icarus: brand new stuff

.gitignore

@@ -0,0 +1,4 @@
+.venv
+__pycache__
+gen
+original

Makefile

@@ -0,0 +1,7 @@
+setup-venv:
+	python3 -m venv .venv
+	exit
+setup-python:
+	mkdir -p gen/python
+	protoc --python_out=gen/python crs.proto
+	exit

crs.proto

@@ -0,0 +1,65 @@
+// Copyright 2021 The Chromium Authors
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+// Proto definitions supporting the Chrome Root Store.
+// This file should be manually kept in sync with the corresponding google3
+// file.
+
+syntax = "proto3";
+
+package chrome_root_store;
+
+// Specifies a set of constraints, all of which that have values must be
+// satisfied for the ConstraintSet to be satisfied.
+message ConstraintSet {
+  // The leaf certificate must have at least one valid SCT timestamp that is
+  // not after the specified value, specified in seconds since the unix epoch.
+  optional int64 sct_not_after_sec = 1;
+
+  // The leaf certificate must have at least one valid SCT timestamp and all
+  // valid SCT timestamps must be after the specified value, specified in
+  // seconds since the unix epoch.
+  optional int64 sct_all_after_sec = 2;
+
+  // The browser version must be equal to or greater than the specified version.
+  // Specified as a dotted version string, for example, "121.0.6167.160". A
+  // partial version is also allowed, for example min_version="121" will match
+  // any M-121 version or later.
+  optional string min_version = 3;
+
+  // The browser version must be less than the specified version.
+  // For example, max_version_exclusive="122" will match any M-121 or earlier
+  // version, and will not match any M-122 version.
+  optional string max_version_exclusive = 4;
+}
+
+message TrustAnchor {
+  // The human-editable textproto version of the root store references roots in
+  // a separate file by SHA-256 hash for convenience. It is converted to the DER
+  // representation as part of the build process.
+  oneof certificate {
+    bytes der = 1;
+    string sha256_hex = 2;
+  }
+
+  // OID should be expressed as dotted-decimal text (e.g. "1.3.159.1.17.1")
+  repeated string ev_policy_oids = 3;
+
+  // If not empty, the anchor is only trusted if at least one of the
+  // ConstraintSets is satisfied.
+  repeated ConstraintSet constraints = 4;
+
+  // Human-readable display name used to identify the certificate.
+  optional string display_name = 5;
+}
+
+// Message storing a complete Chrome Root Store.
+message RootStore {
+  repeated TrustAnchor trust_anchors = 1;
+
+  // Major version # of the Chrome Root Store. It is assumed that if
+  // root_store_1.version_major > root_store_2.version_major, then root_store_1
+  // is newer and should be preferred over root_store_2.
+  int64 version_major = 2;
+}

generate_new_pbs.py

@@ -0,0 +1,16 @@
+import sys
+import os.path as path
+import pathlib
+import importlib.util
+import sys
+import crs_pb2
+def usage():
+    print("Usage: <proto input> <proto output>")
+cwd = path.dirname(path.abspath(sys.argv[0]))
+if len(sys.argv) < 2:
+    usage()
+    exit(-1)
+buf= open(sys.argv[1], 'rb')
+rs = crs_pb2.RootStore()
+rs.ParseFromString(buf.read())
+print(rs.trust_anchors[0])

instructions.md

@@ -0,0 +1 @@
+# TODO: