Bug 951315 - Add telemetry to PK pinning. r=dkeeler

2024-09-13 09:24:08 -07:00 · 2014-04-30 17:04:00 -07:00 · 2014-04-30 17:04:00 -07:00 · 2114fc7458
commit 2114fc7458
parent 76c09e572a
3 changed files with 30 additions and 5 deletions
--- a/security/manager/boot/src/PublicKeyPinningService.cpp
+++ b/security/manager/boot/src/PublicKeyPinningService.cpp
@ -4,16 +4,17 @@

 #include "PublicKeyPinningService.h"
 #include "StaticHPKPins.h" // autogenerated by genHPKPStaticpins.js
-#include "ScopedNSSTypes.h"
-#include "pkix/pkixtypes.h"

-#include "nsString.h"
 #include "cert.h"
+#include "mozilla/Base64.h"
+#include "mozilla/Telemetry.h"
+#include "nsString.h"
 #include "nssb64.h"
+#include "pkix/pkixtypes.h"
 #include "prlog.h"
+#include "ScopedNSSTypes.h"
 #include "seccomon.h"
 #include "sechash.h"
-#include "mozilla/Base64.h"

 using namespace mozilla;
 using namespace mozilla::psm;
@ -148,7 +149,10 @@ CheckPinsForHostname(const CERTCertList *certList, const char *hostname,
  } // end while

  if (foundEntry && foundEntry->pinset) {
-    return EvalPinWithPinset(certList, foundEntry->pinset);
+    bool result = EvalPinWithPinset(certList, foundEntry->pinset);
+    Telemetry::Accumulate(Telemetry::CERT_PINNING_EVALUATION_RESULTS,
+                          result ? 1 : 0);
+    return result;
  }
  return true; // No pinning information for this hostname
 }
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@ -83,6 +83,17 @@ function test_disabled() {
  add_connection_test("sub.exclude-subdomains.pinning.example.com", Cr.NS_OK);
 };

+function check_pinning_telemetry() {
+  let histogram = Cc["@mozilla.org/base/telemetry;1"]
+                    .getService(Ci.nsITelemetry)
+                    .getHistogramById("CERT_PINNING_EVALUATION_RESULTS")
+                    .snapshot();
+   // Currently only strict mode gets evaluated
+   do_check_eq(histogram.counts[0], 1); // Failure count
+   do_check_eq(histogram.counts[1], 3); // Success count
+   run_next_test();
+}
+
 function run_test() {
  add_tls_server_setup("BadCertServer");

@ -92,5 +103,9 @@ function run_test() {
  test_strict();
  test_mitm();
  test_disabled();
+
+  add_test(function () {
+    check_pinning_telemetry();
+  });
  run_next_test();
 }
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -5916,5 +5916,11 @@
    "high": "5000",
    "n_buckets": 10,
    "extended_statistics_ok": true
+  },
+  "CERT_PINNING_EVALUATION_RESULTS": {
+    "expires_in_version": "never",
+    "kind": "enumerated",
+    "n_values": 4,
+    "description": "Certificate pinning evalutation results(pinned host)(0 = failure, 1 = success)"
  }
 }