| Yavor Goulishev | 9c08e84 | 2020-04-29 14:03:33 -0700 | [diff] [blame] | 1 | // Copyright 2017 The Chromium Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style license that can be |
| 3 | // found in the LICENSE file |
| 4 | |
| 5 | syntax = "proto2"; |
| 6 | |
| 7 | option optimize_for = LITE_RUNTIME; |
| 8 | |
| 9 | package crx_file; |
| 10 | |
| 11 | // A CRX₃ file is a binary file of the following format: |
| 12 | // [4 octets]: "Cr24", a magic number. |
| 13 | // [4 octets]: The version of the *.crx file format used (currently 3). |
| 14 | // [4 octets]: N, little-endian, the length of the header section. |
| 15 | // [N octets]: The header (the binary encoding of a CrxFileHeader). |
| 16 | // [M octets]: The ZIP archive. |
| 17 | // Clients should reject CRX₃ files that contain an N that is too large for the |
| 18 | // client to safely handle in memory. |
| 19 | |
| 20 | message CrxFileHeader { |
| 21 | // PSS signature with RSA public key. The public key is formatted as a |
| 22 | // X.509 SubjectPublicKeyInfo block, as in CRX₂. In the common case of a |
| 23 | // developer key proof, the first 128 bits of the SHA-256 hash of the |
| 24 | // public key must equal the crx_id. |
| 25 | repeated AsymmetricKeyProof sha256_with_rsa = 2; |
| 26 | |
| 27 | // ECDSA signature, using the NIST P-256 curve. Public key appears in |
| 28 | // named-curve format. |
| 29 | // The pinned algorithm will be this, at least on 2017-01-01. |
| 30 | repeated AsymmetricKeyProof sha256_with_ecdsa = 3; |
| 31 | |
| 32 | // The binary form of a SignedData message. We do not use a nested |
| 33 | // SignedData message, as handlers of this message must verify the proofs |
| 34 | // on exactly these bytes, so it is convenient to parse in two steps. |
| 35 | // |
| 36 | // All proofs in this CrxFile message are on the value |
| 37 | // "CRX3 SignedData\x00" + signed_header_size + signed_header_data + |
| 38 | // archive, where "\x00" indicates an octet with value 0, "CRX3 SignedData" |
| 39 | // is encoded using UTF-8, signed_header_size is the size in octets of the |
| 40 | // contents of this field and is encoded using 4 octets in little-endian |
| 41 | // order, signed_header_data is exactly the content of this field, and |
| 42 | // archive is the remaining contents of the file following the header. |
| 43 | optional bytes signed_header_data = 10000; |
| 44 | } |
| 45 | |
| 46 | message AsymmetricKeyProof { |
| 47 | optional bytes public_key = 1; |
| 48 | optional bytes signature = 2; |
| 49 | } |
| 50 | |
| 51 | message SignedData { |
| 52 | // This is simple binary, not UTF-8 encoded mpdecimal; i.e. it is exactly |
| 53 | // 16 bytes long. |
| 54 | optional bytes crx_id = 1; |
| 55 | } |
