// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. // // This protobuffer is intended to store reports from Chrome users of // certificate pinning errors. A report will be sent from Chrome when it gets // e.g. a certificate for google.com that chains up to a root CA not expected by // Chrome for that origin, such as DigiNotar (compromised in July 2011), or // other pinning errors such as a blacklisted cert in the chain. The // report from the user will include the hostname being accessed, // the full certificate chain (in PEM format), and the // timestamp of when the client tried to access the site. A response is // generated by the frontend and logged, including validation and error checking // done on the client's input data. syntax = "proto2"; package chrome_browser_net; // Chrome requires this. option optimize_for = LITE_RUNTIME; // Protocol types message CertLoggerRequest { // The hostname being accessed (required as the cert could be valid for // multiple hosts, e.g. a wildcard or a SubjectAltName. required string hostname = 1; // The certificate chain as a series of PEM-encoded certificates, including // intermediates but not necessarily the root. required string cert_chain = 2; // The time (in usec since the epoch) when the client attempted to access the // site generating the pinning error. required int64 time_usec = 3; // public_key_hash contains the string forms of the hashes calculated for // the chain. (I.e. "sha1/".) repeated string public_key_hash = 4; // pin contains the string forms of the pins that were matched against for // this host. repeated string pin = 5; }; // The response sent back to the user. message CertLoggerResponse { enum ResponseCode { OK = 1; MALFORMED_CERT_DATA = 2; HOST_CERT_DONT_MATCH = 3; ROOT_NOT_RECOGNIZED = 4; ROOT_NOT_UNEXPECTED = 5; OTHER_ERROR = 6; }; required ResponseCode response = 1; };