Add CSR signature algorithm usage metric (#2990)
This commit is contained in:
parent
11a2149746
commit
3140c3f160
26
wfe/wfe.go
26
wfe/wfe.go
|
|
@ -19,6 +19,7 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/jmhodges/clock"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"golang.org/x/net/context"
|
||||
jose "gopkg.in/square/go-jose.v2"
|
||||
|
||||
|
|
@ -94,6 +95,8 @@ type WebFrontEndImpl struct {
|
|||
|
||||
AcceptRevocationReason bool
|
||||
AllowAuthzDeactivation bool
|
||||
|
||||
csrSignatureAlgs *prometheus.CounterVec
|
||||
}
|
||||
|
||||
// signatureValidationError indicates that the user's signature could not
|
||||
|
|
@ -115,12 +118,22 @@ func NewWebFrontEndImpl(
|
|||
return WebFrontEndImpl{}, err
|
||||
}
|
||||
|
||||
csrSignatureAlgs := prometheus.NewCounterVec(
|
||||
prometheus.CounterOpts{
|
||||
Name: "csrSignatureAlgs",
|
||||
Help: "Number of CSR signatures by algorithm",
|
||||
},
|
||||
[]string{"type"},
|
||||
)
|
||||
stats.MustRegister(csrSignatureAlgs)
|
||||
|
||||
return WebFrontEndImpl{
|
||||
log: logger,
|
||||
clk: clk,
|
||||
nonceService: nonceService,
|
||||
stats: stats,
|
||||
keyPolicy: keyPolicy,
|
||||
log: logger,
|
||||
clk: clk,
|
||||
nonceService: nonceService,
|
||||
stats: stats,
|
||||
keyPolicy: keyPolicy,
|
||||
csrSignatureAlgs: csrSignatureAlgs,
|
||||
}, nil
|
||||
}
|
||||
|
||||
|
|
@ -948,6 +961,9 @@ func (wfe *WebFrontEndImpl) NewCertificate(ctx context.Context, logEvent *reques
|
|||
logEvent.Extra["CSREmailAddresses"] = certificateRequest.CSR.EmailAddresses
|
||||
logEvent.Extra["CSRIPAddresses"] = certificateRequest.CSR.IPAddresses
|
||||
|
||||
// Inc CSR signature algorithm counter
|
||||
wfe.csrSignatureAlgs.With(prometheus.Labels{"type": certificateRequest.CSR.SignatureAlgorithm.String()}).Inc()
|
||||
|
||||
// Create new certificate and return
|
||||
// TODO IMPORTANT: The RA trusts the WFE to provide the correct key. If the
|
||||
// WFE is compromised, *and* the attacker knows the public key of an account
|
||||
|
|
|
|||
|
|
@ -21,6 +21,8 @@ import (
|
|||
"time"
|
||||
|
||||
"github.com/jmhodges/clock"
|
||||
"github.com/prometheus/client_golang/prometheus"
|
||||
"github.com/prometheus/client_model/go"
|
||||
"golang.org/x/net/context"
|
||||
"gopkg.in/square/go-jose.v2"
|
||||
|
||||
|
|
@ -1008,6 +1010,9 @@ func TestIssueCertificate(t *testing.T) {
|
|||
assertJSONEquals(t,
|
||||
responseWriter.Body.String(),
|
||||
`{"type":"urn:acme:error:malformed","detail":"CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591","status":400}`)
|
||||
|
||||
// Test the CSR signature type counter works
|
||||
test.AssertEquals(t, count("type", "SHA256-RSA", wfe.csrSignatureAlgs), 4)
|
||||
}
|
||||
|
||||
func TestGetChallenge(t *testing.T) {
|
||||
|
|
@ -2242,3 +2247,12 @@ func TestKeyRollover(t *testing.T) {
|
|||
assertJSONEquals(t, responseWriter.Body.String(), testCase.expectedResponse)
|
||||
}
|
||||
}
|
||||
|
||||
func count(key string, value string, counter *prometheus.CounterVec) int {
|
||||
ch := make(chan prometheus.Metric, 10)
|
||||
counter.With(prometheus.Labels{key: value}).Collect(ch)
|
||||
m := <-ch
|
||||
var iom io_prometheus_client.Metric
|
||||
_ = m.Write(&iom)
|
||||
return int(iom.Counter.GetValue())
|
||||
}
|
||||
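Review bot: `count` at the end of the section discards the error from `m.Write(&iom)` and would block forever on `m := <-ch` if `Collect` emitted nothing, so a broken metric pipeline would surface as a wrong value or a hung test rather than a clear failure. Give the helper a `t *testing.T` parameter and fail explicitly, `if err := m.Write(&iom); err != nil { t.Fatalf("writing metric: %v", err) }`, and guard the receive with `select` against a short timeout (or check `len(ch)` right after `Collect`). The import `"github.com/prometheus/client_model/go"` is used under the package name `io_prometheus_client`, which differs from the path's last element; an explicit alias `io_prometheus_client "github.com/prometheus/client_model/go"` makes that visible to readers and to goimports. The new assertion pins only the `SHA256-RSA` label at 4; submitting a second CSR signed with a different algorithm would confirm that labels are actually separated rather than one counter being bumped regardless of algorithm.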
|
|
|
|||