bug 1085509 - add telemetry for how many permanent certificate overrides users have r=mmc r=jcj

security/manager/ssl/public/nsICertOverrideService.idl

@@ -18,7 +18,7 @@ interface nsIX509Cert;
  *   {host:port, cert-fingerprint, allowed-overrides} 
  * that the user wants to accept without further warnings. 
  */
-[scriptable, uuid(31738d2a-77d3-4359-84c9-4be2f38fb8c5)]
+[scriptable, uuid(be019e47-22fc-4355-9f16-9ab047d6742d)]
 interface nsICertOverrideService : nsISupports {
 
   /**
@@ -109,13 +109,11 @@ interface nsICertOverrideService : nsISupports {
                              in int32_t aPort);
 
   /**
-   *  Obtain the full list of hostname:port for which overrides are known.
+   *  Count and return the number of permanent overrides.
    *
-   *  @param aCount The number of host:port entries returned
-   *  @param aHostsWithPortsArray The array of host:port entries returned
+   *  @param aCount The number of permanent overrides
    */
-  void getAllOverrideHostsWithPorts(out uint32_t aCount, 
-                                    [array, size_is(aCount)] out wstring aHostsWithPortsArray);
+  void getPermanentOverrideCount(out uint32_t aCount);
 
   /**
    *  Is the given cert used in rules?

security/manager/ssl/src/nsCertOverrideService.cpp

@@ -613,11 +613,28 @@ nsCertOverrideService::ClearValidityOverride(const nsACString & aHostName, int32
   return NS_OK;
 }
 
-NS_IMETHODIMP
-nsCertOverrideService::GetAllOverrideHostsWithPorts(uint32_t *aCount, 
-                                                        char16_t ***aHostsWithPortsArray)
+static PLDHashOperator
+CountPermanentEntriesCallback(nsCertOverrideEntry* aEntry, void* aArg)
 {
-  return NS_ERROR_NOT_IMPLEMENTED;
+  uint32_t* overrideCount = reinterpret_cast<uint32_t*>(aArg);
+  if (aEntry && !aEntry->mSettings.mIsTemporary) {
+    *overrideCount = *overrideCount + 1;
+    return PL_DHASH_NEXT;
+  }
+
+  return PL_DHASH_NEXT;
+}
+
+NS_IMETHODIMP
+nsCertOverrideService::GetPermanentOverrideCount(uint32_t* aOverrideCount)
+{
+  NS_ENSURE_ARG(aOverrideCount);
+  *aOverrideCount = 0;
+
+  ReentrantMonitorAutoEnter lock(monitor);
+  mSettingsTable.EnumerateEntries(CountPermanentEntriesCallback, aOverrideCount);
+
+  return NS_OK;
 }
 
 static bool

security/manager/ssl/src/nsNSSComponent.cpp

@@ -1049,6 +1049,23 @@ nsNSSComponent::InitializeNSS()
     return NS_ERROR_FAILURE;
   }
 
+  // This can happen during startup and is a bit expensive, so only instantiate
+  // the certificate override service if telemetry is actually enabled.
+  if (Telemetry::CanRecord()) {
+    nsCOMPtr<nsICertOverrideService> overrideService(
+      do_GetService(NS_CERTOVERRIDE_CONTRACTID));
+    if (!overrideService) {
+      PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("Failed to initialize cert override service\n"));
+      return NS_ERROR_FAILURE;
+    }
+    uint32_t overrideCount = 0;
+    rv = overrideService->GetPermanentOverrideCount(&overrideCount);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
+    Telemetry::Accumulate(Telemetry::SSL_PERMANENT_CERT_ERROR_OVERRIDES,
+                          overrideCount);
+  }
 
   PR_LOG(gPIPNSSLog, PR_LOG_DEBUG, ("NSS Initialization done\n"));
   return NS_OK;

toolkit/components/telemetry/Histograms.json

@@ -6478,6 +6478,13 @@
     "n_values": 24,
     "description": "Was a certificate error overridden on this handshake? What was it? (0=unknown error (indicating bug), 1=no, >1=a specific error)"
   },
+  "SSL_PERMANENT_CERT_ERROR_OVERRIDES": {
+    "expires_in_version": "never",
+    "kind": "exponential",
+    "high": 1024,
+    "n_buckets": 10,
+    "description": "How many permanent certificate overrides a user has stored."
+  },
   "TELEMETRY_TEST_EXPIRED": {
     "expires_in_version": "4.0a1",
     "kind": "flag",