// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Proto definitions supporting the Chrome Root Store.
// This file should be manually kept in sync with the corresponding google3
// file.

syntax = "proto3";

package chrome_root_store;

// Specifies a set of constraints. Every constraint that has a value must be
// satisfied for the ConstraintSet to be satisfied (logical AND over the fields
// that are set); a field with no value imposes no constraint.
//
// NOTE(review): every field here is optional, so a ConstraintSet with no field
// set would presumably be satisfied by any certificate. Confirm how the
// consumer treats an empty ConstraintSet before relying on one to restrict
// trust.
message ConstraintSet {
  // The leaf certificate must have at least one valid SCT timestamp that is
  // not after the specified value, specified in seconds since the unix epoch.
  optional int64 sct_not_after_sec = 1;

  // The leaf certificate must have at least one valid SCT timestamp and all
  // valid SCT timestamps must be after the specified value, specified in
  // seconds since the unix epoch.
  optional int64 sct_all_after_sec = 2;

  // The browser version must be equal to or greater than the specified version.
  // Specified as a dotted version string, for example, "121.0.6167.160". A
  // partial version is also allowed, for example min_version="121" will match
  // any M-121 version or later.
  optional string min_version = 3;

  // The browser version must be less than the specified version (the bound is
  // exclusive). For example, max_version_exclusive="122" will match any M-121
  // or earlier version, and will not match any M-122 version.
  optional string max_version_exclusive = 4;
}

// One root certificate in the root store, together with its EV policy OIDs,
// the constraints under which it is trusted, and a display name.
message TrustAnchor {
  // The certificate itself, given either as DER bytes (`der`) or as a SHA-256
  // hash in hex (`sha256_hex`).
  //
  // The human-editable textproto version of the root store references roots in
  // a separate file by SHA-256 hash for convenience. It is converted to the DER
  // representation as part of the build process.
  //
  // NOTE(review): presumably the hash is taken over the DER-encoded
  // certificate and consumers of the built store only ever see `der`; confirm
  // against the build step that performs the conversion.
  oneof certificate {
    bytes der = 1;
    string sha256_hex = 2;
  }

  // OID should be expressed as dotted-decimal text (e.g. "1.3.159.1.17.1")
  repeated string ev_policy_oids = 3;

  // If not empty, the anchor is only trusted if at least one of the
  // ConstraintSets is satisfied (logical OR across the sets, AND within each
  // set). If empty, this field places no restriction on the anchor.
  repeated ConstraintSet constraints = 4;

  // Human-readable display name used to identify the certificate.
  optional string display_name = 5;
}

// Message storing a complete Chrome Root Store.
message RootStore {
  // The trust anchors that make up this root store.
  repeated TrustAnchor trust_anchors = 1;

  // Major version # of the Chrome Root Store. It is assumed that if
  // root_store_1.version_major > root_store_2.version_major, then root_store_1
  // is newer and should be preferred over root_store_2.
  //
  // Declared without `optional`, so under proto3 an absent value reads back
  // as 0 and cannot be told apart from an explicit 0.
  // NOTE(review): confirm that 0 is never used as a real version, otherwise a
  // store with a missing version is indistinguishable from version 0.
  int64 version_major = 2;
}