Bug 1009720: Telemetry for CERT_PINNING_TEST_RESULTS (r=keeler)

2024-09-13 09:24:08 -07:00 · 2014-05-13 13:50:13 -07:00 · 2014-05-13 13:50:13 -07:00 · 9eb1c9c9de
commit 9eb1c9c9de
parent eb69e55005
4 changed files with 33 additions and 21 deletions
--- a/netwerk/base/public/security-prefs.js
+++ b/netwerk/base/public/security-prefs.js
@ -57,4 +57,5 @@ pref("security.OCSP.GET.enabled", false);

 pref("security.use_mozillapkix_verification", true);

-pref("security.cert_pinning.enforcement_level", 0);
+// Default to MITM mode for pinning checks.
+pref("security.cert_pinning.enforcement_level", 1);
--- a/security/manager/boot/src/PublicKeyPinningService.cpp
+++ b/security/manager/boot/src/PublicKeyPinningService.cpp
@ -194,16 +194,18 @@ CheckPinsForHostname(const CERTCertList *certList, const char *hostname,

  if (foundEntry && foundEntry->pinset) {
    bool result = EvalChainWithPinset(certList, foundEntry->pinset);
+    bool retval = result;
+    Telemetry::ID histogram = Telemetry::CERT_PINNING_RESULTS;
    if (foundEntry->mTestMode) {
-      // TODO: Accumulate telemetry in test mode.
-      PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG,
-             ("pkpin: Skipping test mode evaluation for host: '%s'\n",
-              evalHost));
-      return true;
+      histogram = Telemetry::CERT_PINNING_TEST_RESULTS;
+      retval = true;
    }
-    Telemetry::Accumulate(Telemetry::CERT_PINNING_EVALUATION_RESULTS,
-                          result ? 1 : 0);
-    return result;
+    Telemetry::Accumulate(histogram, result ? 1 : 0);
+    PR_LOG(gPublicKeyPinningLog, PR_LOG_DEBUG,
+           ("pkpin: Pin check %s for host '%s' (mode=%s)\n",
+            result ? "passed" : "failed", evalHost,
+            foundEntry->mTestMode ? "test" : "production"));
+    return retval;
  }
  return true; // No pinning information for this hostname
 }
--- a/security/manager/ssl/tests/unit/test_pinning.js
+++ b/security/manager/ssl/tests/unit/test_pinning.js
@ -92,14 +92,19 @@ function test_disabled() {
 };

 function check_pinning_telemetry() {
-  let histogram = Cc["@mozilla.org/base/telemetry;1"]
-                    .getService(Ci.nsITelemetry)
-                    .getHistogramById("CERT_PINNING_EVALUATION_RESULTS")
-                    .snapshot();
-   // Currently only strict mode gets evaluated
-   do_check_eq(histogram.counts[0], 1); // Failure count
-   do_check_eq(histogram.counts[1], 3); // Success count
-   run_next_test();
+  let service = Cc["@mozilla.org/base/telemetry;1"].getService(Ci.nsITelemetry);
+  let prod_histogram = service.getHistogramById("CERT_PINNING_RESULTS")
+                         .snapshot();
+  let test_histogram = service.getHistogramById("CERT_PINNING_TEST_RESULTS")
+                         .snapshot();
+  // Because all of our test domains are pinned to user-specified trust
+  // anchors, effectively only strict mode gets evaluated
+  do_check_eq(prod_histogram.counts[0], 1); // Failure count
+  do_check_eq(prod_histogram.counts[1], 3); // Success count
+  do_check_eq(test_histogram.counts[0], 1); // Failure count
+  do_check_eq(test_histogram.counts[1], 0); // Success count
+
+  run_next_test();
 }

 function run_test() {
--- a/toolkit/components/telemetry/Histograms.json
+++ b/toolkit/components/telemetry/Histograms.json
@ -5917,10 +5917,14 @@
    "n_buckets": 10,
    "extended_statistics_ok": true
  },
-  "CERT_PINNING_EVALUATION_RESULTS": {
+  "CERT_PINNING_RESULTS": {
    "expires_in_version": "never",
-    "kind": "enumerated",
-    "n_values": 4,
-    "description": "Certificate pinning evalutation results(pinned host)(0 = failure, 1 = success)"
+    "kind": "boolean",
+    "description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
+  },
+  "CERT_PINNING_TEST_RESULTS": {
+    "expires_in_version": "never",
+    "kind": "boolean",
+    "description": "Certificate pinning evalutation results (0 = failure, 1 = success)"
  }
 }