CRX Unpack Utilities

This module contains several utilities for working with Google Chrome extension files (CRXs), which have the *.crx file extension. The goal of this project is to mimic as closely as possible the functionality of Google Chrome when these extensions are unpacked and installed.

The first module is crx_unpack, which handles the headers and structure of the CRX itself (see below for more details on this).

The second module is Encrypted Temp Directory, which gives a way to use eCryptfs to encrypt a directory that only ever exists in memory by inheriting from the TemporaryDirectory class and hooking into some eCryptfs tools to handle the encryption of the file contents and file names (handled by different keys).

Structure of CRX Package Format

The information in this section introduces the structure and contents of CRX files.

As explained at https://developer.chrome.com/extensions/crx

Package Header

The header contains the author’s public key and the extension’s signature. The signature is generated from the ZIP file using SHA-1 with the author’s private key. The header requires a little-endian byte ordering with 4-byte alignment. The following table describes the fields of the .crx header in order:

Field Type Length Value Description
magic number char[] 32 bits Cr24 Chrome requires this constant at the beginning of every .crx package.
version unsigned int 32 bits 2 The version of the *.crx file format used (currently 2).
public key length unsigned int 32 bits pubkey.length The length of the RSA public key in bytes.
signature length unsigned int 32 bits sig.length The length of the signature in bytes.
public key byte[] pubkey.length pubkey.contents The contents of the author’s RSA public key formatted as an X509 SubjectPublicKeyInfo block.
signature byte[] sig.length sig.contents The signature of the ZIP content using the author’s private key. The signature is created using the RSA algorithm with the SHA-1 hash function.

Extension Contents

The extension’s ZIP file is appended to the *.crx package after the header. This should be the same ZIP file that the signature in the header was generated from.