// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include "chrome/browser/component_updater/component_unpacker.h" #include #include #include "base/file_util.h" #include "base/json/json_value_serializer.h" #include "base/memory/scoped_handle.h" #include "base/string_number_conversions.h" #include "base/stringprintf.h" #include "chrome/browser/extensions/sandboxed_extension_unpacker.h" #include "chrome/browser/component_updater/component_updater_service.h" #include "chrome/common/extensions/extension_constants.h" #include "chrome/common/zip.h" #include "crypto/secure_hash.h" #include "crypto/signature_verifier.h" using crypto::SecureHash; namespace { // This class makes sure that the CRX digital signature is valid // and well formed. class CRXValidator { public: enum Result { kValid, kInvalidHeader, kWrongMagic, kInvalidVersion, kInvalidKey, kInvalidSignature, kWrongKeyFormat, kSignatureMismatch, kLast }; explicit CRXValidator(FILE* crx_file) : result_(kLast) { SXU::ExtensionHeader header; size_t len = fread(&header, 1, sizeof(header), crx_file); if (len < sizeof(header)) { result_ = kInvalidHeader; return; } if (strncmp(SXU::kExtensionHeaderMagic, header.magic, sizeof(header.magic))) { result_ = kWrongMagic; return; } if (header.version != SXU::kCurrentVersion) { result_ = kInvalidVersion; return; } if ((header.key_size > SXU::kMaxPublicKeySize) || (header.key_size == 0)) { result_ = kInvalidKey; return; } if ((header.signature_size > SXU::kMaxSignatureSize) || (header.signature_size == 0)) { result_ = kInvalidSignature; return; } std::vector key(header.key_size); len = fread(&key[0], sizeof(uint8), header.key_size, crx_file); if (len < header.key_size) { result_ = kInvalidKey; return; } std::vector signature(header.signature_size); len = fread(&signature[0], sizeof(uint8), header.signature_size, crx_file); if (len < header.signature_size) { result_ = kInvalidSignature; return; } crypto::SignatureVerifier verifier; if (!verifier.VerifyInit(extension_misc::kSignatureAlgorithm, sizeof(extension_misc::kSignatureAlgorithm), &signature[0], signature.size(), &key[0], key.size())) { // Signature verification initialization failed. This is most likely // caused by a public key in the wrong format (should encode algorithm). result_ = kWrongKeyFormat; return; } const size_t kBufSize = 8 * 1024; scoped_array buf(new uint8[kBufSize]); while ((len = fread(buf.get(), 1, kBufSize, crx_file)) > 0) verifier.VerifyUpdate(buf.get(), len); if (!verifier.VerifyFinal()) { result_ = kSignatureMismatch; return; } public_key_.swap(key); result_ = kValid; } Result result() const { return result_; } const std::vector& public_key() const { return public_key_; } private: // TODO(cpu): Move the kExtensionHeaderMagic constants to a better header // right now it feels we are reaching too deep into the extension code. typedef SandboxedExtensionUnpacker SXU; Result result_; std::vector public_key_; }; // Deserialize the CRX manifest. The top level must be a dictionary. // TODO(cpu): add a specific attribute check to a component json that the // extension unpacker will reject, so that a component cannot be installed // as an extension. base::DictionaryValue* ReadManifest(const FilePath& unpack_path) { FilePath manifest = unpack_path.Append(FILE_PATH_LITERAL("manifest.json")); if (!file_util::PathExists(manifest)) return NULL; JSONFileValueSerializer serializer(manifest); std::string error; scoped_ptr root(serializer.Deserialize(NULL, &error)); if (!root.get()) return NULL; if (!root->IsType(base::Value::TYPE_DICTIONARY)) return NULL; return static_cast(root.release()); } } // namespace. ComponentUnpacker::ComponentUnpacker(const std::vector& pk_hash, const FilePath& path, ComponentInstaller* installer) : error_(kNone) { if (pk_hash.empty() || path.empty()) { error_ = kInvalidParams; return; } // First, validate the CRX header and signature. As of today // this is SHA1 with RSA 1024. ScopedStdioHandle file(file_util::OpenFile(path, "rb")); if (!file.get()) { error_ = kInvalidFile; return; } CRXValidator validator(file.get()); if (validator.result() != CRXValidator::kValid) { error_ = kInvalidFile; return; } file.Close(); // File is vaild and the digital signature matches. Now make sure // the public key hash matches the expected hash. If they do we fully // trust this CRX. uint8 hash[32]; scoped_ptr sha256(SecureHash::Create(SecureHash::SHA256)); sha256->Update(&(validator.public_key()[0]), validator.public_key().size()); sha256->Finish(hash, arraysize(hash)); if (!std::equal(pk_hash.begin(), pk_hash.end(), hash)) { error_ = kInvalidId; return; } // We want the temporary directory to be unique and yet predictable, so // we can easily find the package in a end user machine. std::string dir(StringPrintf("CRX_%s", base::HexEncode(hash, 6).c_str())); unpack_path_ = path.DirName().AppendASCII(dir.c_str()); if (file_util::DirectoryExists(unpack_path_)) { if (!file_util::Delete(unpack_path_, true)) { unpack_path_.clear(); error_ = kUzipPathError; return; } } if (!file_util::CreateDirectory(unpack_path_)) { unpack_path_.clear(); error_ = kUzipPathError; return; } if (!zip::Unzip(path, unpack_path_)) { error_ = kUnzipFailed; return; } scoped_ptr manifest(ReadManifest(unpack_path_)); if (!manifest.get()) { error_ = kBadManifest; return; } if (!installer->Install(manifest.release(), unpack_path_)) { error_ = kInstallerError; return; } // Installation succesful. The directory is not our concern now. unpack_path_.clear(); } ComponentUnpacker::~ComponentUnpacker() { if (!unpack_path_.empty()) { file_util::Delete(unpack_path_, true); } }