extensions/browser/verified_contents.h

   1 // Copyright 2014 The Chromium Authors. All rights reserved.
   2 // Use of this source code is governed by a BSD-style license that can be
   3 // found in the LICENSE file.
   4
   5 #ifndef EXTENSIONS_BROWSER_VERIFIED_CONTENTS_H_
   6 #define EXTENSIONS_BROWSER_VERIFIED_CONTENTS_H_
   7
   8 #include <map>
   9 #include <string>
  10 #include <vector>
  11
  12 #include "base/files/file_path.h"
  13 #include "base/version.h"
  14
  15 namespace extensions {
  16
  17 // This class encapsulates the data in a "verified_contents.json" file
  18 // generated by the webstore for a .crx file. That data includes a set of
  19 // signed expected hashes of file content which can be used to check for
  20 // corruption of extension files on local disk.
  21 class VerifiedContents {
  22  public:
  23   // This function fixes up a string in base64url encoding to be in standard
  24   // base64.
  25   //
  26   // The JSON signing spec we're following uses "base64url" encoding (RFC 4648
  27   // section 5 without padding). The slight differences from regular base64
  28   // encoding are:
  29   //   1. uses '_' instead of '/'
  30   //   2. uses '-' instead of '+'
  31   //   3. omits trailing '=' padding
  32   static bool FixupBase64Encoding(std::string* input);
  33
  34   // Note: the public_key must remain valid for the lifetime of this object.
  35   VerifiedContents(const uint8* public_key, int public_key_size);
  36   ~VerifiedContents();
  37
  38   // Returns true if we successfully parsed the verified_contents.json file at
  39   // |path| and validated the enclosed signature. The
  40   // |ignore_invalid_signature| argument can be set to make this still succeed
  41   // if the contents of the file were parsed successfully but the signature did
  42   // not validate. (Use with caution!)
  43   bool InitFrom(const base::FilePath& path, bool ignore_invalid_signature);
  44
  45   int block_size() const { return block_size_; }
  46   const std::string& extension_id() const { return extension_id_; }
  47   const base::Version& version() const { return version_; }
  48
  49   bool HasTreeHashRoot(const base::FilePath& relative_path) const;
  50
  51   bool TreeHashRootEquals(const base::FilePath& relative_path,
  52                           const std::string& expected) const;
  53
  54   // If InitFrom has not been called yet, or was used in "ignore invalid
  55   // signature" mode, this can return false.
  56   bool valid_signature() { return valid_signature_; }
  57
  58  private:
  59   // Returns the base64url-decoded "payload" field from the json at |path|, if
  60   // the signature was valid (or ignore_invalid_signature was set to true).
  61   bool GetPayload(const base::FilePath& path,
  62                   std::string* payload,
  63                   bool ignore_invalid_signature);
  64
  65   // The |protected_value| and |payload| arguments should be base64url encoded
  66   // strings, and |signature_bytes| should be a byte array. See comments in the
  67   // .cc file on GetPayload for where these come from in the overall input
  68   // file.
  69   bool VerifySignature(const std::string& protected_value,
  70                        const std::string& payload,
  71                        const std::string& signature_bytes);
  72
  73   // The public key we should use for signature verification.
  74   const uint8* public_key_;
  75   const int public_key_size_;
  76
  77   // Indicates whether the signature was successfully validated or not.
  78   bool valid_signature_;
  79
  80   // The block size used for computing the treehash root hashes.
  81   int block_size_;
  82
  83   // Information about which extension these signed hashes are for.
  84   std::string extension_id_;
  85   base::Version version_;
  86
  87   // The expected treehash root hashes for each file, lower cased so we can do
  88   // case-insensitive lookups.
  89   //
  90   // We use a multi-map here so that we can do fast lookups of paths from
  91   // requests on case-insensitive systems (windows, mac) where the request path
  92   // might not have the exact right capitalization, but not break
  93   // case-sensitive systems (linux, chromeos). TODO(asargent) - we should give
  94   // developers client-side warnings in each of those cases, and have the
  95   // webstore reject the cases they can statically detect. See crbug.com/29941
  96   typedef std::multimap<base::FilePath::StringType, std::string> RootHashes;
  97   RootHashes root_hashes_;
  98
  99   DISALLOW_COPY_AND_ASSIGN(VerifiedContents);
 100 };
 101
 102 }  // namespace extensions
 103
 104 #endif  // EXTENSIONS_BROWSER_VERIFIED_CONTENTS_H_