Bug 1203787: When the add-on ID is longer than 64 characters compare the signing certificate's common name to the sha256 hash of the ID. r=dveditz

toolkit/mozapps/extensions/internal/XPIProvider.jsm

@@ -1454,14 +1454,28 @@ function verifyZipSigning(aZip, aCertificate) {
  * Returns the signedState for a given return code and certificate by verifying
  * it against the expected ID.
  */
-function getSignedStatus(aRv, aCert, aExpectedID) {
+function getSignedStatus(aRv, aCert, aAddonID) {
+  let expectedCommonName = aAddonID;
+  if (aAddonID.length > 64) {
+    let converter = Cc["@mozilla.org/intl/scriptableunicodeconverter"].
+                    createInstance(Ci.nsIScriptableUnicodeConverter);
+    converter.charset = "UTF-8";
+    let data = converter.convertToByteArray(aAddonID, {});
+
+    let crypto = Cc["@mozilla.org/security/hash;1"].
+                 createInstance(Ci.nsICryptoHash);
+    crypto.init(Ci.nsICryptoHash.SHA256);
+    crypto.update(data, data.length);
+    expectedCommonName = getHashStringForCrypto(crypto);
+  }
+
   switch (aRv) {
     case Cr.NS_OK:
-      if (aExpectedID != aCert.commonName)
+      if (expectedCommonName != aCert.commonName)
         return AddonManager.SIGNEDSTATE_BROKEN;
 
       let hotfixID = Preferences.get(PREF_EM_HOTFIX_ID, undefined);
-      if (hotfixID && hotfixID == aExpectedID && Preferences.get(PREF_EM_CERT_CHECKATTRIBUTES, false)) {
+      if (hotfixID && hotfixID == aAddonID && Preferences.get(PREF_EM_CERT_CHECKATTRIBUTES, false)) {
         // The hotfix add-on has some more rigorous certificate checks
         try {
           CertUtils.validateCert(aCert,

toolkit/mozapps/extensions/test/xpcshell/test_signed_long.js

@@ -0,0 +1,51 @@
+const PREF_XPI_SIGNATURES_DEV_ROOT    = "xpinstall.signatures.dev-root";
+
+// Disable update security
+Services.prefs.setBoolPref(PREF_EM_CHECK_UPDATE_SECURITY, false);
+
+// The test add-ons were signed by the dev root
+Services.prefs.setBoolPref(PREF_XPI_SIGNATURES_DEV_ROOT, true);
+
+const DATA = "data/signing_checks/";
+
+const ID_63 = "123456789012345678901234567890123456789012345@tests.mozilla.org"
+const ID_64 = "1234567890123456789012345678901234567890123456@tests.mozilla.org"
+const ID_65 = "12345678901234567890123456789012345678901234568@tests.mozilla.org"
+
+function run_test() {
+  createAppInfo("xpcshell@tests.mozilla.org", "XPCShell", "1", "1");
+  startupManager();
+
+  run_next_test();
+}
+
+// Installs the cases that should be working
+add_task(function* test_working() {
+  yield promiseInstallAllFiles([do_get_file(DATA + "long_63_plain.xpi"),
+                                do_get_file(DATA + "long_64_plain.xpi"),
+                                do_get_file(DATA + "long_65_hash.xpi")]);
+
+  let addons = yield promiseAddonsByIDs([ID_63, ID_64, ID_65]);
+
+  for (let addon of addons) {
+    do_check_neq(addon, null);
+    do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_SIGNED);
+
+    addon.uninstall();
+  }
+});
+
+// Installs the cases that should be broken
+add_task(function* test_broken() {
+ yield promiseInstallAllFiles([do_get_file(DATA + "long_63_hash.xpi"),
+                               do_get_file(DATA + "long_64_hash.xpi")]);
+
+  let addons = yield promiseAddonsByIDs([ID_63, ID_64]);
+
+  for (let addon of addons) {
+    do_check_neq(addon, null);
+    do_check_eq(addon.signedState, AddonManager.SIGNEDSTATE_BROKEN);
+
+    addon.uninstall();
+  }
+});

toolkit/mozapps/extensions/test/xpcshell/xpcshell-shared.ini

@@ -247,6 +247,8 @@ run-if = addon_signing
 [test_signed_install.js]
 run-if = addon_signing
 run-sequentially = Uses hardcoded ports in xpi files.
+[test_signed_long.js]
+run-if = addon_signing
 [test_signed_migrate.js]
 run-if = addon_signing
 [test_signed_multi.js]

toolkit/mozapps/extensions/test/xpcshell/xpcshell.ini

@@ -28,7 +28,4 @@ skip-if = appname != "firefox"
 [test_XPIcancel.js]
 [test_XPIStates.js]
 
-
-
-
 [include:xpcshell-shared.ini]