sigstore · dlorenc · Feb 8, 2022 · Feb 7, 2022
diff --git a/pkg/ca/googleca/v1/googleca.go b/pkg/ca/googleca/v1/googleca.go
@@ -83,17 +83,14 @@ func convertID(id asn1.ObjectIdentifier) []int32 {
 }
 
 func Req(parent string, pemBytes []byte, cert *x509.Certificate) (*privatecapb.CreateCertificateRequest, error) {
-	// TODO, use the right fields :)
 	pubkeyFormat, err := getPubKeyFormat(pemBytes)
 	if err != nil {
 		return nil, err
 	}
 
 	// Translate the x509 certificate's subject to Google proto.
 	subject := &privatecapb.CertificateConfig_SubjectConfig{
-		Subject: &privatecapb.Subject{
-			Organization: "sigstore",
-		},
+		Subject: &privatecapb.Subject{},
 		SubjectAltName: &privatecapb.SubjectAltNames{
 			EmailAddresses: cert.EmailAddresses,
 		},

diff --git a/pkg/ca/googleca/v1/googleca_test.go b/pkg/ca/googleca/v1/googleca_test.go
@@ -22,9 +22,17 @@ import (
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/sha256"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/asn1"
+	"net/url"
 	"testing"
+	"time"
 
 	"github.com/sigstore/fulcio/pkg/challenges"
+	"github.com/sigstore/sigstore/pkg/cryptoutils"
+	privatecapb "google.golang.org/genproto/googleapis/cloud/security/privateca/v1"
+	"google.golang.org/protobuf/proto"
 )
 
 func failErr(t *testing.T, err error) {
@@ -79,3 +87,77 @@ func TestCheckSignatureRSA(t *testing.T) {
 		t.Fatal("check should have failed")
 	}
 }
+
+func TestReq(t *testing.T) {
+	parent := "parent-ca"
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	failErr(t, err)
+
+	uri := "sigstore.dev"
+	parsedURI, err := url.Parse(uri)
+	failErr(t, err)
+
+	emailAddress := "foo@sigstore.dev"
+	notAfter := time.Now().Add(time.Minute * 10)
+	pubKeyBytes, err := cryptoutils.MarshalPublicKeyToPEM(priv.Public())
+	failErr(t, err)
+	ext := pkix.Extension{Id: asn1.ObjectIdentifier{1, 2, 3}, Value: []byte{1, 2, 3}}
+
+	cert := &x509.Certificate{
+		NotAfter:        notAfter,
+		EmailAddresses:  []string{emailAddress},
+		URIs:            []*url.URL{parsedURI},
+		ExtraExtensions: []pkix.Extension{ext},
+	}
+
+	expectedReq := &privatecapb.CreateCertificateRequest{
+		Parent: parent,
+		Certificate: &privatecapb.Certificate{
+			CertificateConfig: &privatecapb.Certificate_Config{
+				Config: &privatecapb.CertificateConfig{
+					PublicKey: &privatecapb.PublicKey{
+						Format: privatecapb.PublicKey_PEM,
+						Key:    pubKeyBytes,
+					},
+					X509Config: &privatecapb.X509Parameters{
+						KeyUsage: &privatecapb.KeyUsage{
+							BaseKeyUsage: &privatecapb.KeyUsage_KeyUsageOptions{
+								DigitalSignature: true,
+							},
+							ExtendedKeyUsage: &privatecapb.KeyUsage_ExtendedKeyUsageOptions{
+								CodeSigning: true,
+							},
+						},
+						AdditionalExtensions: []*privatecapb.X509Extension{
+							{
+								ObjectId: &privatecapb.ObjectId{
+									ObjectIdPath: convertID(ext.Id),
+								},
+								Value: ext.Value,
+							},
+						},
+					},
+					SubjectConfig: &privatecapb.CertificateConfig_SubjectConfig{
+						Subject: &privatecapb.Subject{},
+						SubjectAltName: &privatecapb.SubjectAltNames{
+							EmailAddresses: []string{emailAddress},
+							Uris:           []string{uri},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	req, err := Req(parent, pubKeyBytes, cert)
+	// We must copy over this field because we don't inject a clock, so
+	// lifetime will always be different.
+	expectedReq.Certificate.Lifetime = req.Certificate.Lifetime
+
+	if err != nil {
+		t.Fatalf("unexpected error, got: %v", err)
+	}
+	if !proto.Equal(req, expectedReq) {
+		t.Fatalf("proto equality failed, expected: %v, got: %v", req, expectedReq)
+	}
+}