
Commit 846c840

committed
Update OCSPPolicy usage
1 parent 265283a commit 846c840


2 files changed

+9
-33
lines changed

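--- a/Sources/PackageSigning/VerifierPolicies.swift
+++ b/Sources/PackageSigning/VerifierPolicies.swift
@@ -32,16 +32,16 @@ extension SignatureProviderProtocol {
 policies.append(RFC5280Policy(validationTime: expiryValidationTime ?? now))
 policies
 .append(_OCSPVerifierPolicy(
+failureMode: .hard,
 httpClient: httpClient,
-mode: .strict,
 validationTime: revocationValidationTime ?? now
 ))
 case (.enabled(let expiryValidationTime), .allowSoftFail(let revocationValidationTime)):
 policies.append(RFC5280Policy(validationTime: expiryValidationTime ?? now))
 policies
 .append(_OCSPVerifierPolicy(
+failureMode: .soft,
 httpClient: httpClient,
-mode: .allowSoftFail,
 validationTime: revocationValidationTime ?? now
 ))
 case (.enabled(let expiryValidationTime), .disabled):
@@ -51,17 +51,17 @@ extension SignatureProviderProtocol {
 policies.append(RFC5280Policy(validationTime: revocationValidationTime ?? now))
 policies
 .append(_OCSPVerifierPolicy(
+failureMode: .hard,
 httpClient: httpClient,
-mode: .strict,
 validationTime: revocationValidationTime ?? now
 ))
 case (.disabled, .allowSoftFail(let revocationValidationTime)):
 // Always do expiry check (and before) if revocation check is enabled
 policies.append(RFC5280Policy(validationTime: revocationValidationTime ?? now))
 policies
 .append(_OCSPVerifierPolicy(
+failureMode: .soft,
 httpClient: httpClient,
-mode: .allowSoftFail,
 validationTime: revocationValidationTime ?? now
 ))
 case (.disabled, .disabled):
@@ -127,16 +127,15 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 >()
 
 private var underlying: OCSPVerifierPolicy<_OCSPRequester>
-private let mode: Mode
 
 let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = []
 
-init(httpClient: HTTPClient, mode: Mode, validationTime: Date) {
+init(failureMode: OCSPFailureMode, httpClient: HTTPClient, validationTime: Date) {
 self.underlying = OCSPVerifierPolicy(
+failureMode: failureMode,
 requester: _OCSPRequester(httpClient: httpClient),
 validationTime: validationTime
 )
-self.mode = mode
 }
 
 mutating func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
@@ -147,32 +146,10 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 
 // This makes HTTP requests
 let result = await self.underlying.chainMeetsPolicyRequirements(chain: chain)
-let actualResult: PolicyEvaluationResult
-switch result {
-case .meetsPolicy:
-actualResult = result
-case .failsToMeetPolicy(let reason):
-switch self.mode {
-case .strict:
-actualResult = result
-case .allowSoftFail:
-// Allow 'unknown' status and failed OCSP request in this mode
-if reason.lowercased().contains("revoked through ocsp") {
-actualResult = result
-} else {
-actualResult = .meetsPolicy
-}
-}
-}
 
 // Save result to cache
-self.cache[chain] = (result: actualResult, expires: .now() + Self.cacheTTL)
-return actualResult
-}
-
-enum Mode {
-case strict
-case allowSoftFail
+self.cache[chain] = (result: result, expires: .now() + Self.cacheTTL)
+return result
 }
 }
 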
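Review bot: In the last hunk `chainMeetsPolicyRequirements` now caches whatever `underlying` returns, so under `failureMode: .soft` any outcome the library tolerates (an unreachable responder or an unknown status, if that is what `.soft` permits) is remembered as passing for `cacheTTL`; the old `actualResult` had the same property, but the reasoning that justified it, the removed "revoked through ocsp" check, is no longer visible in this file. I'd add to the `init` doc comment `/// Which OCSP failures are tolerated is decided by the underlying OCSPVerifierPolicy's failureMode, not by this wrapper.` and above the cache line `// Cached regardless of outcome: a soft-tolerated failure stays accepted until cacheTTL elapses.`. Whether the library's `.soft` mode matches the previous "anything not explicitly revoked passes" rule cannot be seen here and is worth pinning in a test. The enclosing function starts before the hunk.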
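--- a/Tests/PackageSigningTests/SigningTests.swift
+++ b/Tests/PackageSigningTests/SigningTests.swift
@@ -486,8 +486,7 @@ final class SigningTests: XCTestCase {
 issuer: caName,
 issuerPrivateKey: caPrivateKey,
 isIntermediate: true,
-isCodeSigning: false,
-ocspServer: ocspResponderURI
+isCodeSigning: false
 ),
 ]
 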
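Review bot: Dropping `ocspServer: ocspResponderURI` from the intermediate certificate means this fixture presumably no longer exercises OCSP for the intermediate, only for whichever certificate still carries a responder URI, and the reason is not recorded in the hunk. If that is intended, a one-line comment on the `isIntermediate: true` entry such as `// no OCSP responder on the intermediate; revocation is only checked for the leaf in this fixture` would keep a future reader from re-adding it. The enclosing test method starts before the hunk, so I cannot tell whether another fixture still covers intermediate revocation.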