks.h"
 #include "nsNSSCertHelper.h"
 #include "nsNSSCertificate.h"
 #include "nsNSSCertificateDB.h"
 #include "nsNSSIOLayer.h"
+#include "nsNetCID.h"
 #include "nsPrintfCString.h"
 #include "nsServiceManagerUtils.h"
 #include "nsThreadUtils.h"
@@ -475,9 +476,16 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
         // candidate certificate is a third-party certificate, above.
         SECItem candidateCertDERSECItem =
             UnsafeMapInputToSECItem(candidateCertDER);
+        auto timerId =
+            mozilla::glean::cert_verifier::cert_trust_evaluation_time.Start();
+
         UniqueCERTCertificate candidateCert(CERT_NewTempCertificate(
             CERT_GetDefaultCertDB(), &candidateCertDERSECItem, nullptr, false,
             true));
+
+        mozilla::glean::cert_verifier::cert_trust_evaluation_time
+            .StopAndAccumulate(std::move(timerId));
+
         if (!candidateCert) {
           result = MapPRErrorCodeToResult(PR_GetError());
           return;
@@ -487,6 +495,7 @@ Result NSSCertDBTrustDomain::GetCertTrust(EndEntityOrCA endEntityOrCA,
         // means there is not a trust record. I looked at NSS's internal uses of
         // CERT_GetCertTrust, and all that code uses the result as a boolean
         // meaning "We have a trust record."
+
         CERTCertTrust trust;
         if (CERT_GetCertTrust(candidateCert.get(), &trust) == SECSuccess) {
           uint32_t flags = SEC_GET_TRUST_FLAGS(&trust, mCertDBTrustType);
@@ -664,6 +673,8 @@ Result NSSCertDBTrustDomain::CheckCRLiteStash(
     MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
             ("NSSCertDBTrustDomain::CheckCRLiteStash: IsCertRevokedByStash "
              "returned true"));
+    mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_stash"_ns)
+        .Add(1);
     return Result::ERROR_REVOKED_CERTIFICATE;
   }
   return Success;
@@ -693,18 +704,25 @@ Result NSSCertDBTrustDomain::CheckCRLite(
   switch (crliteRevocationState) {
     case nsICertStorage::STATE_ENFORCE:
       filterCoversCertificate = true;
+      mozilla::glean::cert_verifier::crlite_status.Get("revoked_in_filter"_ns)
+          .Add(1);
       return Result::ERROR_REVOKED_CERTIFICATE;
     case nsICertStorage::STATE_UNSET:
       filterCoversCertificate = true;
+      mozilla::glean::cert_verifier::crlite_status.Get("not_revoked"_ns).Add(1);
       return Success;
     case nsICertStorage::STATE_NOT_ENROLLED:
       filterCoversCertificate = false;
+      mozilla::glean::cert_verifier::crlite_status.Get("not_enrolled"_ns)
+          .Add(1);
       return Success;
     case nsICertStorage::STATE_NOT_COVERED:
       filterCoversCertificate = false;
+      mozilla::glean::cert_verifier::crlite_status.Get("not_covered"_ns).Add(1);
       return Success;
     case nsICertStorage::STATE_NO_FILTER:
       filterCoversCertificate = false;
+      mozilla::glean::cert_verifier::crlite_status.Get("no_filter"_ns).Add(1);
       return Success;
     default:
       MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
diff --git a/security/certverifier/metrics.yaml b/security/certverifier/metrics.yaml
new file mode 100644
index 0000000000..ef212e610a
--- /dev/null
+++ b/security/certverifier/metrics.yaml
@@ -0,0 +1,47 @@
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at http://mozilla.org/MPL/2.0/.
+# Adding a new metric? We have docs for that!
+# https://firefox-source-docs.mozilla.org/toolkit/components/glean/user/new_definitions_file.html
+
+---
+$schema: moz://mozilla.org/schemas/glean/metrics/2-0-0
+$tags:
+  - 'Core :: Security: PSM'
+
+cert_verifier:
+  crlite_status:
+    type: labeled_counter
+    description: >
+      Counts the number of times different CRLite statuses were returned.
+    data_sensitivity:
+      - technical
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1886042
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1886042
+    notification_emails:
+      - jschanck@mozilla.com
+    expires: never
+    labels:
+      - no_filter
+      - not_covered
+      - not_enrolled
+      - not_revoked
+      - revoked_in_filter
+      - revoked_in_stash
+
+  cert_trust_evaluation_time:
+    type: timing_distribution
+    time_unit: nanosecond
+    description: >
+      Measures how long we take to evaluate the trust status of a certificate.
+    data_sensitivity:
+      - technical
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1888420
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1888420
+    notification_emails:
+      - jschanck@mozilla.com
+    expires: 132