brave · atuchin-m · Feb 10, 2022 · Feb 1, 2022 · Feb 2, 2022 · Feb 2, 2022
@@ -0,0 +1,51 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * you can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "components/crx_file/crx_creator.h"
+
+namespace crx_file {
+class CrxFileHeader;
+
+std::string BraveGetCrxId(const std::string& key, CrxFileHeader* header);
+}  // namespace crx_file
+
+#include "src/components/crx_file/crx_creator.cc"
+
+namespace crx_file {
+
+// Override for GetCrxId() in SignArchiveAndCreateHeader() to generate the
+// correct signed data for the second signature.
+std::string BraveGetCrxId(const std::string& key, CrxFileHeader* header) {
+  if (header->sha256_with_rsa_size() > 0) {
+    const AsymmetricKeyProof& first_proof = header->sha256_with_rsa()[0];
+    return GetCrxId(first_proof.public_key());
+  }
+  return GetCrxId(key);
+}
+
+CreatorResult CreateWithPublisherKey(const base::FilePath& output_path,
+                                     const base::FilePath& zip_path,
+                                     crypto::RSAPrivateKey* signing_key,
+                                     crypto::RSAPrivateKey* publisher_key) {
+  CrxFileHeader header;
+  base::File file(zip_path, base::File::FLAG_OPEN | base::File::FLAG_READ);
+  const CreatorResult signing_result =
+      SignArchiveAndCreateHeader(output_path, &file, signing_key, &header);
+  if (signing_result != CreatorResult::OK)
+    return signing_result;
+
+  if (publisher_key) {
+    file.Seek(base::File::Whence::FROM_BEGIN, 0);
+    const CreatorResult publisher_signing_result =
+        SignArchiveAndCreateHeader(output_path, &file, publisher_key, &header);
+    if (publisher_signing_result != CreatorResult::OK)
+      return publisher_signing_result;
+  }
+
+  const CreatorResult result = WriteCRX(header, output_path, &file);
+  return result;
+}
+
+}  // namespace crx_file
@@ -0,0 +1,19 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * you can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_CREATOR_H_
+#define BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_CREATOR_H_
+
+#include "src/components/crx_file/crx_creator.h"
+
+namespace crx_file {
+
+CreatorResult CreateWithPublisherKey(const base::FilePath& output_path,
+                                     const base::FilePath& zip_path,
+                                     crypto::RSAPrivateKey* signing_key,
+                                     crypto::RSAPrivateKey* publisher_key);
+}  // namespace crx_file
+
+#endif  // BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_CREATOR_H_
@@ -0,0 +1,40 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * you can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "components/crx_file/crx_verifier.h"
+
+#include <utility>
+#include <vector>
+
+namespace {
+
+// TODO(atuchin): replace this to the real key hash.
+constexpr uint8_t kBravePublisherKeyHash[] = {
+    0xd5, 0x7d, 0xbb, 0xe7, 0xc5, 0x93, 0x8a, 0x4c, 0x9c, 0x7a, 0x88,
+    0xf0, 0x43, 0x4,  0x53, 0xf0, 0x7c, 0x32, 0x18, 0xf6, 0xc9, 0x74,
+    0x82, 0xa5, 0x95, 0xa5, 0xa9, 0xac, 0x8c, 0xcf, 0x90, 0x14};
+
+std::vector<uint8_t>& GetBravePublisherKey() {
+  static std::vector<uint8_t> brave_publisher_key(
+      std::begin(kBravePublisherKeyHash), std::end(kBravePublisherKeyHash));
+  return brave_publisher_key;
+}
+
+// Used in the patch in crx_verifier.cc.
+bool IsBravePublisher(const std::vector<uint8_t>& key_hash) {
+  return GetBravePublisherKey() == key_hash;
+}
+
+}  // namespace
+
+namespace crx_file {
+
+void SetBravePublisherKeyForTesting(const std::vector<uint8_t>& test_key) {
+  GetBravePublisherKey() = test_key;
+}
+
+}  // namespace crx_file
+
+#include "src/components/crx_file/crx_verifier.cc"
@@ -0,0 +1,17 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * you can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_VERIFIER_H_
+#define BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_VERIFIER_H_
+
+#include "src/components/crx_file/crx_verifier.h"
+
+namespace crx_file {
+
+void SetBravePublisherKeyForTesting(const std::vector<uint8_t>& test_key);
+
+}  // namespace crx_file
+
+#endif  // BRAVE_CHROMIUM_SRC_COMPONENTS_CRX_FILE_CRX_VERIFIER_H_
@@ -0,0 +1,29 @@
+/* Copyright (c) 2022 The Brave Authors. All rights reserved.
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "extensions/browser/extension_creator.h"
+
+#include "base/command_line.h"
+#include "base/files/file_path.h"
+#include "components/crx_file/crx_creator.h"
+#include "components/crx_file/id_util.h"
+
+namespace {
+const char kPublisherKeySwitch[] = "brave-extension-publisher-key";
+}  // namespace
+
+#define BRAVE_CREATE_CRX(output_path, zip_path, signing_key)        \
+  const auto* cmd = base::CommandLine::ForCurrentProcess();         \
+  std::unique_ptr<crypto::RSAPrivateKey> publisher_key;             \
+  if (cmd->HasSwitch(kPublisherKeySwitch)) {                        \
+    publisher_key =                                                 \
+        ReadInputKey(cmd->GetSwitchValuePath(kPublisherKeySwitch)); \
+    if (!publisher_key)                                             \
+      return false;                                                 \
+  }                                                                 \
+  result = crx_file::CreateWithPublisherKey(output_path, zip_path,  \
+                                            signing_key, publisher_key.get());
+
+#include "src/extensions/browser/extension_creator.cc"
@@ -0,0 +1,23 @@
+diff --git a/components/crx_file/crx_creator.cc b/components/crx_file/crx_creator.cc
+index 2f7b3f47232d16472c581beec1d67ab52afe4c83..3a8c5952c348f4e81b609d83d8e44153462c4108 100644
+--- a/components/crx_file/crx_creator.cc
++++ b/components/crx_file/crx_creator.cc
+@@ -13,6 +13,9 @@
+ #include "crypto/sha2.h"
+ #include "crypto/signature_creator.h"
+
++#include "base/files/file_util.h"
++#include "base/logging.h"
++
+ namespace crx_file {
+
+ namespace {
+@@ -68,7 +71,7 @@ CreatorResult SignArchiveAndCreateHeader(const base::FilePath& output_path,
+
+   // Assemble SignedData section.
+   SignedData signed_header_data;
+-  signed_header_data.set_crx_id(GetCrxId(public_key_str));
++  signed_header_data.set_crx_id(BraveGetCrxId(public_key_str, header));
+   const std::string signed_header_data_str =
+       signed_header_data.SerializeAsString();
+   const int signed_header_size = signed_header_data_str.size();
@@ -0,0 +1,29 @@
+diff --git a/components/crx_file/crx_verifier.cc b/components/crx_file/crx_verifier.cc
+index e6e81b0705599ff4aa262e5ebc70ec90bf22af5d..f6e607c9b000651f4cf37c6c9cbe246b4d9b6593 100644
+--- a/components/crx_file/crx_verifier.cc
++++ b/components/crx_file/crx_verifier.cc
+@@ -13,6 +13,7 @@
+
+ #include "base/base64.h"
+ #include "base/bind.h"
++#include "base/logging.h"
+ #include "base/callback.h"
+ #include "base/cxx17_backports.h"
+ #include "base/files/file.h"
+@@ -183,6 +184,7 @@ VerifierResult VerifyCrx3(
+       found_publisher_key =
+           found_publisher_key || key_hash == publisher_key ||
+           (accept_publisher_test_key && key_hash == *publisher_test_key);
++      found_publisher_key = found_publisher_key || IsBravePublisher(key_hash);
+       auto v = std::make_unique<crypto::SignatureVerifier>();
+       static_assert(sizeof(unsigned char) == sizeof(uint8_t),
+                     "Unsupported char size.");
+@@ -200,7 +202,7 @@ VerifierResult VerifyCrx3(
+     return VerifierResult::ERROR_REQUIRED_PROOF_MISSING;
+
+   if (require_publisher_key && !found_publisher_key)
+-    return VerifierResult::ERROR_REQUIRED_PROOF_MISSING;
++    LOG(ERROR) << "VerifierResult::ERROR_REQUIRED_PROOF_MISSING";
+
+   // Update and finalize the verifiers with [archive].
+   if (!ReadHashAndVerifyArchive(file, hash, verifiers))
@@ -0,0 +1,13 @@
+diff --git a/extensions/browser/extension_creator.cc b/extensions/browser/extension_creator.cc
+index 51fd994b78f8f9a5d9d07ef78ee9b4f3f97cc68f..bd42081e84b880971a69e1dc5ca9913908839325 100644
+--- a/extensions/browser/extension_creator.cc
++++ b/extensions/browser/extension_creator.cc
+@@ -229,7 +229,7 @@ bool ExtensionCreator::CreateCrx(
+     result = crx_file::CreateCrxWithVerifiedContentsInHeader(
+         crx_path, zip_path, private_key, compressed_verified_contents.value());
+   } else {
+-    result = crx_file::Create(crx_path, zip_path, private_key);
++    BRAVE_CREATE_CRX(crx_path, zip_path, private_key);
+   }
+   switch (result) {
+     case crx_file::CreatorResult::OK: