letsencrypt · Juneezee · Jan 12, 2025 · Jan 12, 2025 · Jan 14, 2025 · Jan 14, 2025
@@ -318,11 +318,17 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	}
 
 	for _, policyConfig := range profile.Policies {
-		oid, err := parseOID(policyConfig.OID)
+		asnOID, err := parseOID(policyConfig.OID)
 		if err != nil {
 			return nil, err
 		}
-		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, oid)
+		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
+
+		x509OID, err := x509.ParseOID(policyConfig.OID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)
+		}
+		cert.Policies = append(cert.Policies, x509OID)
 	}
 
 	return cert, nil

@@ -127,6 +127,7 @@ func TestMakeTemplateRoot(t *testing.T) {
 	test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
 	test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
+	test.AssertEquals(t, len(cert.Policies), 2)
 	test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 
 	cert, err = makeTemplate(randReader, profile, pubKey, nil, intermediateCert)

@@ -18,7 +18,6 @@ import (
 	mrand "math/rand/v2"
 	"os"
 	"slices"
-	"sort"
 	"strings"
 	"sync"
 	"testing"
@@ -585,6 +584,9 @@ func TestIgnoredLint(t *testing.T) {
 	checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, blog.NewMock())
 	serial := big.NewInt(1337)
 
+	x509OID, err := x509.OIDFromInts([]uint64{1, 2, 3})
+	test.AssertNotError(t, err, "failed to create x509.OID")
+
 	template := &x509.Certificate{
 		Subject: pkix.Name{
 			CommonName: "CPU's Cool CA",
@@ -597,6 +599,7 @@ func TestIgnoredLint(t *testing.T) {
 		PolicyIdentifiers: []asn1.ObjectIdentifier{
 			{1, 2, 3},
 		},
+		Policies:              []x509.OID{x509OID},
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		IssuingCertificateURL: []string{"http://aia.example.org"},
@@ -639,12 +642,12 @@ func TestIgnoredLint(t *testing.T) {
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
-	sort.Strings(expectedProblems)
+	slices.Sort(expectedProblems)
 
 	// Check the certificate with a nil ignore map. This should return the
 	// expected zlint problems.
 	_, problems := checker.checkCert(context.Background(), cert, nil)
-	sort.Strings(problems)
+	slices.Sort(problems)
 	test.AssertDeepEquals(t, problems, expectedProblems)
 
 	// Check the certificate again with an ignore map that excludes the affected

@@ -193,13 +193,16 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 }
 
 func (i *Issuer) generateTemplate() *x509.Certificate {
+	x509OID, _ := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
+
 	template := &x509.Certificate{
 		SignatureAlgorithm:    i.sigAlg,
 		OCSPServer:            []string{i.ocspURL},
 		IssuingCertificateURL: []string{i.issuerURL},
 		BasicConstraintsValid: true,
 		// Baseline Requirements, Section 7.1.6.1: domain-validated
 		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+		Policies:          []x509.OID{x509OID},
 	}
 
 	// TODO(#7294): Use i.crlURLBase and a shard calculation to create a

@@ -22,9 +22,7 @@ import (
 	"github.com/letsencrypt/boulder/test"
 )
 
-var (
-	goodSKID = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
-)
+var goodSKID = []byte{0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9}
 
 func defaultProfile() *Profile {
 	p, _ := NewProfile(defaultProfileConfig())
@@ -33,7 +31,7 @@ func defaultProfile() *Profile {
 
 func TestGenerateValidity(t *testing.T) {
 	fc := clock.NewFake()
-	fc.Set(time.Date(2015, time.June, 04, 11, 04, 38, 0, time.UTC))
+	fc.Set(time.Date(2015, time.June, 0o4, 11, 0o4, 38, 0, time.UTC))
 
 	tests := []struct {
 		name      string
@@ -46,15 +44,15 @@ func TestGenerateValidity(t *testing.T) {
 			name:      "normal usage",
 			backdate:  time.Hour, // 90% of one hour is 54 minutes
 			validity:  7 * 24 * time.Hour,
-			notBefore: time.Date(2015, time.June, 04, 10, 10, 38, 0, time.UTC),
+			notBefore: time.Date(2015, time.June, 0o4, 10, 10, 38, 0, time.UTC),
 			notAfter:  time.Date(2015, time.June, 11, 10, 10, 37, 0, time.UTC),
 		},
 		{
 			name:      "zero backdate",
 			backdate:  0,
 			validity:  7 * 24 * time.Hour,
-			notBefore: time.Date(2015, time.June, 04, 11, 04, 38, 0, time.UTC),
-			notAfter:  time.Date(2015, time.June, 11, 11, 04, 37, 0, time.UTC),
+			notBefore: time.Date(2015, time.June, 0o4, 11, 0o4, 38, 0, time.UTC),
+			notAfter:  time.Date(2015, time.June, 11, 11, 0o4, 37, 0, time.UTC),
 		},
 	}
 
@@ -315,13 +313,17 @@ func TestGenerateTemplate(t *testing.T) {
 
 	actual := issuer.generateTemplate()
 
+	x509OID, err := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
+	test.AssertNotError(t, err, "failed to create x509.OID")
+
 	expected := &x509.Certificate{
 		BasicConstraintsValid: true,
 		SignatureAlgorithm:    x509.SHA256WithRSA,
 		IssuingCertificateURL: []string{"http://issuer"},
 		OCSPServer:            []string{"http://ocsp"},
 		CRLDistributionPoints: nil,
 		PolicyIdentifiers:     []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+		Policies:              []x509.OID{x509OID},
 	}
 
 	test.AssertDeepEquals(t, actual, expected)

@@ -195,6 +195,7 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		PermittedIPRanges:           realIssuer.PermittedIPRanges,
 		PermittedURIDomains:         realIssuer.PermittedURIDomains,
 		PolicyIdentifiers:           realIssuer.PolicyIdentifiers,
+		Policies:                    realIssuer.Policies,
 		SerialNumber:                realIssuer.SerialNumber,
 		Subject:                     realIssuer.Subject,
 		SubjectKeyId:                realIssuer.SubjectKeyId,