Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Populate x509.Certificate.Policies field #7940

Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Populate x509.Certificate.Policies field #7940

wants to merge 5 commits into from

Conversation

Juneezee
Copy link
Contributor

@Juneezee Juneezee commented Jan 12, 2025
edited by beautifulentropy
Loading

Part of #7148.

Note

Starting from Go 1.24, x509.Certificate.Policies is the default field used for marshalling certificates. golang/go@918765b

@Juneezee Juneezee requested a review from a team as a code owner January 12, 2025 08:24
@Juneezee Juneezee requested a review from aarongable January 12, 2025 08:24
@Juneezee
Preserve PolicyIdentifiers field
8003a3b 
ZLint requires the field to be set.

Signed-off-by: Eng Zer Jun <[email protected]>
@Juneezee Juneezee changed the title ceremony: Replace x509.Certificate.PolicyIdentifiers with Policies ceremony: Populate x509.Certificate.Policies field Jan 12, 2025
Juneezee
Juneezee commented Jan 12, 2025
View reviewed changes
Copy link
Contributor Author

@Juneezee Juneezee left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ZLint still requires the PolicyIdentifiers field to be populated so we cannot drop the PolicyIdentifiers field completely yet.

https://github.com/letsencrypt/boulder/actions/runs/12731876566/job/35486388841#step:6:22:

failed lint(s): e_sub_ca_certificate_policies_missing ()

I have submitted an issue zmap/zlint#910 to ZLint repository.

aarongable
aarongable requested changes Jan 14, 2025
View reviewed changes
Copy link
Contributor

@aarongable aarongable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR does not close #7148. In order to fully complete that ticket, it needs to also address the PolicyIdentifiers/Policies fields during issuance of Subscriber certificates, as well as anywhere else we construct an x509.Certificate. There may be other places I missed, you should search for them.

cmd/ceremony/cert.go Outdated Show resolved Hide resolved
@Juneezee
Copy link
Contributor Author

Populated the Policies field in places where PolicyIdentifiers are also populated in commit 4ad9f89.

I performed a search in VSCode and found 8 occurrences of the word PolicyIdentifiers.

vscode search

@Juneezee Juneezee requested a review from aarongable January 14, 2025 01:48
aarongable
aarongable requested changes Jan 14, 2025
View reviewed changes
issuance/cert_test.go Outdated Show resolved Hide resolved
issuance/cert_test.go Outdated Show resolved Hide resolved
issuance/cert.go Outdated Show resolved Hide resolved
@Juneezee Juneezee requested a review from aarongable January 14, 2025 19:46
@Juneezee Juneezee changed the title ceremony: Populate x509.Certificate.Policies field Populate x509.Certificate.Policies field Jan 17, 2025
aarongable
aarongable previously approved these changes Jan 17, 2025
View reviewed changes
Copy link
Contributor

@aarongable aarongable left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, I think this approach makes sense. Requesting second review from the team.

@aarongable aarongable requested a review from jsha January 17, 2025 20:31
@beautifulentropy beautifulentropy self-requested a review January 22, 2025 17:05
beautifulentropy
beautifulentropy requested changes Jan 22, 2025
View reviewed changes
Copy link
Member

@beautifulentropy beautifulentropy left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the contribution @Juneezee! Overall I think this change looks really good, I have just few suggestions to improve it a little more.

issuance/cert.go Show resolved Hide resolved
@beautifulentropy beautifulentropy mentioned this pull request Jan 22, 2025
Open
@beautifulentropy
Copy link
Member

Just FYI, this PR is now on-hold until we're using Go 1.24 in our go.mod. No further action is required on your end.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@jsha jsha Awaiting requested review from jsha

@aarongable aarongable Awaiting requested review from aarongable

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@Juneezee @beautifulentropy @aarongable