mozilla
diff --git a/‎security/certverifier/CertVerifier.h
Lines changed: 4 additions & 2 deletions b/‎security/certverifier/CertVerifier.h
Lines changed: 4 additions & 2 deletions
diff --git a/‎security/manager/ssl/PublicKeyPinningService.cpp
Lines changed: 2 additions & 8 deletions b/‎security/manager/ssl/PublicKeyPinningService.cpp
Lines changed: 2 additions & 8 deletions
diff --git a/‎security/manager/ssl/RootCertificateTelemetryUtils.cpp
Lines changed: 0 additions & 11 deletions b/‎security/manager/ssl/RootCertificateTelemetryUtils.cpp
Lines changed: 0 additions & 11 deletions
diff --git a/‎security/manager/ssl/RootCertificateTelemetryUtils.h
Lines changed: 0 additions & 4 deletions b/‎security/manager/ssl/RootCertificateTelemetryUtils.h
Lines changed: 0 additions & 4 deletions
diff --git a/‎security/manager/ssl/SSLServerCertVerification.cpp
Lines changed: 35 additions & 13 deletions b/‎security/manager/ssl/SSLServerCertVerification.cpp
Lines changed: 35 additions & 13 deletions
diff --git a/‎security/manager/ssl/metrics.yaml
Lines changed: 201 additions & 0 deletions b/‎security/manager/ssl/metrics.yaml
Lines changed: 201 additions & 0 deletions
diff --git a/‎security/manager/ssl/nsNSSCallbacks.cpp
Lines changed: 4 additions & 4 deletions b/‎security/manager/ssl/nsNSSCallbacks.cpp
Lines changed: 4 additions & 4 deletions
@@ -14,7 +14,6 @@
 #include "RootCertificateTelemetryUtils.h"
 #include "ScopedNSSTypes.h"
 #include "mozilla/EnumSet.h"
-#include "mozilla/Telemetry.h"
 #include "mozilla/TimeStamp.h"
 #include "mozilla/UniquePtr.h"
 #include "mozilla/glean/bindings/MetricTypes.h"
@@ -93,7 +92,8 @@ class PinningTelemetryInfo {
 
   // Should we accumulate pinning telemetry for the result?
   bool accumulateResult;
-  Maybe<Telemetry::HistogramID> certPinningResultHistogram;
+  bool isMoz;
+  bool testMode;
   int32_t certPinningResultBucket;
   // Should we accumulate telemetry for the root?
   bool accumulateForRoot;
@@ -102,6 +102,8 @@ class PinningTelemetryInfo {
   void Reset() {
     accumulateForRoot = false;
     accumulateResult = false;
+    isMoz = false;
+    testMode = false;
   }
 };
 
 
@@ -286,23 +286,17 @@ static nsresult CheckPinsForHostname(
         return NS_ERROR_FAILURE;
       }
 
-      Telemetry::HistogramID histogram;
       int32_t bucket;
       // We can collect per-host pinning violations for this host because it is
       // operationally critical to Firefox.
       if (staticFingerprints->mIsMoz) {
-        histogram = staticFingerprints->mTestMode
-                        ? Telemetry::CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
-                        : Telemetry::CERT_PINNING_MOZ_RESULTS_BY_HOST;
         bucket = staticFingerprints->mId * 2 + (enforceTestModeResult ? 1 : 0);
       } else {
-        histogram = staticFingerprints->mTestMode
-                        ? Telemetry::CERT_PINNING_TEST_RESULTS
-                        : Telemetry::CERT_PINNING_RESULTS;
         bucket = enforceTestModeResult ? 1 : 0;
       }
+      pinningTelemetryInfo->isMoz = staticFingerprints->mIsMoz;
+      pinningTelemetryInfo->testMode = staticFingerprints->mTestMode;
       pinningTelemetryInfo->accumulateResult = true;
-      pinningTelemetryInfo->certPinningResultHistogram = Some(histogram);
       pinningTelemetryInfo->certPinningResultBucket = bucket;
 
       // We only collect per-CA pinning statistics upon failures.
 
@@ -124,16 +124,5 @@ int32_t RootCABinNumber(Span<const uint8_t> cert) {
   return ROOT_CERTIFICATE_UNKNOWN;
 }
 
-// Attempt to increment the appropriate bin in the provided Telemetry probe ID.
-// If there was a hash failure, we do nothing.
-void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
-                                  const Span<const uint8_t> cert) {
-  int32_t binId = RootCABinNumber(cert);
-
-  if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
-    Accumulate(probe, binId);
-  }
-}
-
 }  // namespace psm
 }  // namespace mozilla
@@ -8,7 +8,6 @@
 #define RootCertificateTelemetryUtils_h
 
 #include "mozilla/Span.h"
-#include "mozilla/Telemetry.h"
 
 namespace mozilla {
 namespace psm {
@@ -28,9 +27,6 @@ namespace psm {
 
 int32_t RootCABinNumber(Span<const uint8_t> cert);
 
-void AccumulateTelemetryForRootCA(mozilla::Telemetry::HistogramID probe,
-                                  const Span<const uint8_t> cert);
-
 }  // namespace psm
 }  // namespace mozilla
 
 
@@ -504,8 +504,11 @@ void GatherCertificateTransparencyTelemetry(
   // Report CT Policy compliance by CA.
   if (info.policyCompliance.isSome() &&
       *info.policyCompliance != ct::CTPolicyCompliance::Compliant) {
-    AccumulateTelemetryForRootCA(
-        Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA_2, rootCert);
+    int32_t binId = RootCABinNumber(rootCert);
+    if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
+      Telemetry::Accumulate(
+          Telemetry::SSL_CT_POLICY_NON_COMPLIANT_CONNECTIONS_BY_CA_2, binId);
+    }
   }
 }
 
@@ -523,33 +526,52 @@ static void CollectCertTelemetry(
   uint32_t evStatus = (aCertVerificationResult != Success) ? 0  // 0 = Failure
                       : (aEVStatus != EVStatus::EV)        ? 1  // 1 = DV
                                                            : 2;        // 2 = EV
-  Telemetry::Accumulate(Telemetry::CERT_EV_STATUS, evStatus);
+  glean::cert::ev_status.AccumulateSingleSample(evStatus);
 
   if (aOcspStaplingStatus != CertVerifier::OCSP_STAPLING_NEVER_CHECKED) {
     Telemetry::Accumulate(Telemetry::SSL_OCSP_STAPLING, aOcspStaplingStatus);
   }
 
   if (aKeySizeStatus != KeySizeStatus::NeverChecked) {
-    Telemetry::Accumulate(Telemetry::CERT_CHAIN_KEY_SIZE_STATUS,
-                          static_cast<uint32_t>(aKeySizeStatus));
+    glean::cert::chain_key_size_status.AccumulateSingleSample(
+        static_cast<uint32_t>(aKeySizeStatus));
   }
 
   if (aPinningTelemetryInfo.accumulateForRoot) {
-    Telemetry::Accumulate(Telemetry::CERT_PINNING_FAILURES_BY_CA_2,
-                          aPinningTelemetryInfo.rootBucket);
+    glean::cert_pinning::failures_by_ca.AccumulateSingleSample(
+        aPinningTelemetryInfo.rootBucket);
   }
 
   if (aPinningTelemetryInfo.accumulateResult) {
-    MOZ_ASSERT(aPinningTelemetryInfo.certPinningResultHistogram.isSome());
-    Telemetry::Accumulate(
-        aPinningTelemetryInfo.certPinningResultHistogram.value(),
-        aPinningTelemetryInfo.certPinningResultBucket);
+    if (aPinningTelemetryInfo.isMoz) {
+      if (aPinningTelemetryInfo.testMode) {
+        glean::cert_pinning::moz_test_results_by_host.AccumulateSingleSample(
+            aPinningTelemetryInfo.certPinningResultBucket);
+      } else {
+        glean::cert_pinning::moz_results_by_host.AccumulateSingleSample(
+            aPinningTelemetryInfo.certPinningResultBucket);
+      }
+    } else {
+      if (aPinningTelemetryInfo.testMode) {
+        glean::cert_pinning::test_results
+            .EnumGet(static_cast<glean::cert_pinning::TestResultsLabel>(
+                aPinningTelemetryInfo.certPinningResultBucket))
+            .Add();
+      } else {
+        glean::cert_pinning::results
+            .EnumGet(static_cast<glean::cert_pinning::ResultsLabel>(
+                aPinningTelemetryInfo.certPinningResultBucket))
+            .Add();
+      }
+    }
   }
 
   if (aCertVerificationResult == Success && aBuiltCertChain.Length() > 0) {
     const nsTArray<uint8_t>& rootCert = aBuiltCertChain.LastElement();
-    AccumulateTelemetryForRootCA(Telemetry::CERT_VALIDATION_SUCCESS_BY_CA_2,
-                                 rootCert);
+    int32_t binId = RootCABinNumber(rootCert);
+    if (binId != ROOT_CERTIFICATE_HASH_FAILURE) {
+      glean::cert::validation_success_by_ca.AccumulateSingleSample(binId);
+    }
 
     mozilla::glean::tls::certificate_verifications.Add(1);
     if (issuerSources.contains(IssuerSource::TLSHandshake)) {
 
@@ -358,3 +358,204 @@ security:
       - dkeeler@mozilla.com
     expires: never
     telemetry_mirror: SECURITY_CLIENT_AUTH_CERT_USAGE
+
+cert:
+  ev_status:
+    type: custom_distribution
+    description: >
+      EV status of a certificate, recorded on each TLS connection. 0=invalid,
+      1=DV, 2=EV
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_EV_STATUS.
+    range_min: 0
+    range_max: 10
+    bucket_count: 11
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1254653
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1254653
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    notification_emails:
+      - seceng-telemetry@mozilla.com
+    expires: never
+    telemetry_mirror: CERT_EV_STATUS
+
+  validation_success_by_ca:
+    type: custom_distribution
+    description: >
+      Successful SSL server cert validations by CA (see RootHashes.inc for names
+      of CAs)
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_VALIDATION_SUCCESS_BY_CA_2.
+    range_min: 0
+    range_max: 256
+    bucket_count: 257
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1364159
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1369747
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1441550
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1909978
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1364159
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1369747
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1441550
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1909978
+    notification_emails:
+      - seceng-telemetry@mozilla.com
+      - dkeeler@mozilla.com
+    expires: never
+    telemetry_mirror: CERT_VALIDATION_SUCCESS_BY_CA_2
+
+  chain_key_size_status:
+    type: custom_distribution
+    description: >
+      Does enforcing a larger minimum RSA key size cause verification failures?
+      1 = no, 2 = yes, 3 = another error prevented finding a verified chain
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_CHAIN_KEY_SIZE_STATUS.
+    range_min: 0
+    range_max: 4
+    bucket_count: 5
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    notification_emails:
+      - seceng-telemetry@mozilla.com
+    expires: never
+    telemetry_mirror: CERT_CHAIN_KEY_SIZE_STATUS
+
+  validation_http_request_result:
+    type: custom_distribution
+    description: >
+      HTTP result of OCSP, etc.. (0=canceled, 1=OK, 2=FAILED, 3=internal-error)
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_VALIDATION_HTTP_REQUEST_RESULT.
+    range_min: 0
+    range_max: 16
+    bucket_count: 17
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    notification_emails:
+      - seceng-telemetry@mozilla.com
+    expires: never
+    telemetry_mirror: CERT_VALIDATION_HTTP_REQUEST_RESULT
+
+cert_pinning:
+  failures_by_ca:
+    type: custom_distribution
+    description: >
+      Pinning failures by CA (see RootHashes.inc for names of CAs)
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_PINNING_FAILURES_BY_CA_2.
+    range_min: 0
+    range_max: 256
+    bucket_count: 257
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1909978
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1909978
+    notification_emails:
+      - pinning@mozilla.org
+      - dkeeler@mozilla.com
+    expires: never
+    telemetry_mirror: CERT_PINNING_FAILURES_BY_CA_2
+
+  results:
+    type: labeled_counter
+    description: >
+      Certificate pinning results (0 = failure, 1 = success)
+
+      This metric was generated to correspond to the Legacy Telemetry boolean
+      histogram CERT_PINNING_RESULTS.
+    labels:
+      - "false"
+      - "true"
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    notification_emails:
+      - pinning@mozilla.org
+    expires: never
+    telemetry_mirror: h#CERT_PINNING_RESULTS
+
+  test_results:
+    type: labeled_counter
+    description: >
+      Certificate pinning test results (0 = failure, 1 = success)
+
+      This metric was generated to correspond to the Legacy Telemetry boolean
+      histogram CERT_PINNING_TEST_RESULTS.
+    labels:
+      - "false"
+      - "true"
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1862062
+    notification_emails:
+      - pinning@mozilla.org
+    expires: never
+    telemetry_mirror: h#CERT_PINNING_TEST_RESULTS
+
+  moz_results_by_host:
+    type: custom_distribution
+    description: >
+      Certificate pinning results by host for Mozilla operational sites
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_PINNING_MOZ_RESULTS_BY_HOST.
+    range_min: 0
+    range_max: 512
+    bucket_count: 513
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1007844
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1521940
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1007844
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1521940
+    notification_emails:
+      - dkeeler@mozilla.com
+      - pinning@mozilla.org
+    expires: never
+    telemetry_mirror: CERT_PINNING_MOZ_RESULTS_BY_HOST
+
+  moz_test_results_by_host:
+    type: custom_distribution
+    description: >
+      Certificate pinning test results by host for Mozilla operational sites
+
+      This metric was generated to correspond to the Legacy Telemetry enumerated
+      histogram CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST.
+    range_min: 0
+    range_max: 512
+    bucket_count: 513
+    histogram_type: linear
+    bugs:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1007844
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1521940
+    data_reviews:
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1007844
+      - https://bugzilla.mozilla.org/show_bug.cgi?id=1521940
+    notification_emails:
+      - dkeeler@mozilla.com
+      - pinning@mozilla.org
+    expires: never
+    telemetry_mirror: CERT_PINNING_MOZ_TEST_RESULTS_BY_HOST
@@ -158,17 +158,17 @@ nsresult OCSPRequest::DispatchToMainThreadAndWait() {
   // If mStartTime was never set, we consider this an internal error.
   // Otherwise, we managed to at least send the request.
   if (mStartTime.IsNull()) {
-    Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 3);
+    glean::cert::validation_http_request_result.AccumulateSingleSample(3);
   } else if (mResponseResult == NS_ERROR_NET_TIMEOUT) {
-    Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 0);
+    glean::cert::validation_http_request_result.AccumulateSingleSample(0);
     mozilla::glean::ocsp_request_time::cancel.AccumulateRawDuration(
         TimeStamp::Now() - mStartTime);
   } else if (NS_SUCCEEDED(mResponseResult)) {
-    Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 1);
+    glean::cert::validation_http_request_result.AccumulateSingleSample(1);
     mozilla::glean::ocsp_request_time::success.AccumulateRawDuration(
         TimeStamp::Now() - mStartTime);
   } else {
-    Telemetry::Accumulate(Telemetry::CERT_VALIDATION_HTTP_REQUEST_RESULT, 2);
+    glean::cert::validation_http_request_result.AccumulateSingleSample(2);
     mozilla::glean::ocsp_request_time::failure.AccumulateRawDuration(
         TimeStamp::Now() - mStartTime);
   }