1// Copyright 2021 The Chromium Authors
2// Use of this source code is governed by a BSD-style license that can be
3// found in the LICENSE file.
4
5// Proto definitions supporting the Chrome Root Store.
6// This file should be manually kept in sync with the corresponding google3
7// file.
8
9syntax = "proto3";
10
11package chrome_root_store;
12
// Specifies a set of constraints. Every constraint in the set that has a
// value must be satisfied for the ConstraintSet as a whole to be satisfied;
// constraints without a value are ignored.
// NOTE(review): by that rule a ConstraintSet with no fields set is vacuously
// satisfied and imposes no restriction on the anchor -- such an entry should
// be rejected at authoring/build time rather than shipped.
message ConstraintSet {
  // The leaf certificate must have at least one valid SCT timestamp that is
  // not after the specified value, specified in seconds since the unix epoch.
  // Presumably used to keep trusting certificates that were logged before a
  // cutoff while an anchor is being phased out -- confirm against the
  // consumer.
  optional int64 sct_not_after_sec = 1;

  // The leaf certificate must have at least one valid SCT timestamp and all
  // valid SCT timestamps must be after the specified value, specified in
  // seconds since the unix epoch.
  optional int64 sct_all_after_sec = 2;

  // The browser version must be equal to or greater than the specified version.
  // Specified as a dotted version string, for example, "121.0.6167.160". A
  // partial version is also allowed, for example min_version="121" will match
  // any M-121 version or later.
  optional string min_version = 3;

  // The browser version must be less than the specified version.
  // For example, max_version_exclusive="122" will match any M-121 or earlier
  // version, and will not match any M-122 version.
  // NOTE(review): the exact component-wise comparison used for dotted version
  // strings is not defined in this file -- see the consumer for how a partial
  // version is compared against a full one.
  optional string max_version_exclusive = 4;

  // All DNS names in the leaf certificate subjectAltNames must fall within the
  // subtrees defined by `permitted_dns_names`. The constraints are interpreted
  // as described in RFC 5280 section 4.2.1.10.
  // NOTE(review): only dNSName SAN entries are mentioned here; how a leaf with
  // no dNSName SAN, or with other name types (e.g. IP addresses), is treated
  // when this list is non-empty is not specified in this file -- confirm in
  // the consumer.
  repeated string permitted_dns_names = 5;
}
41
// A single root certificate trusted by the store, with optional EV policy
// OIDs and trust constraints.
message TrustAnchor {
  // The certificate for this anchor. The human-editable textproto version of
  // the root store references roots in a separate file by SHA-256 hash for
  // convenience; it is converted to the DER representation as part of the
  // build process, so a compiled store is expected to carry `der`.
  // NOTE(review): a `sha256_hex` that the build cannot resolve to a
  // certificate should fail the build rather than ship unresolved -- confirm
  // in the build tooling.
  oneof certificate {
    // DER encoding of the certificate.
    bytes der = 1;
    // Hex-encoded SHA-256 hash identifying the certificate (build-time
    // reference; resolved to `der` by the build).
    string sha256_hex = 2;
  }

  // Policy OIDs under which certificates chaining to this anchor are
  // presumably recognized as EV -- this file only fixes the format. Each OID
  // should be expressed as dotted-decimal text (e.g. "1.3.159.1.17.1").
  repeated string ev_policy_oids = 3;

  // If not empty, the anchor is only trusted if at least one of the
  // ConstraintSets is satisfied (OR across sets; AND within a set). An empty
  // list means the anchor is trusted without constraint.
  // NOTE(review): a list containing a ConstraintSet with no fields set is
  // also satisfied unconditionally (see ConstraintSet), so constraints added
  // to an anchor must be checked for that case.
  repeated ConstraintSet constraints = 4;

  // Human-readable display name used to identify the certificate.
  optional string display_name = 5;
}
61
// Message storing a complete Chrome Root Store.
message RootStore {
  // The trust anchors that make up this store.
  repeated TrustAnchor trust_anchors = 1;

  // Major version # of the Chrome Root Store. It is assumed that if
  // root_store_1.version_major > root_store_2.version_major, then root_store_1
  // is newer and should be preferred over root_store_2.
  // This field has proto3 implicit presence (no `optional`), so a store with
  // the field unset reads as version 0 and therefore as older than any store
  // carrying a positive version.
  // NOTE(review): the "newer is preferred" rule implies consumers should not
  // replace an installed store with one whose version_major is lower
  // (rollback); whether that is enforced is not visible in this file.
  int64 version_major = 2;
}
71