Fixed interceptor

Makefile

@@ -7,7 +7,11 @@ enter-venv:
 setup-python:
 	mkdir -p gen/python
 	protoc --python_out=gen/python crs.proto
+	protoc --python_out=gen/python pins.proto
+	protoc --python_out=gen/python ct.proto
 	cp gen/python/crs_pb2.py src/root_store_gen
+	cp gen/python/pins_pb2.py src/root_store_gen
+	cp gen/python/ct_pb2.py src/root_store_gen
 	exit
 build-packed-data:
 	mkdir -p out/PKIMetadata

ct.proto

@@ -0,0 +1,135 @@
+// Copyright 2021 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+
+package chrome_browser_certificate_transparency;
+
+// Copyright 2021 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+option optimize_for = LITE_RUNTIME;
+
+message CTTimestamp {
+  int64 seconds = 1;
+
+  int32 nanos = 2;
+}
+
+
+// Represents the final state of a log at the time it was made read-only.
+message FinalTreeHead {
+  // Size of the log at the time it was made read-only.
+  uint64 tree_size = 1;
+  // Root hash of the log (base64-encoded) at the time it was made read-only.
+  string sha256_root_hash = 2;
+}
+
+message CTLog {
+  // Human-readable description to identify log.
+  string description = 1;
+  // Public key of the log, as a DER-encoded ASN.1 SubjectPublicKeyInfo
+  // structure, then encoded as base64
+  // (https://tools.ietf.org/html/rfc5280#section-4.1.2.7).
+  string key = 2;
+  // The base64-encoded LogID found in SCTs issued by this log
+  // (https://tools.ietf.org/html/rfc6962#section-3.2).
+  string log_id = 3;
+  // Maximum merge delay, in seconds. The log should not take longer than this
+  // to incorporate a certificate.
+  uint64 mmd_secs = 4;
+  // URL of the log's HTTP API.
+  string url = 5;
+
+  message Interval {
+    CTTimestamp start = 1;
+    CTTimestamp end = 2;
+  }
+  // The log will only accept certificates that expire between those dates.
+  // Start time is inclusive, end time is not inclusive.
+  Interval temporal_interval = 6;
+
+  enum Purpose {
+    UNSET_PURPOSE = 0;
+    PROD = 1;
+    TEST = 2;
+  }
+  // Whether the log is for production purposes, or test only.
+  Purpose purpose = 7;
+
+  enum CurrentState {
+    UNSET_STATE = 0;
+    PENDING = 1;
+    QUALIFIED = 2;
+    USABLE = 3;
+    READ_ONLY = 4;
+    RETIRED = 5;
+    REJECTED = 6;
+  }
+  message State {
+    // Current state of the log.
+    CurrentState current_state = 1;
+    // Time at which the log entered this state.
+    CTTimestamp state_start = 2;
+  }
+  // State history of the log. Inverse chronological order, first element should
+  // be the current state.
+  repeated State state = 8;
+
+  message OperatorChange {
+    // Name of the log operator.
+    string name = 1;
+    // Timestamp at which this operator started operating this log.
+    CTTimestamp operator_start = 2;
+  }
+  // History of all log operators that have ever operated this log, including
+  // the timestamp at which each started operating it. Inverse chronological
+  // order, first element should be the current operator.
+  repeated OperatorChange operator_history = 9;
+
+  // State of the log at the time it was made read-only. Should only be set if
+  // state is READ_ONLY.
+  FinalTreeHead read_only_info = 16;
+}
+
+message LogOperator {
+  // Name of this log operator.
+  string name = 1;
+  // Email addresses at which the log operator can be reached.
+  repeated string email = 2;
+}
+
+message CTLogList {
+  // Major version of the list, incremented any time there are changes in the
+  // list, except for trivial (i.e. timestamp-only) changes.
+  uint64 list_version_major = 1;
+  // Minor version of the list, incremented any time the list is modified with
+  // only trivial (i.e. timestamp-only) changes. Allows consumers to determine
+  // the timestamp at which certain changes occur; for example, if a log is
+  // rejected, a consumer can look at the minor version 1 of that major version
+  // to determine at what timestamp that change was made.
+  uint64 list_version_minor = 2;
+  // Log list timestamp. This is meant to be used for freshness checks, and is
+  // updated periodically regardless of whether the list contents' have changed.
+  // Use list_version_major instead if monitoring for list contents' changes.
+  CTTimestamp timestamp = 3;
+  // Compatibility version, incremented if the list structure is changed in a
+  // non-backwards-compatible way.
+  uint64 compatibility_version = 4;
+  // Contains all known log operators.
+  repeated LogOperator operators = 5;
+  // Contains all known logs.
+  repeated CTLog logs = 6;
+}
+
+// Certificate transparency configuration as used by Chrome.
+message CTConfig {
+  // Emergency switch to disable all CT enforcement.
+  bool disable_ct_enforcement = 1;
+  // Logs Chrome should recognize.
+  CTLogList log_list = 2;
+  // A list of the leaf hashes for the most popular SCTs encountered in Chrome
+  // recently. Sorted lexicographically.
+  repeated bytes popular_scts = 3;
+}

pins.proto

@@ -0,0 +1,56 @@
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+syntax = "proto3";
+
+package chrome_browser_key_pinning;
+
+
+option optimize_for = LITE_RUNTIME;
+// Copyright 2022 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+
+
+message KPTimestamp {
+  int64 seconds = 1;
+
+  int32 nanos = 2;
+}
+message PinSet {
+  // Name of the pinset.
+  string name = 1;
+  // Set of allowed SPKIs hashes, represented as the SHA256 of the public key.
+  repeated bytes static_spki_hashes_sha256 = 2;
+  // Optional set of forbidden SPKIs hashes, represented as the SHA256 of the
+  // public key.
+  repeated bytes bad_static_spki_hashes_sha256 = 3;
+  // Optional URI to send bad pin reports to.
+  string report_uri = 4;
+}
+
+message PinSetInfo {
+  // Hostname this pinset applies to.
+  string hostname = 1;
+  // Name of the pinset.
+  string pinset_name = 2;
+  // Whether this pinset applies to subdomains.
+  bool include_subdomains = 3;
+}
+
+message PinList {
+  // Timestamp at which the list was last considered up-to-date. This is updated
+  // periodically even if the list contents do not change.
+  KPTimestamp timestamp = 1;
+  // Compatibility version incremented if the list structure changes in a non
+  // backwards compatible way.
+  uint64 compatibility_version = 2;
+  // All known pinsets.
+  repeated PinSet pinsets = 3;
+  // List of known hosts with pins. Each element represents a different
+  // hostname, and includes the name of the pinset that applies to it, and
+  // whether it applies to subdomains.
+  repeated PinSetInfo host_pins = 4;
+}

src/root_store_gen/generate_new_pbs.py

@@ -4,6 +4,9 @@ import pathlib
 import importlib.util
 import sys
 import crs_pb2
+from pathlib import Path
+import pins_pb2
+import ct_pb2
 def usage():
     print("Usage: <proto input> <new ca key>... <proto output>")
 cwd = path.dirname(path.abspath(sys.argv[0]))
@@ -15,6 +18,8 @@ for a in sys.argv[2:-1:]:
     print(f"Registering CA from {a}")
     cas.append(a)
 outfile = sys.argv[-1]
+
+
 print(f'reading from: {sys.argv[1]}')
 print(f"Outputing to: {outfile}")
 out = open(outfile, 'wb')
@@ -32,5 +37,20 @@ for ca in cas:
         next_trust_anchor.display_name = "Success!"
         print(next_trust_anchor.constraints)
         rs.trust_anchors.append(next_trust_anchor)
+rs.version_major = 30
 out.write(rs.SerializeToString())
 out.close()
+
+
+pins = Path(path.join(path.dirname(sys.argv[-1]), 'kp_pinslist.pb'))
+
+pins_pb = pins_pb2.PinList()
+pins_pb.ParseFromString(pins.read_bytes())
+while len(pins_pb.host_pins) != 0:
+    pins_pb.host_pins.pop()
+pins.write_bytes(pins_pb.SerializeToString())
+ct = Path(path.join(path.dirname(sys.argv[-1]), 'ct_config.pb'))
+ct_pb = ct_pb2.CTConfig()
+ct_pb.ParseFromString(ct.read_bytes())
+ct_pb.disable_ct_enforcement = True
+ct.write_bytes(ct_pb.SerializeToString())