[5.10] Revert "Update swift-certificates to 1.0.1, swift-crypto to 3.0.0 (#6949)" (#6988)

Author: yim-lee

Package.swift

@@ -736,10 +736,10 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
         // dependency version changes here with those projects.
         .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.2.2")),
         .package(url: "https://github.com/apple/swift-driver.git", branch: relatedDependenciesBranch),
-        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "3.0.0")),
+        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "2.5.0")),
         .package(url: "https://github.com/apple/swift-system.git", .upToNextMinor(from: "1.1.1")),
         .package(url: "https://github.com/apple/swift-collections.git", .upToNextMinor(from: "1.0.1")),
-        .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "1.0.1")),
+        .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "0.6.0")),
     ]
 } else {
     package.dependencies += [

Sources/PackageCollectionsSigning/CertificatePolicy.swift

@@ -402,31 +402,27 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
     let httpClient: HTTPClient
 
-    func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
+    func query(request: [UInt8], uri: String) async throws -> [UInt8] {
         guard let url = URL(string: uri), let host = url.host else {
-            return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
+            throw SwiftOCSPRequesterError.invalidURL(uri)
         }
 
-        do {
-            let response = try await self.httpClient.post(
-                url,
-                body: Data(request),
-                headers: [
-                    "Content-Type": "application/ocsp-request",
-                    "Host": host,
-                ]
-            )
+        let response = try await self.httpClient.post(
+            url,
+            body: Data(request),
+            headers: [
+                "Content-Type": "application/ocsp-request",
+                "Host": host,
+            ]
+        )
 
-            guard response.statusCode == 200 else {
-                throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
-            }
-            guard let responseBody = response.body else {
-                throw SwiftOCSPRequesterError.emptyResponse
-            }
-            return .response(Array(responseBody))
-        } catch {
-            return .nonTerminalError(error)
+        guard response.statusCode == 200 else {
+            throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+        }
+        guard let responseBody = response.body else {
+            throw SwiftOCSPRequesterError.emptyResponse
         }
+        return Array(responseBody)
     }
 }
 

Sources/PackageCollectionsSigning/X509Extensions.swift

@@ -59,9 +59,29 @@ extension DistinguishedName {
     private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
         for relativeDistinguishedName in self {
             for attribute in relativeDistinguishedName where attribute.type == oid {
-                return attribute.value.description
+                if let stringValue = attribute.stringValue {
+                    return stringValue
+                }
             }
         }
         return nil
     }
 }
+
+extension RelativeDistinguishedName.Attribute {
+    fileprivate var stringValue: String? {
+        let asn1StringBytes: ArraySlice<UInt8>?
+        do {
+            asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
+        } catch {
+            asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
+        }
+
+        guard let asn1StringBytes,
+              let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
+        else {
+            return nil
+        }
+        return stringValue
+    }
+}

Sources/PackageSigning/VerifierPolicies.swift

@@ -24,7 +24,7 @@ extension SignatureProviderProtocol {
     func buildPolicySet(configuration: VerifierConfiguration, httpClient: HTTPClient) -> some VerifierPolicy {
         _CodeSigningPolicy()
         _ADPCertificatePolicy()
-
+        
         let now = Date()
         switch (configuration.certificateExpiration, configuration.certificateRevocation) {
         case (.enabled(let expiryValidationTime), .strict(let revocationValidationTime)):
@@ -158,31 +158,27 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
     let httpClient: HTTPClient
 
-    func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
+    func query(request: [UInt8], uri: String) async throws -> [UInt8] {
         guard let url = URL(string: uri), let host = url.host else {
-            return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
+            throw SwiftOCSPRequesterError.invalidURL(uri)
         }
 
-        do {
-            let response = try await self.httpClient.post(
-                url,
-                body: Data(request),
-                headers: [
-                    "Content-Type": "application/ocsp-request",
-                    "Host": host,
-                ]
-            )
+        let response = try await self.httpClient.post(
+            url,
+            body: Data(request),
+            headers: [
+                "Content-Type": "application/ocsp-request",
+                "Host": host,
+            ]
+        )
 
-            guard response.statusCode == 200 else {
-                throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
-            }
-            guard let responseBody = response.body else {
-                throw SwiftOCSPRequesterError.emptyResponse
-            }
-            return .response(Array(responseBody))
-        } catch {
-            return .nonTerminalError(error)
+        guard response.statusCode == 200 else {
+            throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+        }
+        guard let responseBody = response.body else {
+            throw SwiftOCSPRequesterError.emptyResponse
         }
+        return Array(responseBody)
     }
 }
 

Sources/PackageSigning/X509Extensions.swift

@@ -30,7 +30,7 @@ extension Certificate {
     init(secIdentity: SecIdentity) throws {
         var secCertificate: SecCertificate?
         let status = SecIdentityCopyCertificate(secIdentity, &secCertificate)
-        guard status == errSecSuccess, let secCertificate else {
+        guard status == errSecSuccess, let secCertificate = secCertificate else {
             throw StringError("failed to get certificate from SecIdentity: status \(status)")
         }
         self = try Certificate(secCertificate: secCertificate)
@@ -60,13 +60,33 @@ extension DistinguishedName {
     private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
         for relativeDistinguishedName in self {
             for attribute in relativeDistinguishedName where attribute.type == oid {
-                return attribute.value.description
+                if let stringValue = attribute.stringValue {
+                    return stringValue
+                }
             }
         }
         return nil
     }
 }
 
+extension RelativeDistinguishedName.Attribute {
+    fileprivate var stringValue: String? {
+        let asn1StringBytes: ArraySlice<UInt8>?
+        do {
+            asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
+        } catch {
+            asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
+        }
+
+        guard let asn1StringBytes,
+              let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
+        else {
+            return nil
+        }
+        return stringValue
+    }
+}
+
 // MARK: - Certificate cache
 
 extension Certificate {

Tests/PackageSigningTests/SigningTests.swift

@@ -517,8 +517,8 @@ final class SigningTests: XCTestCase {
                     responses: [OCSPSingleResponse(
                         certID: singleRequest.certID,
                         certStatus: .unknown,
-                        thisUpdate: try GeneralizedTime(validationTime - .days(1)),
-                        nextUpdate: try GeneralizedTime(validationTime + .days(1))
+                        thisUpdate: try .init(validationTime - .days(1)),
+                        nextUpdate: try .init(validationTime + .days(1))
                     )],
                     privateKey: intermediatePrivateKey,
                     responseExtensions: { nonce }
@@ -1150,7 +1150,7 @@ enum OCSPTestHelper {
                 }
                 if isCodeSigning {
                     Critical(
-                        try ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
+                        ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
                     )
                 }
                 if let ocspServer {