author | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-27 05:05:53 +0000 |
---|---|---|
committer | mattm@chromium.org <mattm@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-27 05:05:53 +0000 |
commit | 99dae71126809f0945b060664a962dd8e1369cfb (patch) | |
tree | 1a321fcd24ceb9a5996a250244163d66927f69a9 /net | |
parent | 2217f87646d6a4d7fb01bd31416ca5919ce3c055 (diff) | |
Add histograms for domain bound certs.
BUG=124105
TEST=run with or without --enable-origin-bound-certs, check about:histograms
Review URL: http://codereview.chromium.org/10174027
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@134229 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/base/server_bound_cert_service.cc | 103 | ||||
-rw-r--r-- | net/socket/ssl_client_socket_nss.cc | 4 |
2 files changed, 98 insertions, 9 deletions
diff --git a/net/base/server_bound_cert_service.cc b/net/base/server_bound_cert_service.cc
index cd158c7..278c585 100644
--- a/net/base/server_bound_cert_service.cc
+++ b/net/base/server_bound_cert_service.cc
@@ -15,6 +15,7 @@
 #include "base/memory/ref_counted.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop.h"
+#include "base/metrics/histogram.h"
 #include "base/rand_util.h"
 #include "base/stl_util.h"
 #include "base/threading/worker_pool.h"
@@ -46,16 +47,56 @@ bool IsSupportedCertType(uint8 type) { } } +// Used by the GetDomainBoundCertResult histogram to record the final +// outcome of each GetDomainBoundCert call. Do not re-use values. +enum GetCertResult { + // Synchronously found and returned an existing domain bound cert. + SYNC_SUCCESS = 0, + // Generated and returned a domain bound cert asynchronously. + ASYNC_SUCCESS = 1, + // Generation request was cancelled before the cert generation completed. + ASYNC_CANCELLED = 2, + // Cert generation failed. + ASYNC_FAILURE_KEYGEN = 3, + ASYNC_FAILURE_CREATE_CERT = 4, + ASYNC_FAILURE_EXPORT_KEY = 5, + ASYNC_FAILURE_UNKNOWN = 6, + // GetDomainBoundCert was called with invalid arguments. + INVALID_ARGUMENT = 7, + // We don't support any of the cert types the server requested. + UNSUPPORTED_TYPE = 8, + // Server asked for a different type of certs while we were generating one. + TYPE_MISMATCH = 9, + // Couldn't start a worker to generate a cert. + WORKER_FAILURE = 10, + GET_CERT_RESULT_MAX +}; + +void RecordGetDomainBoundCertResult(GetCertResult result) { + UMA_HISTOGRAM_ENUMERATION("DomainBoundCerts.GetDomainBoundCertResult", result, + GET_CERT_RESULT_MAX); +} + +void RecordGetCertTime(base::TimeDelta request_time) { + UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTime", + request_time, + base::TimeDelta::FromMilliseconds(1), + base::TimeDelta::FromMinutes(5), + 50); +} + } // namespace // Represents the output and result callback of a request. class ServerBoundCertServiceRequest { public: - ServerBoundCertServiceRequest(const CompletionCallback& callback, + ServerBoundCertServiceRequest(base::TimeTicks request_start, + const CompletionCallback& callback, SSLClientCertType* type, std::string* private_key, std::string* cert) - : callback_(callback), + : request_start_(request_start), + callback_(callback), type_(type), private_key_(private_key), cert_(cert) { 
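Review bot: The bucket layout of the timing histograms is written as literals in RecordGetCertTime (`FromMilliseconds(1)`, `FromMinutes(5)`, `50`) and repeated at the GetCertTimeAsync call in Post() and the GenerateCertTime call in GenerateCert(), so the three can drift apart without anyone noticing. GetCertTime and GetCertTimeAsync are only comparable while they share the same range, so consider naming the bounds once in the anonymous namespace, for example `const int kCertTimeBucketCount = 50;` plus matching minimum and maximum values, and using them at all three sites. The enum comment could also state that new results must be added immediately before `GET_CERT_RESULT_MAX`.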
@@ -63,6 +104,7 @@ class ServerBoundCertServiceRequest { // Ensures that the result callback will never be made. void Cancel() { + RecordGetDomainBoundCertResult(ASYNC_CANCELLED); callback_.Reset(); type_ = NULL; private_key_ = NULL; @@ -75,6 +117,31 @@ class ServerBoundCertServiceRequest { SSLClientCertType type, const std::string& private_key, const std::string& cert) { + switch (error) { + case OK: { + base::TimeDelta request_time = base::TimeTicks::Now() - request_start_; + UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GetCertTimeAsync", + request_time, + base::TimeDelta::FromMilliseconds(1), + base::TimeDelta::FromMinutes(5), + 50); + RecordGetCertTime(request_time); + RecordGetDomainBoundCertResult(ASYNC_SUCCESS); + break; + } + case ERR_KEY_GENERATION_FAILED: + RecordGetDomainBoundCertResult(ASYNC_FAILURE_KEYGEN); + break; + case ERR_ORIGIN_BOUND_CERT_GENERATION_FAILED: + RecordGetDomainBoundCertResult(ASYNC_FAILURE_CREATE_CERT); + break; + case ERR_PRIVATE_KEY_EXPORT_FAILED: + RecordGetDomainBoundCertResult(ASYNC_FAILURE_EXPORT_KEY); + break; + default: + RecordGetDomainBoundCertResult(ASYNC_FAILURE_UNKNOWN); + break; + } if (!callback_.is_null()) { *type_ = type; *private_key_ = private_key; @@ -87,6 +154,7 @@ class ServerBoundCertServiceRequest { bool canceled() const { return callback_.is_null(); } private: + base::TimeTicks request_start_; CompletionCallback callback_; SSLClientCertType* type_; std::string* private_key_; 
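Review bot: A request that is cancelled and later completed appears to be counted twice, because the `switch (error)` added at the top of Post() runs before the existing `if (!callback_.is_null())` check, while Cancel() has already recorded `ASYNC_CANCELLED`. That guard and `canceled()` suggest Post() is still reached for cancelled requests; if so, GetDomainBoundCertResult receives a second sample (ASYNC_SUCCESS or one of the failures) and the GetCertTime and GetCertTimeAsync histograms get a timing for a request nobody was waiting on. Wrapping the recording as `if (!canceled()) { switch (error) { ... } }` keeps one outcome per call, which is what the enum comment promises. Post()'s body continues outside the hunk, so confirm this against the rest of the function.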
@@ -313,17 +381,21 @@ int ServerBoundCertService::GetDomainBoundCert( const CompletionCallback& callback, RequestHandle* out_req) { DCHECK(CalledOnValidThread()); + base::TimeTicks request_start = base::TimeTicks::Now(); *out_req = NULL; if (callback.is_null() || !private_key || !cert || origin.empty() || requested_types.empty()) { + RecordGetDomainBoundCertResult(INVALID_ARGUMENT); return ERR_INVALID_ARGUMENT; } std::string domain = GetDomainForHost(GURL(origin).host()); - if (domain.empty()) + if (domain.empty()) { + RecordGetDomainBoundCertResult(INVALID_ARGUMENT); return ERR_INVALID_ARGUMENT; + } SSLClientCertType preferred_type = CLIENT_CERT_INVALID_TYPE; for (size_t i = 0; i < requested_types.size(); ++i) { @@ -333,6 +405,7 @@ int ServerBoundCertService::GetDomainBoundCert( } } if (preferred_type == CLIENT_CERT_INVALID_TYPE) { + RecordGetDomainBoundCertResult(UNSUPPORTED_TYPE); // None of the requested types are supported. return ERR_CLIENT_AUTH_CERT_TYPE_UNSUPPORTED; } @@ -359,6 +432,10 @@ int ServerBoundCertService::GetDomainBoundCert( << domain; } else { cert_store_hits_++; + RecordGetDomainBoundCertResult(SYNC_SUCCESS); + base::TimeDelta request_time = base::TimeTicks::Now() - request_start; + UMA_HISTOGRAM_TIMES("DomainBoundCerts.GetCertTimeSync", request_time); + RecordGetCertTime(request_time); return OK; } } @@ -382,6 +459,7 @@ int ServerBoundCertService::GetDomainBoundCert( // misconfigured. Since we only store one type of cert per domain, we // are unable to handle this well. Just return an error and let the first // job finish. + RecordGetDomainBoundCertResult(TYPE_MISMATCH); return ERR_ORIGIN_BOUND_CERT_GENERATION_TYPE_MISMATCH; } inflight_joins_++; 
@@ -397,13 +475,14 @@ int ServerBoundCertService::GetDomainBoundCert( delete worker; // TODO(rkn): Log to the NetLog. LOG(ERROR) << "ServerBoundCertServiceWorker couldn't be started."; + RecordGetDomainBoundCertResult(WORKER_FAILURE); return ERR_INSUFFICIENT_RESOURCES; // Just a guess. } inflight_[domain] = job; } - ServerBoundCertServiceRequest* request = - new ServerBoundCertServiceRequest(callback, type, private_key, cert); + ServerBoundCertServiceRequest* request = new ServerBoundCertServiceRequest( + request_start, callback, type, private_key, cert); job->AddRequest(request); *out_req = request; return ERR_IO_PENDING; @@ -421,9 +500,10 @@ int ServerBoundCertService::GenerateCert(const std::string& server_identifier, base::Time* expiration_time, std::string* private_key, std::string* cert) { - base::Time now = base::Time::Now(); + base::TimeTicks start = base::TimeTicks::Now(); + base::Time not_valid_before = base::Time::Now(); base::Time not_valid_after = - now + base::TimeDelta::FromDays(kValidityPeriodInDays); + not_valid_before + base::TimeDelta::FromDays(kValidityPeriodInDays); std::string der_cert; std::vector<uint8> private_key_info; switch (type) { @@ -437,7 +517,7 @@ int ServerBoundCertService::GenerateCert(const std::string& server_identifier, key.get(), server_identifier, serial_number, - now, + not_valid_before, not_valid_after, &der_cert)) { DLOG(ERROR) << "Unable to create x509 cert for client"; @@ -462,8 +542,13 @@ int ServerBoundCertService::GenerateCert(const std::string& server_identifier, private_key->swap(key_out); cert->swap(der_cert); - *creation_time = now; + *creation_time = not_valid_before; *expiration_time = not_valid_after; + UMA_HISTOGRAM_CUSTOM_TIMES("DomainBoundCerts.GenerateCertTime", + base::TimeTicks::Now() - start, + base::TimeDelta::FromMilliseconds(1), + base::TimeDelta::FromMinutes(5), + 50); return OK; } diff --git a/net/socket/ssl_client_socket_nss.cc b/net/socket/ssl_client_socket_nss.cc index 5b24440..23c1d15 100644 
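Review bot: `DomainBoundCerts.GenerateCertTime` is recorded only immediately before `return OK` in GenerateCert, so the error paths (for example the "Unable to create x509 cert for client" branch visible in the preceding hunk, which presumably returns early) contribute no sample. That is probably intended, but it deserves a comment such as `// Only successful generations are timed; failures show up in GetDomainBoundCertResult.` so the histogram is not read as covering every attempt. GenerateCert's body starts and ends outside these hunks.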
--- a/net/socket/ssl_client_socket_nss.cc +++ b/net/socket/ssl_client_socket_nss.cc @@ -959,10 +959,14 @@ int SSLClientSocketNSS::InitializeSSLOptions() { #endif #ifdef SSL_ENABLE_OB_CERTS + UMA_HISTOGRAM_BOOLEAN("DBC.Advertised", + ssl_config_.domain_bound_certs_enabled); rv = SSL_OptionSet(nss_fd_, SSL_ENABLE_OB_CERTS, ssl_config_.domain_bound_certs_enabled); if (rv != SECSuccess) LogFailedNSSFunction(net_log_, "SSL_OptionSet", "SSL_ENABLE_OB_CERTS"); +#else + UMA_HISTOGRAM_BOOLEAN("DBC.Advertised", false); #endif #ifdef SSL_ENCRYPT_CLIENT_CERTS |
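Review bot: `DBC.Advertised` is sampled before `SSL_OptionSet` runs, so a `true` sample is recorded even when the call fails and only `LogFailedNSSFunction` is invoked; in that case the option was presumably not enabled on the socket and the metric overstates how often domain bound certs are offered. Recording after the call, e.g. `UMA_HISTOGRAM_BOOLEAN("DBC.Advertised", ssl_config_.domain_bound_certs_enabled && rv == SECSuccess);`, would make the histogram reflect the effective setting. The name also departs from the `DomainBoundCerts.` prefix used for the histograms in server_bound_cert_service.cc. InitializeSSLOptions continues outside the hunk.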