ceremony/issuance: Remove PolicyIdentifiers extension and default to Policies (#7969)

cmd/ceremony/cert.go

@@ -318,12 +318,6 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	}
 
 	for _, policyConfig := range profile.Policies {
-		asnOID, err := parseOID(policyConfig.OID)
-		if err != nil {
-			return nil, err
-		}
-		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
-
 		x509OID, err := x509.ParseOID(policyConfig.OID)
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)

cmd/ceremony/cert_test.go

@@ -127,7 +127,6 @@ func TestMakeTemplateRoot(t *testing.T) {
 	test.AssertEquals(t, len(cert.IssuingCertificateURL), 1)
 	test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
-	test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
 	test.AssertEquals(t, len(cert.Policies), 2)
 	test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 

cmd/cert-checker/main_test.go

@@ -591,14 +591,11 @@ func TestIgnoredLint(t *testing.T) {
 		Subject: pkix.Name{
 			CommonName: "CPU's Cool CA",
 		},
-		SerialNumber: serial,
+		SerialNumber:          serial,
-		NotBefore:    time.Now(),
+		NotBefore:             time.Now(),
-		NotAfter:     time.Now().Add(testValidityDuration - time.Second),
+		NotAfter:              time.Now().Add(testValidityDuration - time.Second),
-		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
-		PolicyIdentifiers: []asn1.ObjectIdentifier{
-			{1, 2, 3},
-		},
 		Policies:              []x509.OID{x509OID},
 		BasicConstraintsValid: true,
 		IsCA:                  true,

issuance/cert.go

@@ -305,7 +305,6 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 }
 
 // Baseline Requirements, Section 7.1.6.1: domain-validated
-var domainValidatedASN1OID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
 var domainValidatedOID = func() x509.OID {
 	x509OID, err := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
 	if err != nil {
@@ -322,8 +321,7 @@ func (i *Issuer) generateTemplate() *x509.Certificate {
 		IssuingCertificateURL: []string{i.issuerURL},
 		BasicConstraintsValid: true,
 		// Baseline Requirements, Section 7.1.6.1: domain-validated
-		PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
+		Policies: []x509.OID{domainValidatedOID},
-		Policies:          []x509.OID{domainValidatedOID},
 	}
 
 	return template

issuance/cert_test.go

@@ -9,7 +9,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/base64"
 	"fmt"
 	"reflect"
@@ -336,7 +335,6 @@ func TestGenerateTemplate(t *testing.T) {
 		IssuingCertificateURL: []string{"http://issuer"},
 		OCSPServer:            []string{"http://ocsp"},
 		CRLDistributionPoints: nil,
-		PolicyIdentifiers:     []asn1.ObjectIdentifier{domainValidatedASN1OID},
 		Policies:              []x509.OID{domainValidatedOID},
 	}
 

linter/linter.go

@@ -194,7 +194,6 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		PermittedEmailAddresses:     realIssuer.PermittedEmailAddresses,
 		PermittedIPRanges:           realIssuer.PermittedIPRanges,
 		PermittedURIDomains:         realIssuer.PermittedURIDomains,
-		PolicyIdentifiers:           realIssuer.PolicyIdentifiers,
 		Policies:                    realIssuer.Policies,
 		SerialNumber:                realIssuer.SerialNumber,
 		Subject:                     realIssuer.Subject,