scion-pki: allow creating voting certificates without ISD-AS

Only for cp-root, cp-ca, and cp-as certificates the ISD-AS is mandatory.

Author: oncilla

scion-pki/certs/create.go

@@ -202,7 +202,7 @@ A valid example for a JSON formatted template::
 			if err != nil {
 				return serrors.Wrap("parsing profile", err)
 			}
-			subject, err := createSubject(args[0], flags.commonName)
+			subject, err := createSubject(args[0], flags.commonName, ct == cppki.Sensitive || ct == cppki.Regular)
 			if err != nil {
 				return serrors.Wrap("creating subject", err)
 			}
@@ -414,8 +414,8 @@ func parseCertType(input string) (cppki.CertType, error) {
 	}
 }
 
-func createSubject(tmpl, commonName string) (pkix.Name, error) {
-	subject, err := loadSubject(tmpl)
+func createSubject(tmpl, commonName string, requireIA bool) (pkix.Name, error) {
+	subject, err := loadSubject(tmpl, requireIA)
 	if err != nil {
 		return pkix.Name{}, err
 	}
@@ -425,7 +425,7 @@ func createSubject(tmpl, commonName string) (pkix.Name, error) {
 	return subject, nil
 }
 
-func loadSubject(tmpl string) (pkix.Name, error) {
+func loadSubject(tmpl string, requireIA bool) (pkix.Name, error) {
 	raw, err := os.ReadFile(tmpl)
 	if err != nil {
 		return pkix.Name{}, err
@@ -449,7 +449,7 @@ func loadSubject(tmpl string) (pkix.Name, error) {
 	if err := json.Unmarshal(raw, &vars); err != nil {
 		return pkix.Name{}, err
 	}
-	return subjectFromVars(vars)
+	return subjectFromVars(vars, requireIA)
 }
 
 func parseCertificate(raw []byte) (*x509.Certificate, error) {

scion-pki/certs/renew.go

@@ -358,7 +358,7 @@ The template is expressed in JSON. A valid example::
 			if flags.subject != "" {
 				template = flags.subject
 			}
-			subject, err := createSubject(template, flags.commonName)
+			subject, err := createSubject(template, flags.commonName, true)
 			if err != nil {
 				return err
 			}
@@ -925,8 +925,8 @@ func extractChainLegacy(rep *cppb.ChainRenewalResponse) ([]*x509.Certificate, er
 	return chain, nil
 }
 
-func subjectFromVars(vars SubjectVars) (pkix.Name, error) {
-	if vars.IA.IsZero() {
+func subjectFromVars(vars SubjectVars, requireIA bool) (pkix.Name, error) {
+	if requireIA && vars.IA.IsZero() {
 		return pkix.Name{}, serrors.New("isd_as required in template")
 	}
 	s := pkix.Name{

scion-pki/certs/renew_test.go

@@ -59,40 +59,52 @@ func TestCSRTemplate(t *testing.T) {
 	testCases := map[string]struct {
 		File         string
 		CommonName   string
+		RequireIA    bool
 		Expected     pkix.RDNSequence
 		ErrAssertion assert.ErrorAssertionFunc
 	}{
 		"valid": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
+			RequireIA:    true,
+			Expected:     wantSubject.ToRDNSequence(),
+			ErrAssertion: assert.NoError,
+		},
+		"valid - no ISD-AS": {
+			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
+			RequireIA:    false,
 			Expected:     wantSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"from chain": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.pem",
+			RequireIA:    true,
 			Expected:     wantSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"custom common name": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.csr.json",
 			CommonName:   "custom",
+			RequireIA:    true,
 			Expected:     customSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"custom common name from chain": {
 			File:         "testdata/renew/ISD1-ASff00_0_111.pem",
 			CommonName:   "custom",
+			RequireIA:    true,
 			Expected:     customSubject.ToRDNSequence(),
 			ErrAssertion: assert.NoError,
 		},
 		"no ISD-AS": {
 			File:         "testdata/renew/no_isd_as.json",
+			RequireIA:    true,
 			ErrAssertion: assert.Error,
 		},
 	}
 	for name, tc := range testCases {
 		t.Run(name, func(t *testing.T) {
 			t.Parallel()
-			subject, err := createSubject(tc.File, tc.CommonName)
+			subject, err := createSubject(tc.File, tc.CommonName, tc.RequireIA)
 			tc.ErrAssertion(t, err)
 			if err != nil {
 				return