Populate x509.Certificate.Policies field (#7940)

Populate the new x509.Certificate.Policies field everywhere we currently populate the x509.Certificate.PolicyIdentifiers field. This allows Go to use whichever field it prefers (go1.23 prefers PolicyIdentifiers, go1.24 prefers Policies) as the source of truth when serializing a certificate.

Part of #7148

Author: Juneezee

cmd/ceremony/cert.go

@@ -318,11 +318,17 @@ func makeTemplate(randReader io.Reader, profile *certProfile, pubKey []byte, tbc
 	}
 
 	for _, policyConfig := range profile.Policies {
-		oid, err := parseOID(policyConfig.OID)
+		asnOID, err := parseOID(policyConfig.OID)
 		if err != nil {
 			return nil, err
 		}
-		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, oid)
+		cert.PolicyIdentifiers = append(cert.PolicyIdentifiers, asnOID)
+
+		x509OID, err := x509.ParseOID(policyConfig.OID)
+		if err != nil {
+			return nil, fmt.Errorf("failed to parse %s as OID: %w", policyConfig.OID, err)
+		}
+		cert.Policies = append(cert.Policies, x509OID)
 	}
 
 	return cert, nil

cmd/ceremony/cert_test.go

@@ -128,6 +128,7 @@ func TestMakeTemplateRoot(t *testing.T) {
 	test.AssertEquals(t, cert.IssuingCertificateURL[0], profile.IssuerURL)
 	test.AssertEquals(t, cert.KeyUsage, x509.KeyUsageDigitalSignature|x509.KeyUsageCRLSign)
 	test.AssertEquals(t, len(cert.PolicyIdentifiers), 2)
+	test.AssertEquals(t, len(cert.Policies), 2)
 	test.AssertEquals(t, len(cert.ExtKeyUsage), 0)
 
 	cert, err = makeTemplate(randReader, profile, pubKey, nil, intermediateCert)

cmd/cert-checker/main_test.go

@@ -18,7 +18,6 @@ import (
 	mrand "math/rand/v2"
 	"os"
 	"slices"
-	"sort"
 	"strings"
 	"sync"
 	"testing"
@@ -585,6 +584,9 @@ func TestIgnoredLint(t *testing.T) {
 	checker := newChecker(saDbMap, clock.NewFake(), pa, kp, time.Hour, testValidityDurations, blog.NewMock())
 	serial := big.NewInt(1337)
 
+	x509OID, err := x509.OIDFromInts([]uint64{1, 2, 3})
+	test.AssertNotError(t, err, "failed to create x509.OID")
+
 	template := &x509.Certificate{
 		Subject: pkix.Name{
 			CommonName: "CPU's Cool CA",
@@ -597,6 +599,7 @@ func TestIgnoredLint(t *testing.T) {
 		PolicyIdentifiers: []asn1.ObjectIdentifier{
 			{1, 2, 3},
 		},
+		Policies:              []x509.OID{x509OID},
 		BasicConstraintsValid: true,
 		IsCA:                  true,
 		IssuingCertificateURL: []string{"http://aia.example.org"},
@@ -639,12 +642,12 @@ func TestIgnoredLint(t *testing.T) {
 		"zlint info: w_ct_sct_policy_count_unsatisfied Certificate had 0 embedded SCTs. Browser policy may require 2 for this certificate.",
 		"zlint error: e_scts_from_same_operator Certificate had too few embedded SCTs; browser policy requires 2.",
 	}
-	sort.Strings(expectedProblems)
+	slices.Sort(expectedProblems)
 
 	// Check the certificate with a nil ignore map. This should return the
 	// expected zlint problems.
 	_, problems := checker.checkCert(context.Background(), cert, nil)
-	sort.Strings(problems)
+	slices.Sort(problems)
 	test.AssertDeepEquals(t, problems, expectedProblems)
 
 	// Check the certificate again with an ignore map that excludes the affected

issuance/cert.go

@@ -304,14 +304,26 @@ func (i *Issuer) requestValid(clk clock.Clock, prof *Profile, req *IssuanceReque
 	return nil
 }
 
+// Baseline Requirements, Section 7.1.6.1: domain-validated
+var domainValidatedASN1OID = asn1.ObjectIdentifier{2, 23, 140, 1, 2, 1}
+var domainValidatedOID = func() x509.OID {
+	x509OID, err := x509.OIDFromInts([]uint64{2, 23, 140, 1, 2, 1})
+	if err != nil {
+		// This should never happen, as the OID is hardcoded.
+		panic(fmt.Errorf("failed to create OID using ints %v: %s", x509OID, err))
+	}
+	return x509OID
+}()
+
 func (i *Issuer) generateTemplate() *x509.Certificate {
 	template := &x509.Certificate{
 		SignatureAlgorithm:    i.sigAlg,
 		OCSPServer:            []string{i.ocspURL},
 		IssuingCertificateURL: []string{i.issuerURL},
 		BasicConstraintsValid: true,
 		// Baseline Requirements, Section 7.1.6.1: domain-validated
-		PolicyIdentifiers: []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+		PolicyIdentifiers: []asn1.ObjectIdentifier{domainValidatedASN1OID},
+		Policies:          []x509.OID{domainValidatedOID},
 	}
 
 	return template

issuance/cert_test.go

@@ -336,7 +336,8 @@ func TestGenerateTemplate(t *testing.T) {
 		IssuingCertificateURL: []string{"http://issuer"},
 		OCSPServer:            []string{"http://ocsp"},
 		CRLDistributionPoints: nil,
-		PolicyIdentifiers:     []asn1.ObjectIdentifier{{2, 23, 140, 1, 2, 1}},
+		PolicyIdentifiers:     []asn1.ObjectIdentifier{domainValidatedASN1OID},
+		Policies:              []x509.OID{domainValidatedOID},
 	}
 
 	test.AssertDeepEquals(t, actual, expected)

linter/linter.go

@@ -195,6 +195,7 @@ func makeIssuer(realIssuer *x509.Certificate, lintSigner crypto.Signer) (*x509.C
 		PermittedIPRanges:           realIssuer.PermittedIPRanges,
 		PermittedURIDomains:         realIssuer.PermittedURIDomains,
 		PolicyIdentifiers:           realIssuer.PolicyIdentifiers,
+		Policies:                    realIssuer.Policies,
 		SerialNumber:                realIssuer.SerialNumber,
 		Subject:                     realIssuer.Subject,
 		SubjectKeyId:                realIssuer.SubjectKeyId,