// Copyright 2015 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // This protobuffer is intended to store reports from Chrome users of // certificate errors. A report will be sent from Chrome when it gets // e.g. a certificate for google.com that chains up to a root CA not expected by // Chrome for that origin, such as DigiNotar (compromised in July 2011), or // other pinning errors such as a blacklisted cert in the chain, or // (when opted in) other certificate validation errors like an expired // cert. The report from the user will include the hostname being accessed, // the full certificate chain (in PEM format), and the // timestamp of when the client tried to access the site. A response is // generated by the frontend and logged, including validation and error checking // done on the client's input data. syntax = "proto2"; // Chrome requires this. option optimize_for = LITE_RUNTIME; package certificate_reporting; // Protocol types message CertLoggerInterstitialInfo { // The different reasons that an SSL warning interstitial could be shown to // a user. enum InterstitialReason { UNKNOWN_INTERSTITIAL_REASON = 0; // A standard SSL interstitial INTERSTITIAL_SSL = 1; // An interstitial alerting the user that they are in a captive portal INTERSTITIAL_CAPTIVE_PORTAL = 2; // An interstitial telling the user to update their system clock INTERSTITIAL_CLOCK = 3; } // The type of interstitial that was shown optional InterstitialReason interstitial_reason = 1; // True if the user clicked through to the offending website optional bool user_proceeded = 2; // True if the user was shown an option to click through optional bool overridable = 3; } message CertLoggerRequest { // The hostname being accessed (required as the cert could be valid for // multiple hosts, e.g. a wildcard or a SubjectAltName. required string hostname = 1; // The certificate chain as a series of PEM-encoded certificates, including // intermediates but not necessarily the root. required string cert_chain = 2; // The time (in usec since the epoch) when the client attempted to access the // site generating the pinning error. required int64 time_usec = 3; // public_key_hash contains the string forms of the hashes calculated for // the chain. (I.e. "sha1/".) repeated string public_key_hash = 4; // pin contains the string forms of the pins that were matched against for // this host. repeated string pin = 5; enum CertError { UNKNOWN_CERT_ERROR = 0; ERR_CERT_REVOKED = 1; ERR_CERT_INVALID = 2; ERR_SSL_PINNED_KEY_NOT_IN_CERT_CHAIN = 3; ERR_CERT_AUTHORITY_INVALID = 4; ERR_CERT_COMMON_NAME_INVALID = 5; ERR_CERT_NAME_CONSTRAINT_VIOLATION = 6; ERR_CERT_WEAK_SIGNATURE_ALGORITHM = 7; ERR_CERT_WEAK_KEY = 8; ERR_CERT_DATE_INVALID = 9; ERR_CERT_VALIDITY_TOO_LONG = 10; ERR_CERT_UNABLE_TO_CHECK_REVOCATION = 11; ERR_CERT_NO_REVOCATION_MECHANISM = 12; ERR_CERT_NON_UNIQUE_NAME = 13; }; // Certificate errors encountered (if any) when validating this // certificate chain. repeated CertError cert_error = 6; // Information about the interstitial that was shown to the user for // this certificate error. optional CertLoggerInterstitialInfo interstitial_info = 7; // The unverified certificate chain as received by the client, as a // series of PEM-encoded certificates. Can be different than // |cert_chain|, which is the chain the client built during // verification. optional string unverified_cert_chain = 8; };