ceremony/issuance: Remove PolicyIdentifiers extension and default to Policies (#7969)
parent
358bdab8f4
commit
5889d6a2a6
|
|
@ -318,12 +318,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
|
|||
}
|
||||
|
||||
for _, policyConfig := range profile.Policies {
|
||||
asnOID, err := parseOID(policyConfig.OID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
|
||||
|
||||
x509OID, err := x509.ParseOID(policyConfig.OID)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)
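Review bot: With `cert.PolicyIdentifiers` no longer populated, which field crypto/x509's CreateCertificate marshals into the certificatePolicies extension is governed by the toolchain's `x509usepolicies` GODEBUG (the `Policies` field was only honoured behind that setting when it was introduced), so a build on an older Go, or a go.mod `godebug` override, could silently emit a certificate with no policy extension at all. The assertions elsewhere in this commit only check `len(cert.Policies)` on the template, not the signed output; consider a test that re-parses the issued certificate and asserts the expected OID is present, so the BR 7.1.6.1 marker cannot be dropped unnoticed. The `parseOID` helper that this loop used to call has no remaining caller in the hunk; if nothing else uses it, it is now dead code. makeTemplate's body continues outside the hunk.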
|
||||
|
|
|
|||
|
|
@ -127,7 +127,6 @@ func TestMakeTemplateRoot(t *testing.T) {
|
|||
test.AssertEquals(t, len(cert.IssuingCertificateURL), 1)
|
||||
test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
|
||||
test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
|
||||
test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
|
||||
test.AssertEquals(t, len(cert.Policies), 2)
|
||||
test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
|
||||
|
||||
|
|
|
|||
|
|
@ -591,14 +591,11 @@ func TestIgnoredLint(t *testing.T) {
|
|||
Subject: pkix.Name{
|
||||
CommonName: "CPU's Cool CA",
|
||||
},
|
||||
SerialNumber: serial,
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(testValidityDuration - time.Second),
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||
PolicyIdentifiers: []asn1.ObjectIdentifier{
|
||||
{1, 2, 3},
|
||||
},
|
||||
SerialNumber: serial,
|
||||
NotBefore: time.Now(),
|
||||
NotAfter: time.Now().Add(testValidityDuration - time.Second),
|
||||
KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
|
||||
ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
|
||||
Policies: []x509.OID{x509OID},
|
||||
BasicConstraintsValid: true,
|
||||
IsCA: true,
|
||||
|
|
|
|||
|
|
@ -305,7 +305,6 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
|
|||
}
|
||||
|
||||
// Baseline Requirements, Section 7.1.6.1: domain-validated
|
||||
var domainValidatedASN1OID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
|
||||
var domainValidatedOID = func() x509.OID {
|
||||
x509OID, err := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
|
||||
if err != nil {
|
||||
|
|
@ -322,8 +321,7 @@ func (i *Issuer) generateTemplate() *x509.Certificate {
|
|||
IssuingCertificateURL: []string{i.issuerURL},
|
||||
BasicConstraintsValid: true,
|
||||
// Baseline Requirements, Section 7.1.6.1: domain-validated
|
||||
PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
|
||||
Policies: []x509.OID{domainValidatedOID},
|
||||
Policies: []x509.OID{domainValidatedOID},
|
||||
}
|
||||
|
||||
return template
|
||||
|
|
|
|||
|
|
@ -9,7 +9,6 @@ import (
|
|||
"crypto/rsa"
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/asn1"
|
||||
"encoding/base64"
|
||||
"fmt"
|
||||
"reflect"
|
||||
|
|
@ -336,7 +335,6 @@ func TestGenerateTemplate(t *testing.T) {
|
|||
IssuingCertificateURL: []string{"http://issuer"},
|
||||
OCSPServer: []string{"http://ocsp"},
|
||||
CRLDistributionPoints: nil,
|
||||
PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
|
||||
Policies: []x509.OID{domainValidatedOID},
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -194,7 +194,6 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
|
|||
PermittedEmailAddresses: realIssuer.PermittedEmailAddresses,
|
||||
PermittedIPRanges: realIssuer.PermittedIPRanges,
|
||||
PermittedURIDomains: realIssuer.PermittedURIDomains,
|
||||
PolicyIdentifiers: realIssuer.PolicyIdentifiers,
|
||||
Policies: realIssuer.Policies,
|
||||
SerialNumber: realIssuer.SerialNumber,
|
||||
Subject: realIssuer.Subject,
|
||||
|
|
|
|||