Due to limitations in the X.509 format, CN values cannot be longer than 64 characters. Since add-on IDs are used as CN values in signing, and may be, and often are, longer than 64 characters, long IDs will need to be hashed prior to signing. Rather than the current behavior of using all IDs directly as CN values, the new behavior for determining CN values should be as follows: * If the add-on ID is 64 characters or shorter, the ID string is used directly as the CN value. * If the add-on ID is longer than 64 characters, a SHA256 hash of the ID string is computed, and its lower-case, hexadecimal representation is used as the CN value. For signature verification, any add-on ID which is 64 characters or shorter in length *must not* be hashed, or it will be considered invalid. Any ID which is longer than 64 characters *must* be hashed.
Assignee: nobody → mathieu
Commits pushed to master at https://github.com/mozilla/olympia https://github.com/mozilla/olympia/commit/cf0e5d210247f027a91d0c6b5c1e8cac82b4aee5 Hash long addon GUIDs when posting to signing server (bug 1203365) https://github.com/mozilla/olympia/commit/635e19174f8cd0e35c04ce44850db28f1a678e26 Merge pull request #727 from magopian/1203365-hash-long-GUIDs Hash long addon GUIDs when posting to signing server (bug 1203365)
This can go in production whenever we want, because since bug 1202016 we can't submit files with a GUID longer than 64 chars, so we won't be sending hashed GUIDs to the signing server until we re-allow submitting. Bug 1203915 is about allowing the long GUIDs again.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard
You need to log in before you can comment on or make changes to this bug.