mozilla
/
gecko-dev
зеркало из https://github.com/mozilla/gecko-dev.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

Bug 1714263 - remove expired CRLITE_RESULT telemetry histogram r=rmf 

Differential Revision: https://phabricator.services.mozilla.com/D117084
This commit is contained in:
Dana Keeler 2021-06-09 22:33:12 +00:00
Родитель e4b33674ec
Коммит 81b6f5967b
7 изменённых файлов: 13 добавлений и 112 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

26
security/certverifier/CertVerifier.cpp
Просмотреть файл

@ -479,8 +479,7 @@ Result CertVerifier::VerifyCert(
/*optional out*/ KeySizeStatus* keySizeStatus,
/*optional out*/ SHA1ModeResult* sha1ModeResult,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional out*/ CertificateTransparencyInfo* ctInfo,
/*optional out*/ CRLiteLookupResult* crliteLookupResult) {
/*optional out*/ CertificateTransparencyInfo* ctInfo) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
MOZ_ASSERT(cert);
@ -635,9 +634,6 @@ Result CertVerifier::VerifyCert(
if (pinningTelemetryInfo) {
pinningTelemetryInfo->Reset();
}
if (crliteLookupResult) {
*crliteLookupResult = CRLiteLookupResult::NeverChecked;
}
NSSCertDBTrustDomain trustDomain(
trustSSL, evOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
@ -646,7 +642,7 @@ Result CertVerifier::VerifyCert(
sha1ModeConfigurations[i], mNetscapeStepUpPolicy, mCRLiteMode,
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
pinningTelemetryInfo, crliteLookupResult, hostname);
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
trustDomain, certDER, time,
KeyUsage::digitalSignature, // (EC)DHE
@ -720,9 +716,6 @@ Result CertVerifier::VerifyCert(
if (pinningTelemetryInfo) {
pinningTelemetryInfo->Reset();
}
if (crliteLookupResult) {
*crliteLookupResult = CRLiteLookupResult::NeverChecked;
}
NSSCertDBTrustDomain trustDomain(
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg,
@ -732,7 +725,7 @@ Result CertVerifier::VerifyCert(
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
originAttributes, mThirdPartyRootInputs,
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
pinningTelemetryInfo, crliteLookupResult, hostname);
pinningTelemetryInfo, hostname);
rv = BuildCertChainForOneKeyUsage(
trustDomain, certDER, time,
KeyUsage::digitalSignature, //(EC)DHE
@ -911,7 +904,6 @@ Result CertVerifier::VerifySSLServerCert(
/*optional out*/ SHA1ModeResult* sha1ModeResult,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional out*/ CertificateTransparencyInfo* ctInfo,
/*optional out*/ CRLiteLookupResult* crliteLookupResult,
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot) {
MOZ_ASSERT(peerCert);
// XXX: MOZ_ASSERT(pinarg);
@ -931,12 +923,12 @@ Result CertVerifier::VerifySSLServerCert(
// CreateCertErrorRunnable assumes that CheckCertHostname is only called
// if VerifyCert succeeded.
Result rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
pinarg, PromiseFlatCString(hostname).get(), builtChain,
flags, extraCertificates, stapledOCSPResponse,
sctsFromTLS, originAttributes, evStatus,
ocspStaplingStatus, keySizeStatus, sha1ModeResult,
pinningTelemetryInfo, ctInfo, crliteLookupResult);
Result rv =
VerifyCert(peerCert.get(), certificateUsageSSLServer, time, pinarg,
PromiseFlatCString(hostname).get(), builtChain, flags,
extraCertificates, stapledOCSPResponse, sctsFromTLS,
originAttributes, evStatus, ocspStaplingStatus, keySizeStatus,
sha1ModeResult, pinningTelemetryInfo, ctInfo);
if (rv != Success) {
if (rv == Result::ERROR_UNKNOWN_ISSUER &&
CertIsSelfSigned(peerCert, pinarg)) {

15
security/certverifier/CertVerifier.h
Просмотреть файл

@ -133,17 +133,6 @@ class DelegatedCredentialInfo {
uint32_t authKeyBits;
};
enum class CRLiteLookupResult {
NeverChecked = 0,
FilterNotAvailable = 1,
IssuerNotEnrolled = 2,
CertificateTooNew = 3,
CertificateValid = 4,
CertificateRevoked = 5,
LibraryFailure = 6,
CertRevokedByStash = 7,
};
class NSSCertDBTrustDomain;
class CertVerifier {
@ -183,8 +172,7 @@ class CertVerifier {
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
/*optional out*/ CRLiteLookupResult* crliteLookupResult = nullptr);
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
mozilla::pkix::Result VerifySSLServerCert(
const UniqueCERTCertificate& peerCert, mozilla::pkix::Time time,
@ -205,7 +193,6 @@ class CertVerifier {
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
/*optional out*/ CRLiteLookupResult* crliteLookupResult = nullptr,
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot = nullptr);
enum PinningMode {

26
security/certverifier/NSSCertDBTrustDomain.cpp
Просмотреть файл

@ -76,7 +76,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
/*optional*/ CRLiteLookupResult* crliteLookupResult,
/*optional*/ const char* hostname)
: mCertDBTrustType(certDBTrustType),
mOCSPFetching(ocspFetching),
@ -99,7 +98,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
mExtraCertificates(extraCertificates),
mBuiltChain(builtChain),
mPinningTelemetryInfo(pinningTelemetryInfo),
mCRLiteLookupResult(crliteLookupResult),
mHostname(hostname),
mCertStorage(do_GetService(NS_CERT_STORAGE_CID)),
mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED),
@ -629,9 +627,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
if (NS_FAILED(rv)) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: CRLite call failed"));
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::LibraryFailure;
}
if (mCRLiteMode == CRLiteMode::Enforce) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -675,9 +670,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
}
if (earliestCertificateTimestamp <= filterTimestampTime &&
crliteRevocationState == nsICertStorage::STATE_ENFORCE) {
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::CertificateRevoked;
}
if (mCRLiteMode == CRLiteMode::Enforce) {
MOZ_LOG(
gCertVerifierLog, LogLevel::Debug,
@ -692,29 +684,17 @@ Result NSSCertDBTrustDomain::CheckRevocation(
}
if (crliteRevocationState == nsICertStorage::STATE_NOT_ENROLLED) {
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::IssuerNotEnrolled;
}
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: issuer not enrolled"));
}
if (filterTimestamp == 0) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: no timestamp"));
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::FilterNotAvailable;
}
} else if (earliestCertificateTimestamp > filterTimestampTime) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: cert too new"));
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::CertificateTooNew;
}
} else if (crliteRevocationState == nsICertStorage::STATE_UNSET) {
certificateFoundValidInCRLiteFilter = true;
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::CertificateValid;
}
}
}
@ -729,9 +709,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: IsCertRevokedByStash "
"failed"));
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::LibraryFailure;
}
if (mCRLiteMode == CRLiteMode::Enforce) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@ -739,9 +716,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain::CheckRevocation: IsCertRevokedByStash "
"returned true"));
if (mCRLiteLookupResult) {
*mCRLiteLookupResult = CRLiteLookupResult::CertRevokedByStash;
}
if (mCRLiteMode == CRLiteMode::Enforce) {
return Result::ERROR_REVOKED_CERTIFICATE;
}

2
security/certverifier/NSSCertDBTrustDomain.h
Просмотреть файл

@ -139,7 +139,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
/*out*/ UniqueCERTCertList& builtChain,
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
/*optional*/ CRLiteLookupResult* crliteLookupResult = nullptr,
/*optional*/ const char* hostname = nullptr);
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
@ -263,7 +262,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
const Maybe<nsTArray<nsTArray<uint8_t>>>& mExtraCertificates; // non-owning
UniqueCERTCertList& mBuiltChain; // non-owning
PinningTelemetryInfo* mPinningTelemetryInfo;
CRLiteLookupResult* mCRLiteLookupResult;
const char* mHostname; // non-owning - only used for pinning checks
nsCOMPtr<nsICertStorage> mCertStorage;
CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;

44
security/manager/ssl/SSLServerCertVerification.cpp
Просмотреть файл

@ -753,8 +753,7 @@ static void CollectCertTelemetry(
KeySizeStatus aKeySizeStatus, SHA1ModeResult aSha1ModeResult,
const PinningTelemetryInfo& aPinningTelemetryInfo,
const UniqueCERTCertList& aBuiltCertChain,
const CertificateTransparencyInfo& aCertificateTransparencyInfo,
const CRLiteLookupResult& aCRLiteLookupResult) {
const CertificateTransparencyInfo& aCertificateTransparencyInfo) {
uint32_t evStatus = (aCertVerificationResult != Success) ? 0 // 0 = Failure
: (aEVStatus != EVStatus::EV) ? 1 // 1 = DV
: 2; // 2 = EV
@ -792,42 +791,6 @@ static void CollectCertTelemetry(
aEVStatus == EVStatus::EV,
aCertificateTransparencyInfo);
}
switch (aCRLiteLookupResult) {
case CRLiteLookupResult::FilterNotAvailable:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::FilterNotAvailable);
break;
case CRLiteLookupResult::IssuerNotEnrolled:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::IssuerNotEnrolled);
break;
case CRLiteLookupResult::CertificateTooNew:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::CertificateTooNew);
break;
case CRLiteLookupResult::CertificateValid:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::CertificateValid);
break;
case CRLiteLookupResult::CertificateRevoked:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::CertificateRevoked);
break;
case CRLiteLookupResult::LibraryFailure:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::LibraryFailure);
break;
case CRLiteLookupResult::CertRevokedByStash:
Telemetry::AccumulateCategorical(
Telemetry::LABELS_CRLITE_RESULT::CertRevokedByStash);
break;
case CRLiteLookupResult::NeverChecked:
break;
default:
MOZ_ASSERT_UNREACHABLE("Unhandled CRLiteLookupResult value?");
break;
}
}
static void AuthCertificateSetResults(
@ -880,7 +843,6 @@ Result AuthCertificate(
KeySizeStatus keySizeStatus = KeySizeStatus::NeverChecked;
SHA1ModeResult sha1ModeResult = SHA1ModeResult::NeverChecked;
PinningTelemetryInfo pinningTelemetryInfo;
CRLiteLookupResult crliteTelemetryInfo;
nsTArray<nsTArray<uint8_t>> peerCertsBytes;
// Don't include the end-entity certificate.
@ -896,12 +858,12 @@ Result AuthCertificate(
Some(std::move(peerCertsBytes)), stapledOCSPResponse,
sctsFromTLSExtension, dcInfo, aOriginAttributes, &evStatus,
&ocspStaplingStatus, &keySizeStatus, &sha1ModeResult,
&pinningTelemetryInfo, &certificateTransparencyInfo, &crliteTelemetryInfo,
&pinningTelemetryInfo, &certificateTransparencyInfo,
&aIsCertChainRootBuiltInRoot);
CollectCertTelemetry(rv, evStatus, ocspStaplingStatus, keySizeStatus,
sha1ModeResult, pinningTelemetryInfo, builtCertChain,
certificateTransparencyInfo, crliteTelemetryInfo);
certificateTransparencyInfo);
return rv;
}

1
security/manager/ssl/nsNSSCallbacks.cpp
Просмотреть файл

@ -1110,7 +1110,6 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
nullptr, // SHA-1 telemetry
nullptr, // pinning telemetry
&certificateTransparencyInfo,
nullptr, // CRLite telemetry,
&isBuiltCertChainRootBuiltInRoot);
if (rv != Success) {

11
toolkit/components/telemetry/Histograms.json
Просмотреть файл

@ -12626,17 +12626,6 @@
"n_values": 6,
"description": "1 = No SHA1 signatures, 2 = SHA1 certificates issued by an imported root, 3 = SHA1 certificates issued before 2016, 4 = SHA1 certificates issued after 2015, 5 = another error prevented successful verification"
},
"CRLITE_RESULT": {
"record_in_processes": ["main"],
"products": ["firefox"],
"expires_in_version": "92",
"kind": "categorical",
"labels": ["FilterNotAvailable", "IssuerNotEnrolled", "CertificateTooNew", "CertificateValid", "CertificateRevoked", "LibraryFailure", "CertRevokedByStash"],
"description": "The result of looking up revocation information for a TLS server certificate in CRLite.",
"bug_numbers": [1586855, 1607765, 1670984, 1678206],
"releaseChannelCollection": "opt-out",
"alert_emails": ["dkeeler@mozilla.com", "seceng-telemetry@mozilla.com"]
},
"WEAVE_START_COUNT": {
"record_in_processes": ["main", "content"],
"products": ["firefox", "fennec"],