Remove policy qualifiers from all issuance paths (#6980)

The inclusion of Policy Qualifiers inside Policy Information elements of
a Certificate Policies extension is now NOT RECOMMENDED by the Baseline
Requirements. We have already removed these fields from all of our
Boulder configuration, and ceased issuing certificates with Policy
Qualifiers.

Remove all support for configuring and including Policy Qualifiers in
our certificates, both in Boulder's main issuance path and in our
ceremony tool. Switch from using the policyasn1 library to manually
encode these extensions, to using the crypto/x509's
Certificate.PolicyIdentifiers field. Delete the policyasn1 package as it
is no longer necessary.

Fixes #6880

Author: aarongable

ca/ca_test.go

@@ -192,7 +192,7 @@ func setup(t *testing.T) *testCtx {
 				AllowCTPoison:   true,
 				AllowSCTList:    true,
 				AllowCommonName: true,
-				Policies: []issuance.PolicyInformation{
+				Policies: []issuance.PolicyConfig{
 					{OID: "2.23.140.1.2.1"},
 				},
 				MaxValidityPeriod:   config.Duration{Duration: time.Hour * 8760},

cmd/ceremony/cert.go

@@ -13,12 +13,12 @@ import (
 	"strconv"
 	"strings"
 	"time"
-
-	"github.com/letsencrypt/boulder/policyasn1"
 )
 
 type policyInfoConfig struct {
-	OID    string
+	OID string
+	// Deprecated: we do not include the id-qt-cps policy qualifier in our
+	// certificate policy extensions anymore.
 	CPSURI string `yaml:"cps-uri"`
 }
 
@@ -56,9 +56,7 @@ type certProfile struct {
 	IssuerURL string `yaml:"issuer-url"`
 
 	// PolicyOIDs should contain any OIDs to be inserted in a certificate
-	// policies extension. If the CPSURI field of a policyInfoConfig element
-	// is set it will result in a PolicyInformation structure containing a
-	// single id-qt-cps type qualifier indicating the CPS URI.
+	// policies extension.
 	Policies []policyInfoConfig `yaml:"policies"`
 
 	// KeyUsages should contain the set of key usage bits to set
@@ -183,33 +181,7 @@ var stringToKeyUsage = map[string]x509.KeyUsage{
 	"Cert Sign":         x509.KeyUsageCertSign,
 }
 
-var (
-	oidExtensionCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}
-
-	oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
-)
-
-func buildPolicies(policies []policyInfoConfig) (pkix.Extension, error) {
-	policyExt := pkix.Extension{Id: oidExtensionCertificatePolicies}
-	var policyInfo []policyasn1.PolicyInformation
-	for _, p := range policies {
-		oid, err := parseOID(p.OID)
-		if err != nil {
-			return pkix.Extension{}, err
-		}
-		pi := policyasn1.PolicyInformation{Policy: oid}
-		if p.CPSURI != "" {
-			pi.Qualifiers = []policyasn1.PolicyQualifier{{OID: policyasn1.CPSQualifierOID, Value: p.CPSURI}}
-		}
-		policyInfo = append(policyInfo, pi)
-	}
-	v, err := asn1.Marshal(policyInfo)
-	if err != nil {
-		return pkix.Extension{}, err
-	}
-	policyExt.Value = v
-	return policyExt, nil
-}
+var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}
 
 func generateSKID(pk []byte) ([]byte, error) {
 	var pkixPublicKey struct {
@@ -316,12 +288,12 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, ct
 		cert.MaxPathLenZero = true
 	}
 
-	if len(profile.Policies) > 0 {
-		policyExt, err := buildPolicies(profile.Policies)
+	for _, policyConfig := range profile.Policies {
+		oid, err := parseOID(policyConfig.OID)
 		if err != nil {
 			return nil, err
 		}
-		cert.ExtraExtensions = append(cert.ExtraExtensions, policyExt)
+		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, oid)
 	}
 
 	return cert, nil

cmd/ceremony/cert_test.go

@@ -97,9 +97,9 @@ func TestMakeTemplate(t *testing.T) {
 	profile.KeyUsages = []string{"Digital Signature", "CRL Sign"}
 	profile.Policies = []policyInfoConfig{{}}
 	_, err = makeTemplate(randReader, profile, pubKey, rootCert)
-	test.AssertError(t, err, "makeTemplate didn't fail with invalid policy OID")
+	test.AssertError(t, err, "makeTemplate didn't fail with invalid (empty) policy OID")
 
-	profile.Policies = []policyInfoConfig{{OID: "1.2.3"}, {OID: "1.2.3.4", CPSURI: "hello"}}
+	profile.Policies = []policyInfoConfig{{OID: "1.2.3"}, {OID: "1.2.3.4"}}
 	profile.CommonName = "common name"
 	profile.Organization = "organization"
 	profile.Country = "country"
@@ -120,7 +120,7 @@ func TestMakeTemplate(t *testing.T) {
 	test.AssertEquals(t, len(cert.IssuingCertificateURL), 1)
 	test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
-	test.AssertEquals(t, len(cert.ExtraExtensions), 1)
+	test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
 	test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 
 	cert, err = makeTemplate(randReader, profile, pubKey, intermediateCert)
@@ -469,8 +469,7 @@ func TestVerifyProfile(t *testing.T) {
 		},
 		{
 			profile: certProfile{
-				Policies: []policyInfoConfig{
-					{OID: "1.2.3"}, {OID: "1.2.3.4", CPSURI: "hello"}},
+				Policies: []policyInfoConfig{{OID: "1.2.3"}},
 			},
 			certType:    requestCert,
 			expectedErr: "policies cannot be set for a CSR",

issuance/issuance.go

@@ -31,7 +31,6 @@ import (
 	"github.com/letsencrypt/boulder/config"
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/linter"
-	"github.com/letsencrypt/boulder/policyasn1"
 	"github.com/letsencrypt/boulder/precert"
 	"github.com/letsencrypt/boulder/privatekey"
 	"github.com/letsencrypt/pkcs11key/v4"
@@ -44,21 +43,14 @@ type ProfileConfig struct {
 	AllowSCTList    bool
 	AllowCommonName bool
 
-	Policies            []PolicyInformation `validate:"omitempty,dive"`
+	Policies            []PolicyConfig `validate:"min=1,dive"`
 	MaxValidityPeriod   config.Duration
 	MaxValidityBackdate config.Duration
 }
 
-// PolicyInformation describes a policy
-type PolicyInformation struct {
-	OID        string
-	Qualifiers []PolicyQualifier `validate:"excluded_without=OID,dive"`
-}
-
-// PolicyQualifier describes a policy qualifier
-type PolicyQualifier struct {
-	Type  string `validate:"required"`
-	Value string `validate:"required"`
+// PolicyConfig describes a policy
+type PolicyConfig struct {
+	OID string `validate:"required"`
 }
 
 // IssuerConfig describes the constraints on and URLs used by a single issuer.
@@ -143,7 +135,7 @@ func loadSigner(location IssuerLoc, cert *Certificate) (crypto.Signer, error) {
 	if pkcs11Config.Module == "" ||
 		pkcs11Config.TokenLabel == "" ||
 		pkcs11Config.PIN == "" {
-		return nil, fmt.Errorf("Missing a field in pkcs11Config %#v", pkcs11Config)
+		return nil, fmt.Errorf("missing a field in pkcs11Config %#v", pkcs11Config)
 	}
 
 	numSessions := location.NumSessions
@@ -169,7 +161,7 @@ type Profile struct {
 	ocspURL   string
 	crlURL    string
 	issuerURL string
-	policies  *pkix.Extension
+	policies  []asn1.ObjectIdentifier
 
 	maxBackdate time.Duration
 	maxValidity time.Duration
@@ -190,10 +182,6 @@ func parseOID(oidStr string) (asn1.ObjectIdentifier, error) {
 	return oid, nil
 }
 
-var stringToQualifierType = map[string]asn1.ObjectIdentifier{
-	"id-qt-cps": policyasn1.CPSQualifierOID,
-}
-
 // NewProfile synthesizes the profile config and issuer config into a single
 // object, and checks various aspects for correctness.
 func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profile, error) {
@@ -203,6 +191,16 @@ func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profil
 	if issuerConfig.OCSPURL == "" {
 		return nil, errors.New("OCSP URL is required")
 	}
+
+	var policies []asn1.ObjectIdentifier
+	for _, policyConfig := range profileConfig.Policies {
+		oid, err := parseOID(policyConfig.OID)
+		if err != nil {
+			return nil, fmt.Errorf("failed parsing policy OID %q: %w", policyConfig.OID, err)
+		}
+		policies = append(policies, oid)
+	}
+
 	sp := &Profile{
 		useForRSALeaves:   issuerConfig.UseForRSALeaves,
 		useForECDSALeaves: issuerConfig.UseForECDSALeaves,
@@ -213,39 +211,11 @@ func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profil
 		issuerURL:         issuerConfig.IssuerURL,
 		crlURL:            issuerConfig.CRLURL,
 		ocspURL:           issuerConfig.OCSPURL,
+		policies:          policies,
 		maxBackdate:       profileConfig.MaxValidityBackdate.Duration,
 		maxValidity:       profileConfig.MaxValidityPeriod.Duration,
 	}
-	if len(profileConfig.Policies) > 0 {
-		var policies []policyasn1.PolicyInformation
-		for _, policyConfig := range profileConfig.Policies {
-			id, err := parseOID(policyConfig.OID)
-			if err != nil {
-				return nil, fmt.Errorf("failed parsing policy OID %q: %s", policyConfig.OID, err)
-			}
-			pi := policyasn1.PolicyInformation{Policy: id}
-			for _, qualifierConfig := range policyConfig.Qualifiers {
-				qt, ok := stringToQualifierType[qualifierConfig.Type]
-				if !ok {
-					return nil, fmt.Errorf("unknown qualifier type: %s", qualifierConfig.Type)
-				}
-				pq := policyasn1.PolicyQualifier{
-					OID:   qt,
-					Value: qualifierConfig.Value,
-				}
-				pi.Qualifiers = append(pi.Qualifiers, pq)
-			}
-			policies = append(policies, pi)
-		}
-		policyExtBytes, err := asn1.Marshal(policies)
-		if err != nil {
-			return nil, err
-		}
-		sp.policies = &pkix.Extension{
-			Id:    asn1.ObjectIdentifier{2, 5, 29, 32},
-			Value: policyExtBytes,
-		}
-	}
+
 	return sp, nil
 }
 
@@ -324,16 +294,13 @@ func (p *Profile) generateTemplate() *x509.Certificate {
 		OCSPServer:            []string{p.ocspURL},
 		IssuingCertificateURL: []string{p.issuerURL},
 		BasicConstraintsValid: true,
+		PolicyIdentifiers:     p.policies,
 	}
 
 	if p.crlURL != "" {
 		template.CRLDistributionPoints = []string{p.crlURL}
 	}
 
-	if p.policies != nil {
-		template.ExtraExtensions = []pkix.Extension{*p.policies}
-	}
-
 	return template
 }
 

issuance/issuance_test.go

@@ -27,7 +27,6 @@ import (
 	"github.com/letsencrypt/boulder/core"
 	"github.com/letsencrypt/boulder/ctpolicy/loglist"
 	"github.com/letsencrypt/boulder/linter"
-	"github.com/letsencrypt/boulder/policyasn1"
 	"github.com/letsencrypt/boulder/test"
 )
 
@@ -37,7 +36,7 @@ func defaultProfileConfig() ProfileConfig {
 		AllowCTPoison:   true,
 		AllowSCTList:    true,
 		AllowMustStaple: true,
-		Policies: []PolicyInformation{
+		Policies: []PolicyConfig{
 			{OID: "1.2.3"},
 		},
 		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
@@ -85,47 +84,12 @@ func TestMain(m *testing.M) {
 
 func TestNewProfilePolicies(t *testing.T) {
 	config := defaultProfileConfig()
-	config.Policies = append(config.Policies, PolicyInformation{
+	config.Policies = append(config.Policies, PolicyConfig{
 		OID: "1.2.3.4",
-		Qualifiers: []PolicyQualifier{
-			{
-				Type:  "id-qt-cps",
-				Value: "cps-url",
-			},
-		},
 	})
 	profile, err := NewProfile(config, defaultIssuerConfig())
 	test.AssertNotError(t, err, "NewProfile failed")
-	test.AssertDeepEquals(t, *profile, Profile{
-		useForRSALeaves:   true,
-		useForECDSALeaves: true,
-		allowMustStaple:   true,
-		allowCTPoison:     true,
-		allowSCTList:      true,
-		allowCommonName:   true,
-		issuerURL:         "http://issuer-url",
-		ocspURL:           "http://ocsp-url",
-		policies: &pkix.Extension{
-			Id:    asn1.ObjectIdentifier{2, 5, 29, 32},
-			Value: []byte{48, 36, 48, 4, 6, 2, 42, 3, 48, 28, 6, 3, 42, 3, 4, 48, 21, 48, 19, 6, 8, 43, 6, 1, 5, 5, 7, 2, 1, 22, 7, 99, 112, 115, 45, 117, 114, 108},
-		},
-		maxBackdate: time.Hour,
-		maxValidity: time.Hour,
-	})
-	var policies []policyasn1.PolicyInformation
-	_, err = asn1.Unmarshal(profile.policies.Value, &policies)
-	test.AssertNotError(t, err, "failed to parse policies extension")
-	test.AssertEquals(t, len(policies), 2)
-	test.AssertDeepEquals(t, policies[0], policyasn1.PolicyInformation{
-		Policy: asn1.ObjectIdentifier{1, 2, 3},
-	})
-	test.AssertDeepEquals(t, policies[1], policyasn1.PolicyInformation{
-		Policy: asn1.ObjectIdentifier{1, 2, 3, 4},
-		Qualifiers: []policyasn1.PolicyQualifier{{
-			OID:   asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 2, 1},
-			Value: "cps-url",
-		}},
-	})
+	test.AssertDeepEquals(t, profile.policies, []asn1.ObjectIdentifier{{1, 2, 3}, {1, 2, 3, 4}})
 }
 
 func TestNewProfileNoIssuerURL(t *testing.T) {
@@ -142,28 +106,14 @@ func TestNewProfileNoOCSPURL(t *testing.T) {
 
 func TestNewProfileInvalidOID(t *testing.T) {
 	_, err := NewProfile(ProfileConfig{
-		Policies: []PolicyInformation{{
+		Policies: []PolicyConfig{{
 			OID: "a.b.c",
 		}},
 	}, defaultIssuerConfig())
-	test.AssertError(t, err, "NewProfile didn't fail with unknown policy qualifier type")
+	test.AssertError(t, err, "NewProfile didn't fail with malformed policy OID")
 	test.AssertEquals(t, err.Error(), "failed parsing policy OID \"a.b.c\": strconv.Atoi: parsing \"a\": invalid syntax")
 }
 
-func TestNewProfileUnknownQualifierType(t *testing.T) {
-	_, err := NewProfile(ProfileConfig{
-		Policies: []PolicyInformation{{
-			OID: "1.2.3",
-			Qualifiers: []PolicyQualifier{{
-				Type:  "asd",
-				Value: "bad",
-			}},
-		}},
-	}, defaultIssuerConfig())
-	test.AssertError(t, err, "NewProfile didn't fail with unknown policy qualifier type")
-	test.AssertEquals(t, err.Error(), "unknown qualifier type: asd")
-}
-
 func TestRequestValid(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Add(time.Hour * 24)
@@ -398,24 +348,16 @@ func TestGenerateTemplate(t *testing.T) {
 		{
 			name: "include policies",
 			profile: &Profile{
-				sigAlg: x509.SHA256WithRSA,
-				policies: &pkix.Extension{
-					Id:    asn1.ObjectIdentifier{1, 2, 3},
-					Value: []byte{4, 5, 6},
-				},
+				sigAlg:   x509.SHA256WithRSA,
+				policies: []asn1.ObjectIdentifier{{4, 5, 6}},
 			},
 			expectedTemplate: &x509.Certificate{
 				BasicConstraintsValid: true,
 				SignatureAlgorithm:    x509.SHA256WithRSA,
 				ExtKeyUsage:           defaultEKU,
 				IssuingCertificateURL: []string{""},
 				OCSPServer:            []string{""},
-				ExtraExtensions: []pkix.Extension{
-					{
-						Id:    asn1.ObjectIdentifier{1, 2, 3},
-						Value: []byte{4, 5, 6},
-					},
-				},
+				PolicyIdentifiers:     []asn1.ObjectIdentifier{{4, 5, 6}},
 			},
 		},
 	}
@@ -1024,7 +966,7 @@ func TestMismatchedProfiles(t *testing.T) {
 
 	// Create a new profile that differs slightly (one more PolicyInformation than the precert)
 	profileConfig := defaultProfileConfig()
-	profileConfig.Policies = append(profileConfig.Policies, PolicyInformation{OID: "1.2.3.4", Qualifiers: nil})
+	profileConfig.Policies = append(profileConfig.Policies, PolicyConfig{OID: "1.2.3.4"})
 	p, err := NewProfile(profileConfig, defaultIssuerConfig())
 	test.AssertNotError(t, err, "NewProfile failed")
 	issuer2, err := NewIssuer(issuerCert, issuerSigner, p, linter, fc)