Remove organization from subject for GCP CAS issuer

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.
This does result in an empty subject when viewing
the certificate in openssl or macOS keychain, but
this is something I'll be filing an issue for.

Tested by running a local instance of Fulcio with
my own instance of CA Service.

Fixes #390

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>

pkg/ca/googleca/v1/googleca.go

@@ -83,17 +83,14 @@ func convertID(id asn1.ObjectIdentifier) []int32 {
 }
 
 func Req(parent string, pemBytes []byte, cert *x509.Certificate) (*privatecapb.CreateCertificateRequest, error) {
-	// TODO, use the right fields :)
 	pubkeyFormat, err := getPubKeyFormat(pemBytes)
 	if err != nil {
 		return nil, err
 	}
 
 	// Translate the x509 certificate's subject to Google proto.
 	subject := &privatecapb.CertificateConfig_SubjectConfig{
-		Subject: &privatecapb.Subject{
-			Organization: "sigstore",
-		},
+		Subject: &privatecapb.Subject{},
 		SubjectAltName: &privatecapb.SubjectAltNames{
 			EmailAddresses: cert.EmailAddresses,
 		},

pkg/ca/googleca/v1/googleca_test.go

@@ -22,9 +22,17 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"net/url"
 	"testing"
+	"time"
 
 	"github.com/sigstore/fulcio/pkg/challenges"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
+	"google.golang.org/protobuf/proto"
 )
 
 func failErr(t *testing.T, err error) {
@@ -79,3 +87,77 @@ func TestCheckSignatureRSA(t *testing.T) {
 		t.Fatal("check should have failed")
 	}
 }
+
+func TestReq(t *testing.T) {
+	parent := "parent-ca"
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	failErr(t, err)
+
+	uri := "sigstore.dev"
+	parsedURI, err := url.Parse(uri)
+	failErr(t, err)
+
+	emailAddress := "foo@sigstore.dev"
+	notAfter := time.Now().Add(time.Minute * 10)
+	pubKeyBytes, err := cryptoutils.MarshalPublicKeyToPEM(priv.Public())
+	failErr(t, err)
+	ext := pkix.Extension{Id: asn1.ObjectIdentifier{1, 2, 3}, Value: []byte{1, 2, 3}}
+
+	cert := &x509.Certificate{
+		NotAfter:        notAfter,
+		EmailAddresses:  []string{emailAddress},
+		URIs:            []*url.URL{parsedURI},
+		ExtraExtensions: []pkix.Extension{ext},
+	}
+
+	expectedReq := &privatecapb.CreateCertificateRequest{
+		Parent: parent,
+		Certificate: &privatecapb.Certificate{
+			CertificateConfig: &privatecapb.Certificate_Config{
+				Config: &privatecapb.CertificateConfig{
+					PublicKey: &privatecapb.PublicKey{
+						Format: privatecapb.PublicKey_PEM,
+						Key:    pubKeyBytes,
+					},
+					X509Config: &privatecapb.X509Parameters{
+						KeyUsage: &privatecapb.KeyUsage{
+							BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
+								DigitalSignature: true,
+							},
+							ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
+								CodeSigning: true,
+							},
+						},
+						AdditionalExtensions: []*privatecapb.X509Extension{
+							{
+								ObjectId: &privatecapb.ObjectId{
+									ObjectIdPath: convertID(ext.Id),
+								},
+								Value: ext.Value,
+							},
+						},
+					},
+					SubjectConfig: &privatecapb.CertificateConfig_SubjectConfig{
+						Subject: &privatecapb.Subject{},
+						SubjectAltName: &privatecapb.SubjectAltNames{
+							EmailAddresses: []string{emailAddress},
+							Uris:           []string{uri},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	req, err := Req(parent, pubKeyBytes, cert)
+	// We must copy over this field because we don't inject a clock, so
+	// lifetime will always be different.
+	expectedReq.Certificate.Lifetime = req.Certificate.Lifetime
+
+	if err != nil {
+		t.Fatalf("unexpected error, got: %v", err)
+	}
+	if !proto.Equal(req, expectedReq) {
+		t.Fatalf("proto equality failed, expected: %v, got: %v", req, expectedReq)
+	}
+}