1 // Copyright 2014 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include "components/component_updater/component_unpacker.h"
6 
7 #include <stdint.h>
8 #include <string>
9 #include <vector>
10 
11 #include "base/bind.h"
12 #include "base/files/file_path.h"
13 #include "base/files/file_util.h"
14 #include "base/files/scoped_file.h"
15 #include "base/json/json_file_value_serializer.h"
16 #include "base/location.h"
17 #include "base/logging.h"
18 #include "base/numerics/safe_conversions.h"
19 #include "base/strings/string_number_conversions.h"
20 #include "base/strings/stringprintf.h"
21 #include "base/values.h"
22 #include "components/component_updater/component_patcher.h"
23 #include "components/component_updater/component_patcher_operation.h"
24 #include "components/component_updater/component_updater_service.h"
25 #include "components/crx_file/constants.h"
26 #include "components/crx_file/crx_file.h"
27 #include "crypto/secure_hash.h"
28 #include "crypto/signature_verifier.h"
29 #include "third_party/zlib/google/zip.h"
30 
31 using crypto::SecureHash;
32 
33 namespace component_updater {
34 
35 namespace {
36 
37 // This class makes sure that the CRX digital signature is valid
38 // and well formed.
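class CRXValidator {
 public:
  // Reads a CRX from |crx_file|, starting at its current position, and checks
  // that the header parses and that the embedded signature verifies the rest
  // of the file against the embedded public key. On success valid() is true
  // and public_key() holds the key that was used.
  //
  // The key is read from the file itself, so valid() only shows that the file
  // is self-consistent. The caller must still compare public_key() against a
  // key (or key hash) it already trusts before relying on the contents.
  //
  // |crx_file| is borrowed; it is not closed here.
  explicit CRXValidator(FILE* crx_file) : valid_(false), is_delta_(false) {
    crx_file::CrxFile::Header header;
    size_t len = fread(&header, 1, sizeof(header), crx_file);
    if (len < sizeof(header))
      return;

    crx_file::CrxFile::Error error;
    scoped_ptr<crx_file::CrxFile> crx(
        crx_file::CrxFile::Parse(header, &error));
    if (!crx.get())
      return;
    is_delta_ = crx_file::CrxFile::HeaderIsDelta(header);

    // |key_size| and |signature_size| come from the still-unverified file.
    // Reject zero explicitly so that &key[0] / &signature[0] below never
    // index an empty vector.
    // NOTE(review): the upper bounds on both sizes are presumably enforced by
    // CrxFile::Parse() - confirm, since they size the allocations below.
    if (header.key_size == 0 || header.signature_size == 0)
      return;

    std::vector<uint8_t> key(header.key_size);
    len = fread(&key[0], sizeof(uint8_t), header.key_size, crx_file);
    if (len < header.key_size)
      return;

    std::vector<uint8_t> signature(header.signature_size);
    len =
        fread(&signature[0], sizeof(uint8_t), header.signature_size, crx_file);
    if (len < header.signature_size)
      return;

    crypto::SignatureVerifier verifier;
    if (!verifier.VerifyInit(crx_file::kSignatureAlgorithm,
                             base::checked_cast<int>(
                                 sizeof(crx_file::kSignatureAlgorithm)),
                             &signature[0],
                             base::checked_cast<int>(signature.size()),
                             &key[0],
                             base::checked_cast<int>(key.size()))) {
      // Signature verification initialization failed. This is most likely
      // caused by a public key in the wrong format (should encode algorithm).
      return;
    }

    // Feed everything after the signature to the verifier in fixed-size
    // chunks. The loop ends when fread() returns 0, which covers both end of
    // file and a read error; in the error case only a prefix has been fed and
    // the decision is left to VerifyFinal().
    const size_t kBufSize = 8 * 1024;
    scoped_ptr<uint8_t[]> buf(new uint8_t[kBufSize]);
    while ((len = fread(buf.get(), 1, kBufSize, crx_file)) > 0)
      verifier.VerifyUpdate(buf.get(), base::checked_cast<int>(len));

    if (!verifier.VerifyFinal())
      return;

    // Only publish the key once the signature has been accepted.
    public_key_.swap(key);
    valid_ = true;
  }

  // True only if the header parsed and the signature verified.
  bool valid() const { return valid_; }

  // Whether the header marks this CRX as a delta (diff) package. This is set
  // as soon as the header parses, so it may be true even when valid() is
  // false.
  bool is_delta() const { return is_delta_; }

  // The public key read from the CRX. Empty unless valid() is true.
  const std::vector<uint8_t>& public_key() const { return public_key_; }

 private:
  bool valid_;
  bool is_delta_;
  std::vector<uint8_t> public_key_;
};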
101 
102 }  // namespace
103 
// Stores the parameters for a later Unpack() call. Nothing is read from disk
// here; the constructor body is empty.
//
// |pk_hash| is the expected hash of the CRX public key, compared in Verify().
// |path| is the CRX file to unpack.
// |fingerprint| is written to "manifest.fingerprint" by Install().
// |installer| is stored as a raw pointer.
// NOTE(review): presumably |installer| must outlive this object - confirm
// against the header and the callers.
ComponentUnpacker::ComponentUnpacker(
    const std::vector<uint8_t>& pk_hash,
    const base::FilePath& path,
    const std::string& fingerprint,
    ComponentInstaller* installer,
    scoped_refptr<OutOfProcessPatcher> out_of_process_patcher,
    scoped_refptr<base::SequencedTaskRunner> task_runner)
    : pk_hash_(pk_hash),
      path_(path),
      is_delta_(false),
      fingerprint_(fingerprint),
      installer_(installer),
      out_of_process_patcher_(out_of_process_patcher),
      error_(kNone),
      extended_error_(0),
      task_runner_(task_runner) {
}
121 
122 // TODO(cpu): add a specific attribute check to a component json that the
123 // extension unpacker will reject, so that a component cannot be installed
124 // as an extension.
// Loads "manifest.json" from |unpack_path| and returns it as a dictionary.
// Returns a null scoped_ptr if the file does not exist, cannot be
// deserialized, or its root value is not a dictionary.
scoped_ptr<base::DictionaryValue> ReadManifest(
    const base::FilePath& unpack_path) {
  base::FilePath manifest_path =
      unpack_path.Append(FILE_PATH_LITERAL("manifest.json"));
  if (!base::PathExists(manifest_path))
    return scoped_ptr<base::DictionaryValue>();

  JSONFileValueSerializer serializer(manifest_path);
  std::string parse_error;
  scoped_ptr<base::Value> parsed(serializer.Deserialize(NULL, &parse_error));

  // A missing root and a root of the wrong type are both treated as
  // "no manifest".
  const bool is_dictionary =
      parsed.get() && parsed->IsType(base::Value::TYPE_DICTIONARY);
  if (!is_dictionary)
    return scoped_ptr<base::DictionaryValue>();

  // The type was checked above, so the downcast is safe. Ownership moves from
  // |parsed| to the returned pointer.
  scoped_ptr<base::DictionaryValue> dictionary(
      static_cast<base::DictionaryValue*>(parsed.release()));
  return dictionary.Pass();
}
141 
// Runs the synchronous stages in order and stops at the first failure.
// Nothing is unzipped unless Verify() has accepted the file. Returns true
// once BeginPatching() has scheduled the remaining work.
bool ComponentUnpacker::UnpackInternal() {
  if (!Verify())
    return false;
  if (!Unzip())
    return false;
  return BeginPatching();
}
145 
// Starts unpacking and remembers |callback| for the final result. If a
// synchronous stage fails, Finish() runs immediately and reports the error;
// otherwise the result is reported later, from EndPatching().
void ComponentUnpacker::Unpack(const Callback& callback) {
  callback_ = callback;
  const bool started = UnpackInternal();
  if (started)
    return;
  Finish();
}
151 
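// Checks that the CRX at |path_| is well formed, that its signature verifies,
// and that the SHA-256 of its public key equals |pk_hash_|. Sets |is_delta_|
// from the header. On failure sets |error_| (kInvalidParams, kInvalidFile or
// kInvalidId) and returns false.
//
// NOTE(review): the file is closed once the signature has been checked, and
// Unzip() opens |path_| again by name. This assumes nothing can replace or
// modify the file between the two opens - confirm that |path_| lives in a
// directory only this process can write to.
bool ComponentUnpacker::Verify() {
  VLOG(1) << "Verifying component: " << path_.value();
  if (pk_hash_.empty() || path_.empty()) {
    error_ = kInvalidParams;
    return false;
  }
  // First, validate the CRX header and signature. As of today
  // this is SHA1 with RSA 1024.
  base::ScopedFILE file(base::OpenFile(path_, "rb"));
  if (!file.get()) {
    error_ = kInvalidFile;
    return false;
  }
  CRXValidator validator(file.get());
  file.reset();
  if (!validator.valid()) {
    error_ = kInvalidFile;
    return false;
  }
  is_delta_ = validator.is_delta();

  // File is valid and the digital signature matches. Now make sure
  // the public key hash matches the expected hash. If they do we fully
  // trust this CRX.
  const std::vector<uint8_t>& public_key = validator.public_key();
  uint8_t hash[32] = {};
  scoped_ptr<SecureHash> sha256(SecureHash::Create(SecureHash::SHA256));
  sha256->Update(&public_key[0], public_key.size());
  sha256->Finish(hash, arraysize(hash));

  // The expected hash must be exactly one SHA-256 digest long. std::equal()
  // only walks |pk_hash_|, so a shorter value would compare just a prefix of
  // the digest and a longer one would read past the end of |hash|.
  if (pk_hash_.size() != arraysize(hash) ||
      !std::equal(pk_hash_.begin(), pk_hash_.end(), hash)) {
    VLOG(1) << "Hash mismatch: " << path_.value();
    error_ = kInvalidId;
    return false;
  }
  VLOG(1) << "Verification successful: " << path_.value();
  return true;
}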
189 
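// Extracts the CRX at |path_| into a freshly created temporary directory.
// The directory path is stored in |unpack_diff_path_| for a delta package and
// in |unpack_path_| otherwise. On failure sets |error_| and returns false.
//
// NOTE(review): this relies on zip::Unzip() to refuse archive entries that
// would be written outside |destination| - confirm against the zip library.
bool ComponentUnpacker::Unzip() {
  base::FilePath& destination = is_delta_ ? unpack_diff_path_ : unpack_path_;
  if (!base::CreateNewTempDirectory(base::FilePath::StringType(),
                                    &destination)) {
    VLOG(1) << "Unable to create temporary directory for unpacking.";
    error_ = kUnzipPathError;
    return false;
  }
  // Log only after the directory exists; before that |destination| has not
  // been filled in yet.
  VLOG(1) << "Unpacking in: " << destination.value();
  if (!zip::Unzip(path_, destination)) {
    VLOG(1) << "Unzipping failed.";
    error_ = kUnzipFailed;
    return false;
  }
  VLOG(1) << "Unpacked successfully";
  return true;
}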
207 
// Schedules the post-unzip stage on |task_runner_|. A full package has
// nothing to patch, so EndPatching() is posted directly with no error. A
// delta package gets a second temporary directory for the patch output and a
// ComponentPatcher that calls EndPatching() when it is done. Returns false
// only if that directory cannot be created.
bool ComponentUnpacker::BeginPatching() {
  if (!is_delta_) {
    task_runner_->PostTask(FROM_HERE,
                           base::Bind(&ComponentUnpacker::EndPatching,
                                      scoped_refptr<ComponentUnpacker>(this),
                                      kNone,
                                      0));
    return true;
  }

  // Package is a diff package. Use a different temp directory for the patch
  // output files.
  if (!base::CreateNewTempDirectory(base::FilePath::StringType(),
                                    &unpack_path_)) {
    error_ = kUnzipPathError;
    return false;
  }
  patcher_ = new ComponentPatcher(unpack_diff_path_,
                                  unpack_path_,
                                  installer_,
                                  out_of_process_patcher_,
                                  task_runner_);
  // The bound scoped_refptr holds a reference to this object for as long as
  // the callback exists.
  task_runner_->PostTask(
      FROM_HERE,
      base::Bind(&ComponentPatcher::Start,
                 patcher_,
                 base::Bind(&ComponentUnpacker::EndPatching,
                            scoped_refptr<ComponentUnpacker>(this))));
  return true;
}
236 
// Completion handler for the patching stage. Records the result and drops the
// patcher. If patching succeeded, removes the diff directory and installs;
// in every case Finish() runs last to clean up and report the outcome.
void ComponentUnpacker::EndPatching(Error error, int extended_error) {
  error_ = error;
  extended_error_ = extended_error;
  patcher_ = NULL;

  if (error_ == kNone) {
    // Optimization: clean up patch files early, in case disk space is too low
    // to install otherwise.
    if (!unpack_diff_path_.empty()) {
      base::DeleteFile(unpack_diff_path_, true);
      unpack_diff_path_.clear();
    }
    Install();
  }
  Finish();
}
254 
// Writes the fingerprint next to the unpacked files, reads the manifest and
// passes both to the installer. The outcome is reported through |error_|
// only: kFingerprintWriteFailed, kBadManifest or kInstallerError on failure,
// unchanged on success.
void ComponentUnpacker::Install() {
  // Write the fingerprint to disk. A short write counts as a failure.
  const int bytes_expected = static_cast<int>(fingerprint_.size());
  const int bytes_written = base::WriteFile(
      unpack_path_.Append(FILE_PATH_LITERAL("manifest.fingerprint")),
      fingerprint_.c_str(),
      base::checked_cast<int>(fingerprint_.size()));
  if (bytes_written != bytes_expected) {
    error_ = kFingerprintWriteFailed;
    return;
  }

  scoped_ptr<base::DictionaryValue> manifest(ReadManifest(unpack_path_));
  if (!manifest.get()) {
    error_ = kBadManifest;
    return;
  }

  DCHECK(error_ == kNone);
  const bool installed = installer_->Install(*manifest, unpack_path_);
  if (!installed)
    error_ = kInstallerError;
}
276 
// Deletes whatever temporary directories are still recorded, recursively,
// then reports |error_| and |extended_error_| through |callback_|.
void ComponentUnpacker::Finish() {
  // Same order as the directories were handled before: diff input first, then
  // the unpack/patch output.
  const base::FilePath* const temp_dirs[] = {&unpack_diff_path_,
                                             &unpack_path_};
  for (size_t i = 0; i < arraysize(temp_dirs); ++i) {
    if (!temp_dirs[i]->empty())
      base::DeleteFile(*temp_dirs[i], true);
  }
  callback_.Run(error_, extended_error_);
}
284 
// Nothing to release by hand; the destructor body is empty and the members
// clean up after themselves.
ComponentUnpacker::~ComponentUnpacker() {}
287 
288 }  // namespace component_updater
289