Hash long add-on IDs for use in the CN field when signing

RESOLVED FIXED

People

(Reporter: kmag, Assigned: magopian)

(Reporter)

Description

3 years ago
Due to limitations in the X.509 format, CN values cannot be longer than 64 characters. Since add-on IDs are used as CN values in signing, and may be, and often are, longer than 64 characters, long IDs will need to be hashed prior to signing.

Rather than the current behavior of using all IDs directly as CN values, the new behavior for determining CN values should be as follows:

* If the add-on ID is 64 characters or shorter, the ID string is used directly as the CN value.
* If the add-on ID is longer than 64 characters, a SHA256 hash of the ID string is computed, and its lower-case, hexadecimal representation is used as the CN value.

For signature verification, any add-on ID which is 64 characters or shorter in length *must not* be hashed, or it will be considered invalid. Any ID which is longer than 64 characters *must* be hashed.
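
The CN rule from the description, written out as an added Python example (not part of the bug report and not the olympia code). The function names, the sample IDs and the UTF-8 encoding applied before hashing are assumptions.

```python
import hashlib

CN_MAX_LENGTH = 64  # X.509 CN limit stated in the description


def cn_for_addon_id(addon_id: str) -> str:
    """Return the CN value to sign with for a given add-on ID."""
    if len(addon_id) <= CN_MAX_LENGTH:
        # 64 characters or shorter: the ID is used directly.
        return addon_id
    # Longer than 64: lower-case hex SHA-256 of the ID string.
    # Assumption: the ID is encoded as UTF-8; the bug does not name an encoding.
    return hashlib.sha256(addon_id.encode("utf-8")).hexdigest()


def cn_matches_addon_id(cn: str, addon_id: str) -> bool:
    """Verification side: exactly one CN form is valid for each ID.

    A short ID must appear unhashed and a long ID must appear hashed,
    so the check recomputes the expected CN and compares for equality.
    """
    return cn == cn_for_addon_id(addon_id)


# Constructed sample IDs (not real add-ons).
SHORT_ID = "short-addon@example.com"
EXACT_ID = "a" * 52 + "@example.com"  # exactly 64 characters
LONG_ID = "a" * 53 + "@example.com"   # 65 characters

if __name__ == "__main__":
    for sample in (SHORT_ID, EXACT_ID, LONG_ID):
        cn = cn_for_addon_id(sample)
        print(len(sample), "->", cn, "(hashed)" if cn != sample else "(direct)")
    # A hashed CN presented for a short ID is rejected.
    hashed_short = hashlib.sha256(SHORT_ID.encode("utf-8")).hexdigest()
    print(cn_matches_addon_id(hashed_short, SHORT_ID))
```

A SHA-256 hex digest is itself 64 characters, so the hashed form always fits the CN limit.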
(Assignee)

Updated

3 years ago
See Also: → bug 1202880
(Assignee)

Comment 1

3 years ago
PR: https://github.com/mozilla/olympia/pull/727
Assignee: nobody → mathieu

Comment 2

3 years ago
Commits pushed to master at https://github.com/mozilla/olympia

https://github.com/mozilla/olympia/commit/cf0e5d210247f027a91d0c6b5c1e8cac82b4aee5
Hash long addon GUIDs when posting to signing server (bug 1203365)

https://github.com/mozilla/olympia/commit/635e19174f8cd0e35c04ce44850db28f1a678e26
Merge pull request #727 from magopian/1203365-hash-long-GUIDs

Hash long addon GUIDs when posting to signing server (bug 1203365)
(Assignee)

Updated

3 years ago
Blocks: 1203915
(Assignee)

Comment 3

3 years ago
This can go in production whenever we want, because since bug 1202016 we can't submit files with a GUID longer than 64 chars, so we won't be sending hashed GUIDs to the signing server until we re-allow submitting.

Bug 1203915 is about allowing the long GUIDs again.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Product: addons.mozilla.org → addons.mozilla.org Graveyard