Refactor CRX verification in preparation to support CRX₃ files.

components/crx_file/crx_verifier.h

Index: components/crx_file/crx_verifier.h
diff --git a/components/crx_file/crx_verifier.h b/components/crx_file/crx_verifier.h
new file mode 100644
index 0000000000000000000000000000000000000000..1cba048c2a7cb6097734dc5902ed43c83146dd64
--- /dev/null
+++ b/components/crx_file/crx_verifier.h
@@ -0,0 +1,109 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef COMPONENTS_CRX_FILE_CRX_VERIFIER_H_
+#define COMPONENTS_CRX_FILE_CRX_VERIFIER_H_
+
+#include <stdint.h>
+#include <string>
+#include <vector>
+
+namespace base {
+class FilePath;
+class File;
+}  // namespace base
+
+namespace crypto {
+class SecureHash;
+}  // namespace crypto
+
+namespace crx_file {
+
+// A CrxVerifier is capable of verifying a Crx file. It accepts both Crx2
+// and Crx3 files that fulfill the specified requirements. To accept Crx3 files
+// only, use a Crx3Verifier.
+class CrxVerifier {
+ public:
+  // Constructs a new CrxVerifier that verifies the file is a well-formed
+  // Crx3 or Crx2 file, and verifies each understood proof on the file.
+  // Additionally, a Crx3 file must have a proof whose public key hashes to the
+  // enclosed Crx ID.
+  CrxVerifier();
+
+  virtual ~CrxVerifier();
+
+  // Once called, this verifier requires at least one of the proofs to use a
+  // public key whose SHA256 hash is equal to |key_hash|. Additional calls to
+  // RequireKeyProof accumulate additional requirements.
+  void RequireKeyProof(const std::vector<uint8_t>& key_hash);
+
+  // Once called, this verifier requires that the overall Crx file have a SHA256
+  // hash equal to |expected_hash| (encoded in base 16). Additional calls to
+  // RequireFileHash replace previous expected hashes.
+  void RequireFileHash(const std::vector<uint8_t>& expected_hash);
+
+  // Once called, when Verify is called this verifier will set the contents of
+  // |public_key| to one of the following values: (For Crx2) the public key the
+  // file is signed with, or (for Crx3) the public key that hashes to the
+  // developer proof, or (for Crx3) the empty string if there is no such proof.
+  // In all cases the key is encoded as a base64 string (PEM).
+  // Additional calls to GetPublicKey replace previous
+  // |public_key| parameters.
+  void GetPublicKey(std::string* public_key);
+
+  // Once called, when Verify is called this verifier will set the contents of
+  // |crx_id| to one of the following values: (For Crx2) the id as computed from
+  // the hash of the signing key, or (for Crx3) the id declared in the file.
+  // Additional calls to GetCrxId replace previous
+  // |crx_id| parameters.
+  void GetCrxId(std::string* crx_id);
+
+  enum class Result {
+    OK_FULL,   // The file verifies as a correct full CRX file.
+    OK_DELTA,  // The file verifies as a correct differential CRX file.
+    ERROR_FILE_NOT_READABLE,      // Cannot open the CRX file.
+    ERROR_HEADER_INVALID,         // Failed to parse or understand CRX header.
+    ERROR_EXPECTED_HASH_INVALID,  // Expected hash is not well-formed.
+    ERROR_FILE_HASH_FAILED,  // The file's actual hash != the expected hash.
+    ERROR_SIGNATURE_INITIALIZATION_FAILED,  // A signature or key is malformed.
+    ERROR_SIGNATURE_VERIFICATION_FAILED,    // A signature doesn't match.
+    ERROR_REQUIRED_PROOF_MISSING,           // RequireKeyProof was unsatisfied.
+  };
+
+  // Verify the crx file at |crx_path|, subject to this verifier's requirements.
+  Result Verify(const base::FilePath& crx_path) const;
+
+ protected:
+  bool allow_crx2_ = true;
+  bool require_publisher_proof_ = false;
+
+ private:
+  std::string* crx_id_ = nullptr;
+  std::string* public_key_ = nullptr;
+  std::vector<std::vector<uint8_t>> key_hashes_;
+  std::vector<uint8_t> expected_hash_;
+
+  Result VerifyCrx2(base::File* file, crypto::SecureHash* hash) const;
+  Result VerifyCrx3(base::File* file, crypto::SecureHash* hash) const;
+};
+
+// A Crx3Verifier is a CrxVerifier that implements additional
+// requirements: it accepts Crx3 files only and can be configured to require a
+// publisher proof in addition to the developer proof.
+class Crx3Verifier : CrxVerifier {
+ public:
+  // Constructs a new Crx3Verifier that verifies the file is a well-formed
+  // Crx3 file, and verifies each understood proof on the file.
+  Crx3Verifier();
+
+  ~Crx3Verifier() override;
+
+  // Once called, this verifier requires one of the Crx3 proofs to match a
+  // pinned publisher key. (The publisher key is pinned in the crx_file module).
+  void RequirePublisherProof();
+};
+
+}  // namespace crx_file
+
+#endif  // COMPONENTS_CRX_FILE_CRX_VERIFIER_H_