Configure additional certificate extensions for Buildkite

The Buildkite Issuer was added in #890, prior to the efforts to standardise
certificate extensions for CI providers, and #1074 calls for the Buildkite
issuer to be updated to use the new extensions (where applicable).

This is an early attempt to make those changes. I initially started these in #1307,
however is is a new swing at it using the new CIProvider issuer (see #1729 and #1743).

I've added the extensions that make the most sense in a Buildkite context, like
RunInvocationURI, RunnerEnvironment and SourceRepositoryDigest. Many of the
other extensions don't apply because we're not a code host as well, or need
further discussion.

I have not added tests yet. This is my first contribution to fulcio and I'm
keen to confirm I'm heading in the right direction before adding tests.
However, I have tested this locally with a Buildkite agent and OIDC token, and
the certificate was issued as expected.

I started a local fulcio like this:

    $ go run main.go serve --port 5555 --ca ephemeralca --ct-log-url="" --config-path config/identity/config.yaml

... and signed git commits with gitsign. The relevant bits of the
certificates look like:

    git cat-file commit HEAD | sed -n '/-BEGIN/, /-END/p' | sed 's/^ //g' | sed 's/gpgsig //g' | sed 's/SIGNED MESSAGE/PKCS7/g' | openssl pkcs7 -print -print_certs -text
    ...
    X509v3 extensions:
        X509v3 Key Usage: critical
            Digital Signature
        X509v3 Extended Key Usage:
            Code Signing
        X509v3 Subject Key Identifier:
            36:D2:99:B9:BA:98:4B:3A:77:51:DC:08:05:83:12:9A:F4:EE:41:E5
        X509v3 Authority Key Identifier:
            D2:41:21:29:23:AD:E9:27:69:6F:DB:85:6D:1B:3F:7E:A9:55:F3:02
        X509v3 Subject Alternative Name: critical
            URI:https://buildkite.com/yob-opensource/oidc-signing-experiment
        1.3.6.1.4.1.57264.1.1:
            https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.8:
            ..https://agent.buildkite.com
        1.3.6.1.4.1.57264.1.11:
            ..self-hosted
        1.3.6.1.4.1.57264.1.13:
            .(078a6dd4a32fa40592c21a40aedaf27105503140
        1.3.6.1.4.1.57264.1.20:
            ..ui
        1.3.6.1.4.1.57264.1.21:
            .khttps://buildkite.com/yob-opensource/oidc-signing-experiment/builds/52#01943a38-f93e-4355-abe8-90a30369c270

Signed-off-by: James Healy <[email protected]>

Author: James Healy

config/identity/config.yaml

@@ -236,4 +236,13 @@ ci-issuer-metadata:
   *buildkite-type:
     default-template-values:
       url: "https://buildkite.com"
-    subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}"
+    extension-templates:
+      # Link to the specific Buildkite job that the OIDC token was generated from
+      run-invocation-uri: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}/builds/{{.build_number}}#{{.job_id}}"
+      # Was the job executed on Buildkite operated compute or customer hosted compute? (valid values: self-hosted, buildkite-hosted)
+      runner-environment: "runner_environment"
+      # The git sha that job was running, available in the `build_commit` claim
+      source-repository-digest: "build_commit"
+      # build_source: Event that triggered this workflow run. (valid values: api, ui, webhook, trigger_job, schedule)
+      build-trigger: "build_source"
+    subject-alternative-name-template: "{{.url}}/{{.organization_slug}}/{{.pipeline_slug}}" # seems correct, do we still need the code in pkg/identity/buildkite/principal.go ?