OLD | NEW |
| (Empty) |
1 // Copyright (c) 2011 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 // | |
5 // This protobuffer is intended to store reports from Chrome users of | |
6 // certificate errors. A report will be sent from Chrome when it gets | |
7 // e.g. a certificate for google.com that chains up to a root CA not expected by | |
8 // Chrome for that origin, such as DigiNotar (compromised in July 2011), or | |
9 // other pinning errors such as a blacklisted cert in the chain, or | |
10 // (when opted in) other certificate validation errors like an expired | |
11 // cert. The report from the user will include the hostname being accessed, | |
12 // the full certificate chain (in PEM format), and the | |
13 // timestamp of when the client tried to access the site. A response is | |
14 // generated by the frontend and logged, including validation and error checking | |
15 // done on the client's input data. | |
16 | |
17 | |
18 syntax = "proto2"; | |
19 | |
20 package chrome_browser_net; | |
21 | |
22 // Chrome requires this. | |
23 option optimize_for = LITE_RUNTIME; | |
24 | |
25 // Protocol types | |
26 message CertLoggerRequest { | |
27 // The hostname being accessed (required as the cert could be valid for | |
28 // multiple hosts, e.g. a wildcard or a SubjectAltName. | |
29 required string hostname = 1; | |
30 // The certificate chain as a series of PEM-encoded certificates, including | |
31 // intermediates but not necessarily the root. | |
32 required string cert_chain = 2; | |
33 // The time (in usec since the epoch) when the client attempted to access the | |
34 // site generating the pinning error. | |
35 required int64 time_usec = 3; | |
36 // public_key_hash contains the string forms of the hashes calculated for | |
37 // the chain. (I.e. "sha1/<base64 data>".) | |
38 repeated string public_key_hash = 4; | |
39 // pin contains the string forms of the pins that were matched against for | |
40 // this host. | |
41 repeated string pin = 5; | |
42 | |
43 enum CertError { | |
44 ERR_CERT_REVOKED = 1; | |
45 ERR_CERT_INVALID = 2; | |
46 ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3; | |
47 ERR_CERT_AUTHORITY_INVALID = 4; | |
48 ERR_CERT_COMMON_NAME_INVALID = 5; | |
49 ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6; | |
50 ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7; | |
51 ERR_CERT_WEAK_KEY = 8; | |
52 ERR_CERT_DATE_INVALID = 9; | |
53 ERR_CERT_VALIDITY_TOO_LONG = 10; | |
54 ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11; | |
55 ERR_CERT_NO_REVOCATION_MECHANISM = 12; | |
56 ERR_CERT_NON_UNIQUE_NAME = 13; | |
57 }; | |
58 | |
59 // Certificate errors encountered (if any) when validating this | |
60 // certificate chain. | |
61 repeated CertError cert_error = 6; | |
62 }; | |
63 | |
64 // A wrapper proto containing an encrypted CertLoggerRequest | |
65 message EncryptedCertLoggerRequest { | |
66 // An encrypted, serialized CertLoggerRequest | |
67 required bytes encrypted_report = 1; | |
68 // The server public key version that was used to derive the shared secret. | |
69 required uint32 server_public_key_version = 2; | |
70 // The client public key that corresponds to the private key that was used | |
71 // to derive the shared secret. | |
72 required bytes client_public_key = 3; | |
73 // The encryption algorithm used to encrypt the report. | |
74 enum Algorithm { | |
75 UNKNOWN_ALGORITHM = 0; | |
76 AEAD_ECDH_AES_128_CTR_HMAC_SHA256 = 1; | |
77 } | |
78 optional Algorithm algorithm = 4 | |
79 [default = AEAD_ECDH_AES_128_CTR_HMAC_SHA256]; | |
80 }; | |
81 | |
82 // The response sent back to the user. | |
83 message CertLoggerResponse { | |
84 enum ResponseCode { | |
85 OK = 1; | |
86 MALFORMED_CERT_DATA = 2; | |
87 HOST_CERT_DONT_MATCH = 3; | |
88 ROOT_NOT_RECOGNIZED = 4; | |
89 ROOT_NOT_UNEXPECTED = 5; | |
90 OTHER_ERROR = 6; | |
91 }; | |
92 required ResponseCode response = 1; | |
93 }; | |
OLD | NEW |