components/crx_file/crx_verifier.h - Issue 2874503002: Refactor CRX verification in preparation to support CRX₃ files.

Side by Side Diff: components/crx_file/crx_verifier.h

Issue 2874503002: Refactor CRX verification in preparation to support CRX₃ files. (Closed)

Patch Set: No subclass Created 3 years, 7 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
(Empty)
	1 // Copyright 2017 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #ifndef COMPONENTS_CRX_FILE_CRX_VERIFIER_H_

	6 #define COMPONENTS_CRX_FILE_CRX_VERIFIER_H_

	7

	8 #include <stdint.h>

	9 #include <string>

	10 #include <vector>

	11

	12 namespace base {

	13 class FilePath;

	14 class File;

	15 } // namespace base

	16

	17 namespace crypto {

	18 class SecureHash;

	19 } // namespace crypto

	20

	21 namespace crx_file {

	22

	23 // A CrxVerifier is capable of verifying a Crx file. It accepts both Crx2

	24 // and Crx3 files that fulfill the specified requirements. To accept Crx3 files

	25 // only, use a Crx3Verifier.
	Sorin Jianu 2017/05/15 19:49:53 comment seems obsolete. comment seems obsolete. waffles 2017/05/16 00:29:03 Done. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > comment seems obsolete. Done.
	26 class CrxVerifier final {

	27 public:

	28 // Constructs a new CrxVerifier that verifies the file is a well-formed
	Sorin Jianu 2017/05/15 19:49:53 Comment seems appropriate as a class comment. Comment seems appropriate as a class comment. waffles 2017/05/16 00:29:03 Acknowledged. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > Comment seems appropriate as a class comment. Acknowledged.
	29 // Crx3 or Crx2 file, and verifies each understood proof on the file.

	30 // Additionally, a Crx3 file must have a proof whose public key hashes to the

	31 // enclosed Crx ID.

	32 CrxVerifier();

	33

	34 ~CrxVerifier();

	35

	36 // Once called, this verifier requires at least one of the proofs to use a

	37 // public key whose SHA256 hash is equal to \|key_hash\|. Additional calls to

	38 // RequireKeyProof accumulate additional requirements.
	Sorin Jianu 2017/05/15 19:49:53 Is there any reason the caller wants to accumulate Is there any reason the caller wants to accumulate these instead of providing them at once? waffles 2017/05/16 00:29:02 Obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > Is there any reason the caller wants to accumulate these instead of providing > them at once? Obsolete.
	39 void RequireKeyProof(const std::vector<uint8_t>& key_hash);

	40

	41 // Once called, this verifier requires that the overall Crx file have a SHA256

	42 // hash equal to \|expected_hash\| (encoded in base 16). Additional calls to

	43 // RequireFileHash replace previous expected hashes.
	Sorin Jianu 2017/05/15 19:49:53 Why would the caller want to replace the file hash Why would the caller want to replace the file hash? Can an instance of this class be used to verify more than one file? If yes, what is the motivation for this? waffles 2017/05/16 00:29:03 Obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > Why would the caller want to replace the file hash? Can an instance of this > class be used to verify more than one file? If yes, what is the motivation for > this? Obsolete.
	44 void RequireFileHash(const std::vector<uint8_t>& expected_hash);

	45

	46 // Once called, this verifier rejects Crx2 files.

	47 void RequireCrx3();

	48

	49 // Once called, this verifier requires one of the Crx3 proofs to match a

	50 // pinned publisher key. (The publisher key is pinned in the crx_file module).

	51 // It is an error to call this without first calling RequireCrx3.

	52 void RequirePublisherProof();
	Sorin Jianu 2017/05/15 19:49:53 Should this function return an error to indicate t Should this function return an error to indicate this? waffles 2017/05/16 00:29:03 Not sure what you mean. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > Should this function return an error to indicate this? Not sure what you mean.
	53

	54 // Once called, when Verify is called this verifier will set the contents of

	55 // \|public_key\| to one of the following values: (For Crx2) the public key the

	56 // file is signed with, or (for Crx3) the public key that hashes to the

	57 // developer proof, or (for Crx3) the empty string if there is no such proof.

	58 // In all cases the key is encoded as a base64 string (PEM).

	59 // Additional calls to GetPublicKey replace previous

	60 // \|public_key\| parameters.

	61 void GetPublicKey(std::string* public_key);
	Sorin Jianu 2017/05/15 19:49:53 const? const? Sorin Jianu 2017/05/15 19:49:53 why not return by value? why not return by value? waffles 2017/05/16 00:29:02 Explained this in person. Anyways, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > const? Explained this in person. Anyways, obsolete. waffles 2017/05/16 00:29:03 Explained this in person. Anyways, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > why not return by value? Explained this in person. Anyways, obsolete.
	62

	63 // Once called, when Verify is called this verifier will set the contents of

	64 // \|crx_id\| to one of the following values: (For Crx2) the id as computed from

	65 // the hash of the signing key, or (for Crx3) the id declared in the file.

	66 // Additional calls to GetCrxId replace previous

	67 // \|crx_id\| parameters.

	68 void GetCrxId(std::string* crx_id);
	Sorin Jianu 2017/05/15 19:49:53 const? const? Sorin Jianu 2017/05/15 19:49:53 return by value? return by value? waffles 2017/05/16 00:29:02 Explained this in person. Anyways, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > return by value? Explained this in person. Anyways, obsolete. waffles 2017/05/16 00:29:03 Explained this in person. Anyways, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > const? Explained this in person. Anyways, obsolete.
	69

	70 enum class Result {
	Sorin Jianu 2017/05/15 19:49:53 types usually declared toward the beginning of the types usually declared toward the beginning of the section? Maybe move both the type and the function toward the top. Also, could add more errors to handle calling functions which currently return void. waffles 2017/05/16 00:29:02 Done. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > types usually declared toward the beginning of the section? Maybe move both the > type and the function toward the top. Also, could add more errors to handle > calling functions which currently return void. Done.
	71 OK_FULL, // The file verifies as a correct full CRX file.

	72 OK_DELTA, // The file verifies as a correct differential CRX file.

	73 ERROR_FILE_NOT_READABLE, // Cannot open the CRX file.

	74 ERROR_HEADER_INVALID, // Failed to parse or understand CRX header.

	75 ERROR_EXPECTED_HASH_INVALID, // Expected hash is not well-formed.

	76 ERROR_FILE_HASH_FAILED, // The file's actual hash != the expected hash.

	77 ERROR_SIGNATURE_INITIALIZATION_FAILED, // A signature or key is malformed.

	78 ERROR_SIGNATURE_VERIFICATION_FAILED, // A signature doesn't match.

	79 ERROR_REQUIRED_PROOF_MISSING, // RequireKeyProof was unsatisfied.

	80 };

	81

	82 // Verify the crx file at \|crx_path\|, subject to this verifier's requirements.

	83 Result Verify(const base::FilePath& crx_path) const;

	84

	85 private:

	86 bool allow_crx2_ = true;

	87 bool require_publisher_proof_ = false;

	88 std::string* crx_id_ = nullptr;
	Sorin Jianu 2017/05/15 19:49:53 why pointers? why pointers? waffles 2017/05/16 00:29:02 Explained this in person. Anyways, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > why pointers? Explained this in person. Anyways, obsolete.
	89 std::string* public_key_ = nullptr;

	90 std::vector<std::vector<uint8_t>> key_hashes_;

	91 std::vector<uint8_t> expected_hash_;
	Sorin Jianu 2017/05/15 19:49:53 Is this type copyable? Is this type copyable? waffles 2017/05/16 00:29:03 Assuming you are referring to Verifier, obsolete. Show quoted text On 2017/05/15 19:49:53, Sorin Jianu wrote: > Is this type copyable? Assuming you are referring to Verifier, obsolete.
	92

	93 Result VerifyCrx2(base::File* file, crypto::SecureHash* hash) const;

	94 Result VerifyCrx3(base::File* file, crypto::SecureHash* hash) const;
	Sorin Jianu 2017/05/15 19:49:52 Member function declaration precede data in class Member function declaration precede data in class definitions, afair. waffles 2017/05/16 00:29:03 Obsolete. Show quoted text On 2017/05/15 19:49:52, Sorin Jianu wrote: > Member function declaration precede data in class definitions, afair. Obsolete.
	95 };

	96

	97 } // namespace crx_file

	98

	99 #endif // COMPONENTS_CRX_FILE_CRX_VERIFIER_H_

OLD	NEW

« components/crx_file/crx2_file.cc ('K') | « components/crx_file/crx_file.cc ('k') | components/crx_file/crx_verifier.cc » ('j') | components/crx_file/crx_verifier.cc » ('J')