diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
new file mode 100644
index 0000000..f313473
--- /dev/null
+++ b/.github/workflows/ci.yaml
@@ -0,0 +1,31 @@
+name: CI
+on:
+ push:
+ branches: ["main"]
+ pull_request: {}
+jobs:
+ cargo:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ rust: [stable, beta]
+ steps:
+ - uses: actions/checkout@v4
+ - name: Install dependencies (linux)
+ run: |
+ sudo apt install -y protobuf-compiler
+ echo "PROTOC=$(which protoc)" >> $GITHUB_ENV
+ - uses: dtolnay/rust-toolchain@master
+ with:
+ toolchain: ${{ matrix.rust }}
+ components: clippy, rustfmt
+ - name: Run cargo clippy
+ run: cargo clippy --all-targets --all-features -- -D warnings
+ - name: Run cargo fmt
+ run: cargo fmt --all --check
+ - name: Run cargo sort
+ run: |
+ cargo install cargo-sort
+ cargo sort --grouped --check
+ - name: Run cargo test
+ run: cargo test --all-features --all-targets
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
new file mode 100644
index 0000000..785a7d7
--- /dev/null
+++ b/.github/workflows/publish.yaml
@@ -0,0 +1,84 @@
+name: publish
+on: workflow_dispatch
+jobs:
+ build:
+ runs-on: ${{ matrix.os }}
+ strategy:
+ matrix:
+ include:
+ - os: ubuntu-latest
+ alias: unknown-linux-gnu
+ - os: macos-12
+ alias: x86_64-apple-darwin
+ - os: macos-13-xlarge
+ alias: aarch64-apple-darwin
+ - os: windows-latest
+ alias: pc-windows-msvc
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - if: matrix.os == 'ubuntu-latest'
+ name: Install dependencies (linux)
+ run: |
+ sudo apt install -y protobuf-compiler
+ echo "PROTOC=$(which protoc)" >> $GITHUB_ENV
+ - if: matrix.os == 'macos-12' || matrix.os == 'macos-13-xlarge'
+ name: Install dependencies (macos)
+ run: |
+ brew install protobuf
+ echo "PROTOC=$(which protoc)" >> $GITHUB_ENV
+ - if: matrix.sys.os == 'windows-latest'
+ name: Install MSYS2 (windows)
+ uses: msys2/setup-msys2@v2
+ - if: matrix.os == 'windows-latest'
+ name: Install dependencies (windows)
+ run: choco install protoc
+ - name: Install Rust stable
+ uses: dtolnay/rust-toolchain@stable
+ - name: Run cargo build
+ run: cargo build --profile=release-bin
+ - if: "!cancelled()"
+ uses: actions/upload-artifact@v4
+ with:
+ name: crx-${{ matrix.alias }}
+ path: target/release-bin/{crx,crx.exe}
+ if-no-files-found: error
+ publish:
+ name: Publish crate
+ runs-on: [ubuntu-latest]
+ needs: [build]
+ if: ${{ always() && !cancelled() && needs.build.result == 'success' }}
+ env:
+ CARGO_TERM_COLOR: always
+ RUST_BACKTRACE: 1
+ steps:
+ - uses: actions/checkout@v4
+ with:
+ token: ${{ secrets.GITHUB_TOKEN }}
+ - name: Login to crates.io
+ run: cargo login $CRATES_IO_TOKEN
+ env:
+ CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
+ - name: Publish
+ run: cargo publish
+ env:
+ CRATES_IO_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
+ release:
+ runs-on: [ubuntu-latest]
+ needs: [build, publish]
+ if: ${{ always() && !cancelled() && needs.publish.result == 'success' && needs.build.result == 'success' }}
+ steps:
+ - uses: actions/download-artifact@v4
+ with:
+ path: /artifacts
+ - name: Create release
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ tag: ${{ github.ref_name }}
+ run: |
+ gh release create "$tag" \
+ --repo="$GITHUB_REPOSITORY" \
+ --title="${GITHUB_REPOSITORY#*/} ${tag#v}" \
+ --generate-notes
+ gh release upload "$tag" /artifacts
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..4fffb2f
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+/target
+/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
new file mode 100644
index 0000000..7cbdb49
--- /dev/null
+++ b/Cargo.toml
@@ -0,0 +1,68 @@
+[package]
+name = "crx"
+version = "0.1.0"
+edition = "2021"
+authors = ["realtimetodie"]
+description = "A library to read and write as CRX packages"
+keywords = [
+ "browser",
+ "browser extension",
+ "crx",
+ "chrome",
+ "chrome extension",
+ "extension",
+ "web",
+ "web extension",
+]
+categories = [
+ "command-line-utilities",
+ "cryptography",
+ "decoding",
+ "encoding",
+ "web-programming",
+ "no-std",
+]
+license = "GPL-3.0"
+documentation = "https://docs.rs/crx/"
+repository = "https://github.com/realtimetodie/crx"
+rust-version = "1.65"
+
+[package.metadata.docs.rs]
+all-features = true
+rustdoc-args = ["--cfg", "docsrs"]
+
+[lib]
+crate-type = ["cdylib", "rlib"]
+path = "src/lib.rs"
+
+[[bin]]
+name = "crx"
+path = "src/main.rs"
+
+[features]
+default = ["ecdsa", "rsa", "std"]
+ecdsa = ["dep:ecdsa", "dep:p256"]
+rsa = ["dep:rsa", "dep:sha2"]
+std = []
+wasm = ["getrandom/js", "dep:wasm-bindgen"]
+
+[dependencies]
+clap = "4.4.12"
+const-oid = { version = "0.9.6", features = ["db"] }
+ecdsa = { version = "0.16.9", default-features = false, features = ["pem", "pkcs8", "verifying"], optional = true }
+getrandom = { version = "0.2.11", optional = true }
+p256 = { version = "0.13.2", optional = true }
+pkcs8 = { version = "0.10.2", features = ["encryption", "std", "pkcs5"] }
+prost = "0.12.3"
+rand = "0.8.5"
+rsa = { version = "0.9.6", default-features = false, features = ["sha2"], optional = true }
+sha2 = { version = "0.10.8", optional = true }
+signature = "2.2.0"
+wasm-bindgen = { version = "0.2.89", optional = true }
+
+[build-dependencies]
+prost-build = "0.12.3"
+
+[profile.release-bin]
+inherits = "release"
+strip = "debuginfo"
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..01a7a80
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,675 @@
+### GNU GENERAL PUBLIC LICENSE
+
+Version 3, 29 June 2007
+
+Copyright (C) 2007 Free Software Foundation, Inc.
+
+
+Everyone is permitted to copy and distribute verbatim copies of this
+license document, but changing it is not allowed.
+
+### Preamble
+
+The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works. By contrast,
+the GNU General Public License is intended to guarantee your freedom
+to share and change all versions of a program--to make sure it remains
+free software for all its users. We, the Free Software Foundation, use
+the GNU General Public License for most of our software; it applies
+also to any other work released this way by its authors. You can apply
+it to your programs, too.
+
+When we speak of free software, we are referring to freedom, not
+price. Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights. Therefore, you
+have certain responsibilities if you distribute copies of the
+software, or if you modify it: responsibilities to respect the freedom
+of others.
+
+For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received. You must make sure that they, too, receive
+or can get the source code. And you must show them these terms so they
+know their rights.
+
+Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software. For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the
+manufacturer can do so. This is fundamentally incompatible with the
+aim of protecting users' freedom to change the software. The
+systematic pattern of such abuse occurs in the area of products for
+individuals to use, which is precisely where it is most unacceptable.
+Therefore, we have designed this version of the GPL to prohibit the
+practice for those products. If such problems arise substantially in
+other domains, we stand ready to extend this provision to those
+domains in future versions of the GPL, as needed to protect the
+freedom of users.
+
+Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish
+to avoid the special danger that patents applied to a free program
+could make it effectively proprietary. To prevent this, the GPL
+assures that patents cannot be used to render the program non-free.
+
+The precise terms and conditions for copying, distribution and
+modification follow.
+
+### TERMS AND CONDITIONS
+
+#### 0. Definitions.
+
+"This License" refers to version 3 of the GNU General Public License.
+
+"Copyright" also means copyright-like laws that apply to other kinds
+of works, such as semiconductor masks.
+
+"The Program" refers to any copyrightable work licensed under this
+License. Each licensee is addressed as "you". "Licensees" and
+"recipients" may be individuals or organizations.
+
+To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of
+an exact copy. The resulting work is called a "modified version" of
+the earlier work or a work "based on" the earlier work.
+
+A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy. Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies. Mere interaction with a user
+through a computer network, with no transfer of a copy, is not
+conveying.
+
+An interactive user interface displays "Appropriate Legal Notices" to
+the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License. If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+#### 1. Source Code.
+
+The "source code" for a work means the preferred form of the work for
+making modifications to it. "Object code" means any non-source form of
+a work.
+
+A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form. A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities. However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work. For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+The Corresponding Source need not include anything that users can
+regenerate automatically from other parts of the Corresponding Source.
+
+The Corresponding Source for a work in source code form is that same
+work.
+
+#### 2. Basic Permissions.
+
+All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met. This License explicitly affirms your unlimited
+permission to run the unmodified Program. The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work. This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+You may make, run and propagate covered works that you do not convey,
+without conditions so long as your license otherwise remains in force.
+You may convey covered works to others for the sole purpose of having
+them make modifications exclusively for you, or provide you with
+facilities for running those works, provided that you comply with the
+terms of this License in conveying all material for which you do not
+control copyright. Those thus making or running the covered works for
+you must do so exclusively on your behalf, under your direction and
+control, on terms that prohibit them from making any copies of your
+copyrighted material outside their relationship with you.
+
+Conveying under any other circumstances is permitted solely under the
+conditions stated below. Sublicensing is not allowed; section 10 makes
+it unnecessary.
+
+#### 3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such
+circumvention is effected by exercising rights under this License with
+respect to the covered work, and you disclaim any intention to limit
+operation or modification of the work as a means of enforcing, against
+the work's users, your or third parties' legal rights to forbid
+circumvention of technological measures.
+
+#### 4. Conveying Verbatim Copies.
+
+You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+#### 5. Conveying Modified Source Versions.
+
+You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these
+conditions:
+
+- a) The work must carry prominent notices stating that you modified
+ it, and giving a relevant date.
+- b) The work must carry prominent notices stating that it is
+ released under this License and any conditions added under
+ section 7. This requirement modifies the requirement in section 4
+ to "keep intact all notices".
+- c) You must license the entire work, as a whole, under this
+ License to anyone who comes into possession of a copy. This
+ License will therefore apply, along with any applicable section 7
+ additional terms, to the whole of the work, and all its parts,
+ regardless of how they are packaged. This License gives no
+ permission to license the work in any other way, but it does not
+ invalidate such permission if you have separately received it.
+- d) If the work has interactive user interfaces, each must display
+ Appropriate Legal Notices; however, if the Program has interactive
+ interfaces that do not display Appropriate Legal Notices, your
+ work need not make them do so.
+
+A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit. Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+#### 6. Conveying Non-Source Forms.
+
+You may convey a covered work in object code form under the terms of
+sections 4 and 5, provided that you also convey the machine-readable
+Corresponding Source under the terms of this License, in one of these
+ways:
+
+- a) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by the
+ Corresponding Source fixed on a durable physical medium
+ customarily used for software interchange.
+- b) Convey the object code in, or embodied in, a physical product
+ (including a physical distribution medium), accompanied by a
+ written offer, valid for at least three years and valid for as
+ long as you offer spare parts or customer support for that product
+ model, to give anyone who possesses the object code either (1) a
+ copy of the Corresponding Source for all the software in the
+ product that is covered by this License, on a durable physical
+ medium customarily used for software interchange, for a price no
+ more than your reasonable cost of physically performing this
+ conveying of source, or (2) access to copy the Corresponding
+ Source from a network server at no charge.
+- c) Convey individual copies of the object code with a copy of the
+ written offer to provide the Corresponding Source. This
+ alternative is allowed only occasionally and noncommercially, and
+ only if you received the object code with such an offer, in accord
+ with subsection 6b.
+- d) Convey the object code by offering access from a designated
+ place (gratis or for a charge), and offer equivalent access to the
+ Corresponding Source in the same way through the same place at no
+ further charge. You need not require recipients to copy the
+ Corresponding Source along with the object code. If the place to
+ copy the object code is a network server, the Corresponding Source
+ may be on a different server (operated by you or a third party)
+ that supports equivalent copying facilities, provided you maintain
+ clear directions next to the object code saying where to find the
+ Corresponding Source. Regardless of what server hosts the
+ Corresponding Source, you remain obligated to ensure that it is
+ available for as long as needed to satisfy these requirements.
+- e) Convey the object code using peer-to-peer transmission,
+ provided you inform other peers where the object code and
+ Corresponding Source of the work are being offered to the general
+ public at no charge under subsection 6d.
+
+A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal,
+family, or household purposes, or (2) anything designed or sold for
+incorporation into a dwelling. In determining whether a product is a
+consumer product, doubtful cases shall be resolved in favor of
+coverage. For a particular product received by a particular user,
+"normally used" refers to a typical or common use of that class of
+product, regardless of the status of the particular user or of the way
+in which the particular user actually uses, or expects or is expected
+to use, the product. A product is a consumer product regardless of
+whether the product has substantial commercial, industrial or
+non-consumer uses, unless such uses represent the only significant
+mode of use of the product.
+
+"Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to
+install and execute modified versions of a covered work in that User
+Product from a modified version of its Corresponding Source. The
+information must suffice to ensure that the continued functioning of
+the modified object code is in no case prevented or interfered with
+solely because modification has been made.
+
+If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information. But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or
+updates for a work that has been modified or installed by the
+recipient, or for the User Product in which it has been modified or
+installed. Access to a network may be denied when the modification
+itself materially and adversely affects the operation of the network
+or violates the rules and protocols for communication across the
+network.
+
+Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+#### 7. Additional Terms.
+
+"Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law. If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it. (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.) You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders
+of that material) supplement the terms of this License with terms:
+
+- a) Disclaiming warranty or limiting liability differently from the
+ terms of sections 15 and 16 of this License; or
+- b) Requiring preservation of specified reasonable legal notices or
+ author attributions in that material or in the Appropriate Legal
+ Notices displayed by works containing it; or
+- c) Prohibiting misrepresentation of the origin of that material,
+ or requiring that modified versions of such material be marked in
+ reasonable ways as different from the original version; or
+- d) Limiting the use for publicity purposes of names of licensors
+ or authors of the material; or
+- e) Declining to grant rights under trademark law for use of some
+ trade names, trademarks, or service marks; or
+- f) Requiring indemnification of licensors and authors of that
+ material by anyone who conveys the material (or modified versions
+ of it) with contractual assumptions of liability to the recipient,
+ for any liability that these contractual assumptions directly
+ impose on those licensors and authors.
+
+All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10. If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term. If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions; the
+above requirements apply either way.
+
+#### 8. Termination.
+
+You may not propagate or modify a covered work except as expressly
+provided under this License. Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+However, if you cease all violation of this License, then your license
+from a particular copyright holder is reinstated (a) provisionally,
+unless and until the copyright holder explicitly and finally
+terminates your license, and (b) permanently, if the copyright holder
+fails to notify you of the violation by some reasonable means prior to
+60 days after the cessation.
+
+Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License. If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+#### 9. Acceptance Not Required for Having Copies.
+
+You are not required to accept this License in order to receive or run
+a copy of the Program. Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance. However,
+nothing other than this License grants you permission to propagate or
+modify any covered work. These actions infringe copyright if you do
+not accept this License. Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+#### 10. Automatic Licensing of Downstream Recipients.
+
+Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License. You are not responsible
+for enforcing compliance by third parties with this License.
+
+An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations. If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License. For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+#### 11. Patents.
+
+A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based. The
+work thus licensed is called the contributor's "contributor version".
+
+A contributor's "essential patent claims" are all patent claims owned
+or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version. For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement). To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients. "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+A patent license is "discriminatory" if it does not include within the
+scope of its coverage, prohibits the exercise of, or is conditioned on
+the non-exercise of one or more of the rights that are specifically
+granted under this License. You may not convey a covered work if you
+are a party to an arrangement with a third party that is in the
+business of distributing software, under which you make payment to the
+third party based on the extent of your activity of conveying the
+work, and under which the third party grants, to any of the parties
+who would receive the covered work from you, a discriminatory patent
+license (a) in connection with copies of the covered work conveyed by
+you (or copies made from those copies), or (b) primarily for and in
+connection with specific products or compilations that contain the
+covered work, unless you entered into that arrangement, or that patent
+license was granted, prior to 28 March 2007.
+
+Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+#### 12. No Surrender of Others' Freedom.
+
+If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License. If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under
+this License and any other pertinent obligations, then as a
+consequence you may not convey it at all. For example, if you agree to
+terms that obligate you to collect a royalty for further conveying
+from those to whom you convey the Program, the only way you could
+satisfy both those terms and this License would be to refrain entirely
+from conveying the Program.
+
+#### 13. Use with the GNU Affero General Public License.
+
+Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work. The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+#### 14. Revised Versions of this License.
+
+The Free Software Foundation may publish revised and/or new versions
+of the GNU General Public License from time to time. Such new versions
+will be similar in spirit to the present version, but may differ in
+detail to address new problems or concerns.
+
+Each version is given a distinguishing version number. If the Program
+specifies that a certain numbered version of the GNU General Public
+License "or any later version" applies to it, you have the option of
+following the terms and conditions either of that numbered version or
+of any later version published by the Free Software Foundation. If the
+Program does not specify a version number of the GNU General Public
+License, you may choose any version ever published by the Free
+Software Foundation.
+
+If the Program specifies that a proxy can decide which future versions
+of the GNU General Public License can be used, that proxy's public
+statement of acceptance of a version permanently authorizes you to
+choose that version for the Program.
+
+Later license versions may give you additional or different
+permissions. However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+#### 15. Disclaimer of Warranty.
+
+THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT
+WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND
+PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE
+DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
+CORRECTION.
+
+#### 16. Limitation of Liability.
+
+IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR
+CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES
+ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT
+NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR
+LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM
+TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER
+PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
+
+#### 17. Interpretation of Sections 15 and 16.
+
+If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+END OF TERMS AND CONDITIONS
+
+### How to Apply These Terms to Your New Programs
+
+If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these
+terms.
+
+To do so, attach the following notices to the program. It is safest to
+attach them to the start of each source file to most effectively state
+the exclusion of warranty; and each file should have at least the
+"copyright" line and a pointer to where the full notice is found.
+
+
+ Copyright (C)
+
+ This program is free software: you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+
+Also add information on how to contact you by electronic and paper
+mail.
+
+If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+ Copyright (C)
+ This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+ This is free software, and you are welcome to redistribute it
+ under certain conditions; type `show c' for details.
+
+The hypothetical commands \`show w' and \`show c' should show the
+appropriate parts of the General Public License. Of course, your
+program's commands might be different; for a GUI interface, you would
+use an "about box".
+
+You should also get your employer (if you work as a programmer) or
+school, if any, to sign a "copyright disclaimer" for the program, if
+necessary. For more information on this, and how to apply and follow
+the GNU GPL, see .
+
+The GNU General Public License does not permit incorporating your
+program into proprietary programs. If your program is a subroutine
+library, you may consider it more useful to permit linking proprietary
+applications with the library. If this is what you want to do, use the
+GNU Lesser General Public License instead of this License. But first,
+please read .
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e35e469
--- /dev/null
+++ b/README.md
@@ -0,0 +1,108 @@
+# crx
+
+A library to read and write CRX packages.
+
+## About
+
+Chrome web extensions and themes are packaged as CRX packages using asymmetric keys.
+
+The CRX package format prepends a Protocol Buffer to a message that can contain an unlimited number of public key and signature proofs.
+
+Supported key sizes and EC curves
+
+- RSA `1.2.840.113549.1.1.1`: 1024, 2048, 4096
+- EC `1.2.840.10045.2.1`: NIST P-256
+
+## Example
+
+Signing, verifying and writing a Chrome web extension as a CRX package
+
+```rust
+use crx::Crx;
+use pkcs8::der::SecretDocument;
+use rand::thread_rng;
+use std::fs;
+
+let zip = fs::read("test/extension.zip")?;
+
+let (_, secret_doc) = SecretDocument::read_pem_file("test/rsa2048-key.pem")?;
+let secret_docs = vec![secret_doc];
+
+let mut rng = thread_rng();
+
+let crx = Crx::try_sign_with_rng(&mut rng, secret_docs, &zip)?;
+assert!(crx.verify().is_ok());
+
+println!("Chrome web extension ID: {}", crx.id);
+
+fs::write("test/extension.crx", crx.to_crx())?;
+```
+
+Reading and extracting a Chrome web extension archive from a CRX package
+
+```rust
+use crx::Crx;
+use std::fs;
+
+let crx = Crx::read_crx_file("extension.crx")?;
+assert!(crx.verify().is_ok());
+
+println!("Chrome web extension ID: {}", crx.id);
+
+fs::write("extension.zip", crx.as_bytes())?;
+```
+
+## Command line tool
+
+```txt
+Usage: crx
+
+Commands:
+ sign Sign a web extension archive and create a CRX package
+ info Print information of a CRX package
+ verify Verify the integrity of a CRX package
+ extract Extract the web extension archive from a CRX package
+ help Print this message or the help of the given subcommand(s)
+
+Options:
+ -h, --help Print help
+ -V, --version Print version
+```
+
+### Signing a web extension archive and creating a CRX package
+
+```
+$ crx sign --key rsa.pem extension.zip
+```
+
+This will output a new CRX package `extension.crx` in the current working directory.
+
+When you sign a CRX package using the crx command line tool, you must provide the signer's private key using the `--key` option.
+
+Usually, you sign a CRX package using only one signer. If you need to sign a CRX package using multiple signatures, use the `--key` option multiple times.
+
+You can specify the output directory using the `--out` option.
+
+```
+$ crx sign --key rsa.pem --out=example.crx extension.zip
+```
+
+### Verifying the integrity of a CRX package
+
+```
+$ crx verify --key rsa.pem extension.crx
+```
+
+This will validate the signatures of the CRX package. If you need to verify a CRX package using multiple signatures, use the `--key` option multiple times.
+
+[//]: # (badges)
+
+[crate-image]: https://buildstats.info/crate/crx
+[crate-link]: https://crates.io/crates/crx
+[doc-image]: https://docs.rs/crx/badge.svg
+[doc-link]: https://docs.rs/crx
+[build-image]: https://github.com/browserbuild/crx/workflows/CI/badge.svg
+[build-link]: https://github.com/browserbuild/crx/actions?query=workflow%3ACI+branch%3Amain
+[deps-image]: https://deps.rs/repo/github/browserbuild/crx/status.svg
+[deps-link]: https://deps.rs/repo/github/browserbuild/crx
+[msrv-image]: https://img.shields.io/badge/rustc-1.65+-blue.svg
diff --git a/build.rs b/build.rs
new file mode 100644
index 0000000..934f8e9
--- /dev/null
+++ b/build.rs
@@ -0,0 +1,3 @@
+fn main() -> std::io::Result<()> {
+ prost_build::compile_protos(&["proto/crx3.proto"], &["proto/"])
+}
diff --git a/example/manifest.json b/example/manifest.json
new file mode 100644
index 0000000..68f62f0
--- /dev/null
+++ b/example/manifest.json
@@ -0,0 +1,12 @@
+{
+ "version": "0.1.0",
+ "name": "Test",
+ "description": "Test",
+ "author": "Test",
+ "manifest_version": 3,
+ "permissions": [],
+ "incognito": "spanning",
+ "browser_action": {
+ "default_popup": "popup.html"
+ }
+}
diff --git a/example/popup.html b/example/popup.html
new file mode 100644
index 0000000..e69de29
diff --git a/proto/crx3.proto b/proto/crx3.proto
new file mode 100644
index 0000000..c97c4f2
--- /dev/null
+++ b/proto/crx3.proto
@@ -0,0 +1,55 @@
+// Copyright 2017 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file
+
+syntax = "proto2";
+
+option optimize_for = LITE_RUNTIME;
+
+package crx_file;
+
+// A CRX3 file is a binary file of the following format:
+// [4 octets]: "Cr24", a magic number.
+// [4 octets]: The version of the *.crx file format used (currently 3).
+// [4 octets]: N, little-endian, the length of the header section.
+// [N octets]: The header (the binary encoding of a CrxFileHeader).
+// [M octets]: The ZIP archive.
+// Clients should reject CRX3 files that contain an N that is too large for the
+// client to safely handle in memory.
+
+message CrxFileHeader {
+ // PSS signature with RSA public key. The public key is formatted as a
+ // X.509 SubjectPublicKeyInfo block, as in CRX₂. In the common case of a
+ // developer key proof, the first 128 bits of the SHA-256 hash of the
+ // public key must equal the crx_id.
+ repeated AsymmetricKeyProof sha256_with_rsa = 2;
+
+ // ECDSA signature, using the NIST P-256 curve. Public key appears in
+ // named-curve format.
+ // The pinned algorithm will be this, at least on 2017-01-01.
+ repeated AsymmetricKeyProof sha256_with_ecdsa = 3;
+
+ // The binary form of a SignedData message. We do not use a nested
+ // SignedData message, as handlers of this message must verify the proofs
+ // on exactly these bytes, so it is convenient to parse in two steps.
+ //
+ // All proofs in this CrxFile message are on the value
+ // "CRX3 SignedData\x00" + signed_header_size + signed_header_data +
+ // archive, where "\x00" indicates an octet with value 0, "CRX3 SignedData"
+ // is encoded using UTF-8, signed_header_size is the size in octets of the
+ // contents of this field and is encoded using 4 octets in little-endian
+ // order, signed_header_data is exactly the content of this field, and
+ // archive is the remaining contents of the file following the header.
+ optional bytes signed_header_data = 10000;
+}
+
+message AsymmetricKeyProof {
+ optional bytes public_key = 1;
+ optional bytes signature = 2;
+}
+
+message SignedData {
+ // This is simple binary, not UTF-8 encoded mpdecimal; i.e. it is exactly
+ // 16 bytes long.
+ optional bytes crx_id = 1;
+}
diff --git a/src/error.rs b/src/error.rs
new file mode 100644
index 0000000..bad088b
--- /dev/null
+++ b/src/error.rs
@@ -0,0 +1,122 @@
+//! Error types.
+
+use core::fmt;
+use pkcs8::der::asn1::ObjectIdentifier;
+
+/// Alias for [`core::result::Result`] with the `crx` crate's [`Error`] type.
+pub type Result = core::result::Result;
+
+/// Error types
+#[derive(Debug)]
+#[non_exhaustive]
+pub enum Error {
+ /// Invalid CRX size error.
+ InvalidSize,
+
+ /// Invalid CRX magic number error.
+ InvalidMagicNumber,
+
+ /// Unsupported CRX version.
+ UnsupportedVersion,
+
+ /// Invalid CRX file header size error.
+ InvalidFileHeaderSize,
+
+ /// Protobuf decode error.
+ ProtobufDecodeError(prost::DecodeError),
+
+ /// Invalid CRX ID size error.
+ InvalidIdSize,
+
+ /// Missing asymmetric proofs error.
+ MissingAsymmetricProofs,
+
+ /// Empty asymmetric keys error.
+ EmptyAsymmetricKeys,
+
+ /// I/O errors.
+ #[cfg(feature = "std")]
+ Io(std::io::ErrorKind),
+
+ /// PKCS#8 errors.
+ Pkcs8(pkcs8::Error),
+
+ /// X.509 SubjectPublicKeyInfo (SPKI) errors.
+ Spki(pkcs8::spki::Error),
+
+ /// RSA errors.
+ Rsa(rsa::Error),
+
+ /// Digital signature errors.
+ Signature(signature::Error),
+
+ /// Unknown algorithm OID.
+ OidUnknown {
+ /// Unrecognized OID value found.
+ oid: ObjectIdentifier,
+ },
+}
+
+impl From for Error {
+ fn from(err: prost::DecodeError) -> Self {
+ Self::ProtobufDecodeError(err)
+ }
+}
+
+#[cfg(feature = "std")]
+impl From for Error {
+ fn from(err: std::io::Error) -> Self {
+ Self::Io(err.kind())
+ }
+}
+
+impl From for Error {
+ fn from(err: pkcs8::Error) -> Self {
+ Self::Pkcs8(err)
+ }
+}
+
+impl From for Error {
+ fn from(err: pkcs8::spki::Error) -> Self {
+ Self::Spki(err)
+ }
+}
+
+impl From for Error {
+ fn from(err: rsa::Error) -> Self {
+ Self::Rsa(err)
+ }
+}
+
+impl From for Error {
+ fn from(err: signature::Error) -> Self {
+ Self::Signature(err)
+ }
+}
+
+#[cfg(feature = "std")]
+impl std::error::Error for Error {}
+
+impl fmt::Display for Error {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ match self {
+ Error::InvalidSize => f.write_str("invalid CRX size"),
+ Error::InvalidFileHeaderSize => f.write_str("invalid CRX file header size"),
+ Error::InvalidMagicNumber => f.write_str("invalid CRX magic number"),
+ Error::UnsupportedVersion => f.write_str("unsupported CRX version"),
+ Error::ProtobufDecodeError(err) => write!(f, "Protocol buffer decode error: {}", err),
+ Error::InvalidIdSize => f.write_str("invalid CRX ID size"),
+ Error::MissingAsymmetricProofs => f.write_str("missing asymmetric proofs"),
+ Error::EmptyAsymmetricKeys => f.write_str("empty asymmetric keys"),
+ #[cfg(feature = "std")]
+ Error::Io(err) => write!(f, "{}", err),
+ Error::Pkcs8(err) => write!(f, "{}", err),
+ Error::Spki(err) => write!(f, "{}", err),
+ Error::Rsa(err) => write!(f, "{}", err),
+ Error::Signature(err) => write!(f, "{}", err),
+ Error::OidUnknown { oid } => {
+ write!(f, "unknown/unsupported algorithm OID: {}", oid)
+ }
+ }
+ }
+}
diff --git a/src/lib.rs b/src/lib.rs
new file mode 100644
index 0000000..41cc9ed
--- /dev/null
+++ b/src/lib.rs
@@ -0,0 +1,712 @@
+#![warn(
+ clippy::all,
+ clippy::dbg_macro,
+ clippy::todo,
+ clippy::empty_enum,
+ clippy::enum_glob_use,
+ clippy::mem_forget,
+ clippy::unused_self,
+ clippy::filter_map_next,
+ clippy::needless_continue,
+ clippy::needless_borrow,
+ clippy::match_wildcard_for_single_variants,
+ clippy::if_let_mutex,
+ clippy::mismatched_target_os,
+ clippy::await_holding_lock,
+ clippy::match_on_vec_items,
+ clippy::imprecise_flops,
+ clippy::suboptimal_flops,
+ clippy::lossy_float_literal,
+ clippy::rest_pat_in_fully_bound_structs,
+ clippy::fn_params_excessive_bools,
+ clippy::exit,
+ clippy::inefficient_to_string,
+ clippy::linkedlist,
+ clippy::macro_use_imports,
+ clippy::option_option,
+ clippy::verbose_file_reads,
+ clippy::unnested_or_patterns,
+ clippy::str_to_string,
+ rust_2018_idioms,
+ future_incompatible,
+ nonstandard_style,
+ missing_debug_implementations,
+ missing_docs
+)]
+#![deny(unreachable_pub)]
+#![allow(elided_lifetimes_in_paths, clippy::type_complexity)]
+#![forbid(unsafe_code)]
+#![cfg_attr(docsrs, feature(doc_cfg, doc_auto_cfg))]
+#![cfg_attr(test, allow(clippy::float_cmp))]
+#![cfg_attr(not(test), warn(clippy::print_stdout, clippy::dbg_macro))]
+//! A library to read and write CRX packages.
+//!
+//! ## About
+//!
+//! Chrome web extensions and themes are packaged as CRX packages.
+//!
+//! The CRX package format prepends a Protocol Buffer to a message that can contain an unlimited number of public key and signature proofs.
+//!
+//! Supported key sizes and EC curves
+//!
+//! - RSA `1.2.840.113549.1.1.1`: 1024, 2048, 4096
+//! - EC `1.2.840.10045.2.1`: NIST P-256
+//!
+//! ## Example
+//!
+//! Signing, verifying and writing a Chrome web extension as a CRX package
+//!
+//! ```
+//! use crx::Crx;
+//! use pkcs8::der::SecretDocument;
+//! use rand::thread_rng;
+//! use std::fs;
+//!
+//! # fn main() -> Result<(), Box> {
+//! let zip = fs::read("test/extension.zip")?;
+//!
+//! let (_, secret_doc) = SecretDocument::read_pem_file("test/rsa2048-key.pem")?;
+//! let secret_docs = vec![secret_doc];
+//!
+//! let mut rng = thread_rng();
+//!
+//! let crx = Crx::try_sign_with_rng(&mut rng, secret_docs, &zip)?;
+//! assert!(crx.verify().is_ok());
+//!
+//! println!("Chrome web extension ID: {}", crx.id);
+//!
+//! fs::write("test/extension.crx", crx.to_crx())?;
+//! #
+//! # Ok(())
+//! # }
+//! ```
+//!
+//! Reading and extracting a Chrome web extension from a CRX package
+//!
+//! ```
+//! use crx::Crx;
+//! use std::fs;
+//!
+//! # fn main() -> Result<(), Box> {
+//! let crx = Crx::read_crx_file("test/extension.crx")?;
+//! assert!(crx.verify().is_ok());
+//!
+//! println!("Chrome web extension ID: {}", crx.id);
+//!
+//! fs::write("test/extension.zip", crx.as_bytes())?;
+//! #
+//! # Ok(())
+//! # }
+//! ```
+use const_oid::db::rfc5912::{ID_EC_PUBLIC_KEY as EC, RSA_ENCRYPTION as RSA};
+use core::fmt::{self, Debug};
+use ecdsa::{
+ Signature as EcdsaSignature, SignatureEncoding as _, SigningKey as EcdsaSigningKey,
+ VerifyingKey,
+};
+use p256::NistP256;
+use pkcs8::{der::Document, DecodePublicKey, EncodePublicKey as _, PrivateKeyInfo, SecretDocument};
+use prost::Message as _;
+use rsa::{
+ pkcs1v15::{Pkcs1v15Sign, SigningKey as Pkcs1v15SigningKey},
+ RsaPrivateKey, RsaPublicKey,
+};
+use sha2::{Digest, Sha256};
+use signature::{rand_core::CryptoRngCore, RandomizedSigner, Verifier};
+
+#[cfg(feature = "std")]
+use std::{fs, num::ParseIntError, path::Path, str::FromStr};
+
+#[cfg(target_family = "wasm")]
+use wasm_bindgen::prelude::*;
+
+/// CRX protocol buffer.
+#[allow(missing_docs)]
+pub mod crx3 {
+ include!(concat!(env!("OUT_DIR"), "/crx_file.rs"));
+}
+pub mod error;
+
+pub use crate::error::{Error, Result};
+
+/// The CRX id size.
+pub const CRX_ID_SIZE: usize = 16;
+
+/// The CRX magic number (Cr24).
+pub const CRX_MAGIC: &[u8; 4] = b"Cr24";
+
+/// The length of the CRX header section.
+pub const CRX_SIZE_HINT: usize = 4;
+
+/// The CRX header.
+pub const CRX_HEADER: &[u8; 16] = b"CRX3 SignedData\x00";
+
+/// The CRX version identifier (v3).
+pub const CRX_VERSION: [u8; 4] = [3_u8, 0, 0, 0];
+
+#[cfg(target_family = "wasm")]
+use rand::thread_rng;
+
+#[cfg(target_family = "wasm")]
+#[wasm_bindgen]
+pub fn sign(pem: String, data: Vec) -> Vec {
+ let (_, secret_doc) = SecretDocument::from_pem(&pem).unwrap();
+ let secret_docs = vec![secret_doc];
+
+ let mut rng = thread_rng();
+
+ let crx = Crx::try_sign_with_rng(&mut rng, secret_docs, &data).unwrap();
+ crx.to_crx()
+}
+
+/// CRX proof.
+#[derive(Debug)]
+pub struct Proof {
+ inner: Vec,
+}
+
+impl Proof {
+ /// Creates a new instance of an `Proof`.
+ pub fn new(crx_signed_data: &[u8], data: Vec) -> Self {
+ let mut proof = Vec::with_capacity(
+ CRX_HEADER.len() + CRX_SIZE_HINT + crx_signed_data.len() + data.len(),
+ );
+ proof.extend(CRX_HEADER);
+
+ let crx_signed_data_size_hint: [u8; CRX_SIZE_HINT] =
+ u32::to_le_bytes(crx_signed_data.len() as u32);
+ proof.extend(crx_signed_data_size_hint);
+
+ proof.extend(crx_signed_data);
+ proof.extend(data);
+
+ Self { inner: proof }
+ }
+}
+
+impl AsRef<[u8]> for Proof {
+ fn as_ref(&self) -> &[u8] {
+ &self.inner
+ }
+}
+
+/// CRX.
+///
+/// This type wraps an encoded CRX package.
+#[derive(Clone, Debug)]
+pub struct Crx {
+ /// CRX ID.
+ pub id: Id,
+
+ /// CRX header containing the asymmetric key proof.
+ pub file_header: crx3::CrxFileHeader,
+
+ /// CRX data.
+ data: Vec,
+}
+
+impl Crx {
+ /// Sign a CRX package using a cryptographically secure generator and
+ /// create a new instance of an `Crx`.
+ pub fn try_sign_with_rng(
+ rng: &mut impl CryptoRngCore,
+ secret_docs: Vec,
+ data: &[u8],
+ ) -> Result {
+ let secret_doc = secret_docs.first().ok_or(Error::EmptyAsymmetricKeys)?;
+ let pkcs8_pki = PrivateKeyInfo::try_from(secret_doc.as_bytes())?;
+ let der_public_key = match pkcs8_pki.algorithm.oid {
+ #[cfg(feature = "rsa")]
+ RSA => {
+ let rsa_private_key = RsaPrivateKey::try_from(pkcs8_pki.clone())?;
+
+ rsa_private_key
+ .to_public_key()
+ .to_public_key_der()
+ .map_err(|e| e.into())
+ }
+ #[cfg(feature = "ecdsa")]
+ EC => {
+ let ecdsa_signing_key: EcdsaSigningKey =
+ EcdsaSigningKey::try_from(pkcs8_pki.clone())?;
+
+ ecdsa_signing_key
+ .verifying_key()
+ .to_public_key_der()
+ .map_err(|e| e.into())
+ }
+ _ => Err(Error::OidUnknown {
+ oid: pkcs8_pki.algorithm.oid,
+ }),
+ }?;
+
+ let crx_id = Id::try_from(&der_public_key)?;
+
+ let crx_signed_data = crx3::SignedData {
+ crx_id: Some(crx_id.to_vec()),
+ }
+ .encode_to_vec();
+
+ let crx_proof = Proof::new(&crx_signed_data, data.to_vec());
+
+ #[cfg(feature = "rsa")]
+ let mut rsa_key_proofs = Vec::with_capacity(0);
+
+ #[cfg(feature = "ecdsa")]
+ let mut ecdsa_key_proofs = Vec::with_capacity(0);
+
+ secret_docs.iter().try_for_each(|secret_doc| {
+ let pkcs8_pki = PrivateKeyInfo::try_from(secret_doc.as_bytes())?;
+
+ match pkcs8_pki.algorithm.oid {
+ #[cfg(feature = "rsa")]
+ RSA => {
+ let rsa_private_key = RsaPrivateKey::try_from(pkcs8_pki.clone())?;
+
+ let der_public_key = rsa_private_key.to_public_key().to_public_key_der()?;
+
+ let rsa_signing_key = Pkcs1v15SigningKey::::new(rsa_private_key);
+ let pkcs1v15_signature = rsa_signing_key.sign_with_rng(rng, crx_proof.as_ref());
+
+ rsa_key_proofs.push((der_public_key, pkcs1v15_signature.to_vec()));
+
+ Ok(())
+ }
+ #[cfg(feature = "ecdsa")]
+ EC => {
+ let ecdsa_signing_key: EcdsaSigningKey =
+ EcdsaSigningKey::try_from(pkcs8_pki.clone())?;
+
+ let der_public_key = ecdsa_signing_key.verifying_key().to_public_key_der()?;
+
+ let ecdsa_signature: EcdsaSignature =
+ ecdsa_signing_key.try_sign_with_rng(rng, crx_proof.as_ref())?;
+
+ ecdsa_key_proofs
+ .push((der_public_key, ecdsa_signature.to_der().as_bytes().to_vec()));
+
+ Ok(())
+ }
+ _ => Err(Error::OidUnknown {
+ oid: pkcs8_pki.algorithm.oid,
+ }),
+ }
+ })?;
+
+ let crx_file_header = crx3::CrxFileHeader {
+ #[cfg(feature = "rsa")]
+ sha256_with_rsa: rsa_key_proofs
+ .iter()
+ .map(|(public_key, signature)| crx3::AsymmetricKeyProof {
+ public_key: Some(public_key.to_owned().into_vec()),
+ signature: Some(signature.to_owned()),
+ })
+ .collect(),
+ #[cfg(feature = "ecdsa")]
+ sha256_with_ecdsa: ecdsa_key_proofs
+ .iter()
+ .map(|(public_key, signature)| crx3::AsymmetricKeyProof {
+ public_key: Some(public_key.to_owned().into_vec()),
+ signature: Some(signature.to_owned()),
+ })
+ .collect(),
+ signed_header_data: Some(crx_signed_data),
+ };
+
+ Ok(Self {
+ id: crx_id,
+ file_header: crx_file_header,
+ data: data.to_vec(),
+ })
+ }
+
+ /// Verify the integrity of a CRX package.
+ pub fn verify(&self) -> Result<()> {
+ if self.file_header.sha256_with_rsa.is_empty()
+ && self.file_header.sha256_with_ecdsa.is_empty()
+ {
+ return Err(Error::MissingAsymmetricProofs);
+ }
+
+ let signed_header_data = self.file_header.signed_header_data();
+
+ let crx_proof = Proof::new(signed_header_data, self.data.to_owned());
+
+ #[cfg(feature = "rsa")]
+ if !self.file_header.sha256_with_rsa.is_empty() {
+ let mut hasher = Sha256::new();
+ hasher.update(crx_proof.as_ref());
+ let digest = hasher.finalize();
+
+ for key_proof in self.file_header.sha256_with_rsa.iter() {
+ let public_key = key_proof.public_key();
+ let rsa_public_key = RsaPublicKey::from_public_key_der(public_key)?;
+
+ let signature = key_proof.signature();
+ rsa_public_key.verify(Pkcs1v15Sign::new::(), &digest, signature)?;
+ }
+ }
+
+ #[cfg(feature = "ecdsa")]
+ if !self.file_header.sha256_with_ecdsa.is_empty() {
+ for key_proof in self.file_header.sha256_with_ecdsa.iter() {
+ let signature = key_proof.signature();
+ let ecdsa_signature = EcdsaSignature::::from_der(signature)?;
+
+ let public_key = key_proof.public_key();
+ let ecdsa_verifying_key =
+ VerifyingKey::::from_public_key_der(public_key)?;
+
+ ecdsa_verifying_key.verify(crx_proof.as_ref(), &ecdsa_signature)?;
+ }
+ }
+
+ Ok(())
+ }
+
+ /// Read a CRX package from a file.
+ #[cfg(feature = "std")]
+ pub fn read_crx_file(path: impl AsRef) -> Result {
+ fs::read(path)?.try_into()
+ }
+
+ /// Write CRX package to a file.
+ #[cfg(feature = "std")]
+ pub fn write_crx_file(&self, path: impl AsRef) -> Result<()> {
+ Ok(fs::write(path, self.to_crx())?)
+ }
+
+ /// Return a CRX package.
+ pub fn to_crx(&self) -> Vec {
+ let crx_file_header = self.file_header.encode_to_vec();
+
+ let mut crx_data = Vec::with_capacity(
+ CRX_MAGIC.len()
+ + CRX_VERSION.len()
+ + CRX_SIZE_HINT
+ + crx_file_header.len()
+ + self.data.len(),
+ );
+
+ crx_data.extend(CRX_MAGIC);
+ crx_data.extend(CRX_VERSION);
+
+ let crx_file_header_size_hint: [u8; CRX_SIZE_HINT] =
+ u32::to_le_bytes(crx_file_header.len() as u32);
+ crx_data.extend(crx_file_header_size_hint);
+
+ crx_data.extend(crx_file_header);
+ crx_data.extend(&self.data);
+
+ crx_data
+ }
+
+ /// Get the data of this CRX package.
+ pub fn as_bytes(&self) -> &[u8] {
+ self.data.as_slice()
+ }
+}
+
+impl TryFrom> for Crx {
+ type Error = Error;
+
+ fn try_from(crx_data: Vec) -> Result {
+ if crx_data.len() < CRX_MAGIC.len() + CRX_VERSION.len() + CRX_SIZE_HINT {
+ return Err(Error::InvalidSize);
+ }
+
+ // Try to parse the CRX signature
+ let crx_magic = &crx_data[0..CRX_MAGIC.len()];
+ if crx_magic != CRX_MAGIC {
+ return Err(Error::InvalidMagicNumber);
+ }
+
+ let offset = CRX_MAGIC.len();
+ let crx_version = &crx_data[offset..offset + CRX_VERSION.len()];
+ if crx_version != CRX_VERSION {
+ return Err(Error::UnsupportedVersion);
+ }
+
+ let offset = offset + CRX_VERSION.len();
+
+ let crx_header_length = u32::from_le_bytes(
+ crx_data[offset..offset + CRX_SIZE_HINT]
+ .try_into()
+ .expect("Failed to get CRX header length"),
+ );
+ if crx_header_length == 0 {
+ return Err(Error::InvalidFileHeaderSize);
+ }
+
+ let offset = offset + CRX_SIZE_HINT;
+ let crx_file_header =
+ crx3::CrxFileHeader::decode(&crx_data[offset..offset + crx_header_length as usize])?;
+
+ let signed_header_data = crx_file_header.signed_header_data();
+
+ let crx_signed_data = crx3::SignedData::decode(signed_header_data)?;
+
+ let crx_id_data = crx_signed_data.crx_id();
+ if crx_id_data.len() != CRX_ID_SIZE {
+ return Err(Error::InvalidIdSize);
+ }
+
+ let crx_id = Id::try_from(crx_id_data)?;
+
+ let offset = offset + crx_header_length as usize;
+
+ Ok(Self {
+ id: crx_id,
+ file_header: crx_file_header,
+ data: crx_data[offset..crx_data.len()].to_vec(),
+ })
+ }
+}
+
+impl AsRef<[u8]> for Crx {
+ fn as_ref(&self) -> &[u8] {
+ &self.data
+ }
+}
+
+/// CRX ID.
+///
+/// ```
+/// use crx::Id;
+/// use std::num::ParseIntError;
+/// use std::str::FromStr;
+///
+/// # fn main() -> Result<(), ParseIntError> {
+/// // The sha256 digest of an ASN.1 DER-encoded public key
+/// let digest = "e3b0c44298fc1c149afbf4c8996fb924".to_string();
+/// let id = Id::from_str(&digest)?;
+///
+/// // Chrome web extension ID
+/// assert_eq!(format!("{}", id), "odlameecjipmbmbejkplpemijjgpljce");
+/// #
+/// # Ok(())
+/// # }
+/// ```
+#[derive(Clone, Eq, PartialEq)]
+pub struct Id {
+ bytes: [u8; CRX_ID_SIZE],
+}
+
+impl Id {
+ /// Create a new [`Id`] from a 32 character hexadecimal byte slice.
+ pub fn new(bytes: [u8; CRX_ID_SIZE]) -> Self {
+ Self { bytes }
+ }
+
+ /// Convert this [`Id`] into a new `Vec`.
+ pub fn to_vec(&self) -> Vec {
+ self.bytes.to_vec()
+ }
+}
+
+#[cfg(feature = "std")]
+impl FromStr for Id {
+ type Err = ParseIntError;
+
+ fn from_str(s: &str) -> core::result::Result {
+ Ok(Self {
+ bytes: (0..s.len())
+ .take(CRX_ID_SIZE * 2)
+ .step_by(2)
+ .map(|i| u8::from_str_radix(&s[i..i + 2], 16))
+ .collect::, ParseIntError>>()?
+ .as_slice()
+ .try_into()
+ .expect("Failed to create sized slice"),
+ })
+ }
+}
+
+impl TryFrom<&Document> for Id {
+ type Error = Error;
+
+ fn try_from(der: &Document) -> Result {
+ let mut hasher = Sha256::new();
+ hasher.update(der.clone());
+
+ Ok(Self {
+ bytes: hasher.finalize()[0..CRX_ID_SIZE]
+ .try_into()
+ .map_err(|_| Error::InvalidIdSize)?,
+ })
+ }
+}
+
+impl TryFrom<&[u8]> for Id {
+ type Error = Error;
+
+ fn try_from(bytes: &[u8]) -> Result {
+ Ok(Self {
+ bytes: bytes.try_into().map_err(|_| Error::InvalidIdSize)?,
+ })
+ }
+}
+
+impl TryFrom> for Id {
+ type Error = Error;
+
+ fn try_from(bytes: Vec) -> Result {
+ Ok(Self {
+ bytes: bytes
+ .as_slice()
+ .try_into()
+ .map_err(|_| Error::InvalidIdSize)?,
+ })
+ }
+}
+
+impl AsRef<[u8]> for Id {
+ fn as_ref(&self) -> &[u8] {
+ self.bytes.as_ref()
+ }
+}
+
+/// Formats the [`Id`] as a Chrome compatible web extension ID (UTF-8 encoded mpdecimal).
+impl fmt::Display for Id {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ for byte in self.bytes {
+ f.write_str(
+ &char::from_u32(97 + ((byte >> 4) & 0xf) as u32)
+ .expect("Failed to convert char")
+ .to_string(),
+ )?;
+ f.write_str(
+ &char::from_u32((97 + (byte & 0xf)) as u32)
+ .expect("Failed to convert char")
+ .to_string(),
+ )?;
+ }
+
+ Ok(())
+ }
+}
+
+/// Formats the [`Id`] using hexadecimal encoding.
+impl Debug for Id {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ f.write_str("Id(")?;
+
+ for byte in self.bytes {
+ write!(f, "{:02x}", byte)?;
+ }
+
+ f.write_str(")")
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ const ARCHIVE: &[u8] = include_bytes!("../test/extension.zip");
+
+ const RSA_PEM: &str = include_str!("../test/rsa2048-key.pem");
+ const RSA_PUBLIC_KEY_DIGEST: &str = "efeda9bfead9fd0594f6a5cf6fdf6c16";
+ const RSA_PUBLIC_KEY_MPDECIMAL: &str = "oponkjlpoknjpnafjepgkfmpgpnpgmbg";
+
+ const EC256_PEM: &str = include_str!("../test/ec256-key.pem");
+ const EC256_PUBLIC_KEY_DIGEST: &str = "edf2454ebdddf3ef647bfa8676c56c41";
+ const EC256_PUBLIC_KEY_MPDECIMAL: &str = "onpcefeolnnnpdopgehlpkighgmfgmeb";
+
+ fn decode_pem(pem: &str) -> SecretDocument {
+ SecretDocument::from_pem(pem)
+ .expect("Failed to decode ASN.1 DER document from PEM")
+ .1
+ }
+
+ #[test]
+ fn test_id_from_str() {
+ // SHA256("")
+ let digest = "e3b0c44298fc1c149afbf4c8996fb924".to_owned();
+ let id = Id::from_str(&digest).unwrap();
+
+ assert_eq!(format!("{}", id), "odlameecjipmbmbejkplpemijjgpljce");
+ }
+
+ #[test]
+ fn test_id_from_rsa_public_key() {
+ let secret_doc = decode_pem(RSA_PEM);
+ let pkcs8_pki = PrivateKeyInfo::try_from(secret_doc.as_bytes()).unwrap();
+
+ let rsa_private_key = RsaPrivateKey::try_from(pkcs8_pki.clone()).unwrap();
+ let der_public_key = rsa_private_key.to_public_key().to_public_key_der().unwrap();
+
+ // Create a Chrome extension ID from a ASN.1 DER encoded public key
+ let id = Id::try_from(&der_public_key).unwrap();
+
+ assert_eq!(format!("{}", id), RSA_PUBLIC_KEY_MPDECIMAL);
+ assert_eq!(
+ format!("{:?}", id),
+ format!("Id({})", RSA_PUBLIC_KEY_DIGEST)
+ );
+ }
+
+ #[test]
+ fn test_id_from_ec_public_key() {
+ let secret_doc = decode_pem(EC256_PEM);
+ let pkcs8_pki = PrivateKeyInfo::try_from(secret_doc.as_bytes()).unwrap();
+
+ let ecdsa_signing_key: EcdsaSigningKey =
+ EcdsaSigningKey::try_from(pkcs8_pki.clone()).unwrap();
+
+ let der_public_key = ecdsa_signing_key
+ .verifying_key()
+ .to_public_key_der()
+ .unwrap();
+
+ // Create a Chrome extension ID from a ASN.1 DER encoded public key
+ let id = Id::try_from(&der_public_key).unwrap();
+
+ assert_eq!(format!("{}", id), EC256_PUBLIC_KEY_MPDECIMAL);
+ assert_eq!(
+ format!("{:?}", id),
+ format!("Id({})", EC256_PUBLIC_KEY_DIGEST)
+ );
+ }
+
+ #[test]
+ fn test_rsa_sign() {
+ let secret_doc = decode_pem(RSA_PEM);
+
+ let mut rng = rand::thread_rng();
+
+ let id = Id::from_str(RSA_PUBLIC_KEY_DIGEST).unwrap();
+ let crx = Crx::try_sign_with_rng(&mut rng, vec![secret_doc], ARCHIVE).unwrap();
+
+ assert!(crx.verify().is_ok());
+ assert_eq!(id, crx.id);
+ }
+
+ #[test]
+ fn test_ecdsa_sign() {
+ let secret_doc = decode_pem(EC256_PEM);
+
+ let mut rng = rand::thread_rng();
+
+ let id = Id::from_str(EC256_PUBLIC_KEY_DIGEST).unwrap();
+ let crx = Crx::try_sign_with_rng(&mut rng, vec![secret_doc], ARCHIVE).unwrap();
+
+ assert!(crx.verify().is_ok());
+ assert_eq!(id, crx.id);
+ }
+
+ #[test]
+ fn test_multi_sign() {
+ let secret_doc1 = decode_pem(RSA_PEM);
+ let secret_doc2 = decode_pem(EC256_PEM);
+
+ let mut rng = rand::thread_rng();
+
+ let id = Id::from_str(RSA_PUBLIC_KEY_DIGEST).unwrap();
+ let crx =
+ Crx::try_sign_with_rng(&mut rng, vec![secret_doc1, secret_doc2], ARCHIVE).unwrap();
+
+ assert!(crx.verify().is_ok());
+ assert_eq!(id, crx.id);
+ }
+}
diff --git a/src/main.rs b/src/main.rs
new file mode 100644
index 0000000..72e39fa
--- /dev/null
+++ b/src/main.rs
@@ -0,0 +1,274 @@
+#![forbid(unsafe_code)]
+use clap::{ArgAction, ArgMatches};
+use crx::{error::Error, Crx};
+use ecdsa::VerifyingKey as EcdsaVerifyingKey;
+use p256::NistP256;
+use pkcs8::{
+ der::{pem::LineEnding, SecretDocument},
+ DecodePublicKey, EncodePublicKey as _, EncryptedPrivateKeyInfo,
+};
+use rsa::RsaPublicKey;
+use std::fs::File;
+use std::io::{BufReader, BufWriter, Read, Write};
+use std::path::PathBuf;
+
+fn main() -> Result<(), Box> {
+ let cmd = clap::Command::new("crx")
+ .bin_name("crx")
+ .version(env!("CARGO_PKG_VERSION"))
+ .subcommand_required(true)
+ .subcommand(
+ clap::Command::new("sign")
+ .about("Sign a web extension archive and create a CRX package")
+ .arg(
+ clap::arg!(--"key" )
+ .help("The path to the file that contains the private key. This file must use the PKCS #8 DER format. Multiple private keys can be supplied to sign the CRX package. The first private key will be used to generate the unique ID.")
+ .required(true)
+ .value_parser(clap::value_parser!(PathBuf))
+ .action(ArgAction::Append)
+ .num_args(1),
+ )
+ .arg(
+ clap::arg!(--"password" )
+ .help("Optional. The private key password, which is required if the private key is password protected.")
+ .value_parser(clap::value_parser!(String))
+ .requires("key")
+ .action(ArgAction::Append)
+ .num_args(1),
+ )
+ .arg(
+ clap::arg!(--"out"