OLD | NEW |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | 1 // Copyright 2014 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "extensions/browser/verified_contents.h" | 5 #include "extensions/browser/verified_contents.h" |
6 | 6 |
7 #include <stddef.h> | 7 #include <stddef.h> |
8 | 8 |
9 #include "base/base64url.h" | 9 #include "base/base64url.h" |
10 #include "base/files/file_util.h" | 10 #include "base/files/file_util.h" |
(...skipping 72 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
83 // "files": [ | 83 // "files": [ |
84 // { | 84 // { |
85 // "path": "foo/bar", | 85 // "path": "foo/bar", |
86 // "root_hash": "<base64url encoded bytes>" | 86 // "root_hash": "<base64url encoded bytes>" |
87 // }, | 87 // }, |
88 // ... | 88 // ... |
89 // ] | 89 // ] |
90 // } | 90 // } |
91 // ] | 91 // ] |
92 // } | 92 // } |
93 bool VerifiedContents::InitFrom(const base::FilePath& path, | 93 bool VerifiedContents::InitFrom(const base::FilePath& path) { |
94 bool ignore_invalid_signature) { | |
95 std::string payload; | 94 std::string payload; |
96 if (!GetPayload(path, &payload, ignore_invalid_signature)) | 95 if (!GetPayload(path, &payload)) |
97 return false; | 96 return false; |
98 | 97 |
99 std::unique_ptr<base::Value> value(base::JSONReader::Read(payload)); | 98 std::unique_ptr<base::Value> value(base::JSONReader::Read(payload)); |
100 if (!value.get() || !value->IsType(Value::Type::DICTIONARY)) | 99 if (!value.get() || !value->IsType(Value::Type::DICTIONARY)) |
101 return false; | 100 return false; |
102 DictionaryValue* dictionary = static_cast<DictionaryValue*>(value.get()); | 101 DictionaryValue* dictionary = static_cast<DictionaryValue*>(value.get()); |
103 | 102 |
104 std::string item_id; | 103 std::string item_id; |
105 if (!dictionary->GetString(kItemIdKey, &item_id) || | 104 if (!dictionary->GetString(kItemIdKey, &item_id) || |
106 !crx_file::id_util::IdIsValid(item_id)) | 105 !crx_file::id_util::IdIsValid(item_id)) |
(...skipping 116 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
223 // } | 222 // } |
224 // } | 223 // } |
225 // ] | 224 // ] |
226 // There might be both a signature generated with a webstore private key and a | 225 // There might be both a signature generated with a webstore private key and a |
227 // signature generated with the extension's private key - for now we only | 226 // signature generated with the extension's private key - for now we only |
228 // verify the webstore one (since the id is in the payload, so we can trust | 227 // verify the webstore one (since the id is in the payload, so we can trust |
229 // that it is for a given extension), but in the future we may validate using | 228 // that it is for a given extension), but in the future we may validate using |
230 // the extension's key too (eg for non-webstore hosted extensions such as | 229 // the extension's key too (eg for non-webstore hosted extensions such as |
231 // enterprise installs). | 230 // enterprise installs). |
232 bool VerifiedContents::GetPayload(const base::FilePath& path, | 231 bool VerifiedContents::GetPayload(const base::FilePath& path, |
233 std::string* payload, | 232 std::string* payload) { |
234 bool ignore_invalid_signature) { | |
235 std::string contents; | 233 std::string contents; |
236 if (!base::ReadFileToString(path, &contents)) | 234 if (!base::ReadFileToString(path, &contents)) |
237 return false; | 235 return false; |
238 std::unique_ptr<base::Value> value(base::JSONReader::Read(contents)); | 236 std::unique_ptr<base::Value> value(base::JSONReader::Read(contents)); |
239 if (!value.get() || !value->IsType(Value::Type::LIST)) | 237 if (!value.get() || !value->IsType(Value::Type::LIST)) |
240 return false; | 238 return false; |
241 ListValue* top_list = static_cast<ListValue*>(value.get()); | 239 ListValue* top_list = static_cast<ListValue*>(value.get()); |
242 | 240 |
243 // Find the "treehash per file" signed content, e.g. | 241 // Find the "treehash per file" signed content, e.g. |
244 // [ | 242 // [ |
(...skipping 32 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
277 base::Base64UrlDecodePolicy::IGNORE_PADDING, | 275 base::Base64UrlDecodePolicy::IGNORE_PADDING, |
278 &decoded_signature)) | 276 &decoded_signature)) |
279 return false; | 277 return false; |
280 | 278 |
281 std::string encoded_payload; | 279 std::string encoded_payload; |
282 if (!signed_content->GetString(kPayloadKey, &encoded_payload)) | 280 if (!signed_content->GetString(kPayloadKey, &encoded_payload)) |
283 return false; | 281 return false; |
284 | 282 |
285 valid_signature_ = | 283 valid_signature_ = |
286 VerifySignature(protected_value, encoded_payload, decoded_signature); | 284 VerifySignature(protected_value, encoded_payload, decoded_signature); |
287 if (!valid_signature_ && !ignore_invalid_signature) | 285 if (!valid_signature_) |
288 return false; | 286 return false; |
289 | 287 |
290 if (!base::Base64UrlDecode(encoded_payload, | 288 if (!base::Base64UrlDecode(encoded_payload, |
291 base::Base64UrlDecodePolicy::IGNORE_PADDING, | 289 base::Base64UrlDecodePolicy::IGNORE_PADDING, |
292 payload)) | 290 payload)) |
293 return false; | 291 return false; |
294 | 292 |
295 return true; | 293 return true; |
296 } | 294 } |
297 | 295 |
(...skipping 21 matching lines...) Expand all Loading... |
319 reinterpret_cast<const uint8_t*>(payload.data()), payload.size()); | 317 reinterpret_cast<const uint8_t*>(payload.data()), payload.size()); |
320 | 318 |
321 if (!signature_verifier.VerifyFinal()) { | 319 if (!signature_verifier.VerifyFinal()) { |
322 VLOG(1) << "Could not verify signature - VerifyFinal failure"; | 320 VLOG(1) << "Could not verify signature - VerifyFinal failure"; |
323 return false; | 321 return false; |
324 } | 322 } |
325 return true; | 323 return true; |
326 } | 324 } |
327 | 325 |
328 } // namespace extensions | 326 } // namespace extensions |
OLD | NEW |