Remove organization from subject for GCP CAS issuer

[haydentherapper]

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.
This does result in an empty subject when viewing
the certificate in openssl or macOS keychain, but
this is something I'll be filing an issue with CAS for.

Tested by running a local instance of Fulcio with
my own instance of CA Service.

Fixes #390

Signed-off-by: Hayden Blauzvern hblauzvern@google.com

Summary

Ticket Link

Fixes #390

Release Note

Removed organization from GCP CA Service issued certificates

[haydentherapper]

Verified with:

go run main.go serve --port 5555 --ca googleca --ct-log-url="" --gcp_private_ca_parent=<path to ca pool>

Used code from locustfile.py to fetch a certificate and confirm contents of certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            8a:0a:e2:69:5a:52:0b:91:a1:70:47:4d:46:50:17:65:6c:15:85
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: O = Google, CN = fulcio-test
        Validity
            Not Before: Feb  7 20:28:46 2022 GMT
            Not After : Feb  7 20:38:45 2022 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:f1:9d:eb:2b:59:52:e1:2f:a2:b2:c4:aa:16:27:
                    4f:42:d9:ba:88:18:2e:50:3f:0c:22:93:e0:74:39:
                    75:27:c2:2c:57:24:d4:92:5c:85:d1:91:75:93:05:
                    4e:60:ad:ab:45:e6:76:75:6a:60:e8:92:0f:db:00:
                    2c:3d:d7:3a:36
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                Code Signing
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                4D:3A:8F:FA:D2:8B:2D:52:2E:0A:1F:6D:6D:16:69:B2:69:4D:91:ED
            X509v3 Authority Key Identifier:
                keyid:FA:5E:2B:15:32:2D:70:26:B9:8D:92:F9:94:90:43:53:05:92:E5:17

            Authority Information Access:
                CA Issuers - URI:<removed>

            X509v3 Subject Alternative Name: critical
                email:<removed>
            1.3.6.1.4.1.57264.1.1:
                https://accounts.google.com
    Signature Algorithm: ecdsa-with-SHA256
         30:46:02:21:00:fb:08:e0:67:c6:1a:da:89:59:f6:7f:f3:44:
         3b:4d:f5:d2:e5:a1:52:7d:c5:cf:8f:f4:e0:6b:05:ae:b5:94:
         fd:02:21:00:bb:fc:64:1b:77:f2:6d:f7:1b:be:1d:d6:a1:9b:
         81:8b:27:00:37:92:a8:86:a4:bf:b4:b5:2b:e4:a4:1f:76:d1

[dlorenc]

The fields of the Subject proto do not need to be
specified, but the Subject proto is still required.

Ah! That must have been the issue I ran into.

[haydentherapper]

Filed an issue internally to request that empty subjects are not included in issued certs.

I think we can also use a CSR instead of the certificate config proto, I'll take a look at this, but it's definitely less readable.