launchpad-reviewers team mailing list archive

[Merge] lp:~apw/launchpad/signing-key-generate-subject-limit into lp:launchpad

 

Andy Whitcroft has proposed merging lp:~apw/launchpad/signing-key-generate-subject-limit into lp:launchpad.

Requested reviews:
  Launchpad code reviewers (launchpad-reviewers)

For more details, see:
https://code.launchpad.net/~apw/launchpad/signing-key-generate-subject-limit/+merge/301642

When the owner+ppa name is very long, the subjects generated for the EFI and KMOD keys are too long to represent in the keys; 64 characters maximum.  As these are purely visual, truncate the generated cname strings to 64 characters.

Also drops extraneous framing from kmod keys.
-- 
Your team Launchpad code reviewers is requested to review the proposed merge of lp:~apw/launchpad/signing-key-generate-subject-limit into lp:launchpad.
=== modified file 'lib/lp/archivepublisher/signing.py'
--- lib/lp/archivepublisher/signing.py	2016-06-22 08:54:11 +0000
+++ lib/lp/archivepublisher/signing.py	2016-08-01 14:20:23 +0000
@@ -199,14 +199,14 @@
         if not os.path.exists(directory):
             os.makedirs(directory)
 
-        common_name = '/CN=PPA %s %s/' % (
-            self.archive.owner.name, self.archive.name)
+        common_name = 'PPA %s %s' % (self.archive.owner.name, self.archive.name)
+        subject = '/CN=%s/' % (common_name[0:64])
 
         old_mask = os.umask(0o077)
         try:
             new_key_cmd = [
                 'openssl', 'req', '-new', '-x509', '-newkey', 'rsa:2048',
-                '-subj', common_name, '-keyout', self.uefi_key,
+                '-subj', subject, '-keyout', self.uefi_key,
                 '-out', self.uefi_cert, '-days', '3650', '-nodes', '-sha256',
                 ]
             self.callLog("UEFI keygen", new_key_cmd)
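Review bot: the `common_name[0:64]` slice on the new `subject` line uses a bare 64 with no comment, and the kmod path in the next hunk hard-codes 59 for the same limit. Suggest one named constant for the 64-character common-name maximum, used by both key generators, plus a comment noting that truncation can give two PPAs with a long shared owner/name prefix the same CN, which is acceptable only because the subject is cosmetic.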
@@ -233,6 +233,10 @@
         if not os.path.exists(directory):
             os.makedirs(directory)
 
+        # Truncate name to 64 character maximum.
+        common_name = "PPA %s %s" % (self.archive.owner.name, self.archive.name)
+        common_name = common_name[0:59] + " kmod"
+
         old_mask = os.umask(0o077)
         try:
             with tempfile.NamedTemporaryFile(suffix='.keygen') as tf:
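Review bot: in `common_name[0:59] + " kmod"` the 59 is 64 minus the length of the " kmod" suffix, but nothing in the code says so, and the comment above it mentions only the 64-character maximum. Suggest deriving the slice length from the suffix (limit minus `len(suffix)`) so the two cannot drift apart if the suffix changes, and building the "PPA %s %s" string in one shared helper, since the UEFI path constructs the identical string.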
@@ -245,14 +249,14 @@
                     x509_extensions = myexts
 
                     [ req_distinguished_name ]
-                    CN = /CN=PPA %s %s kmod/
+                    CN = %s
 
                     [ myexts ]
                     basicConstraints=critical,CA:FALSE
                     keyUsage=digitalSignature
                     subjectKeyIdentifier=hash
                     authorityKeyIdentifier=keyid
-                    """ % (self.archive.owner.name, self.archive.name))
+                    """ % common_name)
 
                 print(genkey_text, file=tf)
 
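Review bot: the `CN = %s` change in `[ req_distinguished_name ]` alters the subject of every newly generated kmod key (the "/CN=.../" framing is dropped and the value is now truncated), yet this diff modifies only lib/lp/archivepublisher/signing.py and carries no test. Suggest adding a test that generates keys for an owner+PPA name longer than 64 characters and asserts that the kmod CN is at most 64 characters, still ends in " kmod", and no longer contains the "/CN=" framing, with a matching length assertion for the UEFI subject.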

