Set empty country, province, and organization subject fields to null …

…in X.509 certificate (#166) * fix certificate partial subject Signed-off-by: taniwa <taniwa@lycorp.co.jp> Signed-off-by: taniwa <taniwa@lycorp.co.jp> * fix rolecert csr Signed-off-by: taniwa <taniwa@lycorp.co.jp> * add ATHENZ_SIA_DEFAULT_COUNTRY in Dockerfile Signed-off-by: taniwa <taniwa@lycorp.co.jp> --------- Signed-off-by: taniwa <taniwa@lycorp.co.jp>
AthenZ · Nov 13, 2024 · 4120536 · 4120536
1 parent 07492bb
commit 4120536
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -15,6 +15,7 @@ COPY . .
 
 ARG ATHENZ_SIA_VERSION=''
 RUN ATHENZ_SIA_VERSION="${ATHENZ_SIA_VERSION}" make build
+ARG ATHENZ_SIA_DEFAULT_COUNTRY=US
 
 FROM docker.io/alpine:3
 LABEL maintainer "cncf-athenz-maintainers@lists.cncf.io"

diff --git a/pkg/certificate/identity.go b/pkg/certificate/identity.go
@@ -371,9 +371,24 @@ func PrepareIdentityCsrOptions(idCfg *config.IdentityConfig, domain, service str
 	}
 
 	subject := pkix.Name{
-		Country:            []string{config.DEFAULT_COUNTRY},
-		Province:           []string{config.DEFAULT_PROVINCE},
-		Organization:       []string{config.DEFAULT_ORGANIZATION},
+		Country: func() []string {
+			if config.DEFAULT_COUNTRY != "" {
+				return []string{config.DEFAULT_COUNTRY}
+			}
+			return nil
+		}(),
+		Province: func() []string {
+			if config.DEFAULT_PROVINCE != "" {
+				return []string{config.DEFAULT_PROVINCE}
+			}
+			return nil
+		}(),
+		Organization: func() []string {
+			if config.DEFAULT_ORGANIZATION != "" {
+				return []string{config.DEFAULT_ORGANIZATION}
+			}
+			return nil
+		}(),
 		OrganizationalUnit: []string{idCfg.ServiceCert.CopperArgos.Provider},
 		CommonName:         fmt.Sprintf("%s.%s", domain, service),
 	}
@@ -418,9 +433,24 @@ func PrepareRoleCsrOptions(idCfg *config.IdentityConfig, domain, service string)
 		}
 
 		subject := pkix.Name{
-			Country:            []string{config.DEFAULT_COUNTRY},
-			Province:           []string{config.DEFAULT_PROVINCE},
-			Organization:       []string{config.DEFAULT_ORGANIZATION},
+			Country: func() []string {
+				if config.DEFAULT_COUNTRY != "" {
+					return []string{config.DEFAULT_COUNTRY}
+				}
+				return nil
+			}(),
+			Province: func() []string {
+				if config.DEFAULT_PROVINCE != "" {
+					return []string{config.DEFAULT_PROVINCE}
+				}
+				return nil
+			}(),
+			Organization: func() []string {
+				if config.DEFAULT_ORGANIZATION != "" {
+					return []string{config.DEFAULT_ORGANIZATION}
+				}
+				return nil
+			}(),
 			OrganizationalUnit: []string{config.DEFAULT_ORGANIZATIONAL_UNIT},
 			CommonName:         fmt.Sprintf("%s:role.%s", targetDomain, targetRole),
 		}

diff --git a/pkg/config/default.go b/pkg/config/default.go
@@ -22,7 +22,7 @@ import (
 
 var (
 	// default values for X.509 certificate signing request
-	DEFAULT_COUNTRY             = "US"
+	DEFAULT_COUNTRY             string
 	DEFAULT_PROVINCE            string
 	DEFAULT_ORGANIZATION        string
 	DEFAULT_ORGANIZATIONAL_UNIT = "Athenz"