AUT-291 - expanding makecsr options (#1090)

* AUT-291 - expanding makecsr options to have more flexibility This was mainly to hat we need to be able to adjust for some hard coded firefox checks: https://searchfox.org/mozilla-central/rev/7d1b5c88343879056168aa710a9ee743392604c0/taskcluster/kinds/repackage-msix/kind.yml#104 .
mozilla-services · Jan 8, 2025 · 72a535d · 72a535d
1 parent be80e97
commit 72a535d
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 19 deletions.
diff --git a/tools/makecsr/README.md b/tools/makecsr/README.md
@@ -2,7 +2,7 @@
 
 This is a small helper used to generate a PEM-encoded CSR from a private key
 hosted in our HSMs. It's used particularly to issue the CS and AMO intermediates
-used by autograph. See our private hsm repo for how we've invoked it.
+used by autograph.
 
 Note: nearly all of the CSRs attributes can be overridden at signing time, so
 this is not a complete picture of what will be signed. But we include attributes
@@ -87,10 +87,14 @@ docker run -it --rm --user 0:0 \
 
 7. Run the makecsr command with the options you want.
 ```
-makecsr -cn "My Corporation" \
-    -dnsName "my.domain.name.foo" 
-    -l "my-key-label-from-kms" 
-    -ou "Engineering Operations" 
-    -sigAlg "SHA256WithRSA" 
+makecsr -lbl "my-key-label-from-kms" \
+    -o "My Organization" \
+    -cn "My Org Common Name" \
+    -dnsName "my.domain.name.foo" \
+    -ou "My Department Name" \
+    -c "My Country" \
+    -st "My Province/State" \
+    -l "My City" \
+    -sigAlg "SHA256WithRSA" \
     -crypto11Config "/mnt/crypto11-config.json"
 ```
diff --git a/tools/makecsr/makecsr.go b/tools/makecsr/makecsr.go
@@ -34,8 +34,12 @@ func main() {
 	var (
 		crypto11ConfigFilePath string
 		keyLabel               string
+		o                      string
 		ou                     string
 		cn                     string
+		c                      string
+		st                     string
+		l                      string
 		dnsName                string
 		email                  string
 		sigAlgName             string
@@ -44,9 +48,13 @@ func main() {
 	allowedSigNames := slices.Collect(maps.Keys(allowedSigAlgs))
 
 	flag.StringVar(&crypto11ConfigFilePath, "crypto11Config", "crypto11-config.json", "Path to the crypto11 configuration file")
-	flag.StringVar(&keyLabel, "l", "mykey", "Label of the key in the HSM")
+	flag.StringVar(&keyLabel, "lbl", "mykey", "Label of the key in the HSM")
+	flag.StringVar(&o, "o", "Mozilla Corporation", "Organization of the Subject")
 	flag.StringVar(&ou, "ou", "Mozilla AMO Production Signing Service", "OrganizationalUnit of the Subject")
 	flag.StringVar(&cn, "cn", "Content Signing Intermediate", "CommonName of the Subject")
+	flag.StringVar(&c, "c", "", "Country of the Subject")
+	flag.StringVar(&st, "st", "", "State/Province of the Subject")
+	flag.StringVar(&l, "l", "", "City/Locale of the Subject")
 	flag.StringVar(&dnsName, "dnsName", "", "DNS name for use in the Subject Altenative Name")
 	flag.StringVar(&email, "email", "", "email that's added to the EmailAddresses part of the Subject Alternative Name")
 	flag.StringVar(&sigAlgName, "sigAlg", "", fmt.Sprintf("Signature Algorithm to use with the key. Must be one of %q", allowedSigNames))
@@ -100,20 +108,22 @@ func main() {
 		log.Fatal(err)
 	}
 
-	csrPEM, err := generatePEMEncodedCSR(privKey, ou, cn, email, []string{dnsName}, sigAlg)
+	csrPEM, err := generatePEMEncodedCSR(privKey, o, ou, cn, c, st, l, email, []string{dnsName}, sigAlg)
 	if err != nil {
 		log.Fatalf("Failed to generate CSR: %s", err.Error())
 	}
 	fmt.Print(string(csrPEM))
 }
 
-func generatePEMEncodedCSR(privKey any, organizationalUnit, commonName, email string, dnsNames []string, sigAlg x509.SignatureAlgorithm) ([]byte, error) {
+func generatePEMEncodedCSR(privKey any, organization, organizationalUnit, commonName, country, state, locale, email string, dnsNames []string, sigAlg x509.SignatureAlgorithm) ([]byte, error) {
 	crtReq := &x509.CertificateRequest{
 		Subject: pkix.Name{
 			CommonName:         commonName,
-			Organization:       []string{"Mozilla Corporation"},
+			Organization:       []string{organization},
 			OrganizationalUnit: []string{organizationalUnit},
-			Country:            []string{"US"},
+			Country:            []string{country},
+			Locality:           []string{locale},
+			Province:           []string{state},
 		},
 		DNSNames:           dnsNames,
 		SignatureAlgorithm: sigAlg,

diff --git a/tools/makecsr/makecsr_test.go b/tools/makecsr/makecsr_test.go
@@ -18,24 +18,28 @@ import (
 func TestGoldenPath(t *testing.T) {
 	testcases := []struct {
 		privKey       crypto.PrivateKey
+		org           string
 		orgUnit       string
 		commonName    string
+		country       string
+		state         string
+		locale        string
 		email         string
 		dnsNames      []string
 		sigAlg        x509.SignatureAlgorithm
 		expectedError error
 	}{
-		{generateRSAKey(t), "MozOrg", "MozCN", "", []string{"example.com", "biff.com"}, x509.SHA256WithRSA, nil},
-		{generateRSAKey(t), "MozOrg", "MozCN", "", []string{"okay.com"}, x509.SHA384WithRSA, nil},
-		{generateRSAKey(t), "MozOrg", "MozCN/email=foobar.com", "", []string{"okay.com"}, x509.SHA256WithRSA, nil},
-		{generateRSAKey(t), "MozOrg", "MozCN", "[email protected]", []string{"okay.com"}, x509.SHA256WithRSA, nil},
-		{generateECDSAKey(t), "Foo", "foocN", "", []string{"okay.com"}, x509.ECDSAWithSHA256, nil},
-		{generateECDSAKey(t), "Foo", "foocN", "", []string{"okay.com"}, x509.ECDSAWithSHA384, nil},
-		{generateRSAKey(t), "MozOrg", "MozCN", "", []string{"failed.com"}, x509.ECDSAWithSHA256, errors.New("x509: requested SignatureAlgorithm does not match private key type")},
+		{generateRSAKey(t), "Mozilla", "MozOrg", "MozCN", "US", "California", "San Francisoco", "", []string{"example.com", "biff.com"}, x509.SHA256WithRSA, nil},
+		{generateRSAKey(t), "Mozilla Corp", "MozOrg", "MozCN", "US", "California", "San Francisoco", "", []string{"okay.com"}, x509.SHA384WithRSA, nil},
+		{generateRSAKey(t), "Mozilla Corporation", "MozOrg", "MozCN/email=foobar.com", "US", "California", "San Francisoco", "", []string{"okay.com"}, x509.SHA256WithRSA, nil},
+		{generateRSAKey(t), "Mozilla Corporation", "MozOrg", "MozCN", "US", "California", "San Francisoco", "[email protected]", []string{"okay.com"}, x509.SHA256WithRSA, nil},
+		{generateECDSAKey(t), "Mozilla Corporation", "Foo", "foocN", "US", "California", "San Francisoco", "", []string{"okay.com"}, x509.ECDSAWithSHA256, nil},
+		{generateECDSAKey(t), "Mozilla Corporation", "Foo", "foocN", "US", "California", "San Francisoco", "", []string{"okay.com"}, x509.ECDSAWithSHA384, nil},
+		{generateRSAKey(t), "Mozilla Corporation", "MozOrg", "MozCN", "US", "California", "San Francisoco", "", []string{"failed.com"}, x509.ECDSAWithSHA256, errors.New("x509: requested SignatureAlgorithm does not match private key type")},
 	}
 	for i, tc := range testcases {
 		t.Run(strconv.Itoa(i), func(t *testing.T) {
-			out, err := generatePEMEncodedCSR(tc.privKey, tc.orgUnit, tc.commonName, tc.email, tc.dnsNames, tc.sigAlg)
+			out, err := generatePEMEncodedCSR(tc.privKey, tc.org, tc.orgUnit, tc.commonName, tc.country, tc.state, tc.locale, tc.email, tc.dnsNames, tc.sigAlg)
 			if tc.expectedError != nil {
 				if err == nil {
 					t.Fatalf("expectedError: want %v, got nil", tc.expectedError)