Certificate Transparency: Add UMA for whitelist status

In order to figure out if non-compliant EV certs are non-compliant because the client is missing the whitelist or the certificate is not whitelisted, log the whitelist status to a histogram when a non-compliant cert is encountered. BUG=397458 Review URL: https://codereview.chromium.org/985993003 Cr-Commit-Position: refs/heads/master@{#321302}

Certificate Transparency: Add UMA for whitelist status
In order to figure out if non-compliant EV certs are non-compliant because the client is missing the whitelist or the certificate is not whitelisted, log the whitelist status to a histogram when a non-compliant cert is encountered. BUG=397458 Review URL: https://codereview.chromium.org/985993003 Cr-Commit-Position: refs/heads/master@{#321302}
1ab731da · eranm · Commit bot · 2b246d6f · 1ab731da · 1ab731da
Commit 1ab731da authored Mar 18, 2015 by eranm Committed by Commit bot Mar 19, 2015
Show whitespace changes
Inline Side-by-side

Showing with 42 additions and 2 deletions

net/cert/cert_policy_enforcer.cc net/cert/cert_policy_enforcer.cc +22 -2

tools/metrics/histograms/histograms.xml tools/metrics/histograms/histograms.xml +20 -0

No files found.
--- a/net/cert/cert_policy_enforcer.cc
+++ b/net/cert/cert_policy_enforcer.cc
@@ -126,9 +126,29 @@ const char* ComplianceStatusToString(CTComplianceStatus status) {
  return "unknown";
 }

-void LogCTComplianceStatusToUMA(CTComplianceStatus status) {
+enum EVWhitelistStatus {
+  EV_WHITELIST_NOT_PRESENT = 0,
+  EV_WHITELIST_INVALID = 1,
+  EV_WHITELIST_VALID = 2,
+  EV_WHITELIST_MAX,
+};
+
+void LogCTComplianceStatusToUMA(CTComplianceStatus status,
+                                const ct::EVCertsWhitelist* ev_whitelist) {
  UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVCertificateCTCompliance", status,
                            CT_COMPLIANCE_MAX);
+  if (status == CT_NOT_COMPLIANT) {
+    EVWhitelistStatus ev_whitelist_status = EV_WHITELIST_NOT_PRESENT;
+    if (ev_whitelist != NULL) {
+      if (ev_whitelist->IsValid())
+        ev_whitelist_status = EV_WHITELIST_VALID;
+      else
+        ev_whitelist_status = EV_WHITELIST_INVALID;
+    }
+
+    UMA_HISTOGRAM_ENUMERATION("Net.SSL_EVWhitelistValidityForNonCompliantCert",
+                              ev_whitelist_status, EV_WHITELIST_MAX);
+  }
 }

 struct ComplianceDetails {
@@ -244,7 +264,7 @@ bool CertPolicyEnforcer::DoesConformToCTEVPolicy(
  if (!details.build_timely)
    return false;

-  LogCTComplianceStatusToUMA(details.status);
+  LogCTComplianceStatusToUMA(details.status, ev_whitelist);

  if (details.status == CT_IN_WHITELIST || details.status == CT_ENOUGH_SCTS)
    return true;

--- a/tools/metrics/histograms/histograms.xml
+++ b/tools/metrics/histograms/histograms.xml
@@ -20391,6 +20391,20 @@ Therefore, the affected-histogram name has to have at least one dot in it.
  </summary>
 </histogram>

+<histogram name="Net.SSL_EVWhitelistValidityForNonCompliantCert"
+    enum="EVWhitelistStatus">
+  <owner>eranm@chromium.org</owner>
+  <owner>rsleevi@chromium.org</owner>
+  <summary>
+    Whether the client holds a valid EV Certificates whitelist or not. Only
+    emitted when an EV cert that is not compliant with the Certificate
+    Transparency requirement is encountered. This histogram is intended to be
+    short-lived and help determine if EV certificates are considered
+    non-compliant because they are not whitelisted or if the client does not
+    hold a valid instance of the whitelist.
+  </summary>
+</histogram>
+
 <histogram name="Net.SSLCertBlacklisted">
  <owner>agl@chromium.org</owner>
  <summary>
@@ -48004,6 +48018,12 @@ Therefore, the affected-histogram name has to have at least one dot in it.
  <int value="11004" label="WSANO_DATA"/>
 </enum>

+<enum name="EVWhitelistStatus" type="int">
+  <int value="0" label="Not present"/>
+  <int value="1" label="Invalid"/>
+  <int value="2" label="Valid"/>
+</enum>
+
 <enum name="ExecutionPhase" type="int">
  <int value="0" label="UNINITIALIZED_PHASE"/>
  <int value="100" label="START_METRICS_RECORDING"/>