// Copyright 2021 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

// Proto definitions supporting the Chrome Root Store.
// This file should be manually kept in sync with the corresponding google3
// file.

syntax = "proto3";

package chrome_root_store;

// Specifies a set of constraints. Every constraint in the set that has a
// value must be satisfied for the ConstraintSet to be satisfied (the fields
// are ANDed together).
//
// NOTE(review): a ConstraintSet with no field set would appear to be
// vacuously satisfied, which would leave the anchor that references it
// effectively unconstrained. Confirm how the consumer treats an empty set.
message ConstraintSet {
  // The leaf certificate must have at least one valid SCT timestamp that is
  // not after the specified value, specified in seconds since the unix epoch.
  // As worded, a leaf with no valid SCT does not satisfy this constraint.
  optional int64 sct_not_after_sec = 1;

  // The leaf certificate must have at least one valid SCT timestamp and all
  // valid SCT timestamps must be after the specified value, specified in
  // seconds since the unix epoch.
  // As worded, a leaf with no valid SCT does not satisfy this constraint.
  optional int64 sct_all_after_sec = 2;

  // The browser version must be equal to or greater than the specified
  // version (inclusive lower bound).
  // Specified as a dotted version string, for example, "121.0.6167.160". A
  // partial version is also allowed, for example min_version="121" will match
  // any M-121 version or later.
  optional string min_version = 3;

  // The browser version must be less than the specified version (exclusive
  // upper bound).
  // For example, max_version_exclusive="122" will match any M-121 or earlier
  // version, and will not match any M-122 version.
  optional string max_version_exclusive = 4;
}

// One root certificate in the Chrome Root Store, together with its EV policy
// OIDs, the constraints under which it is trusted, and a display name.
message TrustAnchor {
  // The human-editable textproto version of the root store references roots in
  // a separate file by SHA-256 hash for convenience. It is converted to the DER
  // representation as part of the build process.
  oneof certificate {
    // The certificate in its DER representation.
    bytes der = 1;

    // SHA-256 hash referencing a root stored in a separate file.
    // Presumably hex-encoded, per the field name; confirm the expected case
    // and format against the build tooling that resolves it.
    string sha256_hex = 2;
  }

  // EV policy OIDs for this anchor.
  // OID should be expressed as dotted-decimal text (e.g. "1.3.159.1.17.1")
  repeated string ev_policy_oids = 3;

  // If not empty, the anchor is only trusted if at least one of the
  // ConstraintSets is satisfied (the sets are ORed with each other, while the
  // fields inside a single ConstraintSet are ANDed).
  repeated ConstraintSet constraints = 4;

  // Human-readable display name used to identify the certificate.
  // Nothing in this file ties this label to a trust decision.
  optional string display_name = 5;
}

// Message storing a complete Chrome Root Store.
message RootStore {
  // The trust anchors that make up this root store.
  repeated TrustAnchor trust_anchors = 1;

  // Major version # of the Chrome Root Store. It is assumed that if
  // root_store_1.version_major > root_store_2.version_major, then root_store_1
  // is newer and should be preferred over root_store_2.
  //
  // Declared without `optional`, so in proto3 an unset value is
  // indistinguishable from 0.
  // NOTE(review): this ordering is the only freshness signal visible in this
  // file; confirm that consumers refuse to replace a store with one whose
  // version_major is lower.
  int64 version_major = 2;
}