diff --git a/Package.swift b/Package.swift
index 396dbf51c14..d88b9913a06 100644
--- a/Package.swift
+++ b/Package.swift
@@ -736,10 +736,10 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
 // dependency version changes here with those projects.
 .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.2.2")),
 .package(url: "https://github.com/apple/swift-driver.git", branch: relatedDependenciesBranch),
- .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "3.0.0")),
+ .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "2.5.0")),
 .package(url: "https://github.com/apple/swift-system.git", .upToNextMinor(from: "1.1.1")),
 .package(url: "https://github.com/apple/swift-collections.git", .upToNextMinor(from: "1.0.1")),
- .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "1.0.1")),
+ .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "0.6.0")),
 ]
 } else {
 package.dependencies += [
diff --git a/Sources/PackageCollectionsSigning/CertificatePolicy.swift b/Sources/PackageCollectionsSigning/CertificatePolicy.swift
index 9c716781844..ae036cc51f2 100644
--- a/Sources/PackageCollectionsSigning/CertificatePolicy.swift
+++ b/Sources/PackageCollectionsSigning/CertificatePolicy.swift
@@ -402,31 +402,27 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
 let httpClient: HTTPClient
- func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
+ func query(request: [UInt8], uri: String) async throws -> [UInt8] {
 guard let url = URL(string: uri), let host = url.host else {
- return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
+ throw SwiftOCSPRequesterError.invalidURL(uri)
 }
- do {
- let response = try await self.httpClient.post(
- url,
- body: Data(request),
- headers: [
- "Content-Type": "application/ocsp-request",
- "Host": host,
- ]
- )
+ let response = try await self.httpClient.post(
+ url,
+ body: Data(request),
+ headers: [
+ "Content-Type": "application/ocsp-request",
+ "Host": host,
+ ]
+ )
- guard response.statusCode == 200 else {
- throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
- }
- guard let responseBody = response.body else {
- throw SwiftOCSPRequesterError.emptyResponse
- }
- return .response(Array(responseBody))
- } catch {
- return .nonTerminalError(error)
+ guard response.statusCode == 200 else {
+ throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+ }
+ guard let responseBody = response.body else {
+ throw SwiftOCSPRequesterError.emptyResponse
 }
+ return Array(responseBody)
 }
 }
diff --git a/Sources/PackageCollectionsSigning/X509Extensions.swift b/Sources/PackageCollectionsSigning/X509Extensions.swift
index acfae591629..dfaedca9428 100644
--- a/Sources/PackageCollectionsSigning/X509Extensions.swift
+++ b/Sources/PackageCollectionsSigning/X509Extensions.swift
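Review bot: The `"Host": host` header on the new side is built from `url.host`, which drops any port present in the OCSP responder URI, so a responder on a non-default port receives a Host header that does not match the request target; deriving it from host and port together, e.g. `"Host": url.port.map { "\(host):\($0)" } ?? host`, keeps the two consistent. With the reverted signature every failure — the `invalidURL` guard, a transport error from `httpClient.post`, a non-200 status, an empty body — now reaches the verifier as one undifferentiated throw, so the terminal/non-terminal distinction the removed lines carried is gone, and whether that leaves revocation checking fail-open or fail-closed is decided by the pinned swift-certificates version rather than by this code; a doc comment on `query` stating the intended outcome ("a thrown error is treated as … by the verifier") would make that contract visible here. `_OCSPRequester` is complete within the hunk, but the enclosing `_OCSPVerifierPolicy` named in the hunk header continues outside it. The identical hunk in Sources/PackageSigning/VerifierPolicies.swift has the same two points.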
@@ -59,9 +59,29 @@ extension DistinguishedName {
 private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
 for relativeDistinguishedName in self {
 for attribute in relativeDistinguishedName where attribute.type == oid {
- return attribute.value.description
+ if let stringValue = attribute.stringValue {
+ return stringValue
+ }
 }
 }
 return nil
 }
 }
+
+extension RelativeDistinguishedName.Attribute {
+ fileprivate var stringValue: String? {
+ let asn1StringBytes: ArraySlice?
+ do {
+ asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
+ } catch {
+ asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
+ }
+
+ guard let asn1StringBytes,
+ let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
+ else {
+ return nil
+ }
+ return stringValue
+ }
+}
diff --git a/Sources/PackageSigning/VerifierPolicies.swift b/Sources/PackageSigning/VerifierPolicies.swift
index 290fa2e494b..a962be9df47 100644
--- a/Sources/PackageSigning/VerifierPolicies.swift
+++ b/Sources/PackageSigning/VerifierPolicies.swift
@@ -24,7 +24,7 @@ extension SignatureProviderProtocol {
 func buildPolicySet(configuration: VerifierConfiguration, httpClient: HTTPClient) -> some VerifierPolicy {
 _CodeSigningPolicy()
 _ADPCertificatePolicy()
-
+
 let now = Date()
 switch (configuration.certificateExpiration, configuration.certificateRevocation) {
 case (.enabled(let expiryValidationTime), .strict(let revocationValidationTime)):
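Review bot: `stringValue` decodes only `PrintableString` and `UTF8String`; an attribute in any other DirectoryString encoding (BMPString, TeletexString, UniversalString) yields nil, and `stringAttribute` then moves on to the next attribute with that OID or returns nil, where the removed `attribute.value.description` always produced a string. That makes such a subject name look absent to the policy — fail-closed, but not what a reader expects from a revert, so document it on the property: `/// Decodes the attribute as PrintableString or UTF8String; any other DirectoryString encoding yields nil and the attribute is treated as absent.` The `do { … } catch { try? … }` shape reads more directly as one expression, `let asn1StringBytes = (try? ASN1PrintableString(asn1Any: self.value).bytes) ?? (try? ASN1UTF8String(asn1Any: self.value).bytes)`. The declared type shows on the page as `ArraySlice?` with no element type, presumably lost in rendering; confirm it is `ArraySlice<UInt8>?` in the file. The enclosing `extension DistinguishedName` starts outside the hunk, and the identical addition in Sources/PackageSigning/X509Extensions.swift carries the same points.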
@@ -158,31 +158,27 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
 let httpClient: HTTPClient
- func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
+ func query(request: [UInt8], uri: String) async throws -> [UInt8] {
 guard let url = URL(string: uri), let host = url.host else {
- return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
+ throw SwiftOCSPRequesterError.invalidURL(uri)
 }
- do {
- let response = try await self.httpClient.post(
- url,
- body: Data(request),
- headers: [
- "Content-Type": "application/ocsp-request",
- "Host": host,
- ]
- )
+ let response = try await self.httpClient.post(
+ url,
+ body: Data(request),
+ headers: [
+ "Content-Type": "application/ocsp-request",
+ "Host": host,
+ ]
+ )
- guard response.statusCode == 200 else {
- throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
- }
- guard let responseBody = response.body else {
- throw SwiftOCSPRequesterError.emptyResponse
- }
- return .response(Array(responseBody))
- } catch {
- return .nonTerminalError(error)
+ guard response.statusCode == 200 else {
+ throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+ }
+ guard let responseBody = response.body else {
+ throw SwiftOCSPRequesterError.emptyResponse
 }
+ return Array(responseBody)
 }
 }
diff --git a/Sources/PackageSigning/X509Extensions.swift b/Sources/PackageSigning/X509Extensions.swift
index a5ac1ba5d8b..8c1603138fa 100644
--- a/Sources/PackageSigning/X509Extensions.swift
+++ b/Sources/PackageSigning/X509Extensions.swift
@@ -30,7 +30,7 @@ extension Certificate {
 init(secIdentity: SecIdentity) throws {
 var secCertificate: SecCertificate?
 let status = SecIdentityCopyCertificate(secIdentity, &secCertificate)
- guard status == errSecSuccess, let secCertificate else {
+ guard status == errSecSuccess, let secCertificate = secCertificate else {
 throw StringError("failed to get certificate from SecIdentity: status \(status)")
 }
 self = try Certificate(secCertificate: secCertificate)
@@ -60,13 +60,33 @@ extension DistinguishedName {
 private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
 for relativeDistinguishedName in self {
 for attribute in relativeDistinguishedName where attribute.type == oid {
- return attribute.value.description
+ if let stringValue = attribute.stringValue {
+ return stringValue
+ }
 }
 }
 return nil
 }
 }
+extension RelativeDistinguishedName.Attribute {
+ fileprivate var stringValue: String? {
+ let asn1StringBytes: ArraySlice?
+ do {
+ asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
+ } catch {
+ asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
+ }
+
+ guard let asn1StringBytes,
+ let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
+ else {
+ return nil
+ }
+ return stringValue
+ }
+}
+
 // MARK: - Certificate cache
 extension Certificate {
diff --git a/Tests/PackageSigningTests/SigningTests.swift b/Tests/PackageSigningTests/SigningTests.swift
index 7be3c6bd2e7..e71fddc61a5 100644
--- a/Tests/PackageSigningTests/SigningTests.swift
+++ b/Tests/PackageSigningTests/SigningTests.swift
@@ -517,8 +517,8 @@ final class SigningTests: XCTestCase {
 responses: [OCSPSingleResponse(
 certID: singleRequest.certID,
 certStatus: .unknown,
- thisUpdate: try GeneralizedTime(validationTime - .days(1)),
- nextUpdate: try GeneralizedTime(validationTime + .days(1))
+ thisUpdate: try .init(validationTime - .days(1)),
+ nextUpdate: try .init(validationTime + .days(1))
 )],
 privateKey: intermediatePrivateKey,
 responseExtensions: { nonce }
@@ -1150,7 +1150,7 @@ enum OCSPTestHelper {
 }
 if isCodeSigning {
 Critical(
- try ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
+ ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
 )
 }
 if let ocspServer {