components/certificate_reporting/cert_logger.proto - chromium/src.git - Git at Google

 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 //
 // This protobuffer is intended to store reports from Chrome users of
 // certificate errors. A report will be sent from Chrome when it gets
 // e.g. a certificate for google.com that chains up to a root CA not expected by
 // Chrome for that origin, such as DigiNotar (compromised in July 2011), or
 // other pinning errors such as a blacklisted cert in the chain, or
 // (when opted in) other certificate validation errors like an expired
 // cert. The report from the user will include the hostname being accessed,
 // the full certificate chain (in PEM format), and the
 // timestamp of when the client tried to access the site. A response is
 // generated by the frontend and logged, including validation and error checking
 // done on the client's input data.

 syntax = "proto2";

 // Chrome requires this.
 option optimize_for = LITE_RUNTIME;

 package certificate_reporting;

 // Protocol types

 message CertLoggerInterstitialInfo {
   // The different reasons that an SSL warning interstitial could be shown to
   // a user.
   enum InterstitialReason {
     UNKNOWN_INTERSTITIAL_REASON = 0;
     // A standard SSL interstitial
     INTERSTITIAL_SSL = 1;
     // An interstitial alerting the user that they are in a captive portal
     INTERSTITIAL_CAPTIVE_PORTAL = 2;
     // An interstitial telling the user to update their system clock
     INTERSTITIAL_CLOCK = 3;
   }

   // The type of interstitial that was shown
   optional InterstitialReason interstitial_reason = 1;
   // True if the user clicked through to the offending website
   optional bool user_proceeded = 2;
   // True if the user was shown an option to click through
   optional bool overridable = 3;
 }

 message CertLoggerRequest {
   // The hostname being accessed (required as the cert could be valid for
   // multiple hosts, e.g. a wildcard or a SubjectAltName.
   required string hostname = 1;
   // The certificate chain as a series of PEM-encoded certificates, including
   // intermediates but not necessarily the root.
   required string cert_chain = 2;
   // The time (in usec since the epoch) when the client attempted to access the
   // site generating the pinning error.
   required int64 time_usec = 3;
   // public_key_hash contains the string forms of the hashes calculated for
   // the chain. (I.e. "sha1/<base64 data>".)
   repeated string public_key_hash = 4;
   // pin contains the string forms of the pins that were matched against for
   // this host.
   repeated string pin = 5;

   enum CertError {
     UNKNOWN_CERT_ERROR = 0;
     ERR_CERT_REVOKED = 1;
     ERR_CERT_INVALID = 2;
     ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3;
     ERR_CERT_AUTHORITY_INVALID = 4;
     ERR_CERT_COMMON_NAME_INVALID = 5;
     ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6;
     ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7;
     ERR_CERT_WEAK_KEY = 8;
     ERR_CERT_DATE_INVALID = 9;
     ERR_CERT_VALIDITY_TOO_LONG = 10;
     ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11;
     ERR_CERT_NO_REVOCATION_MECHANISM = 12;
     ERR_CERT_NON_UNIQUE_NAME = 13;
     ERR_CERTIFICATE_TRANSPARENCY_REQUIRED = 14;
   };

   // Certificate errors encountered (if any) when validating this
   // certificate chain.
   repeated CertError cert_error = 6;

   // Information about the interstitial that was shown to the user for
   // this certificate error.
   optional CertLoggerInterstitialInfo interstitial_info = 7;

   // The unverified certificate chain as received by the client, as a
   // series of PEM-encoded certificates. Can be different than
   // |cert_chain|, which is the chain the client built during
   // verification.
   optional string unverified_cert_chain = 8;

   // True if the certificate was rooted at a standard CA root ,as opposed to a
   // user-installed root, but is only meaningful if the underlying certificate
   // validation library built a trusted chain (i.e. the Chrome net stack set the
   // error, not the library).
   optional bool is_issued_by_known_root = 9;
 };
	// Copyright 2015 The Chromium Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style license that can be
	// found in the LICENSE file.
	//
	// This protobuffer is intended to store reports from Chrome users of
	// certificate errors. A report will be sent from Chrome when it gets
	// e.g. a certificate for google.com that chains up to a root CA not expected by
	// Chrome for that origin, such as DigiNotar (compromised in July 2011), or
	// other pinning errors such as a blacklisted cert in the chain, or
	// (when opted in) other certificate validation errors like an expired
	// cert. The report from the user will include the hostname being accessed,
	// the full certificate chain (in PEM format), and the
	// timestamp of when the client tried to access the site. A response is
	// generated by the frontend and logged, including validation and error checking
	// done on the client's input data.

	syntax = "proto2";

	// Chrome requires this.
	option optimize_for = LITE_RUNTIME;

	package certificate_reporting;

	// Protocol types

	message CertLoggerInterstitialInfo {
	// The different reasons that an SSL warning interstitial could be shown to
	// a user.
	enum InterstitialReason {
	UNKNOWN_INTERSTITIAL_REASON = 0;
	// A standard SSL interstitial
	INTERSTITIAL_SSL = 1;
	// An interstitial alerting the user that they are in a captive portal
	INTERSTITIAL_CAPTIVE_PORTAL = 2;
	// An interstitial telling the user to update their system clock
	INTERSTITIAL_CLOCK = 3;
	}

	// The type of interstitial that was shown
	optional InterstitialReason interstitial_reason = 1;
	// True if the user clicked through to the offending website
	optional bool user_proceeded = 2;
	// True if the user was shown an option to click through
	optional bool overridable = 3;
	}

	message CertLoggerRequest {
	// The hostname being accessed (required as the cert could be valid for
	// multiple hosts, e.g. a wildcard or a SubjectAltName.
	required string hostname = 1;
	// The certificate chain as a series of PEM-encoded certificates, including
	// intermediates but not necessarily the root.
	required string cert_chain = 2;
	// The time (in usec since the epoch) when the client attempted to access the
	// site generating the pinning error.
	required int64 time_usec = 3;
	// public_key_hash contains the string forms of the hashes calculated for
	// the chain. (I.e. "sha1/<base64 data>".)
	repeated string public_key_hash = 4;
	// pin contains the string forms of the pins that were matched against for
	// this host.
	repeated string pin = 5;

	enum CertError {
	UNKNOWN_CERT_ERROR = 0;
	ERR_CERT_REVOKED = 1;
	ERR_CERT_INVALID = 2;
	ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3;
	ERR_CERT_AUTHORITY_INVALID = 4;
	ERR_CERT_COMMON_NAME_INVALID = 5;
	ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6;
	ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7;
	ERR_CERT_WEAK_KEY = 8;
	ERR_CERT_DATE_INVALID = 9;
	ERR_CERT_VALIDITY_TOO_LONG = 10;
	ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11;
	ERR_CERT_NO_REVOCATION_MECHANISM = 12;
	ERR_CERT_NON_UNIQUE_NAME = 13;
	ERR_CERTIFICATE_TRANSPARENCY_REQUIRED = 14;
	};

	// Certificate errors encountered (if any) when validating this
	// certificate chain.
	repeated CertError cert_error = 6;

	// Information about the interstitial that was shown to the user for
	// this certificate error.
	optional CertLoggerInterstitialInfo interstitial_info = 7;

	// The unverified certificate chain as received by the client, as a
	// series of PEM-encoded certificates. Can be different than
	// \|cert_chain\|, which is the chain the client built during
	// verification.
	optional string unverified_cert_chain = 8;

	// True if the certificate was rooted at a standard CA root ,as opposed to a
	// user-installed root, but is only meaningful if the underlying certificate
	// validation library built a trusted chain (i.e. the Chrome net stack set the
	// error, not the library).
	optional bool is_issued_by_known_root = 9;
	};