diff --git a/Makefile b/Makefile index ddac521..098c9d0 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,11 @@ enter-venv: setup-python: mkdir -p gen/python protoc --python_out=gen/python crs.proto + protoc --python_out=gen/python pins.proto + protoc --python_out=gen/python ct.proto cp gen/python/crs_pb2.py src/root_store_gen + cp gen/python/pins_pb2.py src/root_store_gen + cp gen/python/ct_pb2.py src/root_store_gen exit build-packed-data: mkdir -p out/PKIMetadata diff --git a/ct.proto b/ct.proto new file mode 100644 index 0000000..5794665 --- /dev/null +++ b/ct.proto @@ -0,0 +1,135 @@ +// Copyright 2021 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +syntax = "proto3"; + +package chrome_browser_certificate_transparency; + +// Copyright 2021 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. +option optimize_for = LITE_RUNTIME; + +message CTTimestamp { + int64 seconds = 1; + + int32 nanos = 2; +} + + +// Represents the final state of a log at the time it was made read-only. +message FinalTreeHead { + // Size of the log at the time it was made read-only. + uint64 tree_size = 1; + // Root hash of the log (base64-encoded) at the time it was made read-only. + string sha256_root_hash = 2; +} + +message CTLog { + // Human-readable description to identify log. + string description = 1; + // Public key of the log, as a DER-encoded ASN.1 SubjectPublicKeyInfo + // structure, then encoded as base64 + // (https://tools.ietf.org/html/rfc5280#section-4.1.2.7). + string key = 2; + // The base64-encoded LogID found in SCTs issued by this log + // (https://tools.ietf.org/html/rfc6962#section-3.2). + string log_id = 3; + // Maximum merge delay, in seconds. The log should not take longer than this + // to incorporate a certificate. + uint64 mmd_secs = 4; + // URL of the log's HTTP API. + string url = 5; + + message Interval { + CTTimestamp start = 1; + CTTimestamp end = 2; + } + // The log will only accept certificates that expire between those dates. + // Start time is inclusive, end time is not inclusive. + Interval temporal_interval = 6; + + enum Purpose { + UNSET_PURPOSE = 0; + PROD = 1; + TEST = 2; + } + // Whether the log is for production purposes, or test only. + Purpose purpose = 7; + + enum CurrentState { + UNSET_STATE = 0; + PENDING = 1; + QUALIFIED = 2; + USABLE = 3; + READ_ONLY = 4; + RETIRED = 5; + REJECTED = 6; + } + message State { + // Current state of the log. + CurrentState current_state = 1; + // Time at which the log entered this state. + CTTimestamp state_start = 2; + } + // State history of the log. Inverse chronological order, first element should + // be the current state. + repeated State state = 8; + + message OperatorChange { + // Name of the log operator. + string name = 1; + // Timestamp at which this operator started operating this log. + CTTimestamp operator_start = 2; + } + // History of all log operators that have ever operated this log, including + // the timestamp at which each started operating it. Inverse chronological + // order, first element should be the current operator. + repeated OperatorChange operator_history = 9; + + // State of the log at the time it was made read-only. Should only be set if + // state is READ_ONLY. + FinalTreeHead read_only_info = 16; +} + +message LogOperator { + // Name of this log operator. + string name = 1; + // Email addresses at which the log operator can be reached. + repeated string email = 2; +} + +message CTLogList { + // Major version of the list, incremented any time there are changes in the + // list, except for trivial (i.e. timestamp-only) changes. + uint64 list_version_major = 1; + // Minor version of the list, incremented any time the list is modified with + // only trivial (i.e. timestamp-only) changes. Allows consumers to determine + // the timestamp at which certain changes occur; for example, if a log is + // rejected, a consumer can look at the minor version 1 of that major version + // to determine at what timestamp that change was made. + uint64 list_version_minor = 2; + // Log list timestamp. This is meant to be used for freshness checks, and is + // updated periodically regardless of whether the list contents' have changed. + // Use list_version_major instead if monitoring for list contents' changes. + CTTimestamp timestamp = 3; + // Compatibility version, incremented if the list structure is changed in a + // non-backwards-compatible way. + uint64 compatibility_version = 4; + // Contains all known log operators. + repeated LogOperator operators = 5; + // Contains all known logs. + repeated CTLog logs = 6; +} + +// Certificate transparency configuration as used by Chrome. +message CTConfig { + // Emergency switch to disable all CT enforcement. + bool disable_ct_enforcement = 1; + // Logs Chrome should recognize. + CTLogList log_list = 2; + // A list of the leaf hashes for the most popular SCTs encountered in Chrome + // recently. Sorted lexicographically. + repeated bytes popular_scts = 3; +} \ No newline at end of file diff --git a/pins.proto b/pins.proto new file mode 100644 index 0000000..0495dfa --- /dev/null +++ b/pins.proto @@ -0,0 +1,56 @@ +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + +syntax = "proto3"; + +package chrome_browser_key_pinning; + + +option optimize_for = LITE_RUNTIME; +// Copyright 2022 The Chromium Authors +// Use of this source code is governed by a BSD-style license that can be +// found in the LICENSE file. + + + +message KPTimestamp { + int64 seconds = 1; + + int32 nanos = 2; +} +message PinSet { + // Name of the pinset. + string name = 1; + // Set of allowed SPKIs hashes, represented as the SHA256 of the public key. + repeated bytes static_spki_hashes_sha256 = 2; + // Optional set of forbidden SPKIs hashes, represented as the SHA256 of the + // public key. + repeated bytes bad_static_spki_hashes_sha256 = 3; + // Optional URI to send bad pin reports to. + string report_uri = 4; +} + +message PinSetInfo { + // Hostname this pinset applies to. + string hostname = 1; + // Name of the pinset. + string pinset_name = 2; + // Whether this pinset applies to subdomains. + bool include_subdomains = 3; +} + +message PinList { + // Timestamp at which the list was last considered up-to-date. This is updated + // periodically even if the list contents do not change. + KPTimestamp timestamp = 1; + // Compatibility version incremented if the list structure changes in a non + // backwards compatible way. + uint64 compatibility_version = 2; + // All known pinsets. + repeated PinSet pinsets = 3; + // List of known hosts with pins. Each element represents a different + // hostname, and includes the name of the pinset that applies to it, and + // whether it applies to subdomains. + repeated PinSetInfo host_pins = 4; +} \ No newline at end of file diff --git a/src/root_store_gen/generate_new_pbs.py b/src/root_store_gen/generate_new_pbs.py index 4c54638..119ecfe 100644 --- a/src/root_store_gen/generate_new_pbs.py +++ b/src/root_store_gen/generate_new_pbs.py @@ -4,6 +4,9 @@ import pathlib import importlib.util import sys import crs_pb2 +from pathlib import Path +import pins_pb2 +import ct_pb2 def usage(): print("Usage: ... ") cwd = path.dirname(path.abspath(sys.argv[0])) @@ -15,6 +18,8 @@ for a in sys.argv[2:-1:]: print(f"Registering CA from {a}") cas.append(a) outfile = sys.argv[-1] + + print(f'reading from: {sys.argv[1]}') print(f"Outputing to: {outfile}") out = open(outfile, 'wb') @@ -32,5 +37,20 @@ for ca in cas: next_trust_anchor.display_name = "Success!" print(next_trust_anchor.constraints) rs.trust_anchors.append(next_trust_anchor) +rs.version_major = 30 out.write(rs.SerializeToString()) -out.close() \ No newline at end of file +out.close() + + +pins = Path(path.join(path.dirname(sys.argv[-1]), 'kp_pinslist.pb')) + +pins_pb = pins_pb2.PinList() +pins_pb.ParseFromString(pins.read_bytes()) +while len(pins_pb.host_pins) != 0: + pins_pb.host_pins.pop() +pins.write_bytes(pins_pb.SerializeToString()) +ct = Path(path.join(path.dirname(sys.argv[-1]), 'ct_config.pb')) +ct_pb = ct_pb2.CTConfig() +ct_pb.ParseFromString(ct.read_bytes()) +ct_pb.disable_ct_enforcement = True +ct.write_bytes(ct_pb.SerializeToString()) \ No newline at end of file