Remove ability to configure policy OIDs (#6992)

Completely remove the ability to configure Certificate Policy OIDs in
the Boulder CA. Instead, hard-code the Baseline Requirements Domain
Validated Reserved Policy Identifier. Boulder will never perform OV or
EV validation, so this is the only identifier that will be necessary.

In the ceremony tool, introduce additional checks that assert that Root
certificates do not have policies, and Intermediate certificates have
exactly the one Baseline Requirements Domain Validated Reserved Policy
Identifier.

Author: aarongable

cmd/ceremony/cert.go

@@ -55,8 +55,9 @@ type certProfile struct {
 	// certificate
 	IssuerURL string `yaml:"issuer-url"`
 
-	// PolicyOIDs should contain any OIDs to be inserted in a certificate
-	// policies extension.
+	// Policies should contain any OIDs to be inserted in a certificate
+	// policies extension. It should be empty for Root certs, and contain the
+	// BRs "domain-validated" Reserved Policy Identifier for Intermediates.
 	Policies []policyInfoConfig `yaml:"policies"`
 
 	// KeyUsages should contain the set of key usage bits to set
@@ -140,13 +141,22 @@ func (profile *certProfile) verifyProfile(ct certType) error {
 		return errors.New("country is required")
 	}
 
+	if ct == rootCert {
+		if len(profile.Policies) != 0 {
+			return errors.New("policies should not be set on root certs")
+		}
+	}
+
 	if ct == intermediateCert {
 		if profile.CRLURL == "" {
 			return errors.New("crl-url is required for intermediates")
 		}
 		if profile.IssuerURL == "" {
 			return errors.New("issuer-url is required for intermediates")
 		}
+		if len(profile.Policies) != 1 || profile.Policies[0].OID != "2.23.140.1.2.1" {
+			return errors.New("policy should be exactly BRs domain-validated for intermediates")
+		}
 	}
 
 	if ct == ocspCert || ct == crlCert {
@@ -170,6 +180,9 @@ func parseOID(oidStr string) (asn1.ObjectIdentifier, error) {
 		if err != nil {
 			return nil, err
 		}
+		if i <= 0 {
+			return nil, errors.New("OID components must be >= 1")
+		}
 		oid = append(oid, i)
 	}
 	return oid, nil

cmd/ceremony/cert_test.go

@@ -38,6 +38,8 @@ func TestParseOID(t *testing.T) {
 	test.AssertError(t, err, "parseOID accepted an empty OID")
 	_, err = parseOID("a.b.c")
 	test.AssertError(t, err, "parseOID accepted an OID containing non-ints")
+	_, err = parseOID("1.0.2")
+	test.AssertError(t, err, "parseOID accepted an OID containing zero")
 	oid, err := parseOID("1.2.3")
 	test.AssertNotError(t, err, "parseOID failed with a valid OID")
 	test.Assert(t, oid.Equal(asn1.ObjectIdentifier{1, 2, 3}), "parseOID returned incorrect OID")
@@ -306,6 +308,21 @@ func TestVerifyProfile(t *testing.T) {
 			certType:    intermediateCert,
 			expectedErr: "issuer-url is required for intermediates",
 		},
+		{
+			profile: certProfile{
+				NotBefore:          "a",
+				NotAfter:           "b",
+				SignatureAlgorithm: "c",
+				CommonName:         "d",
+				Organization:       "e",
+				Country:            "f",
+				OCSPURL:            "g",
+				CRLURL:             "h",
+				IssuerURL:          "i",
+			},
+			certType:    intermediateCert,
+			expectedErr: "policy should be exactly BRs domain-validated for intermediates",
+		},
 		{
 			profile: certProfile{
 				NotBefore:          "a",

cmd/ceremony/main_test.go

@@ -369,6 +369,7 @@ func TestIntermediateConfigValidate(t *testing.T) {
 					OCSPURL:            "g",
 					CRLURL:             "h",
 					IssuerURL:          "i",
+					Policies:           []policyInfoConfig{{OID: "2.23.140.1.2.1"}},
 				},
 				SkipLints: []string{},
 			},

issuance/issuance.go

@@ -17,8 +17,6 @@ import (
 	"fmt"
 	"math/big"
 	"os"
-	"strconv"
-	"strings"
 	"sync"
 	"time"
 
@@ -43,9 +41,11 @@ type ProfileConfig struct {
 	AllowSCTList    bool
 	AllowCommonName bool
 
-	Policies            []PolicyConfig `validate:"min=1,dive"`
 	MaxValidityPeriod   config.Duration
 	MaxValidityBackdate config.Duration
+
+	// Deprecated: we do not respect this field.
+	Policies []PolicyConfig `validate:"-"`
 }
 
 // PolicyConfig describes a policy
@@ -161,27 +161,11 @@ type Profile struct {
 	ocspURL   string
 	crlURL    string
 	issuerURL string
-	policies  []asn1.ObjectIdentifier
 
 	maxBackdate time.Duration
 	maxValidity time.Duration
 }
 
-func parseOID(oidStr string) (asn1.ObjectIdentifier, error) {
-	var oid asn1.ObjectIdentifier
-	for _, a := range strings.Split(oidStr, ".") {
-		i, err := strconv.Atoi(a)
-		if err != nil {
-			return nil, err
-		}
-		if i <= 0 {
-			return nil, errors.New("OID components must be >= 1")
-		}
-		oid = append(oid, i)
-	}
-	return oid, nil
-}
-
 // NewProfile synthesizes the profile config and issuer config into a single
 // object, and checks various aspects for correctness.
 func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profile, error) {
@@ -192,15 +176,6 @@ func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profil
 		return nil, errors.New("OCSP URL is required")
 	}
 
-	var policies []asn1.ObjectIdentifier
-	for _, policyConfig := range profileConfig.Policies {
-		oid, err := parseOID(policyConfig.OID)
-		if err != nil {
-			return nil, fmt.Errorf("failed parsing policy OID %q: %w", policyConfig.OID, err)
-		}
-		policies = append(policies, oid)
-	}
-
 	sp := &Profile{
 		useForRSALeaves:   issuerConfig.UseForRSALeaves,
 		useForECDSALeaves: issuerConfig.UseForECDSALeaves,
@@ -211,7 +186,6 @@ func NewProfile(profileConfig ProfileConfig, issuerConfig IssuerConfig) (*Profil
 		issuerURL:         issuerConfig.IssuerURL,
 		crlURL:            issuerConfig.CRLURL,
 		ocspURL:           issuerConfig.OCSPURL,
-		policies:          policies,
 		maxBackdate:       profileConfig.MaxValidityBackdate.Duration,
 		maxValidity:       profileConfig.MaxValidityPeriod.Duration,
 	}
@@ -294,7 +268,8 @@ func (p *Profile) generateTemplate() *x509.Certificate {
 		OCSPServer:            []string{p.ocspURL},
 		IssuingCertificateURL: []string{p.issuerURL},
 		BasicConstraintsValid: true,
-		PolicyIdentifiers:     p.policies,
+		// Baseline Requirements, Section 7.1.6.1: domain-validated
+		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
 	}
 
 	if p.crlURL != "" {

issuance/issuance_test.go

@@ -32,13 +32,10 @@ import (
 
 func defaultProfileConfig() ProfileConfig {
 	return ProfileConfig{
-		AllowCommonName: true,
-		AllowCTPoison:   true,
-		AllowSCTList:    true,
-		AllowMustStaple: true,
-		Policies: []PolicyConfig{
-			{OID: "1.2.3"},
-		},
+		AllowCommonName:     true,
+		AllowCTPoison:       true,
+		AllowSCTList:        true,
+		AllowMustStaple:     true,
 		MaxValidityPeriod:   config.Duration{Duration: time.Hour},
 		MaxValidityBackdate: config.Duration{Duration: time.Hour},
 	}
@@ -82,16 +79,6 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
-func TestNewProfilePolicies(t *testing.T) {
-	config := defaultProfileConfig()
-	config.Policies = append(config.Policies, PolicyConfig{
-		OID: "1.2.3.4",
-	})
-	profile, err := NewProfile(config, defaultIssuerConfig())
-	test.AssertNotError(t, err, "NewProfile failed")
-	test.AssertDeepEquals(t, profile.policies, []asn1.ObjectIdentifier{{1, 2, 3}, {1, 2, 3, 4}})
-}
-
 func TestNewProfileNoIssuerURL(t *testing.T) {
 	_, err := NewProfile(ProfileConfig{}, IssuerConfig{})
 	test.AssertError(t, err, "NewProfile didn't fail with no issuer URL")
@@ -104,16 +91,6 @@ func TestNewProfileNoOCSPURL(t *testing.T) {
 	test.AssertEquals(t, err.Error(), "OCSP URL is required")
 }
 
-func TestNewProfileInvalidOID(t *testing.T) {
-	_, err := NewProfile(ProfileConfig{
-		Policies: []PolicyConfig{{
-			OID: "a.b.c",
-		}},
-	}, defaultIssuerConfig())
-	test.AssertError(t, err, "NewProfile didn't fail with malformed policy OID")
-	test.AssertEquals(t, err.Error(), "failed parsing policy OID \"a.b.c\": strconv.Atoi: parsing \"a\": invalid syntax")
-}
-
 func TestRequestValid(t *testing.T) {
 	fc := clock.NewFake()
 	fc.Add(time.Hour * 24)
@@ -343,21 +320,7 @@ func TestGenerateTemplate(t *testing.T) {
 				IssuingCertificateURL: []string{""},
 				OCSPServer:            []string{""},
 				CRLDistributionPoints: []string{"crl-url"},
-			},
-		},
-		{
-			name: "include policies",
-			profile: &Profile{
-				sigAlg:   x509.SHA256WithRSA,
-				policies: []asn1.ObjectIdentifier{{4, 5, 6}},
-			},
-			expectedTemplate: &x509.Certificate{
-				BasicConstraintsValid: true,
-				SignatureAlgorithm:    x509.SHA256WithRSA,
-				ExtKeyUsage:           defaultEKU,
-				IssuingCertificateURL: []string{""},
-				OCSPServer:            []string{""},
-				PolicyIdentifiers:     []asn1.ObjectIdentifier{{4, 5, 6}},
+				PolicyIdentifiers:     []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
 			},
 		},
 	}
@@ -943,7 +906,7 @@ func TestMismatchedProfiles(t *testing.T) {
 	linter, err := linter.New(
 		issuerCert.Certificate,
 		issuerSigner,
-		[]string{},
+		[]string{"n_subject_common_name_included"},
 	)
 	test.AssertNotError(t, err, "failed to create linter")
 
@@ -954,6 +917,7 @@ func TestMismatchedProfiles(t *testing.T) {
 	_, issuanceToken, err := issuer1.Prepare(&IssuanceRequest{
 		PublicKey:       pk.Public(),
 		Serial:          []byte{1, 2, 3, 4, 5, 6, 7, 8, 9},
+		CommonName:      "example.com",
 		DNSNames:        []string{"example.com"},
 		NotBefore:       fc.Now(),
 		NotAfter:        fc.Now().Add(time.Hour - time.Second),
@@ -964,9 +928,9 @@ func TestMismatchedProfiles(t *testing.T) {
 	precertDER, err := issuer1.Issue(issuanceToken)
 	test.AssertNotError(t, err, "signing precert")
 
-	// Create a new profile that differs slightly (one more PolicyInformation than the precert)
+	// Create a new profile that differs slightly (no common name)
 	profileConfig := defaultProfileConfig()
-	profileConfig.Policies = append(profileConfig.Policies, PolicyConfig{OID: "1.2.3.4"})
+	profileConfig.AllowCommonName = false
 	p, err := NewProfile(profileConfig, defaultIssuerConfig())
 	test.AssertNotError(t, err, "NewProfile failed")
 	issuer2, err := NewIssuer(issuerCert, issuerSigner, p, linter, fc)
@@ -988,6 +952,7 @@ func TestMismatchedProfiles(t *testing.T) {
 
 	request2, err := RequestFromPrecert(precert, sctList)
 	test.AssertNotError(t, err, "RequestFromPrecert")
+	request2.CommonName = ""
 
 	_, _, err = issuer2.Prepare(request2)
 	test.AssertError(t, err, "preparing final cert issuance")

test/cert-ceremonies/intermediate-ceremony-ecdsa.yaml

@@ -16,12 +16,10 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    crl-url:  http://example.com/crl
-    issuer-url:  http://example.com/root
+    crl-url:  http://ecdsa.example.com/crl
+    issuer-url:  http://ecdsa.example.com/cert
     policies:
-        - oid: 1.2.3
-        - oid: 1.5.6
-          cps-uri: "http://example.com/cps"
+        - oid: 2.23.140.1.2.1
     key-usages:
         - Digital Signature
         - Cert Sign

test/cert-ceremonies/intermediate-ceremony-rsa.yaml

@@ -16,12 +16,10 @@ certificate-profile:
     country: US
     not-before: 2020-01-01 12:00:00
     not-after: 2040-01-01 12:00:00
-    crl-url:  http://example.com/crl
-    issuer-url:  http://example.com/root
+    crl-url:  http://rsa.example.com/crl
+    issuer-url:  http://rsa.example.com/cert
     policies:
-        - oid: 1.2.3
-        - oid: 1.5.6
-          cps-uri: "http://example.com/cps"
+        - oid: 2.23.140.1.2.1
     key-usages:
         - Digital Signature
         - Cert Sign