I'm generating a crx file in PHP using phpseclib. When I try to install the crx into Chrome, I get the error:
Package is invalid: 'CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED'
Here's my code:
<?php
//Include phpseclib files
include('File/X509.php');
include('Crypt/RSA.php');
//RSA Handler
$rsa = new Crypt_RSA();
//Create key pair
$keyPair = $rsa->createKey();
//Get the keys
$privKey = $keyPair[ "privatekey" ];
$pubKey = $keyPair[ "publickey" ];
//The Zip file contents
$zipContents = file_get_contents( "helloworld.zip" );
//Load the private key into the handler
$rsa->loadKey( $privKey );
//Sign the content (default is SHA1)
$signature = $rsa->sign( $zipContents ) ;
/* Tried this, but it also did not work */
//Convert to openSSH and remove the leading/trailing "comments": "ssh-rsa ", " phpseclib-generated-key"
//$rsa->loadKey( $pubKey );
//$rsa->setPublicKey();
//$pubKey = $rsa->getPublicKey( CRYPT_RSA_PUBLIC_FORMAT_OPENSSH );
//$pubKey = substr( $pubKey, 8, strlen( $pubKey ) - 32 );
//Encode public key in Base64 and remove the "-----BEGIN PUBLIC KEY-----
" and "
-----END PUBLIC KEY-----" (to put in .crx)
$base64Key = base64_decode( substr( $pubKey, 28, strlen( $pubKey ) - 54 ) );
//Create the crx (wb = write in binary mode)
$crxFile = fopen( "helloworld.crx", "wb" );
//Add crx "magic" marker, format version
fwrite( $crxFile, "Cr24" );
fwrite( $crxFile, pack( "V", 2 ) );
//Write public key and signature length
fwrite( $crxFile, pack( "V", strlen( $base64Key ) ) );
fwrite( $crxFile, pack( "V", strlen( $signature ) ) );
//Write public key (base64 encoded) and signature
fwrite( $crxFile, $base64Key );
fwrite( $crxFile, $signature );
//Write the zip file contents
fwrite( $crxFile, $zipContents );
fclose( $crxFile );
?>
What am I doing wrong? I'm guessing it's something to do with the format of the key and the signing?
I found the answer! The signature was using CRYPT_RSA_SIGNATURE_PSS and apparently only works with PKCS1. So you need to add this line:
$rsa->setSignatureMode( CRYPT_RSA_SIGNATURE_PKCS1 );
before the signature creation code. So the signature code now looks like this:
//Load the private key into the handler
$rsa->loadKey( $privKey );
//Sign the content (default is SHA1)
$rsa->setSignatureMode( CRYPT_RSA_SIGNATURE_PKCS1 ); /* <-- This is required */
$signature = $rsa->sign( $zipContents ) ;