spiffe
diff --git a/‎pkg/server/ca/manager/manager_test.go
Lines changed: 6 additions & 7 deletions b/‎pkg/server/ca/manager/manager_test.go
Lines changed: 6 additions & 7 deletions
diff --git a/‎pkg/server/credtemplate/builder.go
Lines changed: 16 additions & 9 deletions b/‎pkg/server/credtemplate/builder.go
Lines changed: 16 additions & 9 deletions
@@ -7,7 +7,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"errors"
 	"fmt"
 	"math/big"
@@ -161,17 +160,17 @@ func TestCAPolicyIdentifiers(t *testing.T) {
 
 	test := setupTest(t)
 	test.initSelfSignedManager()
-	test.cc.policyIdentifiers = []asn1.ObjectIdentifier{
-		asn1.ObjectIdentifier{1, 2, 3, 4},
-	}
+	policy, err := x509.ParseOID("1.2.3.4")
+	require.NoError(t, err)
+	test.cc.policies = append(test.cc.policies, policy)
 
 	t.Run("contains policy identifiers", func(t *testing.T) {
 		require.NoError(t, test.m.PrepareX509CA(ctx))
 
 		currentSlot := test.m.GetCurrentX509CASlot()
 		slot := currentSlot.(*x509CASlot)
 		require.NotNil(t, slot.x509CA)
-		require.Equal(t, slot.x509CA.Certificate.PolicyIdentifiers, test.cc.policyIdentifiers)
+		require.Equal(t, slot.x509CA.Certificate.Policies, test.cc.policies)
 	})
 }
 
@@ -1575,11 +1574,11 @@ func (s *fakeCA) NotifyTaintedX509Authorities(taintedAuthorities []*x509.Certifi
 type fakeCC struct {
 	catalog.PluginInfo
 
-	policyIdentifiers []asn1.ObjectIdentifier
+	policies []x509.OID
 }
 
 func (cc fakeCC) ComposeServerX509CA(_ context.Context, attributes credentialcomposer.X509CAAttributes) (credentialcomposer.X509CAAttributes, error) {
-	attributes.PolicyIdentifiers = append(attributes.PolicyIdentifiers, cc.policyIdentifiers...)
+	attributes.Policies = append(attributes.Policies, cc.policies...)
 	return attributes, nil
 }
 
 
@@ -181,7 +181,9 @@ func (b *Builder) BuildSelfSignedX509CATemplate(ctx context.Context, params Self
 		if err != nil {
 			return nil, err
 		}
-		applyX509CAAttributes(tmpl, attributes)
+		if err := applyX509CAAttributes(tmpl, attributes); err != nil {
+			return nil, err
+		}
 	}
 
 	return tmpl, nil
@@ -198,11 +200,13 @@ func (b *Builder) BuildUpstreamSignedX509CACSR(ctx context.Context, params Upstr
 		if err != nil {
 			return nil, err
 		}
-		applyX509CAAttributes(tmpl, attributes)
+		if err := applyX509CAAttributes(tmpl, attributes); err != nil {
+			return nil, err
+		}
 	}
 
 	// Create the CertificateRequest from the Certificate template. The
-	// PolicyIdentifiers field is ignored since that can be applied by the
+	// Policies field is ignored since that can be applied by the
 	// upstream signer and isn't a part of the native CertificateRequest type.
 	// TODO: maybe revisit this if needed and embed the policy identifiers in
 	// the extra extensions.
@@ -237,7 +241,9 @@ func (b *Builder) BuildDownstreamX509CATemplate(ctx context.Context, params Down
 		if err != nil {
 			return nil, err
 		}
-		applyX509CAAttributes(tmpl, attributes)
+		if err := applyX509CAAttributes(tmpl, attributes); err != nil {
+			return nil, err
+		}
 	}
 
 	return tmpl, nil
@@ -458,9 +464,9 @@ func (b *Builder) computeX509SVIDLifetime(parentChain []*x509.Certificate, ttl t
 
 func x509CAAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509CAAttributes {
 	return credentialcomposer.X509CAAttributes{
-		Subject:           tmpl.Subject,
-		PolicyIdentifiers: tmpl.PolicyIdentifiers,
-		ExtraExtensions:   tmpl.ExtraExtensions,
+		Subject:         tmpl.Subject,
+		Policies:        tmpl.Policies,
+		ExtraExtensions: tmpl.ExtraExtensions,
 	}
 }
 func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509SVIDAttributes {
@@ -471,10 +477,11 @@ func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X
 	}
 }
 
-func applyX509CAAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509CAAttributes) {
+func applyX509CAAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509CAAttributes) error {
 	tmpl.Subject = attribs.Subject
-	tmpl.PolicyIdentifiers = attribs.PolicyIdentifiers
+	tmpl.Policies = attribs.Policies
 	tmpl.ExtraExtensions = attribs.ExtraExtensions
+	return nil
 }
 
 func applyX509SVIDAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509SVIDAttributes) {
Original file line number	Diff line number	Diff line change
`@@ -181,7 +181,9 @@ func (b *Builder) BuildSelfSignedX509CATemplate(ctx context.Context, params Self`
`181`	`181`	`if err != nil {`
`182`	`182`	`return nil, err`
`183`	`183`	`}`
`184`		`- applyX509CAAttributes(tmpl, attributes)`
	`184`	`+ if err := applyX509CAAttributes(tmpl, attributes); err != nil {`
	`185`	`+ return nil, err`
	`186`	`+ }`
`185`	`187`	`}`
`186`	`188`
`187`	`189`	`return tmpl, nil`
`@@ -198,11 +200,13 @@ func (b *Builder) BuildUpstreamSignedX509CACSR(ctx context.Context, params Upstr`
`198`	`200`	`if err != nil {`
`199`	`201`	`return nil, err`
`200`	`202`	`}`
`201`		`- applyX509CAAttributes(tmpl, attributes)`
	`203`	`+ if err := applyX509CAAttributes(tmpl, attributes); err != nil {`
	`204`	`+ return nil, err`
	`205`	`+ }`
`202`	`206`	`}`
`203`	`207`
`204`	`208`	`// Create the CertificateRequest from the Certificate template. The`
`205`		`- // PolicyIdentifiers field is ignored since that can be applied by the`
	`209`	`+ // Policies field is ignored since that can be applied by the`
`206`	`210`	`// upstream signer and isn't a part of the native CertificateRequest type.`
`207`	`211`	`// TODO: maybe revisit this if needed and embed the policy identifiers in`
`208`	`212`	`// the extra extensions.`
`@@ -237,7 +241,9 @@ func (b *Builder) BuildDownstreamX509CATemplate(ctx context.Context, params Down`
`237`	`241`	`if err != nil {`
`238`	`242`	`return nil, err`
`239`	`243`	`}`
`240`		`- applyX509CAAttributes(tmpl, attributes)`
	`244`	`+ if err := applyX509CAAttributes(tmpl, attributes); err != nil {`
	`245`	`+ return nil, err`
	`246`	`+ }`
`241`	`247`	`}`
`242`	`248`
`243`	`249`	`return tmpl, nil`
`@@ -458,9 +464,9 @@ func (b Builder) computeX509SVIDLifetime(parentChain []x509.Certificate, ttl t`
`458`	`464`
`459`	`465`	`func x509CAAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509CAAttributes {`
`460`	`466`	`return credentialcomposer.X509CAAttributes{`
`461`		`- Subject: tmpl.Subject,`
`462`		`- PolicyIdentifiers: tmpl.PolicyIdentifiers,`
`463`		`- ExtraExtensions: tmpl.ExtraExtensions,`
	`467`	`+ Subject: tmpl.Subject,`
	`468`	`+ Policies: tmpl.Policies,`
	`469`	`+ ExtraExtensions: tmpl.ExtraExtensions,`
`464`	`470`	`}`
`465`	`471`	`}`
`466`	`472`	`func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X509SVIDAttributes {`
`@@ -471,10 +477,11 @@ func x509SVIDAttributesFromTemplate(tmpl *x509.Certificate) credentialcomposer.X`
`471`	`477`	`}`
`472`	`478`	`}`
`473`	`479`
`474`		`-func applyX509CAAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509CAAttributes) {`
	`480`	`+func applyX509CAAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509CAAttributes) error {`
`475`	`481`	`tmpl.Subject = attribs.Subject`
`476`		`- tmpl.PolicyIdentifiers = attribs.PolicyIdentifiers`
	`482`	`+ tmpl.Policies = attribs.Policies`
`477`	`483`	`tmpl.ExtraExtensions = attribs.ExtraExtensions`
	`484`	`+ return nil`
`478`	`485`	`}`
`479`	`486`
`480`	`487`	`func applyX509SVIDAttributes(tmpl *x509.Certificate, attribs credentialcomposer.X509SVIDAttributes) {`