| OLD | NEW |
|---|
| 1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "extensions/browser/verified_contents.h" | 5 #include "extensions/browser/verified_contents.h" |
| 6 | 6 |
| 7 #include <stddef.h> | 7 #include <stddef.h> |
| 8 | 8 |
| 9 #include "base/base64url.h" | 9 #include "base/base64url.h" |
| 10 #include "base/files/file_util.h" | 10 #include "base/files/file_util.h" |
| 11 #include "base/json/json_reader.h" | 11 #include "base/json/json_reader.h" |
| 12 #include "base/strings/string_util.h" | 12 #include "base/strings/string_util.h" |
| 13 #include "base/values.h" | 13 #include "base/values.h" |
| 14 #include "components/crx_file/id_util.h" | 14 #include "components/crx_file/id_util.h" |
| 15 #include "crypto/signature_verifier.h" | 15 #include "crypto/signature_verifier.h" |
| 16 #include "extensions/common/extension.h" | 16 #include "extensions/common/extension.h" |
| 17 | 17 |
| 18 using base::DictionaryValue; | 18 using base::DictionaryValue; |
| 19 using base::ListValue; | 19 using base::ListValue; |
| 20 using base::Value; | 20 using base::Value; |
| 21 | 21 |
| 22 namespace { | 22 namespace { |
| 23 | 23 |
| 24 // Note: this structure is an ASN.1 which encodes the algorithm used with its | |
| 25 // parameters. The signature algorithm is "RSA256" aka "RSASSA-PKCS-v1_5 using | |
| 26 // SHA-256 hash algorithm". This is defined in PKCS #1 (RFC 3447). | |
| 27 // It is encoding: { OID sha256WithRSAEncryption PARAMETERS NULL } | |
| 28 const uint8_t kSignatureAlgorithm[15] = {0x30, 0x0d, 0x06, 0x09, 0x2a, | |
| 29 0x86, 0x48, 0x86, 0xf7, 0x0d, | |
| 30 0x01, 0x01, 0x0b, 0x05, 0x00}; | |
| 31 | |
| 32 const char kBlockSizeKey[] = "block_size"; | 24 const char kBlockSizeKey[] = "block_size"; |
| 33 const char kContentHashesKey[] = "content_hashes"; | 25 const char kContentHashesKey[] = "content_hashes"; |
| 34 const char kDescriptionKey[] = "description"; | 26 const char kDescriptionKey[] = "description"; |
| 35 const char kFilesKey[] = "files"; | 27 const char kFilesKey[] = "files"; |
| 36 const char kFormatKey[] = "format"; | 28 const char kFormatKey[] = "format"; |
| 37 const char kHashBlockSizeKey[] = "hash_block_size"; | 29 const char kHashBlockSizeKey[] = "hash_block_size"; |
| 38 const char kHeaderKidKey[] = "header.kid"; | 30 const char kHeaderKidKey[] = "header.kid"; |
| 39 const char kItemIdKey[] = "item_id"; | 31 const char kItemIdKey[] = "item_id"; |
| 40 const char kItemVersionKey[] = "item_version"; | 32 const char kItemVersionKey[] = "item_version"; |
| 41 const char kPathKey[] = "path"; | 33 const char kPathKey[] = "path"; |
| (...skipping 259 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 301 return false; | 293 return false; |
| 302 | 294 |
| 303 return true; | 295 return true; |
| 304 } | 296 } |
| 305 | 297 |
| 306 bool VerifiedContents::VerifySignature(const std::string& protected_value, | 298 bool VerifiedContents::VerifySignature(const std::string& protected_value, |
| 307 const std::string& payload, | 299 const std::string& payload, |
| 308 const std::string& signature_bytes) { | 300 const std::string& signature_bytes) { |
| 309 crypto::SignatureVerifier signature_verifier; | 301 crypto::SignatureVerifier signature_verifier; |
| 310 if (!signature_verifier.VerifyInit( | 302 if (!signature_verifier.VerifyInit( |
| 311 kSignatureAlgorithm, sizeof(kSignatureAlgorithm), | 303 crypto::SignatureVerifier::RSA_PKCS1_SHA256, |
| 312 reinterpret_cast<const uint8_t*>(signature_bytes.data()), | 304 reinterpret_cast<const uint8_t*>(signature_bytes.data()), |
| 313 signature_bytes.size(), public_key_, public_key_size_)) { | 305 signature_bytes.size(), public_key_, public_key_size_)) { |
| 314 VLOG(1) << "Could not verify signature - VerifyInit failure"; | 306 VLOG(1) << "Could not verify signature - VerifyInit failure"; |
| 315 return false; | 307 return false; |
| 316 } | 308 } |
| 317 | 309 |
| 318 signature_verifier.VerifyUpdate( | 310 signature_verifier.VerifyUpdate( |
| 319 reinterpret_cast<const uint8_t*>(protected_value.data()), | 311 reinterpret_cast<const uint8_t*>(protected_value.data()), |
| 320 protected_value.size()); | 312 protected_value.size()); |
| 321 | 313 |
| 322 std::string dot("."); | 314 std::string dot("."); |
| 323 signature_verifier.VerifyUpdate(reinterpret_cast<const uint8_t*>(dot.data()), | 315 signature_verifier.VerifyUpdate(reinterpret_cast<const uint8_t*>(dot.data()), |
| 324 dot.size()); | 316 dot.size()); |
| 325 | 317 |
| 326 signature_verifier.VerifyUpdate( | 318 signature_verifier.VerifyUpdate( |
| 327 reinterpret_cast<const uint8_t*>(payload.data()), payload.size()); | 319 reinterpret_cast<const uint8_t*>(payload.data()), payload.size()); |
| 328 | 320 |
| 329 if (!signature_verifier.VerifyFinal()) { | 321 if (!signature_verifier.VerifyFinal()) { |
| 330 VLOG(1) << "Could not verify signature - VerifyFinal failure"; | 322 VLOG(1) << "Could not verify signature - VerifyFinal failure"; |
| 331 return false; | 323 return false; |
| 332 } | 324 } |
| 333 return true; | 325 return true; |
| 334 } | 326 } |
| 335 | 327 |
| 336 } // namespace extensions | 328 } // namespace extensions |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1679873005:
Switch SignatureVerifier to taking an algorithm enum. (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master