commit c9bdb15ba18f527aa4693a7949f0a34b37ecf364
parent 56ffabb418a93121bc5af9bcccb0267dc25bbabd
Author: John M. Schanck <jschanck@mozilla.com>
Date: Sat, 20 Dec 2025 03:02:15 +0000
Bug 2005387 - remove cert_verifier.crlite_vs_ocsp_result metric. r=keeler
Differential Revision: https://phabricator.services.mozilla.com/D277266
Diffstat:
3 files changed, 7 insertions(+), 74 deletions(-)
diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -779,9 +779,8 @@ Result NSSCertDBTrustDomain::CheckRevocation(
}
}
- Result ocspResult = CheckRevocationByOCSP(
- certID, time, validityDuration, aiaLocation, crliteCoversCertificate,
- crliteResult, stapledOCSPResponse);
+ Result ocspResult = CheckRevocationByOCSP(certID, time, validityDuration,
+ aiaLocation, stapledOCSPResponse);
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain: end of CheckRevocation"));
@@ -868,8 +867,7 @@ Result NSSCertDBTrustDomain::CheckRevocationByCRLite(
Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
const CertID& certID, Time time, Duration validityDuration,
- const nsCString& aiaLocation, const bool crliteCoversCertificate,
- const Result crliteResult,
+ const nsCString& aiaLocation,
/*optional*/ const Input* stapledOCSPResponse) {
const uint16_t maxOCSPLifetimeInDays = 10;
// If we have a stapled OCSP response then the verification of that response
@@ -1047,7 +1045,7 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
// responses from a failing server.
return SynchronousCheckRevocationWithServer(
certID, aiaLocation, time, maxOCSPLifetimeInDays, cachedResponseResult,
- stapledOCSPResponseResult, crliteCoversCertificate, crliteResult);
+ stapledOCSPResponseResult);
}
return HandleOCSPFailure(cachedResponseResult, stapledOCSPResponseResult,
@@ -1057,8 +1055,7 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
const CertID& certID, const nsCString& aiaLocation, Time time,
uint16_t maxOCSPLifetimeInDays, const Result cachedResponseResult,
- const Result stapledOCSPResponseResult, const bool crliteCoversCertificate,
- const Result crliteResult) {
+ const Result stapledOCSPResponseResult) {
if (AppShutdown::IsInOrBeyond(ShutdownPhase::AppShutdownConfirmed)) {
return Result::FATAL_ERROR_LIBRARY_FAILURE;
}
@@ -1095,14 +1092,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
return cacheRV;
}
- if (crliteCoversCertificate &&
- crliteResult == Result::ERROR_REVOKED_CERTIFICATE) {
- // CRLite says the certificate is revoked, but OCSP fetching failed.
- mozilla::glean::cert_verifier::crlite_vs_ocsp_result
- .Get("CRLiteRevOCSPFail"_ns)
- .Add(1);
- }
-
return HandleOCSPFailure(cachedResponseResult, stapledOCSPResponseResult,
rv);
}
@@ -1114,34 +1103,6 @@ Result NSSCertDBTrustDomain::SynchronousCheckRevocationWithServer(
rv = VerifyAndMaybeCacheEncodedOCSPResponse(certID, time,
maxOCSPLifetimeInDays, response,
ResponseIsFromNetwork, expired);
-
- // If CRLite said that this certificate is revoked, report the OCSP
- // status. OCSP may have succeeded, said the certificate is revoked, said the
- // certificate doesn't exist, or it may have failed for a reason that results
- // in a "soft fail" (i.e. there is no indication that the certificate is
- // either definitely revoked or definitely not revoked, so for usability,
- // revocation checking says the certificate is valid by default).
- if (crliteCoversCertificate &&
- crliteResult == Result::ERROR_REVOKED_CERTIFICATE) {
- if (rv == Success) {
- mozilla::glean::cert_verifier::crlite_vs_ocsp_result
- .Get("CRLiteRevOCSPOk"_ns)
- .Add(1);
- } else if (rv == Result::ERROR_REVOKED_CERTIFICATE) {
- mozilla::glean::cert_verifier::crlite_vs_ocsp_result
- .Get("CRLiteRevOCSPRev"_ns)
- .Add(1);
- } else if (rv == Result::ERROR_OCSP_UNKNOWN_CERT) {
- mozilla::glean::cert_verifier::crlite_vs_ocsp_result
- .Get("CRLiteRevOCSPUnk"_ns)
- .Add(1);
- } else {
- mozilla::glean::cert_verifier::crlite_vs_ocsp_result
- .Get("CRLiteRevOCSPSoft"_ns)
- .Add(1);
- }
- }
-
if (rv == Success || mOCSPFetching == RevocationCheckRequired) {
MOZ_LOG(gCertVerifierLog, LogLevel::Debug,
("NSSCertDBTrustDomain: returning after "
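Review bot: The deleted comment block was the only text in SynchronousCheckRevocationWithServer that spelled out the soft-fail contract — that an OCSP outcome which neither confirms nor rules out revocation is treated as valid by default — and the surviving condition `if (rv == Success || mOCSPFetching == RevocationCheckRequired)` now carries that policy with no explanation next to it. Since the telemetry is gone but the behavior is not, consider re-homing a trimmed version of that sentence immediately above the condition, e.g. `// Soft-fail policy: an OCSP result that is neither Success nor a definite revocation is treated as valid unless a hard revocation check was requested.`, adjusted if the branches below (outside this hunk) read differently. The function continues past the end of the hunk, so the exact failure handling that follows is not visible here.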
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
@@ -255,14 +255,13 @@ class NSSCertDBTrustDomain : public mozilla::pkix::TrustDomain {
Result CheckRevocationByOCSP(
const mozilla::pkix::CertID& certID, mozilla::pkix::Time time,
mozilla::pkix::Duration validityDuration, const nsCString& aiaLocation,
- const bool crliteCoversCertificate, const Result crliteResult,
/*optional*/ const mozilla::pkix::Input* stapledOCSPResponse);
Result SynchronousCheckRevocationWithServer(
const mozilla::pkix::CertID& certID, const nsCString& aiaLocation,
mozilla::pkix::Time time, uint16_t maxOCSPLifetimeInDays,
- const Result cachedResponseResult, const Result stapledOCSPResponseResult,
- const bool crliteFilterCoversCertificate, const Result crliteResult);
+ const Result cachedResponseResult,
+ const Result stapledOCSPResponseResult);
Result HandleOCSPFailure(const Result cachedResponseResult,
const Result stapledOCSPResponseResult,
const Result error);
diff --git a/security/certverifier/metrics.yaml b/security/certverifier/metrics.yaml
@@ -31,33 +31,6 @@ cert_verifier:
- revoked_in_filter
- revoked_in_stash
- crlite_vs_ocsp_result:
- type: labeled_counter
- description: >
- The OCSP result when CRLite claims a certificate is revoked.
- data_sensitivity:
- - technical
- bugs:
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1675655
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1908549
- data_reviews:
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1675655
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1758827
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1817102
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1846898
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1876443
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1908549
- - https://bugzilla.mozilla.org/show_bug.cgi?id=1974141
- notification_emails:
- - jschanck@mozilla.com
- expires: 149
- labels:
- - CRLiteRevOCSPFail
- - CRLiteRevOCSPOk
- - CRLiteRevOCSPRev
- - CRLiteRevOCSPUnk
- - CRLiteRevOCSPSoft
-
cert_revocation_mechanisms:
type: labeled_counter
description: >