Include raw subject in certificates

wlynch · wlynch · commit f30059235bff · 2026-03-27T15:59:25.000-04:00
Sometimes identities have a different identifier that isn't captured by existing certificates, usually
because the identifier isn't useful as a human friendly reference. For example - GCP accounts have
an opaque numerical identifier.

That said, subject is particularly useful to preserve since OIDC spec requires
(issuer, subject) to be the canonical representation for an identity, and sometimes
these opaque identifiers can be difficult to otherwise resolve.

This change preserves the incoming subject as-is. While this may result in some duplicative
data for some providers, this helps give a consistent reference point across OIDC issuers.

Signed-off-by: Billy Lynch &lt;billy@chainguard.dev&gt;
diff --git a/docs/oid-info.md b/docs/oid-info.md
@@ -52,7 +52,7 @@ Nice-to-haves:
 
 `1.3.6.1.4.1.57264.1.7` is formatted as a DER-encoded string in the SubjectAlternativeName extension, as per RFC 5280 4.2.1.6.
 
-`1.3.6.1.4.1.57264.1.8` through `1.3.6.1.4.1.57264.1.22` are formatted as DER-encoded strings; the ASN.1 tag is
+`1.3.6.1.4.1.57264.1.8` through `1.3.6.1.4.1.57264.1.24` are formatted as DER-encoded strings; the ASN.1 tag is
 UTF8String (0x0C) and the tag class is universal.
 
 ## Directory
@@ -186,6 +186,10 @@ Source repository visibility at the time of signing the certificate. MAY be empt
 
 Deployment target for a given job that maps to deployment protection rules. May be empty if no environment is defined. For example: `production` or `staging`.
 
+### 1.3.6.1.4.1.57264.1.24 | Token Subject
+
+The raw `sub` claim from the OIDC ID token that was presented at the time the code signing certificate was requested. This preserves the original token subject as-is, regardless of how the provider maps it to certificate SANs or other extensions. For example: `repo:sigstore/fulcio:ref:refs/heads/main` for GitHub Actions, or `project_path:mygroup/myproject:ref_type:branch:ref:main` for GitLab.
+
 ## 1.3.6.1.4.1.57264.2 | Policy OID for Sigstore Timestamp Authority
 
 Not used by Fulcio. This specifies the policy OID for the [timestamp authority](https://github.com/sigstore/timestamp-authority)
@@ -197,6 +201,7 @@ that Sigstore operates.
 | -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | aud                                                                              | aud                                                                                               | aud                                                                                                 | aud                                                                             | aud                                                                                                                                | N/A                                     | Only used to validate the JWT.                                                                                                                                                         |
 | iss                                                                              | iss                                                                                               | iss                                                                                                 | iss                                                                             | iss                                                                                                                                | Issuer                                  | This already exists. For example: <https://token.actions.githubusercontent.com>                                                                                                        |
+| sub                                                                              | sub                                                                                               | sub                                                                                                 | sub                                                                             | sub                                                                                                                                | Token Subject                           | The raw `sub` claim from the OIDC ID token                                                                                                                                             |
 | exp                                                                              | exp                                                                                               | exp                                                                                                 | exp                                                                             | exp                                                                                                                                | N/A                                     | Only used to validate the JWT.                                                                                                                                                         |
 | nbf                                                                              | nbf                                                                                               | nbf                                                                                                 | nbf                                                                             | N/A                                                                                                                                | N/A                                     | Only used to validate the JWT. Optional, as per the OIDC spec                                                                                                                          |
 | iat                                                                              | iat                                                                                               | iat                                                                                                 | iat                                                                             | iat                                                                                                                                | N/A                                     | Only used to validate the JWT.                                                                                                                                                         |
diff --git a/pkg/certificate/extensions.go b/pkg/certificate/extensions.go
@@ -35,8 +35,9 @@ var (
 	// Deprecated: Use OIDSourceRepositoryRef
 	OIDGitHubWorkflowRef = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 6}
 
-	OIDOtherName = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
-	OIDIssuerV2  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
+	OIDOtherName    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 7}
+	OIDIssuerV2     = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 8}
+	OIDTokenSubject = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 24}
 
 	// CI extensions
 	OIDBuildSignerURI                      = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 9}
@@ -136,6 +137,9 @@ type Extensions struct {
 
 	// Deployment target for a workflow or job
 	DeploymentEnvironment string `json:"DeploymentEnvironment,omitempty" yaml:"deployment-environment,omitempty"` // 1.3.6.1.4.1.57264.1.23
+
+	// Raw OIDC token subject (`sub` claim).
+	Subject string `json:"Subject,omitempty" yaml:"subject,omitempty"` // 1.3.6.1.4.1.57264.1.24
 }
 
 func (e Extensions) Render() ([]pkix.Extension, error) {
@@ -348,6 +352,16 @@ func (e Extensions) Render() ([]pkix.Extension, error) {
 			Value: val,
 		})
 	}
+	if e.Subject != "" {
+		val, err := asn1.MarshalWithParams(e.Subject, "utf8")
+		if err != nil {
+			return nil, err
+		}
+		exts = append(exts, pkix.Extension{
+			Id:    OIDTokenSubject,
+			Value: val,
+		})
+	}
 
 	return exts, nil
 }
@@ -435,6 +449,10 @@ func ParseExtensions(ext []pkix.Extension) (Extensions, error) {
 			if err := ParseDERString(e.Value, &out.DeploymentEnvironment); err != nil {
 				return Extensions{}, err
 			}
+		case e.Id.Equal(OIDTokenSubject):
+			if err := ParseDERString(e.Value, &out.Subject); err != nil {
+				return Extensions{}, err
+			}
 		}
 	}
 
diff --git a/pkg/certificate/extensions_test.go b/pkg/certificate/extensions_test.go
@@ -58,6 +58,7 @@ func TestExtensions(t *testing.T) {
 				RunInvocationURI:                    "21",     // 1.3.6.1.4.1.57264.1.21
 				SourceRepositoryVisibilityAtSigning: "22",     // 1.3.6.1.4.1.57264.1.22
 				DeploymentEnvironment:               "23",     // 1.3.6.1.4.1.57264.1.23
+				Subject:                             "24",     // 1.3.6.1.4.1.57264.1.24
 			},
 			Expect: []pkix.Extension{
 				{
@@ -148,6 +149,10 @@ func TestExtensions(t *testing.T) {
 					Id:    OIDDeploymentEnvironment,
 					Value: marshalDERString(t, "23"),
 				},
+				{
+					Id:    OIDTokenSubject,
+					Value: marshalDERString(t, "24"),
+				},
 			},
 			WantErr: false,
 		},
diff --git a/pkg/identity/buildkite/principal.go b/pkg/identity/buildkite/principal.go
@@ -80,7 +80,8 @@ func (p jobPrincipal) Embed(_ context.Context, cert *x509.Certificate) error {
 
 	// Embed additional information into custom extensions
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.subject,
 	}.Render()
 	if err != nil {
 		return err
diff --git a/pkg/identity/chainguard/principal.go b/pkg/identity/chainguard/principal.go
@@ -80,7 +80,8 @@ func (w workflowPrincipal) Embed(_ context.Context, cert *x509.Certificate) erro
 	cert.URIs = []*url.URL{baseURL.JoinPath(w.subject)}
 
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: w.issuer,
+		Issuer:  w.issuer,
+		Subject: w.subject,
 
 		// TODO(mattmoor): Embed more of the Chainguard token structure via OIDs.
 	}.Render()
diff --git a/pkg/identity/ciprovider/principal.go b/pkg/identity/ciprovider/principal.go
@@ -168,7 +168,7 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
 		s := v.Field(i).String() // value of each field, e.g the template string
 		// We check the field name to avoid applying the template for the Issuer.
 		// The Issuer field should always come from the token issuer.
-		if strings.TrimSpace(s) == "" || vType.Field(i).Name == "Issuer" {
+		if strings.TrimSpace(s) == "" || vType.Field(i).Name == "Issuer" || vType.Field(i).Name == "Subject" {
 			continue
 		}
 		extValue, err := applyTemplateOrReplace(s, claims, defaults,
@@ -182,9 +182,10 @@ func (principal ciPrincipal) Embed(_ context.Context, cert *x509.Certificate) er
 		v.Field(i).SetString(extValue)
 	}
 
-	// Guarantee that the extension issuer is set to the token issuer,
-	// regardless of whether this field has been set before
+	// Guarantee that the extension issuer and subject are set to the token values,
+	// regardless of whether these fields have been set before
 	claimsTemplates.Issuer = principal.Token.Issuer
+	claimsTemplates.Subject = principal.Token.Subject
 	// Embed additional information into custom extensions
 	cert.ExtraExtensions, err = claimsTemplates.Render()
 	if err != nil {
diff --git a/pkg/identity/codefresh/principal.go b/pkg/identity/codefresh/principal.go
@@ -150,7 +150,8 @@ func (w workflowPrincipal) Embed(_ context.Context, cert *x509.Certificate) erro
 	cert.URIs = []*url.URL{baseURL.JoinPath(w.accountName, fmt.Sprintf("%s:%s/%s", w.pipelineName, w.accountID, w.pipelineID))}
 
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: w.issuer,
+		Issuer:  w.issuer,
+		Subject: w.subject,
 		// URL of the build in Codefresh.
 		// The workflow url is used for build signer in Codefresh because for public builds unauthenticated users only have access to the workflow, not the pipeline definition.
 		// Also, the workflow contains the definition of the pipeline that was used at the time of the build, making it ideal to be used as the signer url.
diff --git a/pkg/identity/email/principal.go b/pkg/identity/email/principal.go
@@ -31,6 +31,7 @@ import (
 type principal struct {
 	address string
 	issuer  string
+	subject string
 }
 
 func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Principal, error) {
@@ -61,6 +62,7 @@ func PrincipalFromIDToken(ctx context.Context, token *oidc.IDToken) (identity.Pr
 	return principal{
 		issuer:  issuer,
 		address: emailAddress,
+		subject: token.Subject,
 	}, nil
 }
 
@@ -73,7 +75,8 @@ func (p principal) Embed(_ context.Context, cert *x509.Certificate) error {
 
 	var err error
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.subject,
 	}.Render()
 	if err != nil {
 		return err
diff --git a/pkg/identity/email/principal_test.go b/pkg/identity/email/principal_test.go
@@ -57,6 +57,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://iss.example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
@@ -84,6 +85,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
@@ -111,6 +113,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
@@ -173,6 +176,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://internal.example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
@@ -197,6 +201,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://internal.example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
@@ -221,6 +226,7 @@ func TestPrincipalFromIDToken(t *testing.T) {
 			ExpectedPrincipal: principal{
 				issuer:  "https://internal.example.com",
 				address: "alice@example.com",
+				subject: "doesntmatter",
 			},
 			WantErr: false,
 		},
diff --git a/pkg/identity/github/principal.go b/pkg/identity/github/principal.go
@@ -199,7 +199,8 @@ func (w workflowPrincipal) Embed(_ context.Context, cert *x509.Certificate) erro
 
 	// Embed additional information into custom extensions
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: w.issuer,
+		Issuer:  w.issuer,
+		Subject: w.subject,
 		// BEGIN: Deprecated
 		GithubWorkflowTrigger:    w.eventName,
 		GithubWorkflowSHA:        w.sha,
diff --git a/pkg/identity/gitlabcom/principal.go b/pkg/identity/gitlabcom/principal.go
@@ -220,6 +220,7 @@ func (p jobPrincipal) Embed(_ context.Context, cert *x509.Certificate) error {
 	// Embed additional information into custom extensions
 	cert.ExtraExtensions, err = certificate.Extensions{
 		Issuer:                              p.issuer,
+		Subject:                             p.subject,
 		BuildConfigURI:                      ciConfigRefURL.String(),
 		BuildConfigDigest:                   p.ciConfigSha,
 		BuildSignerURI:                      ciConfigRefURL.String(),
diff --git a/pkg/identity/kubernetes/principal.go b/pkg/identity/kubernetes/principal.go
@@ -60,7 +60,8 @@ func (p principal) Embed(_ context.Context, cert *x509.Certificate) error {
 	cert.URIs = []*url.URL{parsed}
 
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.subject,
 	}.Render()
 	if err != nil {
 		return err
diff --git a/pkg/identity/spiffe/principal.go b/pkg/identity/spiffe/principal.go
@@ -83,7 +83,8 @@ func (p principal) Embed(_ context.Context, cert *x509.Certificate) error {
 	cert.URIs = []*url.URL{parsed}
 
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.id,
 	}.Render()
 	if err != nil {
 		return err
diff --git a/pkg/identity/uri/principal.go b/pkg/identity/uri/principal.go
@@ -79,7 +79,8 @@ func (p principal) Embed(_ context.Context, cert *x509.Certificate) error {
 	cert.URIs = []*url.URL{subjectURI}
 
 	cert.ExtraExtensions, err = certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.uri,
 	}.Render()
 	if err != nil {
 		return err
diff --git a/pkg/identity/username/principal.go b/pkg/identity/username/principal.go
@@ -75,7 +75,8 @@ func (p principal) Embed(_ context.Context, cert *x509.Certificate) error {
 	exts = append(exts, *ext)
 
 	issuerExt, err := certificate.Extensions{
-		Issuer: p.issuer,
+		Issuer:  p.issuer,
+		Subject: p.username,
 	}.Render()
 	if err != nil {
 		return err
