Home | History | Annotate | Download | only in extensions
      1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #include "chrome/browser/extensions/sandboxed_unpacker.h"
      6 
      7 #include <set>
      8 
      9 #include "base/base64.h"
     10 #include "base/bind.h"
     11 #include "base/command_line.h"
     12 #include "base/file_util.h"
     13 #include "base/files/file_util_proxy.h"
     14 #include "base/json/json_string_value_serializer.h"
     15 #include "base/memory/scoped_handle.h"
     16 #include "base/message_loop/message_loop.h"
     17 #include "base/metrics/histogram.h"
     18 #include "base/path_service.h"
     19 #include "base/safe_numerics.h"
     20 #include "base/sequenced_task_runner.h"
     21 #include "base/strings/utf_string_conversions.h"
     22 #include "base/threading/sequenced_worker_pool.h"
     23 #include "chrome/browser/extensions/extension_service.h"
     24 #include "chrome/common/chrome_paths.h"
     25 #include "chrome/common/chrome_switches.h"
     26 #include "chrome/common/chrome_utility_messages.h"
     27 #include "chrome/common/extensions/extension_file_util.h"
     28 #include "chrome/common/extensions/extension_l10n_util.h"
     29 #include "chrome/common/extensions/manifest_handlers/icons_handler.h"
     30 #include "content/public/browser/browser_thread.h"
     31 #include "content/public/browser/utility_process_host.h"
     32 #include "content/public/common/common_param_traits.h"
     33 #include "crypto/signature_verifier.h"
     34 #include "extensions/common/constants.h"
     35 #include "extensions/common/crx_file.h"
     36 #include "extensions/common/extension.h"
     37 #include "extensions/common/id_util.h"
     38 #include "extensions/common/manifest_constants.h"
     39 #include "grit/generated_resources.h"
     40 #include "third_party/skia/include/core/SkBitmap.h"
     41 #include "ui/base/l10n/l10n_util.h"
     42 #include "ui/gfx/codec/png_codec.h"
     43 
     44 using content::BrowserThread;
     45 using content::UtilityProcessHost;
     46 
     47 // The following macro makes histograms that record the length of paths
     48 // in this file much easier to read.
     49 // Windows has a short max path length. If the path length to a
     50 // file being unpacked from a CRX exceeds the max length, we might
     51 // fail to install. To see if this is happening, see how long the
     52 // path to the temp unpack directory is. See crbug.com/69693 .
     53 #define PATH_LENGTH_HISTOGRAM(name, path) \
     54     UMA_HISTOGRAM_CUSTOM_COUNTS(name, path.value().length(), 0, 500, 100)
     55 
     56 // Record a rate (kB per second) at which extensions are unpacked.
     57 // Range from 1kB/s to 100mB/s.
     58 #define UNPACK_RATE_HISTOGRAM(name, rate) \
     59     UMA_HISTOGRAM_CUSTOM_COUNTS(name, rate, 1, 100000, 100);
     60 
     61 namespace extensions {
     62 namespace {
     63 
     64 void RecordSuccessfulUnpackTimeHistograms(
     65     const base::FilePath& crx_path, const base::TimeDelta unpack_time) {
     66 
     67   const int64 kBytesPerKb = 1024;
     68   const int64 kBytesPerMb = 1024 * 1024;
     69 
     70   UMA_HISTOGRAM_TIMES("Extensions.SandboxUnpackSuccessTime", unpack_time);
     71 
     72   // To get a sense of how CRX size impacts unpack time, record unpack
     73   // time for several increments of CRX size.
     74   int64 crx_file_size;
     75   if (!base::GetFileSize(crx_path, &crx_file_size)) {
     76     UMA_HISTOGRAM_COUNTS("Extensions.SandboxUnpackSuccessCantGetCrxSize", 1);
     77     return;
     78   }
     79 
     80   // Cast is safe as long as the number of bytes in the CRX is less than
     81   // 2^31 * 2^10.
     82   int crx_file_size_kb = static_cast<int>(crx_file_size / kBytesPerKb);
     83   UMA_HISTOGRAM_COUNTS(
     84       "Extensions.SandboxUnpackSuccessCrxSize", crx_file_size_kb);
     85 
     86   // We have time in seconds and file size in bytes.  We want the rate bytes are
     87   // unpacked in kB/s.
     88   double file_size_kb =
     89       static_cast<double>(crx_file_size) / static_cast<double>(kBytesPerKb);
     90   int unpack_rate_kb_per_s =
     91       static_cast<int>(file_size_kb / unpack_time.InSecondsF());
     92   UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate", unpack_rate_kb_per_s);
     93 
     94   if (crx_file_size < 50.0 * kBytesPerKb) {
     95     UNPACK_RATE_HISTOGRAM(
     96         "Extensions.SandboxUnpackRateUnder50kB", unpack_rate_kb_per_s);
     97 
     98   } else if (crx_file_size < 1 * kBytesPerMb) {
     99     UNPACK_RATE_HISTOGRAM(
    100         "Extensions.SandboxUnpackRate50kBTo1mB", unpack_rate_kb_per_s);
    101 
    102   } else if (crx_file_size < 2 * kBytesPerMb) {
    103     UNPACK_RATE_HISTOGRAM(
    104         "Extensions.SandboxUnpackRate1To2mB", unpack_rate_kb_per_s);
    105 
    106   } else if (crx_file_size < 5 * kBytesPerMb) {
    107     UNPACK_RATE_HISTOGRAM(
    108         "Extensions.SandboxUnpackRate2To5mB", unpack_rate_kb_per_s);
    109 
    110   } else if (crx_file_size < 10 * kBytesPerMb) {
    111     UNPACK_RATE_HISTOGRAM(
    112         "Extensions.SandboxUnpackRate5To10mB", unpack_rate_kb_per_s);
    113 
    114   } else {
    115     UNPACK_RATE_HISTOGRAM(
    116         "Extensions.SandboxUnpackRateOver10mB", unpack_rate_kb_per_s);
    117   }
    118 }
    119 
    120 // Work horse for FindWritableTempLocation. Creates a temp file in the folder
    121 // and uses NormalizeFilePath to check if the path is junction free.
    122 bool VerifyJunctionFreeLocation(base::FilePath* temp_dir) {
    123   if (temp_dir->empty())
    124     return false;
    125 
    126   base::FilePath temp_file;
    127   if (!base::CreateTemporaryFileInDir(*temp_dir, &temp_file)) {
    128     LOG(ERROR) << temp_dir->value() << " is not writable";
    129     return false;
    130   }
    131   // NormalizeFilePath requires a non-empty file, so write some data.
    132   // If you change the exit points of this function please make sure all
    133   // exit points delete this temp file!
    134   if (file_util::WriteFile(temp_file, ".", 1) != 1)
    135     return false;
    136 
    137   base::FilePath normalized_temp_file;
    138   bool normalized = base::NormalizeFilePath(temp_file, &normalized_temp_file);
    139   if (!normalized) {
    140     // If |temp_file| contains a link, the sandbox will block al file system
    141     // operations, and the install will fail.
    142     LOG(ERROR) << temp_dir->value() << " seem to be on remote drive.";
    143   } else {
    144     *temp_dir = normalized_temp_file.DirName();
    145   }
    146   // Clean up the temp file.
    147   base::DeleteFile(temp_file, false);
    148 
    149   return normalized;
    150 }
    151 
    152 // This function tries to find a location for unpacking the extension archive
    153 // that is writable and does not lie on a shared drive so that the sandboxed
    154 // unpacking process can write there. If no such location exists we can not
    155 // proceed and should fail.
    156 // The result will be written to |temp_dir|. The function will write to this
    157 // parameter even if it returns false.
    158 bool FindWritableTempLocation(const base::FilePath& extensions_dir,
    159                               base::FilePath* temp_dir) {
    160 // On ChromeOS, we will only attempt to unpack extension in cryptohome (profile)
    161 // directory to provide additional security/privacy and speed up the rest of
    162 // the extension install process.
    163 #if !defined(OS_CHROMEOS)
    164   PathService::Get(base::DIR_TEMP, temp_dir);
    165   if (VerifyJunctionFreeLocation(temp_dir))
    166     return true;
    167 #endif
    168 
    169   *temp_dir = extension_file_util::GetInstallTempDir(extensions_dir);
    170   if (VerifyJunctionFreeLocation(temp_dir))
    171     return true;
    172   // Neither paths is link free chances are good installation will fail.
    173   LOG(ERROR) << "Both the %TEMP% folder and the profile seem to be on "
    174              << "remote drives or read-only. Installation can not complete!";
    175   return false;
    176 }
    177 
    178 // Read the decoded images back from the file we saved them to.
    179 // |extension_path| is the path to the extension we unpacked that wrote the
    180 // data. Returns true on success.
    181 bool ReadImagesFromFile(const base::FilePath& extension_path,
    182                         DecodedImages* images) {
    183   base::FilePath path =
    184       extension_path.AppendASCII(kDecodedImagesFilename);
    185   std::string file_str;
    186   if (!base::ReadFileToString(path, &file_str))
    187     return false;
    188 
    189   IPC::Message pickle(file_str.data(), file_str.size());
    190   PickleIterator iter(pickle);
    191   return IPC::ReadParam(&pickle, &iter, images);
    192 }
    193 
    194 // Read the decoded message catalogs back from the file we saved them to.
    195 // |extension_path| is the path to the extension we unpacked that wrote the
    196 // data. Returns true on success.
    197 bool ReadMessageCatalogsFromFile(const base::FilePath& extension_path,
    198                                  base::DictionaryValue* catalogs) {
    199   base::FilePath path = extension_path.AppendASCII(
    200       kDecodedMessageCatalogsFilename);
    201   std::string file_str;
    202   if (!base::ReadFileToString(path, &file_str))
    203     return false;
    204 
    205   IPC::Message pickle(file_str.data(), file_str.size());
    206   PickleIterator iter(pickle);
    207   return IPC::ReadParam(&pickle, &iter, catalogs);
    208 }
    209 
    210 }  // namespace
    211 
    212 SandboxedUnpacker::SandboxedUnpacker(
    213     const base::FilePath& crx_path,
    214     Manifest::Location location,
    215     int creation_flags,
    216     const base::FilePath& extensions_dir,
    217     base::SequencedTaskRunner* unpacker_io_task_runner,
    218     SandboxedUnpackerClient* client)
    219     : crx_path_(crx_path),
    220       client_(client),
    221       extensions_dir_(extensions_dir),
    222       got_response_(false),
    223       location_(location),
    224       creation_flags_(creation_flags),
    225       unpacker_io_task_runner_(unpacker_io_task_runner) {
    226 }
    227 
    228 bool SandboxedUnpacker::CreateTempDirectory() {
    229   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
    230 
    231   base::FilePath temp_dir;
    232   if (!FindWritableTempLocation(extensions_dir_, &temp_dir)) {
    233     ReportFailure(
    234         COULD_NOT_GET_TEMP_DIRECTORY,
    235         l10n_util::GetStringFUTF16(
    236             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    237             ASCIIToUTF16("COULD_NOT_GET_TEMP_DIRECTORY")));
    238     return false;
    239   }
    240 
    241   if (!temp_dir_.CreateUniqueTempDirUnderPath(temp_dir)) {
    242     ReportFailure(
    243         COULD_NOT_CREATE_TEMP_DIRECTORY,
    244         l10n_util::GetStringFUTF16(
    245             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    246             ASCIIToUTF16("COULD_NOT_CREATE_TEMP_DIRECTORY")));
    247     return false;
    248   }
    249 
    250   return true;
    251 }
    252 
    253 void SandboxedUnpacker::Start() {
    254   // We assume that we are started on the thread that the client wants us to do
    255   // file IO on.
    256   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
    257 
    258   unpack_start_time_ = base::TimeTicks::Now();
    259 
    260   PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackInitialCrxPathLength",
    261                         crx_path_);
    262   if (!CreateTempDirectory())
    263     return;  // ReportFailure() already called.
    264 
    265   // Initialize the path that will eventually contain the unpacked extension.
    266   extension_root_ = temp_dir_.path().AppendASCII(kTempExtensionName);
    267   PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackUnpackedCrxPathLength",
    268                         extension_root_);
    269 
    270   // Extract the public key and validate the package.
    271   if (!ValidateSignature())
    272     return;  // ValidateSignature() already reported the error.
    273 
    274   // Copy the crx file into our working directory.
    275   base::FilePath temp_crx_path = temp_dir_.path().Append(crx_path_.BaseName());
    276   PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackTempCrxPathLength",
    277                         temp_crx_path);
    278 
    279   if (!base::CopyFile(crx_path_, temp_crx_path)) {
    280     // Failed to copy extension file to temporary directory.
    281     ReportFailure(
    282         FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY,
    283         l10n_util::GetStringFUTF16(
    284             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    285             ASCIIToUTF16("FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY")));
    286     return;
    287   }
    288 
    289   // The utility process will have access to the directory passed to
    290   // SandboxedUnpacker.  That directory should not contain a symlink or NTFS
    291   // reparse point.  When the path is used, following the link/reparse point
    292   // will cause file system access outside the sandbox path, and the sandbox
    293   // will deny the operation.
    294   base::FilePath link_free_crx_path;
    295   if (!base::NormalizeFilePath(temp_crx_path, &link_free_crx_path)) {
    296     LOG(ERROR) << "Could not get the normalized path of "
    297                << temp_crx_path.value();
    298     ReportFailure(
    299         COULD_NOT_GET_SANDBOX_FRIENDLY_PATH,
    300         l10n_util::GetStringUTF16(IDS_EXTENSION_UNPACK_FAILED));
    301     return;
    302   }
    303   PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackLinkFreeCrxPathLength",
    304                         link_free_crx_path);
    305 
    306   BrowserThread::PostTask(
    307       BrowserThread::IO, FROM_HERE,
    308       base::Bind(
    309           &SandboxedUnpacker::StartProcessOnIOThread,
    310           this,
    311           link_free_crx_path));
    312 }
    313 
    314 SandboxedUnpacker::~SandboxedUnpacker() {
    315 }
    316 
    317 bool SandboxedUnpacker::OnMessageReceived(const IPC::Message& message) {
    318   bool handled = true;
    319   IPC_BEGIN_MESSAGE_MAP(SandboxedUnpacker, message)
    320     IPC_MESSAGE_HANDLER(ChromeUtilityHostMsg_UnpackExtension_Succeeded,
    321                         OnUnpackExtensionSucceeded)
    322     IPC_MESSAGE_HANDLER(ChromeUtilityHostMsg_UnpackExtension_Failed,
    323                         OnUnpackExtensionFailed)
    324     IPC_MESSAGE_UNHANDLED(handled = false)
    325   IPC_END_MESSAGE_MAP()
    326   return handled;
    327 }
    328 
    329 void SandboxedUnpacker::OnProcessCrashed(int exit_code) {
    330   // Don't report crashes if they happen after we got a response.
    331   if (got_response_)
    332     return;
    333 
    334   // Utility process crashed while trying to install.
    335   ReportFailure(
    336      UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL,
    337      l10n_util::GetStringFUTF16(
    338          IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    339          ASCIIToUTF16("UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL")));
    340 }
    341 
    342 void SandboxedUnpacker::StartProcessOnIOThread(
    343     const base::FilePath& temp_crx_path) {
    344   UtilityProcessHost* host =
    345       UtilityProcessHost::Create(this, unpacker_io_task_runner_.get());
    346   // Grant the subprocess access to the entire subdir the extension file is
    347   // in, so that it can unpack to that dir.
    348   host->SetExposedDir(temp_crx_path.DirName());
    349   host->Send(
    350       new ChromeUtilityMsg_UnpackExtension(
    351           temp_crx_path, extension_id_, location_, creation_flags_));
    352 }
    353 
    354 void SandboxedUnpacker::OnUnpackExtensionSucceeded(
    355     const DictionaryValue& manifest) {
    356   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
    357   got_response_ = true;
    358 
    359   scoped_ptr<DictionaryValue> final_manifest(RewriteManifestFile(manifest));
    360   if (!final_manifest)
    361     return;
    362 
    363   // Create an extension object that refers to the temporary location the
    364   // extension was unpacked to. We use this until the extension is finally
    365   // installed. For example, the install UI shows images from inside the
    366   // extension.
    367 
    368   // Localize manifest now, so confirm UI gets correct extension name.
    369 
    370   // TODO(rdevlin.cronin): Continue removing std::string errors and replacing
    371   // with base::string16
    372   std::string utf8_error;
    373   if (!extension_l10n_util::LocalizeExtension(extension_root_,
    374                                               final_manifest.get(),
    375                                               &utf8_error)) {
    376     ReportFailure(
    377         COULD_NOT_LOCALIZE_EXTENSION,
    378         l10n_util::GetStringFUTF16(
    379             IDS_EXTENSION_PACKAGE_ERROR_MESSAGE,
    380             UTF8ToUTF16(utf8_error)));
    381     return;
    382   }
    383 
    384   extension_ = Extension::Create(
    385       extension_root_,
    386       location_,
    387       *final_manifest,
    388       Extension::REQUIRE_KEY | creation_flags_,
    389       &utf8_error);
    390 
    391   if (!extension_.get()) {
    392     ReportFailure(INVALID_MANIFEST,
    393                   ASCIIToUTF16("Manifest is invalid: " + utf8_error));
    394     return;
    395   }
    396 
    397   SkBitmap install_icon;
    398   if (!RewriteImageFiles(&install_icon))
    399     return;
    400 
    401   if (!RewriteCatalogFiles())
    402     return;
    403 
    404   ReportSuccess(manifest, install_icon);
    405 }
    406 
    407 void SandboxedUnpacker::OnUnpackExtensionFailed(const base::string16& error) {
    408   CHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
    409   got_response_ = true;
    410   ReportFailure(
    411       UNPACKER_CLIENT_FAILED,
    412       l10n_util::GetStringFUTF16(
    413            IDS_EXTENSION_PACKAGE_ERROR_MESSAGE,
    414            error));
    415 }
    416 
    417 bool SandboxedUnpacker::ValidateSignature() {
    418   ScopedStdioHandle file(base::OpenFile(crx_path_, "rb"));
    419 
    420   if (!file.get()) {
    421     // Could not open crx file for reading.
    422 #if defined (OS_WIN)
    423     // On windows, get the error code.
    424     uint32 error_code = ::GetLastError();
    425     // TODO(skerner): Use this histogram to understand why so many
    426     // windows users hit this error.  crbug.com/69693
    427 
    428     // Windows errors are unit32s, but all of likely errors are in
    429     // [1, 1000].  See winerror.h for the meaning of specific values.
    430     // Clip errors outside the expected range to a single extra value.
    431     // If there are errors in that extra bucket, we will know to expand
    432     // the range.
    433     const uint32 kMaxErrorToSend = 1001;
    434     error_code = std::min(error_code, kMaxErrorToSend);
    435     UMA_HISTOGRAM_ENUMERATION("Extensions.ErrorCodeFromCrxOpen",
    436                               error_code, kMaxErrorToSend);
    437 #endif
    438 
    439     ReportFailure(
    440         CRX_FILE_NOT_READABLE,
    441         l10n_util::GetStringFUTF16(
    442             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    443             ASCIIToUTF16("CRX_FILE_NOT_READABLE")));
    444     return false;
    445   }
    446 
    447   // Read and verify the header.
    448   // TODO(erikkay): Yuck.  I'm not a big fan of this kind of code, but it
    449   // appears that we don't have any endian/alignment aware serialization
    450   // code in the code base.  So for now, this assumes that we're running
    451   // on a little endian machine with 4 byte alignment.
    452   CrxFile::Header header;
    453   size_t len = fread(&header, 1, sizeof(header), file.get());
    454   if (len < sizeof(header)) {
    455     // Invalid crx header
    456     ReportFailure(
    457         CRX_HEADER_INVALID,
    458         l10n_util::GetStringFUTF16(
    459             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    460             ASCIIToUTF16("CRX_HEADER_INVALID")));
    461     return false;
    462   }
    463 
    464   CrxFile::Error error;
    465   scoped_ptr<CrxFile> crx(CrxFile::Parse(header, &error));
    466   if (!crx) {
    467     switch (error) {
    468       case CrxFile::kWrongMagic:
    469         ReportFailure(
    470             CRX_MAGIC_NUMBER_INVALID,
    471             l10n_util::GetStringFUTF16(
    472                 IDS_EXTENSION_PACKAGE_ERROR_CODE,
    473                 ASCIIToUTF16("CRX_MAGIC_NUMBER_INVALID")));
    474         break;
    475       case CrxFile::kInvalidVersion:
    476         // Bad version numer
    477         ReportFailure(
    478             CRX_VERSION_NUMBER_INVALID,
    479             l10n_util::GetStringFUTF16(
    480                 IDS_EXTENSION_PACKAGE_ERROR_CODE,
    481                 ASCIIToUTF16("CRX_VERSION_NUMBER_INVALID")));
    482         break;
    483       case CrxFile::kInvalidKeyTooLarge:
    484       case CrxFile::kInvalidSignatureTooLarge:
    485         // Excessively large key or signature
    486         ReportFailure(
    487             CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE,
    488             l10n_util::GetStringFUTF16(
    489                 IDS_EXTENSION_PACKAGE_ERROR_CODE,
    490                 ASCIIToUTF16("CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE")));
    491         break;
    492       case CrxFile::kInvalidKeyTooSmall:
    493         // Key length is zero
    494         ReportFailure(
    495             CRX_ZERO_KEY_LENGTH,
    496             l10n_util::GetStringFUTF16(
    497                 IDS_EXTENSION_PACKAGE_ERROR_CODE,
    498                 ASCIIToUTF16("CRX_ZERO_KEY_LENGTH")));
    499         break;
    500       case CrxFile::kInvalidSignatureTooSmall:
    501         // Signature length is zero
    502         ReportFailure(
    503             CRX_ZERO_SIGNATURE_LENGTH,
    504             l10n_util::GetStringFUTF16(
    505                 IDS_EXTENSION_PACKAGE_ERROR_CODE,
    506                 ASCIIToUTF16("CRX_ZERO_SIGNATURE_LENGTH")));
    507         break;
    508     }
    509     return false;
    510   }
    511 
    512   std::vector<uint8> key;
    513   key.resize(header.key_size);
    514   len = fread(&key.front(), sizeof(uint8), header.key_size, file.get());
    515   if (len < header.key_size) {
    516     // Invalid public key
    517     ReportFailure(
    518         CRX_PUBLIC_KEY_INVALID,
    519         l10n_util::GetStringFUTF16(
    520             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    521             ASCIIToUTF16("CRX_PUBLIC_KEY_INVALID")));
    522     return false;
    523   }
    524 
    525   std::vector<uint8> signature;
    526   signature.resize(header.signature_size);
    527   len = fread(&signature.front(), sizeof(uint8), header.signature_size,
    528       file.get());
    529   if (len < header.signature_size) {
    530     // Invalid signature
    531     ReportFailure(
    532         CRX_SIGNATURE_INVALID,
    533         l10n_util::GetStringFUTF16(
    534             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    535             ASCIIToUTF16("CRX_SIGNATURE_INVALID")));
    536     return false;
    537   }
    538 
    539   crypto::SignatureVerifier verifier;
    540   if (!verifier.VerifyInit(extension_misc::kSignatureAlgorithm,
    541                            sizeof(extension_misc::kSignatureAlgorithm),
    542                            &signature.front(),
    543                            signature.size(),
    544                            &key.front(),
    545                            key.size())) {
    546     // Signature verification initialization failed. This is most likely
    547     // caused by a public key in the wrong format (should encode algorithm).
    548     ReportFailure(
    549         CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED,
    550         l10n_util::GetStringFUTF16(
    551             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    552             ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED")));
    553     return false;
    554   }
    555 
    556   unsigned char buf[1 << 12];
    557   while ((len = fread(buf, 1, sizeof(buf), file.get())) > 0)
    558     verifier.VerifyUpdate(buf, len);
    559 
    560   if (!verifier.VerifyFinal()) {
    561     // Signature verification failed
    562     ReportFailure(
    563         CRX_SIGNATURE_VERIFICATION_FAILED,
    564         l10n_util::GetStringFUTF16(
    565             IDS_EXTENSION_PACKAGE_ERROR_CODE,
    566             ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_FAILED")));
    567     return false;
    568   }
    569 
    570   std::string public_key =
    571       std::string(reinterpret_cast<char*>(&key.front()), key.size());
    572   base::Base64Encode(public_key, &public_key_);
    573 
    574   extension_id_ = id_util::GenerateId(public_key);
    575 
    576   return true;
    577 }
    578 
    579 void SandboxedUnpacker::ReportFailure(FailureReason reason,
    580                                       const base::string16& error) {
    581   UMA_HISTOGRAM_ENUMERATION("Extensions.SandboxUnpackFailureReason",
    582                             reason, NUM_FAILURE_REASONS);
    583   UMA_HISTOGRAM_TIMES("Extensions.SandboxUnpackFailureTime",
    584                       base::TimeTicks::Now() - unpack_start_time_);
    585   Cleanup();
    586   client_->OnUnpackFailure(error);
    587 }
    588 
    589 void SandboxedUnpacker::ReportSuccess(
    590     const DictionaryValue& original_manifest,
    591     const SkBitmap& install_icon) {
    592   UMA_HISTOGRAM_COUNTS("Extensions.SandboxUnpackSuccess", 1);
    593 
    594   RecordSuccessfulUnpackTimeHistograms(
    595       crx_path_, base::TimeTicks::Now() - unpack_start_time_);
    596 
    597   // Client takes ownership of temporary directory and extension.
    598   client_->OnUnpackSuccess(
    599       temp_dir_.Take(), extension_root_, &original_manifest, extension_.get(),
    600       install_icon);
    601   extension_ = NULL;
    602 }
    603 
    604 DictionaryValue* SandboxedUnpacker::RewriteManifestFile(
    605     const DictionaryValue& manifest) {
    606   // Add the public key extracted earlier to the parsed manifest and overwrite
    607   // the original manifest. We do this to ensure the manifest doesn't contain an
    608   // exploitable bug that could be used to compromise the browser.
    609   scoped_ptr<DictionaryValue> final_manifest(manifest.DeepCopy());
    610   final_manifest->SetString(manifest_keys::kPublicKey, public_key_);
    611 
    612   std::string manifest_json;
    613   JSONStringValueSerializer serializer(&manifest_json);
    614   serializer.set_pretty_print(true);
    615   if (!serializer.Serialize(*final_manifest)) {
    616     // Error serializing manifest.json.
    617     ReportFailure(
    618         ERROR_SERIALIZING_MANIFEST_JSON,
    619         l10n_util::GetStringFUTF16(
    620             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    621             ASCIIToUTF16("ERROR_SERIALIZING_MANIFEST_JSON")));
    622     return NULL;
    623   }
    624 
    625   base::FilePath manifest_path =
    626       extension_root_.Append(kManifestFilename);
    627   int size = base::checked_numeric_cast<int>(manifest_json.size());
    628   if (file_util::WriteFile(manifest_path, manifest_json.data(), size) != size) {
    629     // Error saving manifest.json.
    630     ReportFailure(
    631         ERROR_SAVING_MANIFEST_JSON,
    632         l10n_util::GetStringFUTF16(
    633             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    634             ASCIIToUTF16("ERROR_SAVING_MANIFEST_JSON")));
    635     return NULL;
    636   }
    637 
    638   return final_manifest.release();
    639 }
    640 
    641 bool SandboxedUnpacker::RewriteImageFiles(SkBitmap* install_icon) {
    642   DecodedImages images;
    643   if (!ReadImagesFromFile(temp_dir_.path(), &images)) {
    644     // Couldn't read image data from disk.
    645     ReportFailure(
    646         COULD_NOT_READ_IMAGE_DATA_FROM_DISK,
    647         l10n_util::GetStringFUTF16(
    648             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    649             ASCIIToUTF16("COULD_NOT_READ_IMAGE_DATA_FROM_DISK")));
    650     return false;
    651   }
    652 
    653   // Delete any images that may be used by the browser.  We're going to write
    654   // out our own versions of the parsed images, and we want to make sure the
    655   // originals are gone for good.
    656   std::set<base::FilePath> image_paths =
    657       extension_file_util::GetBrowserImagePaths(extension_.get());
    658   if (image_paths.size() != images.size()) {
    659     // Decoded images don't match what's in the manifest.
    660     ReportFailure(
    661         DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST,
    662         l10n_util::GetStringFUTF16(
    663             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    664             ASCIIToUTF16("DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST")));
    665     return false;
    666   }
    667 
    668   for (std::set<base::FilePath>::iterator it = image_paths.begin();
    669        it != image_paths.end(); ++it) {
    670     base::FilePath path = *it;
    671     if (path.IsAbsolute() || path.ReferencesParent()) {
    672       // Invalid path for browser image.
    673       ReportFailure(
    674           INVALID_PATH_FOR_BROWSER_IMAGE,
    675           l10n_util::GetStringFUTF16(
    676               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    677               ASCIIToUTF16("INVALID_PATH_FOR_BROWSER_IMAGE")));
    678       return false;
    679     }
    680     if (!base::DeleteFile(extension_root_.Append(path), false)) {
    681       // Error removing old image file.
    682       ReportFailure(
    683           ERROR_REMOVING_OLD_IMAGE_FILE,
    684           l10n_util::GetStringFUTF16(
    685               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    686               ASCIIToUTF16("ERROR_REMOVING_OLD_IMAGE_FILE")));
    687       return false;
    688     }
    689   }
    690 
    691   std::string install_icon_path = IconsInfo::GetIcons(extension_).Get(
    692       extension_misc::EXTENSION_ICON_LARGE,
    693       ExtensionIconSet::MATCH_BIGGER);
    694 
    695   // Write our parsed images back to disk as well.
    696   for (size_t i = 0; i < images.size(); ++i) {
    697     if (BrowserThread::GetBlockingPool()->IsShutdownInProgress()) {
    698       // Abort package installation if shutdown was initiated, crbug.com/235525
    699       ReportFailure(
    700           ABORTED_DUE_TO_SHUTDOWN,
    701           l10n_util::GetStringFUTF16(
    702               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    703               ASCIIToUTF16("ABORTED_DUE_TO_SHUTDOWN")));
    704       return false;
    705     }
    706 
    707     const SkBitmap& image = images[i].a;
    708     base::FilePath path_suffix = images[i].b;
    709     if (path_suffix.MaybeAsASCII() == install_icon_path)
    710       *install_icon = image;
    711 
    712     if (path_suffix.IsAbsolute() || path_suffix.ReferencesParent()) {
    713       // Invalid path for bitmap image.
    714       ReportFailure(
    715           INVALID_PATH_FOR_BITMAP_IMAGE,
    716           l10n_util::GetStringFUTF16(
    717               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    718               ASCIIToUTF16("INVALID_PATH_FOR_BITMAP_IMAGE")));
    719       return false;
    720     }
    721     base::FilePath path = extension_root_.Append(path_suffix);
    722 
    723     std::vector<unsigned char> image_data;
    724     // TODO(mpcomplete): It's lame that we're encoding all images as PNG, even
    725     // though they may originally be .jpg, etc.  Figure something out.
    726     // http://code.google.com/p/chromium/issues/detail?id=12459
    727     if (!gfx::PNGCodec::EncodeBGRASkBitmap(image, false, &image_data)) {
    728       // Error re-encoding theme image.
    729       ReportFailure(
    730           ERROR_RE_ENCODING_THEME_IMAGE,
    731           l10n_util::GetStringFUTF16(
    732               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    733               ASCIIToUTF16("ERROR_RE_ENCODING_THEME_IMAGE")));
    734       return false;
    735     }
    736 
    737     // Note: we're overwriting existing files that the utility process wrote,
    738     // so we can be sure the directory exists.
    739     const char* image_data_ptr = reinterpret_cast<const char*>(&image_data[0]);
    740     int size = base::checked_numeric_cast<int>(image_data.size());
    741     if (file_util::WriteFile(path, image_data_ptr, size) != size) {
    742       // Error saving theme image.
    743       ReportFailure(
    744           ERROR_SAVING_THEME_IMAGE,
    745           l10n_util::GetStringFUTF16(
    746               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    747               ASCIIToUTF16("ERROR_SAVING_THEME_IMAGE")));
    748       return false;
    749     }
    750   }
    751 
    752   return true;
    753 }
    754 
    755 bool SandboxedUnpacker::RewriteCatalogFiles() {
    756   DictionaryValue catalogs;
    757   if (!ReadMessageCatalogsFromFile(temp_dir_.path(), &catalogs)) {
    758     // Could not read catalog data from disk.
    759     ReportFailure(
    760         COULD_NOT_READ_CATALOG_DATA_FROM_DISK,
    761         l10n_util::GetStringFUTF16(
    762             IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    763             ASCIIToUTF16("COULD_NOT_READ_CATALOG_DATA_FROM_DISK")));
    764     return false;
    765   }
    766 
    767   // Write our parsed catalogs back to disk.
    768   for (DictionaryValue::Iterator it(catalogs); !it.IsAtEnd(); it.Advance()) {
    769     const DictionaryValue* catalog = NULL;
    770     if (!it.value().GetAsDictionary(&catalog)) {
    771       // Invalid catalog data.
    772       ReportFailure(
    773           INVALID_CATALOG_DATA,
    774           l10n_util::GetStringFUTF16(
    775               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    776               ASCIIToUTF16("INVALID_CATALOG_DATA")));
    777       return false;
    778     }
    779 
    780     base::FilePath relative_path = base::FilePath::FromUTF8Unsafe(it.key());
    781     relative_path = relative_path.Append(kMessagesFilename);
    782     if (relative_path.IsAbsolute() || relative_path.ReferencesParent()) {
    783       // Invalid path for catalog.
    784       ReportFailure(
    785           INVALID_PATH_FOR_CATALOG,
    786           l10n_util::GetStringFUTF16(
    787               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    788               ASCIIToUTF16("INVALID_PATH_FOR_CATALOG")));
    789       return false;
    790     }
    791     base::FilePath path = extension_root_.Append(relative_path);
    792 
    793     std::string catalog_json;
    794     JSONStringValueSerializer serializer(&catalog_json);
    795     serializer.set_pretty_print(true);
    796     if (!serializer.Serialize(*catalog)) {
    797       // Error serializing catalog.
    798       ReportFailure(
    799           ERROR_SERIALIZING_CATALOG,
    800           l10n_util::GetStringFUTF16(
    801               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    802               ASCIIToUTF16("ERROR_SERIALIZING_CATALOG")));
    803       return false;
    804     }
    805 
    806     // Note: we're overwriting existing files that the utility process read,
    807     // so we can be sure the directory exists.
    808     int size = base::checked_numeric_cast<int>(catalog_json.size());
    809     if (file_util::WriteFile(path, catalog_json.c_str(), size) != size) {
    810       // Error saving catalog.
    811       ReportFailure(
    812           ERROR_SAVING_CATALOG,
    813           l10n_util::GetStringFUTF16(
    814               IDS_EXTENSION_PACKAGE_INSTALL_ERROR,
    815               ASCIIToUTF16("ERROR_SAVING_CATALOG")));
    816       return false;
    817     }
    818   }
    819 
    820   return true;
    821 }
    822 
    823 void SandboxedUnpacker::Cleanup() {
    824   DCHECK(unpacker_io_task_runner_->RunsTasksOnCurrentThread());
    825   if (!temp_dir_.Delete()) {
    826     LOG(WARNING) << "Can not delete temp directory at "
    827                  << temp_dir_.path().value();
    828   }
    829 }
    830 
    831 }  // namespace extensions
    832