scion-pki: allow creating voting certificates without ISD-AS (scionproto#4843)

Only for cp-root, cp-ca, and cp-as certificates the ISD-AS is mandatory.

Author: oncilla

scion-pki/certs/create.go

@@ -142,7 +142,7 @@ func newCreateCmd(pather command.Pather) *cobra.Command {
 		Default: "depends on profile",
 	}
 
-	var cmd = &cobra.Command{
+	cmd := &cobra.Command{
 		Use:   "create [flags] <subject-template> <cert-file> <key-file>",
 		Short: "Create a certificate or certificate signing request",
 		Example: fmt.Sprintf(`  %[1]s create --profile cp-root subject.tmpl cp-root.crt cp-root.key
@@ -202,7 +202,8 @@ A valid example for a JSON formatted template::
 			if err != nil {
 				return serrors.Wrap("parsing profile", err)
 			}
-			subject, err := createSubject(args[0], flags.commonName)
+			requireIA := ct != cppki.Sensitive && ct != cppki.Regular
+			subject, err := createSubject(args[0], flags.commonName, requireIA)
 			if err != nil {
 				return serrors.Wrap("creating subject", err)
 			}
@@ -277,7 +278,7 @@ A valid example for a JSON formatted template::
 					panic("failed to encode CSR")
 				}
 				csrFile := args[1]
-				err = file.WriteFile(csrFile, encodedCSR, 0644, file.WithForce(flags.force))
+				err = file.WriteFile(csrFile, encodedCSR, 0o644, file.WithForce(flags.force))
 				if err != nil {
 					return serrors.Wrap("writing CSR", err)
 				}
@@ -313,7 +314,7 @@ A valid example for a JSON formatted template::
 					encodedCert = append(encodedCert, caCertRaw...)
 				}
 				certFile := args[1]
-				err = file.WriteFile(certFile, encodedCert, 0644, file.WithForce(flags.force))
+				err = file.WriteFile(certFile, encodedCert, 0o644, file.WithForce(flags.force))
 				if err != nil {
 					return serrors.Wrap("writing certificate", err)
 				}
@@ -325,7 +326,7 @@ A valid example for a JSON formatted template::
 				if err := file.CheckDirExists(filepath.Dir(keyFile)); err != nil {
 					return serrors.Wrap("checking that directory of private key exists", err)
 				}
-				err := file.WriteFile(keyFile, encodedKey, 0600, file.WithForce(flags.force))
+				err := file.WriteFile(keyFile, encodedKey, 0o600, file.WithForce(flags.force))
 				if err != nil {
 					return serrors.Wrap("writing private key", err)
 				}
@@ -414,8 +415,8 @@ func parseCertType(input string) (cppki.CertType, error) {
 	}
 }
 
-func createSubject(tmpl, commonName string) (pkix.Name, error) {
-	subject, err := loadSubject(tmpl)
+func createSubject(tmpl, commonName string, requireIA bool) (pkix.Name, error) {
+	subject, err := loadSubject(tmpl, requireIA)
 	if err != nil {
 		return pkix.Name{}, err
 	}
@@ -425,7 +426,7 @@ func createSubject(tmpl, commonName string) (pkix.Name, error) {
 	return subject, nil
 }
 
-func loadSubject(tmpl string) (pkix.Name, error) {
+func loadSubject(tmpl string, requireIA bool) (pkix.Name, error) {
 	raw, err := os.ReadFile(tmpl)
 	if err != nil {
 		return pkix.Name{}, err
@@ -447,7 +448,7 @@ func loadSubject(tmpl string) (pkix.Name, error) {
 	if err := json.Unmarshal(raw, &vars); err != nil {
 		return pkix.Name{}, err
 	}
-	return subjectFromVars(vars)
+	return subjectFromVars(vars, requireIA)
 }
 
 func parseCertificate(raw []byte) (*x509.Certificate, error) {

scion-pki/certs/renew.go

@@ -358,7 +358,7 @@ The template is expressed in JSON. A valid example::
 			if flags.subject != "" {
 				template = flags.subject
 			}
-			subject, err := createSubject(template, flags.commonName)
+			subject, err := createSubject(template, flags.commonName, true)
 			if err != nil {
 				return err
 			}
@@ -925,8 +925,8 @@ func extractChainLegacy(rep *cppb.ChainRenewalResponse) ([]*x509.Certificate, er
 	return chain, nil
 }
 
-func subjectFromVars(vars SubjectVars) (pkix.Name, error) {
-	if vars.IA.IsZero() {
+func subjectFromVars(vars SubjectVars, requireIA bool) (pkix.Name, error) {
+	if requireIA && vars.IA.IsZero() {
 		return pkix.Name{}, serrors.New("isd_as required in template")
 	}
 	s := pkix.Name{

scion-pki/certs/renew_test.go

@@ -59,40 +59,52 @@ func TestCSRTemplate(t *testing.T) {
 	testCases := map[string]struct {
 		File         string
 		CommonName   string
+		RequireIA    bool
 		Expected     pkix.RDNSequence
 		ErrAssertion assert.ErrorAssertionFunc
 	}{
 		"valid": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
+			RequireIA:    true,
+			Expected:     wantSubject.ToRDNSequence(),
+			ErrAssertion: assert.NoError,
+		},
+		"valid - no ISD-AS": {
+			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
+			RequireIA:    false,
 			Expected:     wantSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"from chain": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.pem",
+			RequireIA:    true,
 			Expected:     wantSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"custom common name": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
 			CommonName:   "custom",
+			RequireIA:    true,
 			Expected:     customSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"custom common name from chain": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.pem",
 			CommonName:   "custom",
+			RequireIA:    true,
 			Expected:     customSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"no ISD-AS": {
 			File:         "testdata/renew/no_isd_as.json",
+			RequireIA:    true,
 			ErrAssertion: assert.Error,
 		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			subject, err := createSubject(tc.File, tc.CommonName)
+			subject, err := createSubject(tc.File, tc.CommonName, tc.RequireIA)
 			tc.ErrAssertion(t, err)
 			if err != nil {
 				return