Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove organization from subject for GCP CAS issuer #391

Merged
merged 1 commit into from
Feb 8, 2022

Conversation

haydentherapper
Copy link
Contributor

@haydentherapper haydentherapper commented Feb 7, 2022

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.
This does result in an empty subject when viewing
the certificate in openssl or macOS keychain, but
this is something I'll be filing an issue with CAS for.

Tested by running a local instance of Fulcio with
my own instance of CA Service.

Fixes #390

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes #390

Release Note

Removed organization from GCP CA Service issued certificates

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.
This does result in an empty subject when viewing
the certificate in openssl or macOS keychain, but
this is something I'll be filing an issue for.

Tested by running a local instance of Fulcio with
my own instance of CA Service.

Fixes sigstore#390

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
@haydentherapper
Copy link
Contributor Author

Verified with:

go run main.go serve --port 5555 --ca googleca --ct-log-url="" --gcp_private_ca_parent=<path to ca pool>

Used code from locustfile.py to fetch a certificate and confirm contents of certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8a:0a:e2:69:5a:52:0b:91:a1:70:47:4d:46:50:17:65:6c:15:85
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Google, CN = fulcio-test
        Validity
            Not Before: Feb  7 20:28:46 2022 GMT
            Not After : Feb  7 20:38:45 2022 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f1:9d:eb:2b:59:52:e1:2f:a2:b2:c4:aa:16:27:
                    4f:42:d9:ba:88:18:2e:50:3f:0c:22:93:e0:74:39:
                    75:27:c2:2c:57:24:d4:92:5c:85:d1:91:75:93:05:
                    4e:60:ad:ab:45:e6:76:75:6a:60:e8:92:0f:db:00:
                    2c:3d:d7:3a:36
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4D:3A:8F:FA:D2:8B:2D:52:2E:0A:1F:6D:6D:16:69:B2:69:4D:91:ED
            X509v3 Authority Key Identifier:
                keyid:FA:5E:2B:15:32:2D:70:26:B9:8D:92:F9:94:90:43:53:05:92:E5:17

            Authority Information Access:
                CA Issuers - URI:<removed>

            X509v3 Subject Alternative Name: critical
                email:<removed>
            1.3.6.1.4.1.57264.1.1:
                https://accounts.google.com
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:fb:08:e0:67:c6:1a:da:89:59:f6:7f:f3:44:
         3b:4d:f5:d2:e5:a1:52:7d:c5:cf:8f:f4:e0:6b:05:ae:b5:94:
         fd:02:21:00:bb:fc:64:1b:77:f2:6d:f7:1b:be:1d:d6:a1:9b:
         81:8b:27:00:37:92:a8:86:a4:bf:b4:b5:2b:e4:a4:1f:76:d1

@dlorenc
Copy link
Member

dlorenc commented Feb 7, 2022

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.

Ah! That must have been the issue I ran into.

@haydentherapper
Copy link
Contributor Author

Filed an issue internally to request that empty subjects are not included in issued certs.

I think we can also use a CSR instead of the certificate config proto, I'll take a look at this, but it's definitely less readable.

@dlorenc dlorenc merged commit f9c93a1 into sigstore:main Feb 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Certs issued from GCP CA Service include unneeded subject organization
2 participants