swift-crypto 2.x upgrade (#3759)

* PackageCollectionsSigning: update for BoringSSL API changes

BoringSSL changed more of its types to opaque in
https://boringssl-review.googlesource.com/q/I53e915bfae3b8dc4b67642279d0e54dc606f2297.
This was picked up by swift-crypto in
apple/swift-crypto@127d374.  This
updates the API usage to use `OpaquePointer` more pervasively to repair
the build.

* Add CRYPTO_v2 setting to switch between swift-crypto v1.x and 2.x

* Use env var to control defining CRYPTO_v2

* Bump to swift-crypto 2.0.0

Co-authored-by: Saleem Abdulrasool <[email protected]>

Author: yim-lee

Package.swift

@@ -53,6 +53,13 @@ automatic linking type with `-auto` suffix appended to product's name.
 */
 let autoProducts = [swiftPMProduct, swiftPMDataModelProduct]
 
+let useSwiftCryptoV2 = ProcessInfo.processInfo.environment["SWIFTPM_USE_SWIFT_CRYPTO_V2"] != nil
+let minimumCryptoVersion: Version = useSwiftCryptoV2 ? "2.0.0" : "1.1.4"
+var swiftSettings: [SwiftSetting] = []
+if useSwiftCryptoV2 {
+    swiftSettings.append(.define("CRYPTO_v2"))
+}
+
 let package = Package(
     name: "SwiftPM",
     platforms: [
@@ -183,7 +190,8 @@ let package = Package(
         .target(
              /** Package collections signing */
              name: "PackageCollectionsSigning",
-             dependencies: ["PackageCollectionsModel", "PackageCollectionsSigningLibc", "Crypto", "Basics"]),
+             dependencies: ["PackageCollectionsModel", "PackageCollectionsSigningLibc", "Crypto", "Basics"],
+             swiftSettings: swiftSettings),
 
         .target(
             /** Data structures and support for package collections */
@@ -368,7 +376,7 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
         // dependency version changes here with those projects.
         .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "0.4.3")),
         .package(url: "https://github.com/apple/swift-driver.git", .branch(relatedDependenciesBranch)),
-        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "1.1.4")),
+        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: minimumCryptoVersion)),
     ]
 } else {
     package.dependencies += [

Sources/PackageCollectionsSigning/Certificate/Certificate.swift

@@ -111,15 +111,21 @@ struct CoreCertificate {
 
 #elseif os(Linux) || os(Windows) || os(Android)
 final class BoringSSLCertificate {
-    private let underlying: UnsafeMutablePointer<X509>
+    #if CRYPTO_v2
+    typealias Pointer = OpaquePointer
+    #else
+    typealias Pointer = UnsafeMutablePointer<X509>
+    #endif
+    
+    private let underlying: Pointer
 
     deinit {
         CCryptoBoringSSL_X509_free(self.underlying)
     }
 
     init(derEncoded data: Data) throws {
         let bytes = data.copyBytes()
-        let x509 = try bytes.withUnsafeBufferPointer { (ptr: UnsafeBufferPointer<UInt8>) throws -> UnsafeMutablePointer<X509> in
+        let x509 = try bytes.withUnsafeBufferPointer { (ptr: UnsafeBufferPointer<UInt8>) throws -> Pointer in
             var pointer = ptr.baseAddress
             guard let x509 = CCryptoBoringSSL_d2i_X509(nil, &pointer, numericCast(ptr.count)) else {
                 throw CertificateError.initializationFailure
@@ -129,7 +135,7 @@ final class BoringSSLCertificate {
         self.underlying = x509
     }
 
-    func withUnsafeMutablePointer<R>(_ body: (UnsafeMutablePointer<X509>) throws -> R) rethrows -> R {
+    func withUnsafeMutablePointer<R>(_ body: (Pointer) throws -> R) rethrows -> R {
         return try body(self.underlying)
     }
 
@@ -195,34 +201,38 @@ final class BoringSSLCertificate {
 }
 
 private extension CertificateName {
-    init(x509Name: UnsafeMutablePointer<X509_NAME>) {
-        self.userID = x509Name.getStringValue(of: NID_userId)
-        self.commonName = x509Name.getStringValue(of: NID_commonName)
-        self.organization = x509Name.getStringValue(of: NID_organizationName)
-        self.organizationalUnit = x509Name.getStringValue(of: NID_organizationalUnitName)
-    }
-}
+    #if CRYPTO_v2
+    typealias Pointer = OpaquePointer
+    #else
+    typealias Pointer = UnsafeMutablePointer<X509_NAME>
+    #endif
+    
+    init(x509Name: Pointer) {
+        func getStringValue(from name: Pointer, of nid: CInt) -> String? {
+            let index = CCryptoBoringSSL_X509_NAME_get_index_by_NID(name, nid, -1)
+            guard index >= 0 else {
+                return nil
+            }
 
-private extension UnsafeMutablePointer where Pointee == X509_NAME {
-    func getStringValue(of nid: CInt) -> String? {
-        let index = CCryptoBoringSSL_X509_NAME_get_index_by_NID(self, nid, -1)
-        guard index >= 0 else {
-            return nil
-        }
+            let entry = CCryptoBoringSSL_X509_NAME_get_entry(name, index)
+            guard let data = CCryptoBoringSSL_X509_NAME_ENTRY_get_data(entry) else {
+                return nil
+            }
 
-        let entry = CCryptoBoringSSL_X509_NAME_get_entry(self, index)
-        guard let data = CCryptoBoringSSL_X509_NAME_ENTRY_get_data(entry) else {
-            return nil
-        }
+            var value: UnsafeMutablePointer<CUnsignedChar>?
+            defer { CCryptoBoringSSL_OPENSSL_free(value) }
 
-        var value: UnsafeMutablePointer<CUnsignedChar>?
-        defer { CCryptoBoringSSL_OPENSSL_free(value) }
+            guard CCryptoBoringSSL_ASN1_STRING_to_UTF8(&value, data) >= 0 else {
+                return nil
+            }
 
-        guard CCryptoBoringSSL_ASN1_STRING_to_UTF8(&value, data) >= 0 else {
-            return nil
+            return String.decodeCString(value, as: UTF8.self, repairingInvalidCodeUnits: true)?.result
         }
 
-        return String.decodeCString(value, as: UTF8.self, repairingInvalidCodeUnits: true)?.result
+        self.userID = getStringValue(from: x509Name, of: NID_userId)
+        self.commonName = getStringValue(from: x509Name, of: NID_commonName)
+        self.organization = getStringValue(from: x509Name, of: NID_organizationName)
+        self.organizationalUnit = getStringValue(from: x509Name, of: NID_organizationalUnitName)
     }
 }
 

Sources/PackageCollectionsSigning/Certificate/CertificatePolicy.swift

@@ -100,7 +100,11 @@ extension CertificatePolicy {
     }
 
     #elseif os(Linux) || os(Windows) || os(Android)
+    #if CRYPTO_v2
+    typealias BoringSSLVerifyCallback = @convention(c) (CInt, OpaquePointer?) -> CInt
+    #else
     typealias BoringSSLVerifyCallback = @convention(c) (CInt, UnsafeMutablePointer<X509_STORE_CTX>?) -> CInt
+    #endif
 
     /// Verifies a certificate chain.
     ///