Verify signed .crx extension installations

chrome/browser/extensions/extensions_service.cc

 // Copyright (c) 2009 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/extensions_service.h"
 
 #include "app/l10n_util.h"
 #include "base/command_line.h"
+#include "base/crypto/signature_verifier.h"
 #include "base/file_util.h"
 #include "base/gfx/png_encoder.h"
 #include "base/scoped_handle.h"
 #include "base/scoped_temp_dir.h"
 #include "base/string_util.h"
 #include "base/third_party/nss/blapi.h"
 #include "base/third_party/nss/sha256.h"
 #include "base/thread.h"
 #include "base/values.h"
 #include "net/base/file_stream.h"
 #include "chrome/browser/browser.h"
 #include "chrome/browser/browser_list.h"
 #include "chrome/browser/browser_process.h"
 #include "chrome/browser/chrome_thread.h"
+#include "chrome/browser/extensions/extension_creator.h"
 #include "chrome/browser/extensions/extension_browser_event_router.h"
 #include "chrome/browser/extensions/extension_process_manager.h"
 #include "chrome/browser/extensions/external_extension_provider.h"
 #include "chrome/browser/extensions/external_pref_extension_provider.h"
 #include "chrome/browser/profile.h"
 #include "chrome/browser/utility_process_host.h"
 #include "chrome/common/chrome_switches.h"
 #include "chrome/common/extensions/extension.h"
 #include "chrome/common/extensions/extension_error_reporter.h"
 #include "chrome/common/extensions/extension_unpacker.h"
 #include "chrome/common/json_value_serializer.h"
 #include "chrome/common/notification_service.h"
 #include "chrome/common/pref_names.h"
 #include "chrome/common/pref_service.h"
 #include "chrome/common/zip.h"
 #include "chrome/common/url_constants.h"
 #include "grit/chromium_strings.h"
 #include "grit/generated_resources.h"
+#include "net/base/base64.h"
 #include "third_party/skia/include/core/SkBitmap.h"
 
 #if defined(OS_WIN)
 #include "app/win_util.h"
 #include "base/win_util.h"
 #include "chrome/browser/extensions/external_registry_extension_provider_win.h"
 #endif
 
 // ExtensionsService.
 
+const char ExtensionsService::kExtensionHeaderMagic[] = "Cr24";
+
 const char* ExtensionsService::kInstallDirectoryName = "Extensions";
 const char* ExtensionsService::kCurrentVersionFileName = "Current Version";
 const char* ExtensionsServiceBackend::kTempExtensionName = "TEMP_INSTALL";
 
 namespace {
 
 // A preference that keeps track of extension settings. This is a dictionary
 // object read from the Preferences file, keyed off of extension id's.
 const wchar_t kExternalExtensionsPref[] = L"extensions.settings";
 
 // A preference keeping track of how the extension was installed.
 const wchar_t kLocation[] = L"location";
 const wchar_t kState[] = L"state";
 
 // A temporary subdirectory where we unpack extensions.
 const char* kUnpackExtensionDir = "TEMP_UNPACK";
 
-// The version of the extension package that this code understands.
-const uint32 kExpectedVersion = 1;
+// Unpacking errors
+const char* kBadMagicNumberError = "Bad magic number";
+const char* kBadHeaderSizeError = "Excessively large key or signature";
+const char* kBadVersionNumberError = "Bad version number";
+const char* kInvalidExtensionHeaderError = "Invalid extension header";
+const char* kInvalidPublicKeyError = "Invalid public key";
+const char* kInvalidSignatureError = "Invalid signature";
+const char* kSignatureVerificationFailed = "Signature verification failed";
+const char* kSignatureVerificationInitFailed =
+    "Signature verification initialization failed. This is most likely "
+    "caused by a public key in the wrong format (should encode algorithm).";
 }
 
 // This class coordinates an extension unpack task which is run in a separate
 // process.  Results are sent back to this class, which we route to the
 // ExtensionServiceBackend.
 class ExtensionsServiceBackend::UnpackerClient
     : public UtilityProcessHost::Client {
  public:
   UnpackerClient(ExtensionsServiceBackend* backend,
                  const FilePath& extension_path,
+                 const std::string& public_key,
                  const std::string& expected_id,
                  bool from_external)
     : backend_(backend), extension_path_(extension_path),
-      expected_id_(expected_id), from_external_(from_external),
-      got_response_(false) {
+      public_key_(public_key), expected_id_(expected_id),
+      from_external_(from_external), got_response_(false) {
   }
 
   // Starts the unpack task.  We call back to the backend when the task is done,
   // or a problem occurs.
   void Start() {
     AddRef();  // balanced in OnUnpackExtensionReply()
 
     // TODO(mpcomplete): handle multiple installs
     FilePath temp_dir = backend_->install_directory_.AppendASCII(
         kUnpackExtensionDir);
@@ skipping 44 matching lines @@
                                                 &images)) {
        OnUnpackExtensionFailed("Couldn't read image data from disk.");
      } else {
        OnUnpackExtensionSucceededImpl(manifest, images);
      }
   }
 
   void OnUnpackExtensionSucceededImpl(
       const DictionaryValue& manifest,
       const ExtensionUnpacker::DecodedImages& images) {
+    // Add our public key into the parsed manifest. We want it to be saved so
+    // that we can later refer to it (eg for generating ids, validating
+    // signatures, etc).
+    // The const_cast is hacky, but seems like the right thing here, rather than
+    // making a full copy just to make this change.
+    const_cast<DictionaryValue*>(&manifest)->SetString(
+        Extension::kPublicKeyKey, public_key_);
+
     // The extension was unpacked to the temp dir inside our unpacking dir.
     FilePath extension_dir = temp_extension_path_.DirName().AppendASCII(
         ExtensionsServiceBackend::kTempExtensionName);
     backend_->OnExtensionUnpacked(extension_path_, extension_dir,
                                   expected_id_, from_external_,
                                   manifest, images);
     Cleanup();
   }
 
   virtual void OnUnpackExtensionFailed(const std::string& error_message) {
@@ skipping 16 matching lines @@
                               MessageLoop* file_loop) {
     UtilityProcessHost* host = new UtilityProcessHost(rdh, this, file_loop);
     host->StartExtensionUnpacker(temp_extension_path_);
   }
 
   scoped_refptr<ExtensionsServiceBackend> backend_;
 
   // The path to the crx file that we're installing.
   FilePath extension_path_;
 
+  // The public key of the extension we're installing.
+  std::string public_key_;
+
   // The path to the copy of the crx file in the temporary directory where we're
   // unpacking it.
   FilePath temp_extension_path_;
 
   // The ID we expect this extension to have, if any.
   std::string expected_id_;
 
   // True if this is being installed from an external source.
   bool from_external_;
 
@@ skipping 153 matching lines @@
 
   NotificationService::current()->Notify(
       NotificationType::EXTENSIONS_LOADED,
       NotificationService::AllSources(),
       Details<ExtensionList>(&enabled_extensions));
 
   delete new_extensions;
 }
 
 void ExtensionsService::OnExtensionInstalled(Extension* extension,
-                                             bool update) {
+    Extension::InstallType install_type) {
   UpdateExtensionPref(ASCIIToWide(extension->id()), kState,
                       Value::CreateIntegerValue(Extension::ENABLED), false);
   UpdateExtensionPref(ASCIIToWide(extension->id()), kLocation,
                       Value::CreateIntegerValue(Extension::INTERNAL), true);
 
   // If the extension is a theme, tell the profile (and therefore ThemeProvider)
   // to apply it.
   if (extension->IsTheme()) {
     NotificationService::current()->Notify(
         NotificationType::THEME_INSTALLED,
         NotificationService::AllSources(),
         Details<Extension>(extension));
   } else {
     NotificationService::current()->Notify(
         NotificationType::EXTENSION_INSTALLED,
         NotificationService::AllSources(),
         Details<Extension>(extension));
   }
 }
 
 void ExtensionsService::OnExternalExtensionInstalled(
     const std::string& id, Extension::Location location) {
   DCHECK(Extension::IsExternalLocation(location));
   UpdateExtensionPref(ASCIIToWide(id), kState,
                       Value::CreateIntegerValue(Extension::ENABLED), false);
   UpdateExtensionPref(ASCIIToWide(id), kLocation,
                       Value::CreateIntegerValue(location), true);
 }
 
-void ExtensionsService::OnExtensionVersionReinstalled(const std::string& id) {
+void ExtensionsService::OnExtensionOverinstallAttempted(const std::string& id) {
   Extension* extension = GetExtensionByID(id);
   if (extension && extension->IsTheme()) {
     NotificationService::current()->Notify(
         NotificationType::THEME_INSTALLED,
         NotificationService::AllSources(),
         Details<Extension>(extension));
   }
 }
 
 Extension* ExtensionsService::GetExtensionByID(std::string id) {
@@ skipping 224 matching lines @@
   Extension* extension = LoadExtension(extension_path,
                                        Extension::LOAD,
                                        false);  // don't require ID
   if (extension) {
     ExtensionList* extensions = new ExtensionList;
     extensions->push_back(extension);
     ReportExtensionsLoaded(extensions);
   }
 }
 
+DictionaryValue* ExtensionsServiceBackend::ReadManifest(FilePath manifest_path,
+                                                        std::string* error) {
+  JSONFileValueSerializer serializer(manifest_path);
+  scoped_ptr<Value> root(serializer.Deserialize(error));
+  if (!root.get())
+    return NULL;
+
+  if (!root->IsType(Value::TYPE_DICTIONARY)) {
+    *error = Extension::kInvalidManifestError;
+    return NULL;
+  }
+
+  return static_cast<DictionaryValue*>(root.release());
+}
+
 Extension* ExtensionsServiceBackend::LoadExtension(
     const FilePath& extension_path,
     Extension::Location location,
     bool require_id) {
   FilePath manifest_path =
       extension_path.AppendASCII(Extension::kManifestFilename);
   if (!file_util::PathExists(manifest_path)) {
     ReportExtensionLoadError(extension_path, Extension::kInvalidManifestError);
     return NULL;
   }
 
-  JSONFileValueSerializer serializer(manifest_path);
   std::string error;
-  scoped_ptr<Value> root(serializer.Deserialize(&error));
+  scoped_ptr<DictionaryValue> root(ReadManifest(manifest_path, &error));
   if (!root.get()) {
     ReportExtensionLoadError(extension_path, error);
     return NULL;
   }
 
-  if (!root->IsType(Value::TYPE_DICTIONARY)) {
-    ReportExtensionLoadError(extension_path, Extension::kInvalidManifestError);
-    return NULL;
-  }
-
   scoped_ptr<Extension> extension(new Extension(extension_path));
-  if (!extension->InitFromValue(*static_cast<DictionaryValue*>(root.get()),
-                                require_id, &error)) {
+  if (!extension->InitFromValue(*root.get(), require_id, &error)) {
     ReportExtensionLoadError(extension_path, error);
     return NULL;
   }
 
   extension->set_location(location);
 
   // Theme resource validation.
   if (extension->IsTheme()) {
     DictionaryValue* images_value = extension->GetThemeImages();
     DictionaryValue::key_iterator iter = images_value->begin_keys();
@@ skipping 88 matching lines @@
       dir.AppendASCII(ExtensionsService::kCurrentVersionFileName);
   if (file_util::PathExists(current_version)) {
     if (file_util::ReadFileToString(current_version, version_string)) {
       TrimWhitespace(*version_string, TRIM_ALL, version_string);
       return true;
     }
   }
   return false;
 }
 
-bool ExtensionsServiceBackend::CheckCurrentVersion(
+Extension::InstallType ExtensionsServiceBackend::CompareToInstalledVersion(
+    const std::string& id,
     const std::string& new_version_str,
-    const std::string& current_version_str,
-    const FilePath& dest_dir) {
+    std::string *current_version_str) {
+  CHECK(current_version_str);
+  FilePath dir(install_directory_.AppendASCII(id.c_str()));
+  if (!ReadCurrentVersion(dir, current_version_str))
+    return Extension::NEW_INSTALL;
+
   scoped_ptr<Version> current_version(
-      Version::GetVersionFromString(current_version_str));
+    Version::GetVersionFromString(*current_version_str));
   scoped_ptr<Version> new_version(
-      Version::GetVersionFromString(new_version_str));
-  if (current_version->CompareTo(*new_version) >= 0) {
-    // Verify that the directory actually exists.  If it doesn't we'll return
-    // true so that the install code will repair the broken installation.
-    // TODO(erikkay): A further step would be to verify that the extension
-    // has actually loaded successfully.
-    FilePath version_dir = dest_dir.AppendASCII(current_version_str);
-    if (file_util::PathExists(version_dir)) {
-      std::string id = WideToASCII(dest_dir.BaseName().ToWStringHack());
-      StringToLowerASCII(&id);
-      ReportExtensionVersionReinstalled(id);
-      return false;
-    }
-  }
-  return true;
+    Version::GetVersionFromString(new_version_str));
+  int comp = new_version->CompareTo(*current_version);
+  if (comp > 0)
+    return Extension::UPGRADE;
+  else if (comp == 0)
+    return Extension::REINSTALL;
+  else
+    return Extension::DOWNGRADE;
+}
+
+bool ExtensionsServiceBackend::NeedsReinstall(const std::string& id,
+    const std::string& current_version) {
+  // Verify that the directory actually exists.
+  // TODO(erikkay): A further step would be to verify that the extension
+  // has actually loaded successfully.
+  FilePath dir(install_directory_.AppendASCII(id.c_str()));
+  FilePath version_dir(dir.AppendASCII(current_version));
+  return !file_util::PathExists(version_dir);
 }
 
 bool ExtensionsServiceBackend::InstallDirSafely(const FilePath& source_dir,
                                                 const FilePath& dest_dir) {
   if (file_util::PathExists(dest_dir)) {
     // By the time we get here, it should be safe to assume that this directory
     // is not currently in use (it's not the current active version).
     if (!file_util::Delete(dest_dir, true)) {
       ReportExtensionInstallError(source_dir,
           "Can't delete existing version directory.");
@@ skipping 66 matching lines @@
   LOG(INFO) << "Installing extension " << extension_path.value();
 
   frontend_ = frontend;
   alert_on_error_ = true;
 
   bool from_external = false;
   InstallOrUpdateExtension(extension_path, std::string(), from_external);
 }
 
 void ExtensionsServiceBackend::InstallOrUpdateExtension(
-    const FilePath& extension_path, const std::string& expected_id,
+    const FilePath& extension_path,
+    const std::string& expected_id,
     bool from_external) {
-  UnpackerClient* client =
-      new UnpackerClient(this, extension_path, expected_id, from_external);
+  std::string actual_public_key;
+  if (!ValidateSignature(extension_path, &actual_public_key))
+    return;  // Failures reported within ValidateSignature().
+
+  UnpackerClient* client = new UnpackerClient(
+      this, extension_path, actual_public_key, expected_id, from_external);
   client->Start();
 }
 
+bool ExtensionsServiceBackend::ValidateSignature(const FilePath& extension_path,
+                                                 std::string* key_out) {
+  ScopedStdioHandle file(file_util::OpenFile(extension_path, "rb"));
+  if (!file.get()) {
+    ReportExtensionInstallError(extension_path, "Could not open file.");
+    return NULL;
+  }
+
+  // Read and verify the header.
+  ExtensionsService::ExtensionHeader header;
+  size_t len;
+
+  // TODO(erikkay): Yuck.  I'm not a big fan of this kind of code, but it
+  // appears that we don't have any endian/alignment aware serialization
+  // code in the code base.  So for now, this assumes that we're running
+  // on a little endian machine with 4 byte alignment.
+  len = fread(&header, 1, sizeof(ExtensionsService::ExtensionHeader),
+      file.get());
+  if (len < sizeof(ExtensionsService::ExtensionHeader)) {
+    ReportExtensionInstallError(extension_path, kInvalidExtensionHeaderError);
+    return false;
+  }
+  if (strncmp(ExtensionsService::kExtensionHeaderMagic, header.magic,
+      sizeof(header.magic))) {
+    ReportExtensionInstallError(extension_path, kBadMagicNumberError);
+    return false;
+  }
+  if (header.version != ExtensionsService::kCurrentVersion) {
+    ReportExtensionInstallError(extension_path, kBadVersionNumberError);
+    return false;
+  }
+  if (header.key_size > ExtensionsService::kMaxPublicKeySize ||
+      header.signature_size > ExtensionsService::kMaxSignatureSize) {
+    ReportExtensionInstallError(extension_path, kBadHeaderSizeError);
+    return false;
+  }
+
+  std::vector<uint8> key;
+  key.resize(header.key_size);
+  len = fread(&key.front(), sizeof(uint8), header.key_size, file.get());
+  if (len < header.key_size) {
+    ReportExtensionInstallError(extension_path, kInvalidPublicKeyError);
+    return false;
+  }
+
+  std::vector<uint8> signature;
+  signature.resize(header.signature_size);
+  len = fread(&signature.front(), sizeof(uint8), header.signature_size,
+      file.get());
+  if (len < header.signature_size) {
+    ReportExtensionInstallError(extension_path, kInvalidSignatureError);
+    return false;
+  }
+
+  // Note: this structure is an ASN.1 which encodes the algorithm used
+  // with its parameters. This is defined in PKCS #1 v2.1 (RFC 3447).
+  // It is encoding: { OID sha1WithRSAEncryption      PARAMETERS NULL }
+  // TODO(aa): This needs to be factored away someplace common.
+  const uint8 signature_algorithm[15] = {
+    0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
+    0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00
+  };
+
+  base::SignatureVerifier verifier;
+  if (!verifier.VerifyInit(signature_algorithm,
+                           sizeof(signature_algorithm),
+                           &signature.front(),
+                           signature.size(),
+                           &key.front(),
+                           key.size())) {
+    ReportExtensionInstallError(extension_path,
+        kSignatureVerificationInitFailed);
+    return false;
+  }
+
+  unsigned char buf[1 << 12];
+  while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0)
+    verifier.VerifyUpdate(buf, len);
+
+  if (!verifier.VerifyFinal()) {
+    ReportExtensionInstallError(extension_path, kSignatureVerificationFailed);
+    return false;
+  }
+
+  net::Base64Encode(std::string(reinterpret_cast<char*>(&key.front()),
+      key.size()), key_out);
+  return true;
+}
+
 void ExtensionsServiceBackend::OnExtensionUnpacked(
     const FilePath& extension_path,
     const FilePath& temp_extension_dir,
     const std::string expected_id,
     bool from_external,
     const DictionaryValue& manifest,
     const std::vector< Tuple2<SkBitmap, FilePath> >& images) {
   Extension extension;
   std::string error;
   if (!extension.InitFromValue(manifest,
@@ skipping 42 matching lines @@
     error_msg += expected_id;
     error_msg += ")";
     ReportExtensionInstallError(extension_path, error_msg);
     return;
   }
 
   // <profile>/Extensions/<id>
   FilePath dest_dir = install_directory_.AppendASCII(extension.id());
   std::string version = extension.VersionString();
   std::string current_version;
-  bool was_update = false;
-  if (ReadCurrentVersion(dest_dir, &current_version)) {
-    if (!CheckCurrentVersion(version, current_version, dest_dir))
+  Extension::InstallType install_type =
+      CompareToInstalledVersion(extension.id(), version, &current_version);
+
+  // Do not allow downgrade.
+  if (install_type == Extension::DOWNGRADE) {
+    ReportExtensionInstallError(extension_path,
+        "Error: Attempt to downgrade extension from more recent version.");
+    return;
+  }
+
+  if (install_type == Extension::REINSTALL) {
+    if (NeedsReinstall(extension.id(), current_version)) {
+      // Treat corrupted existing installation as new install case.
+      install_type = Extension::NEW_INSTALL;
+    } else {
+      // The client may use this as a signal (to switch themes, for instance).
+      ReportExtensionOverinstallAttempted(extension.id());
       return;
-    was_update = true;
+    }
   }
 
   // Write our parsed manifest back to disk, to ensure it doesn't contain an
   // exploitable bug that can be used to compromise the browser.
   std::string manifest_json;
   JSONStringValueSerializer serializer(&manifest_json);
   serializer.set_pretty_print(true);
   if (!serializer.Serialize(manifest)) {
     ReportExtensionInstallError(extension_path,
                                 "Error serializing manifest.json.");
@@ skipping 77 matching lines @@
   // the preferences for these extensions to reflect that they've just been
   // installed.
   if (!from_external) {
     Extension* extension = LoadExtension(version_dir,
                                          location,
                                          true);  // require id
     CHECK(extension);
 
     frontend_loop_->PostTask(FROM_HERE, NewRunnableMethod(
         frontend_, &ExtensionsService::OnExtensionInstalled, extension,
-        was_update));
+        install_type));
 
     // Only one extension, but ReportExtensionsLoaded can handle multiple,
     // so we need to construct a list.
     scoped_ptr<ExtensionList> extensions(new ExtensionList);
     extensions->push_back(extension);
     LOG(INFO) << "Done.";
     // Hand off ownership of the loaded extensions to the frontend.
     ReportExtensionsLoaded(extensions.release());
   } else {
     frontend_loop_->PostTask(FROM_HERE, NewRunnableMethod(
         frontend_, &ExtensionsService::OnExternalExtensionInstalled,
         extension.id(), location));
   }
 
   scoped_version_dir.Take();
 }
 
 void ExtensionsServiceBackend::ReportExtensionInstallError(
     const FilePath& extension_path,  const std::string &error) {
 
   // TODO(erikkay): note that this isn't guaranteed to work properly on Linux.
   std::string path_str = WideToASCII(extension_path.ToWStringHack());
   std::string message =
       StringPrintf("Could not install extension from '%s'. %s",
                    path_str.c_str(), error.c_str());
   ExtensionErrorReporter::GetInstance()->ReportError(message, alert_on_error_);
 }
 
-void ExtensionsServiceBackend::ReportExtensionVersionReinstalled(
+void ExtensionsServiceBackend::ReportExtensionOverinstallAttempted(
     const std::string& id) {
   frontend_loop_->PostTask(FROM_HERE, NewRunnableMethod(
-      frontend_, &ExtensionsService::OnExtensionVersionReinstalled, id));
+      frontend_, &ExtensionsService::OnExtensionOverinstallAttempted, id));
 }
 
 bool ExtensionsServiceBackend::ShouldSkipInstallingExtension(
     const std::set<std::string>& ids_to_ignore,
     const std::string& id) {
   if (ids_to_ignore.find(id) != ids_to_ignore.end()) {
     LOG(INFO) << "Skipping uninstalled external extension " << id;
     return true;
   }
   return false;
@@ skipping 127 matching lines @@
 }
 
 void ExtensionsServiceBackend::OnExternalExtensionFound(
     const std::string& id, const Version* version, const FilePath& path) {
   bool from_external = true;
   CheckVersionAndInstallExtension(id, version, path, from_external);
 }
 
 bool ExtensionsServiceBackend::ShouldInstall(const std::string& id,
                                              const Version* version) {
-  FilePath dir(install_directory_.AppendASCII(id.c_str()));
   std::string current_version;
-  if (ReadCurrentVersion(dir, &current_version))
-    return CheckCurrentVersion(version->GetString(), current_version, dir);
-  return true;
+  Extension::InstallType install_type =
+      CompareToInstalledVersion(id, version->GetString(), &current_version);
+
+  if (install_type == Extension::DOWNGRADE)
+    return false;
+
+  return (install_type == Extension::UPGRADE ||
+          install_type == Extension::NEW_INSTALL ||
+          NeedsReinstall(id, current_version));
 }