bug 969048 - adjust OCSP stapling telemetry for insanity::pkix r=briansmith r=cviecco

security/certverifier/NSSCertDBTrustDomain.cpp

@@ -11,6 +11,7 @@
 #include "ExtendedValidation.h"
 #include "certdb.h"
 #include "insanity/pkix.h"
+#include "mozilla/Telemetry.h"
 #include "nss.h"
 #include "ocsp.h"
 #include "pk11pub.h"
@@ -167,16 +168,27 @@ NSSCertDBTrustDomain::CheckRevocation(
                                                           time,
                                                           stapledOCSPResponse);
     if (rv == SECSuccess) {
+      // stapled OCSP response present and good
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 1);
       PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
              ("NSSCertDBTrustDomain: stapled OCSP response: good"));
       return rv;
     }
     if (PR_GetError() != SEC_ERROR_OCSP_OLD_RESPONSE) {
+      // stapled OCSP response present but invalid for some reason
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 4);
       PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
              ("NSSCertDBTrustDomain: stapled OCSP response: failure"));
       return rv;
+    } else {
+      // stapled OCSP response present but expired
+      Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 3);
+      PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
+             ("NSSCertDBTrustDomain: expired stapled OCSP response"));
     }
   } else {
+    // no stapled OCSP response
+    Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, 2);
     PR_LOG(gCertVerifierLog, PR_LOG_DEBUG,
            ("NSSCertDBTrustDomain: no stapled OCSP response"));
   }

security/manager/ssl/tests/unit/test_ocsp_stapling.js

@@ -126,11 +126,11 @@ function check_ocsp_stapling_telemetry() {
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 1); // 1 connection with a good response
-  do_check_eq(histogram.counts[2], 14); // 14 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 0); // 0 connections with an expired response
-  do_check_eq(histogram.counts[4], 11); // 11 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 1); // 1 connection with a good response
+  do_check_eq(histogram.counts[2], 2 * 14); // 14 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 0); // 0 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 11); // 11 connections with bad responses
   run_next_test();
 }
 

security/manager/ssl/tests/unit/test_ocsp_stapling_expired.js

@@ -107,10 +107,10 @@ function check_ocsp_stapling_telemetry() {
                     .getService(Ci.nsITelemetry)
                     .getHistogramById("SSL_OCSP_STAPLING")
                     .snapshot();
-  do_check_eq(histogram.counts[0], 0); // histogram bucket 0 is unused
-  do_check_eq(histogram.counts[1], 0); // 0 connections with a good response
-  do_check_eq(histogram.counts[2], 0); // 0 connections with no stapled resp.
-  do_check_eq(histogram.counts[3], 9); // 9 connections with an expired response
-  do_check_eq(histogram.counts[4], 0); // 0 connections with bad responses
+  do_check_eq(histogram.counts[0], 2 * 0); // histogram bucket 0 is unused
+  do_check_eq(histogram.counts[1], 2 * 0); // 0 connections with a good response
+  do_check_eq(histogram.counts[2], 2 * 0); // 0 connections with no stapled resp.
+  do_check_eq(histogram.counts[3], 2 * 9); // 9 connections with an expired response
+  do_check_eq(histogram.counts[4], 2 * 0); // 0 connections with bad responses
   run_next_test();
 }