openssl_x509_certificate handles CN in a way that violates the x509 spec

[femiagbabiaka]

Description

RFC5280 subsection 4.1.2.6 sez:

The subject field identifies the entity associated with the public
   key stored in the subject public key field.  The subject name MAY be
   carried in the subject field and/or the subjectAltName extension.  If
   the subject is a CA (e.g., the basic constraints extension, as
   discussed in [Section 4.2.1.9](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.9), is present and the value of cA is
   TRUE), then the subject field MUST be populated with a non-empty
   distinguished name matching the contents of the issuer field ([Section](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4)
   [4.1.2.4](https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.2.4)) in all certificates issued by the subject CA.  If the
   subject is a CRL issuer (e.g., the key usage extension, as discussed
   in [Section 4.2.1.3](https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.3), is present and the value of cRLSign is TRUE),
   then the subject field MUST be populated with a non-empty
   distinguished name matching the contents of the issuer field ([Section](https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.3)
   [5.1.2.3](https://datatracker.ietf.org/doc/html/rfc5280#section-5.1.2.3)) in all CRLs issued by the subject CRL issuer.  If subject
   naming information is present only in the subjectAltName extension
   (e.g., a key bound only to an email address or URI), then the subject
   name MUST be an empty sequence and the subjectAltName extension MUST
   be critical.

TL;DR, as I understand it, you must have one of common_name or a subject_alt_name entry. If you have a common_name entry, it must match the subject_alt_name entry. But common_name is not required.

Currently, the resource implicitly requires common_name to be specified: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L221. Implicit because common_name isn't marked as required: https://github.com/chef/chef/blob/main/lib/chef/resource/openssl_x509_certificate.rb#L101.

I believe the correct solution is to leave the common_name and subject_alt_name property definitions as-is, add an unless check on the nilness of common_name, and require that one of subject_alt_name or common_name be set.

Chef Version

I'm using CINC version 15.7.32, but the bug applies to the main branch.

Platform Version

I'm running on Ubuntu 20.04, but the bug applies to all platforms.

Replication Case

Attempt to create a certificate that does not specify common_name.

Client Output

 ================================================================================
             Error executing action `create` on resource 'openssl_x509_certificate[/tmp/elastic-test.pem]'
 ================================================================================
             
             TypeError
             ---------
             no implicit conversion of nil into String

Stacktrace