зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1714263 - remove expired CRLITE_RESULT telemetry histogram r=rmf
Differential Revision: https://phabricator.services.mozilla.com/D117084
This commit is contained in:
Родитель
e4b33674ec
Коммит
81b6f5967b
|
@ -479,8 +479,7 @@ Result CertVerifier::VerifyCert(
|
|||
/*optional out*/ KeySizeStatus* keySizeStatus,
|
||||
/*optional out*/ SHA1ModeResult* sha1ModeResult,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo,
|
||||
/*optional out*/ CRLiteLookupResult* crliteLookupResult) {
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug, ("Top of VerifyCert\n"));
|
||||
|
||||
MOZ_ASSERT(cert);
|
||||
|
@ -635,9 +634,6 @@ Result CertVerifier::VerifyCert(
|
|||
if (pinningTelemetryInfo) {
|
||||
pinningTelemetryInfo->Reset();
|
||||
}
|
||||
if (crliteLookupResult) {
|
||||
*crliteLookupResult = CRLiteLookupResult::NeverChecked;
|
||||
}
|
||||
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustSSL, evOCSPFetching, mOCSPCache, pinArg, mOCSPTimeoutSoft,
|
||||
|
@ -646,7 +642,7 @@ Result CertVerifier::VerifyCert(
|
|||
sha1ModeConfigurations[i], mNetscapeStepUpPolicy, mCRLiteMode,
|
||||
mCRLiteCTMergeDelaySeconds, originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
|
||||
pinningTelemetryInfo, crliteLookupResult, hostname);
|
||||
pinningTelemetryInfo, hostname);
|
||||
rv = BuildCertChainForOneKeyUsage(
|
||||
trustDomain, certDER, time,
|
||||
KeyUsage::digitalSignature, // (EC)DHE
|
||||
|
@ -720,9 +716,6 @@ Result CertVerifier::VerifyCert(
|
|||
if (pinningTelemetryInfo) {
|
||||
pinningTelemetryInfo->Reset();
|
||||
}
|
||||
if (crliteLookupResult) {
|
||||
*crliteLookupResult = CRLiteLookupResult::NeverChecked;
|
||||
}
|
||||
|
||||
NSSCertDBTrustDomain trustDomain(
|
||||
trustSSL, defaultOCSPFetching, mOCSPCache, pinArg,
|
||||
|
@ -732,7 +725,7 @@ Result CertVerifier::VerifyCert(
|
|||
mNetscapeStepUpPolicy, mCRLiteMode, mCRLiteCTMergeDelaySeconds,
|
||||
originAttributes, mThirdPartyRootInputs,
|
||||
mThirdPartyIntermediateInputs, extraCertificates, builtChain,
|
||||
pinningTelemetryInfo, crliteLookupResult, hostname);
|
||||
pinningTelemetryInfo, hostname);
|
||||
rv = BuildCertChainForOneKeyUsage(
|
||||
trustDomain, certDER, time,
|
||||
KeyUsage::digitalSignature, //(EC)DHE
|
||||
|
@ -911,7 +904,6 @@ Result CertVerifier::VerifySSLServerCert(
|
|||
/*optional out*/ SHA1ModeResult* sha1ModeResult,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo,
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo,
|
||||
/*optional out*/ CRLiteLookupResult* crliteLookupResult,
|
||||
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot) {
|
||||
MOZ_ASSERT(peerCert);
|
||||
// XXX: MOZ_ASSERT(pinarg);
|
||||
|
@ -931,12 +923,12 @@ Result CertVerifier::VerifySSLServerCert(
|
|||
|
||||
// CreateCertErrorRunnable assumes that CheckCertHostname is only called
|
||||
// if VerifyCert succeeded.
|
||||
Result rv = VerifyCert(peerCert.get(), certificateUsageSSLServer, time,
|
||||
pinarg, PromiseFlatCString(hostname).get(), builtChain,
|
||||
flags, extraCertificates, stapledOCSPResponse,
|
||||
sctsFromTLS, originAttributes, evStatus,
|
||||
ocspStaplingStatus, keySizeStatus, sha1ModeResult,
|
||||
pinningTelemetryInfo, ctInfo, crliteLookupResult);
|
||||
Result rv =
|
||||
VerifyCert(peerCert.get(), certificateUsageSSLServer, time, pinarg,
|
||||
PromiseFlatCString(hostname).get(), builtChain, flags,
|
||||
extraCertificates, stapledOCSPResponse, sctsFromTLS,
|
||||
originAttributes, evStatus, ocspStaplingStatus, keySizeStatus,
|
||||
sha1ModeResult, pinningTelemetryInfo, ctInfo);
|
||||
if (rv != Success) {
|
||||
if (rv == Result::ERROR_UNKNOWN_ISSUER &&
|
||||
CertIsSelfSigned(peerCert, pinarg)) {
|
||||
|
|
|
@ -133,17 +133,6 @@ class DelegatedCredentialInfo {
|
|||
uint32_t authKeyBits;
|
||||
};
|
||||
|
||||
enum class CRLiteLookupResult {
|
||||
NeverChecked = 0,
|
||||
FilterNotAvailable = 1,
|
||||
IssuerNotEnrolled = 2,
|
||||
CertificateTooNew = 3,
|
||||
CertificateValid = 4,
|
||||
CertificateRevoked = 5,
|
||||
LibraryFailure = 6,
|
||||
CertRevokedByStash = 7,
|
||||
};
|
||||
|
||||
class NSSCertDBTrustDomain;
|
||||
|
||||
class CertVerifier {
|
||||
|
@ -183,8 +172,7 @@ class CertVerifier {
|
|||
/*optional out*/ KeySizeStatus* keySizeStatus = nullptr,
|
||||
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
|
||||
/*optional out*/ CRLiteLookupResult* crliteLookupResult = nullptr);
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr);
|
||||
|
||||
mozilla::pkix::Result VerifySSLServerCert(
|
||||
const UniqueCERTCertificate& peerCert, mozilla::pkix::Time time,
|
||||
|
@ -205,7 +193,6 @@ class CertVerifier {
|
|||
/*optional out*/ SHA1ModeResult* sha1ModeResult = nullptr,
|
||||
/*optional out*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
|
||||
/*optional out*/ CertificateTransparencyInfo* ctInfo = nullptr,
|
||||
/*optional out*/ CRLiteLookupResult* crliteLookupResult = nullptr,
|
||||
/*optional out*/ bool* isBuiltCertChainRootBuiltInRoot = nullptr);
|
||||
|
||||
enum PinningMode {
|
||||
|
|
|
@ -76,7 +76,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
|
|||
const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo,
|
||||
/*optional*/ CRLiteLookupResult* crliteLookupResult,
|
||||
/*optional*/ const char* hostname)
|
||||
: mCertDBTrustType(certDBTrustType),
|
||||
mOCSPFetching(ocspFetching),
|
||||
|
@ -99,7 +98,6 @@ NSSCertDBTrustDomain::NSSCertDBTrustDomain(
|
|||
mExtraCertificates(extraCertificates),
|
||||
mBuiltChain(builtChain),
|
||||
mPinningTelemetryInfo(pinningTelemetryInfo),
|
||||
mCRLiteLookupResult(crliteLookupResult),
|
||||
mHostname(hostname),
|
||||
mCertStorage(do_GetService(NS_CERT_STORAGE_CID)),
|
||||
mOCSPStaplingStatus(CertVerifier::OCSP_STAPLING_NEVER_CHECKED),
|
||||
|
@ -629,9 +627,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
if (NS_FAILED(rv)) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: CRLite call failed"));
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::LibraryFailure;
|
||||
}
|
||||
if (mCRLiteMode == CRLiteMode::Enforce) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
@ -675,9 +670,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
}
|
||||
if (earliestCertificateTimestamp <= filterTimestampTime &&
|
||||
crliteRevocationState == nsICertStorage::STATE_ENFORCE) {
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::CertificateRevoked;
|
||||
}
|
||||
if (mCRLiteMode == CRLiteMode::Enforce) {
|
||||
MOZ_LOG(
|
||||
gCertVerifierLog, LogLevel::Debug,
|
||||
|
@ -692,29 +684,17 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
}
|
||||
|
||||
if (crliteRevocationState == nsICertStorage::STATE_NOT_ENROLLED) {
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::IssuerNotEnrolled;
|
||||
}
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: issuer not enrolled"));
|
||||
}
|
||||
if (filterTimestamp == 0) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: no timestamp"));
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::FilterNotAvailable;
|
||||
}
|
||||
} else if (earliestCertificateTimestamp > filterTimestampTime) {
|
||||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: cert too new"));
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::CertificateTooNew;
|
||||
}
|
||||
} else if (crliteRevocationState == nsICertStorage::STATE_UNSET) {
|
||||
certificateFoundValidInCRLiteFilter = true;
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::CertificateValid;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -729,9 +709,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: IsCertRevokedByStash "
|
||||
"failed"));
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::LibraryFailure;
|
||||
}
|
||||
if (mCRLiteMode == CRLiteMode::Enforce) {
|
||||
return Result::FATAL_ERROR_LIBRARY_FAILURE;
|
||||
}
|
||||
|
@ -739,9 +716,6 @@ Result NSSCertDBTrustDomain::CheckRevocation(
|
|||
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
|
||||
("NSSCertDBTrustDomain::CheckRevocation: IsCertRevokedByStash "
|
||||
"returned true"));
|
||||
if (mCRLiteLookupResult) {
|
||||
*mCRLiteLookupResult = CRLiteLookupResult::CertRevokedByStash;
|
||||
}
|
||||
if (mCRLiteMode == CRLiteMode::Enforce) {
|
||||
return Result::ERROR_REVOKED_CERTIFICATE;
|
||||
}
|
||||
|
|
|
@ -139,7 +139,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
|
|||
const Maybe<nsTArray<nsTArray<uint8_t>>>& extraCertificates,
|
||||
/*out*/ UniqueCERTCertList& builtChain,
|
||||
/*optional*/ PinningTelemetryInfo* pinningTelemetryInfo = nullptr,
|
||||
/*optional*/ CRLiteLookupResult* crliteLookupResult = nullptr,
|
||||
/*optional*/ const char* hostname = nullptr);
|
||||
|
||||
virtual Result FindIssuer(mozilla::pkix::Input encodedIssuerName,
|
||||
|
@ -263,7 +262,6 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
|
|||
const Maybe<nsTArray<nsTArray<uint8_t>>>& mExtraCertificates; // non-owning
|
||||
UniqueCERTCertList& mBuiltChain; // non-owning
|
||||
PinningTelemetryInfo* mPinningTelemetryInfo;
|
||||
CRLiteLookupResult* mCRLiteLookupResult;
|
||||
const char* mHostname; // non-owning - only used for pinning checks
|
||||
nsCOMPtr<nsICertStorage> mCertStorage;
|
||||
CertVerifier::OCSPStaplingStatus mOCSPStaplingStatus;
|
||||
|
|
|
@ -753,8 +753,7 @@ static void CollectCertTelemetry(
|
|||
KeySizeStatus aKeySizeStatus, SHA1ModeResult aSha1ModeResult,
|
||||
const PinningTelemetryInfo& aPinningTelemetryInfo,
|
||||
const UniqueCERTCertList& aBuiltCertChain,
|
||||
const CertificateTransparencyInfo& aCertificateTransparencyInfo,
|
||||
const CRLiteLookupResult& aCRLiteLookupResult) {
|
||||
const CertificateTransparencyInfo& aCertificateTransparencyInfo) {
|
||||
uint32_t evStatus = (aCertVerificationResult != Success) ? 0 // 0 = Failure
|
||||
: (aEVStatus != EVStatus::EV) ? 1 // 1 = DV
|
||||
: 2; // 2 = EV
|
||||
|
@ -792,42 +791,6 @@ static void CollectCertTelemetry(
|
|||
aEVStatus == EVStatus::EV,
|
||||
aCertificateTransparencyInfo);
|
||||
}
|
||||
|
||||
switch (aCRLiteLookupResult) {
|
||||
case CRLiteLookupResult::FilterNotAvailable:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::FilterNotAvailable);
|
||||
break;
|
||||
case CRLiteLookupResult::IssuerNotEnrolled:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::IssuerNotEnrolled);
|
||||
break;
|
||||
case CRLiteLookupResult::CertificateTooNew:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::CertificateTooNew);
|
||||
break;
|
||||
case CRLiteLookupResult::CertificateValid:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::CertificateValid);
|
||||
break;
|
||||
case CRLiteLookupResult::CertificateRevoked:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::CertificateRevoked);
|
||||
break;
|
||||
case CRLiteLookupResult::LibraryFailure:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::LibraryFailure);
|
||||
break;
|
||||
case CRLiteLookupResult::CertRevokedByStash:
|
||||
Telemetry::AccumulateCategorical(
|
||||
Telemetry::LABELS_CRLITE_RESULT::CertRevokedByStash);
|
||||
break;
|
||||
case CRLiteLookupResult::NeverChecked:
|
||||
break;
|
||||
default:
|
||||
MOZ_ASSERT_UNREACHABLE("Unhandled CRLiteLookupResult value?");
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
static void AuthCertificateSetResults(
|
||||
|
@ -880,7 +843,6 @@ Result AuthCertificate(
|
|||
KeySizeStatus keySizeStatus = KeySizeStatus::NeverChecked;
|
||||
SHA1ModeResult sha1ModeResult = SHA1ModeResult::NeverChecked;
|
||||
PinningTelemetryInfo pinningTelemetryInfo;
|
||||
CRLiteLookupResult crliteTelemetryInfo;
|
||||
|
||||
nsTArray<nsTArray<uint8_t>> peerCertsBytes;
|
||||
// Don't include the end-entity certificate.
|
||||
|
@ -896,12 +858,12 @@ Result AuthCertificate(
|
|||
Some(std::move(peerCertsBytes)), stapledOCSPResponse,
|
||||
sctsFromTLSExtension, dcInfo, aOriginAttributes, &evStatus,
|
||||
&ocspStaplingStatus, &keySizeStatus, &sha1ModeResult,
|
||||
&pinningTelemetryInfo, &certificateTransparencyInfo, &crliteTelemetryInfo,
|
||||
&pinningTelemetryInfo, &certificateTransparencyInfo,
|
||||
&aIsCertChainRootBuiltInRoot);
|
||||
|
||||
CollectCertTelemetry(rv, evStatus, ocspStaplingStatus, keySizeStatus,
|
||||
sha1ModeResult, pinningTelemetryInfo, builtCertChain,
|
||||
certificateTransparencyInfo, crliteTelemetryInfo);
|
||||
certificateTransparencyInfo);
|
||||
|
||||
return rv;
|
||||
}
|
||||
|
|
|
@ -1110,7 +1110,6 @@ static void RebuildVerifiedCertificateInformation(PRFileDesc* fd,
|
|||
nullptr, // SHA-1 telemetry
|
||||
nullptr, // pinning telemetry
|
||||
&certificateTransparencyInfo,
|
||||
nullptr, // CRLite telemetry,
|
||||
&isBuiltCertChainRootBuiltInRoot);
|
||||
|
||||
if (rv != Success) {
|
||||
|
|
|
@ -12626,17 +12626,6 @@
|
|||
"n_values": 6,
|
||||
"description": "1 = No SHA1 signatures, 2 = SHA1 certificates issued by an imported root, 3 = SHA1 certificates issued before 2016, 4 = SHA1 certificates issued after 2015, 5 = another error prevented successful verification"
|
||||
},
|
||||
"CRLITE_RESULT": {
|
||||
"record_in_processes": ["main"],
|
||||
"products": ["firefox"],
|
||||
"expires_in_version": "92",
|
||||
"kind": "categorical",
|
||||
"labels": ["FilterNotAvailable", "IssuerNotEnrolled", "CertificateTooNew", "CertificateValid", "CertificateRevoked", "LibraryFailure", "CertRevokedByStash"],
|
||||
"description": "The result of looking up revocation information for a TLS server certificate in CRLite.",
|
||||
"bug_numbers": [1586855, 1607765, 1670984, 1678206],
|
||||
"releaseChannelCollection": "opt-out",
|
||||
"alert_emails": ["dkeeler@mozilla.com", "seceng-telemetry@mozilla.com"]
|
||||
},
|
||||
"WEAVE_START_COUNT": {
|
||||
"record_in_processes": ["main", "content"],
|
||||
"products": ["firefox", "fennec"],
|
||||
|
|
Загрузка…
Ссылка в новой задаче