proto, pkg, docs: update CSR docstrings

.github/workflows/main.yml

@@ -35,10 +35,10 @@ jobs:
       - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
         with:
           go-version: ${{ env.GOVERSION }}
-      - uses: arduino/setup-protoc@64c0c85d18e984422218383b81c52f8b077404d3 # v1.1.2
+      - uses: trail-of-forks/setup-protoc@a97892a429d98fae78d26f40334ab7eb616d08b9
         name: Install protobuf
         with:
-          version: '3.20.3'
+          version: '21.11'
 
       - name: Build
         run: make -C $GITHUB_WORKSPACE all

fulcio.proto

@@ -102,6 +102,9 @@ message CreateSigningCertificateRequest {
         * Contains the public key to be stored in the requested certificate. All other CSR fields
         * are ignored. Since the CSR is self-signed, it also acts as a proof of posession of
         * the private key.
+        *
+        * In particular, the CSR's subject name is not verified, or tested for
+        * compatibility with its specified X.509 name type (e.g. email address).
         */
         bytes certificate_signing_request  = 3 [(google.api.field_behavior) = REQUIRED];
     }
@@ -234,4 +237,4 @@ message OIDCIssuer {
     string challenge_claim = 4;
     // The expected SPIFFE trust domain. Only present when the OIDC issuer issues tokens for SPIFFE identities.
     string spiffe_trust_domain = 5;
-}
+}

fulcio.swagger.json

@@ -124,7 +124,7 @@
         "certificateSigningRequest": {
           "type": "string",
           "format": "byte",
-          "description": "Contains the public key to be stored in the requested certificate. All other CSR fields\nare ignored. Since the CSR is self-signed, it also acts as a proof of posession of\nthe private key.",
+          "description": "Contains the public key to be stored in the requested certificate. All other CSR fields\nare ignored. Since the CSR is self-signed, it also acts as a proof of posession of\nthe private key.\n\nIn particular, the CSR's subject name is not verified, or tested for\ncompatibility with its specified X.509 name type (e.g. email address).",
           "title": "PKCS#10 PEM-encoded certificate signing request"
         }
       },

fulcio_legacy.proto

@@ -101,6 +101,9 @@ message CreateSigningCertificateRequest {
      * certificate. All other CSR fields are ignored. Since
      * the CSR is self-signed, it also acts as a proof of
      * posession of the private key.
+     *
+     * In particular, the CSR's subject name is not verified, or tested for
+     * compatibility with its specified X.509 name type (e.g. email address).
      */
     bytes certificateSigningRequest  = 3 [
         deprecated=true,

fulcio_legacy.swagger.json

@@ -124,7 +124,7 @@
         "certificateSigningRequest": {
           "type": "string",
           "format": "byte",
-          "description": "Optional: PKCS#10 PEM-encoded certificate signing request\nContains the public key to be stored in the requested\ncertificate. All other CSR fields are ignored. Since\nthe CSR is self-signed, it also acts as a proof of\nposession of the private key."
+          "description": "Optional: PKCS#10 PEM-encoded certificate signing request\nContains the public key to be stored in the requested\ncertificate. All other CSR fields are ignored. Since\nthe CSR is self-signed, it also acts as a proof of\nposession of the private key.\n\nIn particular, the CSR's subject name is not verified, or tested for\ncompatibility with its specified X.509 name type (e.g. email address)."
         }
       }
     },