Populate x509.Certificate.Policies field #7940

Open
wants to merge 4 commits into
base: main
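--- a/cmd/ceremony/cert.go
+++ b/cmd/ceremony/cert.go
@@ -318,11 +318,17 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 }
 
 for _, policyConfig := range profile.Policies {
-oid, err := parseOID(policyConfig.OID)
+asnOID, err := parseOID(policyConfig.OID)
 if err != nil {
 return nil, err
 }
-cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, oid)
+cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
+
+x509OID, err := x509.ParseOID(policyConfig.OID)
+if err != nil {
+return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)
+}
+cert.Policies = append(cert.Policies, x509OID)
 }
 
 return cert, nil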
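Review bot: The same policy string is now parsed twice by two different parsers — `parseOID` on the line that binds asnOID and `x509.ParseOID` a few lines below — so a string that one parser accepts and the other rejects fails late, and the two fields only stay in sync as long as both parsers agree; deriving the x509.OID from the already-validated asnOID (converting its components and feeding them to x509.OIDFromInts) would leave a single source of truth. The two error paths are also inconsistent: the parseOID failure is returned bare (`return nil, err`) while the ParseOID failure is wrapped with the offending string, so wrapping the first one the same way, `return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)`, makes a bad ceremony config equally diagnosable on either path. Because the Go toolchain marshals either PolicyIdentifiers or Policies depending on the x509usepolicies GODEBUG setting, a test asserting that the two slices describe the same OIDs would catch drift between them before it reaches a signed certificate. makeTemplate begins and ends outside this hunk.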
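--- a/cmd/ceremony/cert_test.go
+++ b/cmd/ceremony/cert_test.go
@@ -127,6 +127,7 @@ func TestMakeTemplateRoot(t *testing.T) {
 test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
 test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
+test.AssertEquals(t, len(cert.Policies), 2)
 test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 
 cert, err = makeTemplate(randReader, profile, pubKey, nil, intermediateCert)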
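Review bot: The new assertion only checks that two Policies entries were produced, not that they match the PolicyIdentifiers parsed from the same config, so a divergence between the two parsers used in makeTemplate would still pass this test. Asserting the values agree, e.g. `test.AssertEquals(t, cert.Policies[0].String(), cert.PolicyIdentifiers[0].String())` (and the same for index 1), pins the relationship the change relies on. TestMakeTemplateRoot continues outside the hunk.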
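--- a/cmd/cert-checker/main_test.go
+++ b/cmd/cert-checker/main_test.go
@@ -18,7 +18,6 @@ import (
 mrand "math/rand/v2"
 "os"
 "slices"
-"sort"
 "strings"
 "sync"
 "testing"
@@ -585,6 +584,9 @@ func TestIgnoredLint(t *testing.T) {
 checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, blog.NewMock())
 serial := big.NewInt(1337)
 
+x509OID, err := x509.OIDFromInts([]uint64{1, 2, 3})
+test.AssertNotError(t, err, "failed to create x509.OID")
+
 template := &x509.Certificate{
 Subject: pkix.Name{
 CommonName: "CPU's Cool CA",
@@ -597,6 +599,7 @@ func TestIgnoredLint(t *testing.T) {
 PolicyIdentifiers: []asn1.ObjectIdentifier{
 {1, 2, 3},
 },
+Policies: []x509.OID{x509OID},
 BasicConstraintsValid: true,
 IsCA: true,
 IssuingCertificateURL: []string{"http://aia.example.org"},
@@ -639,12 +642,12 @@ func TestIgnoredLint(t *testing.T) {
 "zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 "zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 }
-sort.Strings(expectedProblems)
+slices.Sort(expectedProblems)
 
 // Check the certificate with a nil ignore map. This should return the
 // expected zlint problems.
 _, problems := checker.checkCert(context.Background(), cert, nil)
-sort.Strings(problems)
+slices.Sort(problems)
 test.AssertDeepEquals(t, problems, expectedProblems)
 
 // Check the certificate again with an ignore map that excludes the affected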
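--- a/issuance/cert.go
+++ b/issuance/cert.go
@@ -192,6 +192,17 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 return nil
 }
 
+// Baseline Requirements, Section 7.1.6.1: domain-validated
+var domainValidatedOID = mustOIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
+
+func mustOIDFromInts(oid []uint64) x509.OID {
+x509OID, err := x509.OIDFromInts(oid)
+if err != nil {
+panic(fmt.Errorf("failed to create OID using ints %v: %w", oid, err))
+}
+return x509OID
+}
+
 func (i *Issuer) generateTemplate() *x509.Certificate {
 template := &x509.Certificate{
 SignatureAlgorithm: i.sigAlg,
@@ -200,6 +211,7 @@ func (i *Issuer) generateTemplate() *x509.Certificate {
 BasicConstraintsValid: true,
 // Baseline Requirements, Section 7.1.6.1: domain-validated
 PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+Policies: []x509.OID{domainValidatedOID},
 }
 
 // TODO(#7294): Use i.crlURLBase and a shard calculation to create a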
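Review bot: The domain-validated OID is now spelled out twice in this file — as the `[]uint64` literal passed to mustOIDFromInts in the first hunk and as the `asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}}` literal in PolicyIdentifiers in the second — so an edit to one is not caught by the compiler and only shows up in whichever field the toolchain happens to marshal into the issued certificate. Declaring both representations side by side at package level (for example a sibling `var domainValidatedASN1 = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}` referenced from PolicyIdentifiers) leaves one place to review. mustOIDFromInts also has no doc comment; suggest `// mustOIDFromInts builds an x509.OID from its arc components and panics on failure; it is intended only for package-level initializers, where a malformed literal is a programmer error.` generateTemplate continues outside the hunk.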
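--- a/issuance/cert_test.go
+++ b/issuance/cert_test.go
@@ -322,6 +322,7 @@ func TestGenerateTemplate(t *testing.T) {
 OCSPServer: []string{"http://ocsp"},
 CRLDistributionPoints: nil,
 PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+Policies: []x509.OID{domainValidatedOID},
 }
 
 test.AssertDeepEquals(t, actual, expected)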
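Review bot: The expected template's Policies entry reuses the production variable `domainValidatedOID`, so this test cannot detect a wrong value in that variable — it compares the code with itself, unlike the PolicyIdentifiers line above it, which spells out an independent literal. Building the expectation from its own literal, e.g. `Policies: []x509.OID{mustOIDFromInts([]uint64{2, 23, 140, 1, 2, 1})}`, keeps the test a check on the actual OID that ends up in issued certificates. TestGenerateTemplate continues outside the hunk.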
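--- a/linter/linter.go
+++ b/linter/linter.go
@@ -195,6 +195,7 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 PermittedIPRanges: realIssuer.PermittedIPRanges,
 PermittedURIDomains: realIssuer.PermittedURIDomains,
 PolicyIdentifiers: realIssuer.PolicyIdentifiers,
+Policies: realIssuer.Policies,
 SerialNumber: realIssuer.SerialNumber,
 Subject: realIssuer.Subject,
 SubjectKeyId: realIssuer.SubjectKeyId,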