diff --git a/Package.swift b/Package.swift
index d5b7f84d55a..6b899cd9ba5 100644
--- a/Package.swift
+++ b/Package.swift
@@ -732,10 +732,10 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
 // dependency version changes here with those projects.
 .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.2.2")),
 .package(url: "https://github.com/apple/swift-driver.git", branch: relatedDependenciesBranch),
- .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "2.5.0")),
+ .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "3.0.0")),
 .package(url: "https://github.com/apple/swift-system.git", .upToNextMinor(from: "1.1.1")),
 .package(url: "https://github.com/apple/swift-collections.git", .upToNextMinor(from: "1.0.1")),
- .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "0.6.0")),
+ .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "1.0.1")),
 ]
 } else {
 package.dependencies += [
diff --git a/Sources/PackageCollectionsSigning/CertificatePolicy.swift b/Sources/PackageCollectionsSigning/CertificatePolicy.swift
index ae036cc51f2..9c716781844 100644
--- a/Sources/PackageCollectionsSigning/CertificatePolicy.swift
+++ b/Sources/PackageCollectionsSigning/CertificatePolicy.swift
@@ -402,27 +402,31 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
 let httpClient: HTTPClient
- func query(request: [UInt8], uri: String) async throws -> [UInt8] {
+ func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
 guard let url = URL(string: uri), let host = url.host else {
- throw SwiftOCSPRequesterError.invalidURL(uri)
+ return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
 }
- let response = try await self.httpClient.post(
- url,
- body: Data(request),
- headers: [
- "Content-Type": "application/ocsp-request",
- "Host": host,
- ]
- )
+ do {
+ let response = try await self.httpClient.post(
+ url,
+ body: Data(request),
+ headers: [
+ "Content-Type": "application/ocsp-request",
+ "Host": host,
+ ]
+ )
- guard response.statusCode == 200 else {
- throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
- }
- guard let responseBody = response.body else {
- throw SwiftOCSPRequesterError.emptyResponse
+ guard response.statusCode == 200 else {
+ throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+ }
+ guard let responseBody = response.body else {
+ throw SwiftOCSPRequesterError.emptyResponse
+ }
+ return .response(Array(responseBody))
+ } catch {
+ return .nonTerminalError(error)
 }
- return Array(responseBody)
 }
 }
diff --git a/Sources/PackageCollectionsSigning/X509Extensions.swift b/Sources/PackageCollectionsSigning/X509Extensions.swift
index dfaedca9428..acfae591629 100644
--- a/Sources/PackageCollectionsSigning/X509Extensions.swift
+++ b/Sources/PackageCollectionsSigning/X509Extensions.swift
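Review bot: The `catch` at the end of `query` maps every thrown error to `.nonTerminalError`, including the requester's own `invalidResponse` and `emptyResponse`, so a responder answering with a non-200 status or an empty body is classified exactly like a transport failure, while only an unparseable URI becomes `.terminalError`. Which failures the verifier may treat as soft-fail is presumably decided by this classification, so the distinction deserves a comment on the `do` line, e.g. `// Transport and HTTP-level failures are non-terminal so the policy can apply its soft-fail handling; a responder URI we cannot even request from is terminal.`, and it is worth confirming against the policy that a non-200 from the responder should really be soft. Throwing inside the `do` only to rewrap in `catch` could also be replaced by returning `.nonTerminalError(...)` directly from the two guards, which keeps the classification visible at each site. The same structure is repeated in the `_OCSPRequester` hunk of Sources/PackageSigning/VerifierPolicies.swift at line 158.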
@@ -59,29 +59,9 @@ extension DistinguishedName {
 private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
 for relativeDistinguishedName in self {
 for attribute in relativeDistinguishedName where attribute.type == oid {
- if let stringValue = attribute.stringValue {
- return stringValue
- }
+ return attribute.value.description
 }
 }
 return nil
 }
 }
-
-extension RelativeDistinguishedName.Attribute {
- fileprivate var stringValue: String? {
- let asn1StringBytes: ArraySlice?
- do {
- asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
- } catch {
- asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
- }
-
- guard let asn1StringBytes,
- let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
- else {
- return nil
- }
- return stringValue
- }
-}
diff --git a/Sources/PackageSigning/VerifierPolicies.swift b/Sources/PackageSigning/VerifierPolicies.swift
index a962be9df47..290fa2e494b 100644
--- a/Sources/PackageSigning/VerifierPolicies.swift
+++ b/Sources/PackageSigning/VerifierPolicies.swift
@@ -24,7 +24,7 @@ extension SignatureProviderProtocol {
 func buildPolicySet(configuration: VerifierConfiguration, httpClient: HTTPClient) -> some VerifierPolicy {
 _CodeSigningPolicy()
 _ADPCertificatePolicy()
-
+ let now = Date()
 switch (configuration.certificateExpiration, configuration.certificateRevocation) {
 case (.enabled(let expiryValidationTime), .strict(let revocationValidationTime)):
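Review bot: `stringAttribute` now returns `attribute.value.description` for the first attribute matching `oid`, whereas the removed `stringValue` helper returned `nil` (and kept scanning) unless the value decoded as a PrintableString or UTF8String; if `description` renders non-string ASN.1 values rather than failing, any policy that compares this result against expected subject or issuer names will receive a synthesized string where it previously got `nil`. It is worth confirming how `description` behaves for unsupported value types in the new swift-certificates version and either documenting it on this line, e.g. `// description is used for any value encoding, not only string types — callers must not rely on nil for non-string attributes`, or falling back to `nil` when the value is not a string form. The early return also changes the old "skip unreadable, try the next match" loop into "first match wins", which should be stated in the same comment. The same replacement appears in the Sources/PackageSigning/X509Extensions.swift hunk at line 60.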
@@ -158,27 +158,31 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
 let httpClient: HTTPClient
- func query(request: [UInt8], uri: String) async throws -> [UInt8] {
+ func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
 guard let url = URL(string: uri), let host = url.host else {
- throw SwiftOCSPRequesterError.invalidURL(uri)
+ return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
 }
- let response = try await self.httpClient.post(
- url,
- body: Data(request),
- headers: [
- "Content-Type": "application/ocsp-request",
- "Host": host,
- ]
- )
+ do {
+ let response = try await self.httpClient.post(
+ url,
+ body: Data(request),
+ headers: [
+ "Content-Type": "application/ocsp-request",
+ "Host": host,
+ ]
+ )
- guard response.statusCode == 200 else {
- throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
- }
- guard let responseBody = response.body else {
- throw SwiftOCSPRequesterError.emptyResponse
+ guard response.statusCode == 200 else {
+ throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+ }
+ guard let responseBody = response.body else {
+ throw SwiftOCSPRequesterError.emptyResponse
+ }
+ return .response(Array(responseBody))
+ } catch {
+ return .nonTerminalError(error)
 }
- return Array(responseBody)
 }
 }
diff --git a/Sources/PackageSigning/X509Extensions.swift b/Sources/PackageSigning/X509Extensions.swift
index 8c1603138fa..a5ac1ba5d8b 100644
--- a/Sources/PackageSigning/X509Extensions.swift
+++ b/Sources/PackageSigning/X509Extensions.swift
@@ -30,7 +30,7 @@ extension Certificate {
 init(secIdentity: SecIdentity) throws {
 var secCertificate: SecCertificate?
 let status = SecIdentityCopyCertificate(secIdentity, &secCertificate)
- guard status == errSecSuccess, let secCertificate = secCertificate else {
+ guard status == errSecSuccess, let secCertificate else {
 throw StringError("failed to get certificate from SecIdentity: status \(status)")
 }
 self = try Certificate(secCertificate: secCertificate)
@@ -60,33 +60,13 @@ extension DistinguishedName {
 private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
 for relativeDistinguishedName in self {
 for attribute in relativeDistinguishedName where attribute.type == oid {
- if let stringValue = attribute.stringValue {
- return stringValue
- }
+ return attribute.value.description
 }
 }
 return nil
 }
 }
-extension RelativeDistinguishedName.Attribute {
- fileprivate var stringValue: String? {
- let asn1StringBytes: ArraySlice?
- do {
- asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
- } catch {
- asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
- }
-
- guard let asn1StringBytes,
- let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
- else {
- return nil
- }
- return stringValue
- }
-}
-
 // MARK: - Certificate cache
 extension Certificate {
diff --git a/Tests/PackageSigningTests/SigningTests.swift b/Tests/PackageSigningTests/SigningTests.swift
index e71fddc61a5..7be3c6bd2e7 100644
--- a/Tests/PackageSigningTests/SigningTests.swift
+++ b/Tests/PackageSigningTests/SigningTests.swift
@@ -517,8 +517,8 @@ final class SigningTests: XCTestCase {
 responses: [OCSPSingleResponse(
 certID: singleRequest.certID,
 certStatus: .unknown,
- thisUpdate: try .init(validationTime - .days(1)),
- nextUpdate: try .init(validationTime + .days(1))
+ thisUpdate: try GeneralizedTime(validationTime - .days(1)),
+ nextUpdate: try GeneralizedTime(validationTime + .days(1))
 )],
 privateKey: intermediatePrivateKey,
 responseExtensions: { nonce }
@@ -1150,7 +1150,7 @@ enum OCSPTestHelper {
 }
 if isCodeSigning {
 Critical(
- ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
+ try ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
 )
 }
 if let ocspServer {