From 3140c3f16038163682f91a20cae754bbb8508ae4 Mon Sep 17 00:00:00 2001
From: Roland Bracewell Shoemaker
Date: Fri, 18 Aug 2017 07:09:24 -0700
Subject: [PATCH] Add CSR signature algorithm usage metric (#2990)

---
 wfe/wfe.go | 26 +++++++++++++++++++++-----
 wfe/wfe_test.go | 14 ++++++++++++++
 2 files changed, 35 insertions(+), 5 deletions(-)

diff --git a/wfe/wfe.go b/wfe/wfe.go
index 4952f17d7..4f19eff17 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -19,6 +19,7 @@ import (
 "time"
 
 "github.com/jmhodges/clock"
+ "github.com/prometheus/client_golang/prometheus"
 "golang.org/x/net/context"
 jose "gopkg.in/square/go-jose.v2"
 
@@ -94,6 +95,8 @@ type WebFrontEndImpl struct {
 
 AcceptRevocationReason bool
 AllowAuthzDeactivation bool
+
+ csrSignatureAlgs *prometheus.CounterVec
 }
 
 // signatureValidationError indicates that the user's signature could not
@@ -115,12 +118,22 @@ func NewWebFrontEndImpl(
 return WebFrontEndImpl{}, err
 }
 
+ csrSignatureAlgs := prometheus.NewCounterVec(
+ prometheus.CounterOpts{
+ Name: "csrSignatureAlgs",
+ Help: "Number of CSR signatures by algorithm",
+ },
+ []string{"type"},
+ )
+ stats.MustRegister(csrSignatureAlgs)
+
 return WebFrontEndImpl{
- log: logger,
- clk: clk,
- nonceService: nonceService,
- stats: stats,
- keyPolicy: keyPolicy,
+ log: logger,
+ clk: clk,
+ nonceService: nonceService,
+ stats: stats,
+ keyPolicy: keyPolicy,
+ csrSignatureAlgs: csrSignatureAlgs,
 }, nil
 }
 
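Review bot: The new `csrSignatureAlgs` field added to `WebFrontEndImpl` carries no comment saying what it counts or where it is incremented, and the only place a reader can find that out is the `NewCertificate` hunk further down. A one-line field comment such as `// csrSignatureAlgs counts CSRs handled by NewCertificate, labelled by their signature algorithm.` would make the struct self-explanatory. The rest of the `WebFrontEndImpl` definition is outside this hunk.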
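Review bot: The metric name `Name: "csrSignatureAlgs"` in `NewWebFrontEndImpl` does not follow the Prometheus naming convention of snake_case with a `_total` suffix for counters, so `Name: "csr_signature_algs_total"` would be the conventional spelling unless the rest of this codebase deliberately uses camelCase metric names, which is not visible here. Separately, `stats.MustRegister(csrSignatureAlgs)` panics on duplicate registration, so if `NewWebFrontEndImpl` is ever called more than once against the same registry (tests are the usual case) it is safer, assuming `stats` is a `prometheus.Registerer`, to call `stats.Register` and tolerate a `prometheus.AlreadyRegisteredError`. The `Help` text could also say what is actually counted, e.g. `Help: "Number of CSRs received by NewCertificate, by signature algorithm"`, since "CSR signatures by algorithm" reads as if signatures were verified here.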
@@ -948,6 +961,9 @@ func (wfe *WebFrontEndImpl) NewCertificate(ctx context.Context, logEvent *reques logEvent.Extra["CSREmailAddresses"] = certificateRequest.CSR.EmailAddresses logEvent.Extra["CSRIPAddresses"] = certificateRequest.CSR.IPAddresses + // Inc CSR signature algorithm counter + wfe.csrSignatureAlgs.With(prometheus.Labels{"type": certificateRequest.CSR.SignatureAlgorithm.String()}).Inc() + // Create new certificate and return // TODO IMPORTANT: The RA trusts the WFE to provide the correct key. If the // WFE is compromised, *and* the attacker knows the public key of an account diff --git a/wfe/wfe_test.go b/wfe/wfe_test.go index e8d5b841a..dd993ef09 100644 --- a/wfe/wfe_test.go +++ b/wfe/wfe_test.go @@ -21,6 +21,8 @@ import ( "time" "github.com/jmhodges/clock" + "github.com/prometheus/client_golang/prometheus" + "github.com/prometheus/client_model/go" "golang.org/x/net/context" "gopkg.in/square/go-jose.v2" @@ -1008,6 +1010,9 @@ func TestIssueCertificate(t *testing.T) { assertJSONEquals(t, responseWriter.Body.String(), `{"type":"urn:acme:error:malformed","detail":"CSR generated using a pre-1.0.2 OpenSSL with a client that doesn't properly specify the CSR version. See https://community.letsencrypt.org/t/openssl-bug-information/19591","status":400}`) + + // Test the CSR signature type counter works + test.AssertEquals(t, count("type", "SHA256-RSA", wfe.csrSignatureAlgs), 4) } func TestGetChallenge(t *testing.T) { @@ -2242,3 +2247,12 @@ func TestKeyRollover(t *testing.T) { assertJSONEquals(t, responseWriter.Body.String(), testCase.expectedResponse) } } + +func count(key string, value string, counter *prometheus.CounterVec) int { + ch := make(chan prometheus.Metric, 10) + counter.With(prometheus.Labels{key: value}).Collect(ch) + m := <-ch + var iom io_prometheus_client.Metric + _ = m.Write(&iom) + return int(iom.Counter.GetValue()) +}
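Review bot: The `wfe.csrSignatureAlgs...Inc()` call sits before the "Create new certificate" path, so it counts every CSR that reaches this point in `NewCertificate` whether or not a certificate is later issued; the comment `// Inc CSR signature algorithm counter` should state that, e.g. `// Count the submitted CSR's signature algorithm; incremented regardless of whether issuance below succeeds.` The label value is derived from client input, which is normally a cardinality risk for a metric label, but assuming `CSR` is an `*x509.CertificateRequest` the parser maps it to the closed `x509.SignatureAlgorithm` enum and `String()` yields a fixed name per value, so the series set stays bounded; a short note to that effect in the comment would stop a future reader from worrying about it. `NewCertificate` starts and ends outside this hunk.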
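Review bot: The expected value `4` in `test.AssertEquals(t, count("type", "SHA256-RSA", wfe.csrSignatureAlgs), 4)` is unexplained; nothing in the hunk says which of the earlier requests in `TestIssueCertificate` reach the counter, so whoever adds another request to this test will only discover the coupling when the assertion fails. Replace the comment `// Test the CSR signature type counter works` with one that names the contributing requests, along the lines of `// N of the requests above carry a SHA256-RSA CSR that reaches the counter in NewCertificate; requests rejected before that point do not count.` with the cases filled in from the test body, which is outside this hunk.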
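Review bot: The new `count` helper discards the error from `m.Write(&iom)` via `_ = m.Write(&iom)`, so a failed proto conversion reads as `0` and the assertion in `TestIssueCertificate` fails with a misleading value; give the helper a `t *testing.T` parameter and write `if err := m.Write(&iom); err != nil { t.Fatalf("reading counter %s=%s: %v", key, value, err) }`. Note also that `counter.With(...)` creates the child series on first access, so a mistyped label value silently yields `0` rather than an error, which is worth stating in a doc comment such as `// count returns the current value of the child of counter selected by the single label key=value; a series that has never been incremented reads as 0.` Finally, the import `"github.com/prometheus/client_model/go"` added in the wfe_test.go import hunk is referenced as `io_prometheus_client`, which does not match the path's last element, so an explicit alias `io_prometheus_client "github.com/prometheus/client_model/go"` would make the usage traceable.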