1
    2
    3
    4
    5
    6
    7
    8
    9
   10
   11
   12
   13
   14
   15
   16
   17
   18
   19
   20
   21
   22
   23
   24
   25
   26
   27
   28
   29
   30
   31
   32
   33
   34
   35
   36
   37
   38
   39
   40
   41
   42
   43
   44
   45
   46
   47
   48
   49
   50
   51
   52
   53
   54
   55
   56
   57
   58
   59
   60
   61
   62
   63
   64
   65
   66
   67
   68
   69
   70
   71
   72
   73
   74
   75
   76
   77
   78
   79
   80
   81
   82
   83
   84
   85
   86
   87
   88
   89
   90
   91
   92
   93
   94
   95
   96


content / browser / web_package / signed_exchange_error.h [blame]

// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef CONTENT_BROWSER_WEB_PACKAGE_SIGNED_EXCHANGE_ERROR_H_
#define CONTENT_BROWSER_WEB_PACKAGE_SIGNED_EXCHANGE_ERROR_H_

#include <optional>
#include <string>
#include <utility>

#include "content/browser/web_package/signed_exchange_signature_verifier.h"

namespace content {

// This enum is used for recording histograms. Treat as append-only.
enum class SignedExchangeLoadResult {
  kSuccess,
  // SXG was served from non-secure origin.
  kSXGServedFromNonHTTPS,
  // SXG parse error (couldn't extract fallback URL).
  kFallbackURLParseError,
  // Unsupported version of SXG (could extract fallback URL).
  kVersionMismatch,
  // SXG parse error (could extract fallback URL).
  kHeaderParseError,
  // Network error occurred while loading SXG header.
  kSXGHeaderNetError,
  // Failed to fetch certificate chain.
  kCertFetchError,
  // Failed to parse certificate chain.
  kCertParseError,
  // Signature verification failed.
  kSignatureVerificationError,
  // Cert verification failed.
  kCertVerificationError,
  // CT verification failed.
  kCTVerificationError,
  // OCSP check failed.
  kOCSPError,
  // Certificate Requirements aren't met.
  // https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html#cross-origin-cert-req
  kCertRequirementsNotMet,
  // SXG was served without "X-Content-Type-Options: nosniff" header.
  kSXGServedWithoutNosniff,
  // Merkle integrity error.
  kMerkleIntegrityError,
  // Invalid integrity header error.
  kInvalidIntegrityHeader,
  // SXG has Variants / Variant-Key headers that don't match the request.
  kVariantMismatch,
  // Certificate's validity period is too long.
  kCertValidityPeriodTooLong,
  // SXG had "Vary: Cookie" inner header but we had a cookie for the URL.
  kHadCookieForCookielessOnlySXG,
  // The certificate didn't match the built-in public key pins for the host
  // name.
  kPKPViolationError,
  kMaxValue = kPKPViolationError
};

struct SignedExchangeError {
 public:
  enum class Field {
    kSignatureSig,
    kSignatureIintegrity,
    kSignatureCertUrl,
    kSignatureCertSha256,
    kSignatureValidityUrl,
    kSignatureTimestamps,
  };

  // |signature_index| will be used when we will support multiple signatures in
  // a signed exchange header to indicate which signature is causing the error.
  using FieldIndexPair = std::pair<int /* signature_index */, Field>;

  static std::optional<Field> GetFieldFromSignatureVerifierResult(
      SignedExchangeSignatureVerifier::Result verify_result);

  SignedExchangeError(const std::string& message,
                      std::optional<FieldIndexPair> field);

  // Copy constructor.
  SignedExchangeError(const SignedExchangeError& other);
  // Move constructor.
  SignedExchangeError(SignedExchangeError&& other);

  ~SignedExchangeError();

  std::string message;
  std::optional<FieldIndexPair> field;
};

}  // namespace content

#endif  // CONTENT_BROWSER_WEB_PACKAGE_SIGNED_EXCHANGE_ERROR_H_