Update to latest swift-certificates

- Adjust code
- Re-enable `SigningTests.testCMSCheckCertificateRevocationStatus`

Author: yim-lee

Fixtures/Signing/Certificates/TestIntermediateCA.cer

@@ -750,7 +750,7 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
         .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "2.4.0")),
         .package(url: "https://github.com/apple/swift-system.git", .upToNextMinor(from: "1.1.1")),
         .package(url: "https://github.com/apple/swift-collections.git", .upToNextMinor(from: "1.0.1")),
-        .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "0.1.0")),
+        .package(url: "https://github.com/apple/swift-certificates.git", branch: "main"),
     ]
 } else {
     package.dependencies += [

Fixtures/Signing/Certificates/TestRootCA.cer

@@ -16,14 +16,21 @@ import struct Foundation.Date
 import struct Foundation.URL
 
 import Basics
+@_implementationOnly import SwiftASN1
 @_implementationOnly import X509
 
 extension SignatureProviderProtocol {
     func buildPolicySet(configuration: VerifierConfiguration, httpClient: HTTPClient) -> PolicySet {
-        var policies = [VerifierPolicy]()
-
-        if case .enabled(let validationTime) = configuration.certificateExpiration {
-            policies.append(RFC5280Policy(validationTime: validationTime ?? Date()))
+        var policies: [VerifierPolicy] = [
+            _CodeSigningPolicy(),
+            _ADPCertificatePolicy(),
+        ]
+
+        switch configuration.certificateExpiration {
+        case .enabled(let validationTime):
+            policies.append(_RFC5280Policy(validationTime: validationTime, enableExpiryCheck: true))
+        case .disabled:
+            policies.append(_RFC5280Policy(validationTime: .none, enableExpiryCheck: false))
         }
 
         switch configuration.certificateRevocation {
@@ -44,38 +51,99 @@ extension SignatureProviderProtocol {
     }
 }
 
+/// Policy for code signing certificates.
+struct _CodeSigningPolicy: VerifierPolicy {
+    let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = [
+        ASN1ObjectIdentifier.X509ExtensionID.keyUsage,
+        ASN1ObjectIdentifier.X509ExtensionID.extendedKeyUsage,
+    ]
+
+    func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+        let isCodeSigning = (
+            try? chain.leaf.extensions.extendedKeyUsage?.contains(ExtendedKeyUsage.Usage.codeSigning)
+        ) ??
+            false
+        guard isCodeSigning else {
+            return .failsToMeetPolicy(reason: "Certificate \(chain.leaf) does not have code signing extended key usage")
+        }
+        return .meetsPolicy
+    }
+}
+
+/// Policy for ADP certificates.
+struct _ADPCertificatePolicy: VerifierPolicy {
+    /// Include custom marker extensions (which can be critical) so they would not
+    /// be considered unhandled and cause certificate chain validation to fail.
+    let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = Self.swiftPackageMarkers
+        + Self.developmentMarkers
+
+    // Marker extensions for Swift Package certificate
+    private static let swiftPackageMarkers: [ASN1ObjectIdentifier] = [
+        // This is not a critical extension but including it just in case
+        ASN1ObjectIdentifier.NameAttributes.adpSwiftPackageMarker,
+    ]
+
+    // Marker extensions for Development certificate (included for testing)
+    private static let developmentMarkers: [ASN1ObjectIdentifier] = [
+        [1, 2, 840, 113_635, 100, 6, 1, 2],
+        [1, 2, 840, 113_635, 100, 6, 1, 12],
+    ]
+
+    func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+        // Not policing anything here. This policy is mainly for
+        // listing marker extensions to prevent chain validation
+        // from failing prematurely.
+        .meetsPolicy
+    }
+}
+
+struct _RFC5280Policy: VerifierPolicy {
+    /// See RFC5280Policy
+    public let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = [
+        .X509ExtensionID.basicConstraints,
+        .X509ExtensionID.nameConstraints,
+        .X509ExtensionID.keyUsage,
+    ]
+
+    let validationTime: Date?
+    let enableExpiryCheck: Bool
+
+    func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+        let policy: RFC5280Policy
+        if self.enableExpiryCheck {
+            policy = RFC5280Policy(validationTime: self.validationTime ?? Date())
+        } else {
+            // Use leaf.notValidBefore as validationTime to ensure the leaf
+            // will pass expiry check. This should work for the chain if the
+            // chain follows validity nesting, but if a parent expires before
+            // a child does then the expiry check will fail.
+            policy = RFC5280Policy(validationTime: chain.leaf.notValidBefore)
+        }
+        return policy.chainMeetsPolicyRequirements(chain: chain)
+    }
+}
+
 struct _OCSPVerifierPolicy: VerifierPolicy {
     private static let cacheTTL: DispatchTimeInterval = .seconds(5 * 60)
     private let cache = ThreadSafeKeyValueStore<
         UnverifiedCertificateChain,
         (result: PolicyEvaluationResult, expires: DispatchTime)
     >()
 
-    private let underlying: OCSPVerifierPolicy<_OCSPRequester>
+    private var underlying: OCSPVerifierPolicy<_OCSPRequester>
     private let mode: Mode
-    private let validationTime: Date
+
+    let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = []
 
     init(httpClient: HTTPClient, mode: Mode, validationTime: Date?) {
-        self.underlying = OCSPVerifierPolicy(requester: _OCSPRequester(httpClient: httpClient))
+        self.underlying = OCSPVerifierPolicy(
+            requester: _OCSPRequester(httpClient: httpClient),
+            validationTime: validationTime ?? Date()
+        )
         self.mode = mode
-        self.validationTime = validationTime ?? Date()
     }
 
-    func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
-        // Check for expiration of the leaf before revocation
-        let leaf = chain.leaf
-        if leaf.notValidBefore > leaf.notValidAfter {
-            return .failsToMeetPolicy(
-                reason: "OCSPVerifierPolicy: leaf certificate \(leaf) has invalid expiry, notValidAfter is earlier than notValidBefore"
-            )
-        }
-        if self.validationTime < leaf.notValidBefore {
-            return .failsToMeetPolicy(reason: "OCSPVerifierPolicy: leaf certificate \(leaf) is not yet valid")
-        }
-        if self.validationTime > leaf.notValidAfter {
-            return .failsToMeetPolicy(reason: "OCSPVerifierPolicy: leaf certificate \(leaf) has expired")
-        }
-
+    mutating func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
         // Look for cached result
         if let cached = self.cache[chain], cached.expires < .now() {
             return cached.result

Fixtures/Signing/Certificates/Test_ec.cer

@@ -30,9 +30,9 @@ final class SigningIdentityTests: XCTestCase {
             let certificate = try Certificate(certificateBytes)
 
             let subject = certificate.subject
-            XCTAssertEqual("Test (EC)", subject.commonName)
-            XCTAssertEqual("Test (EC)", subject.organizationalUnitName)
-            XCTAssertEqual("Test (EC)", subject.organizationName)
+            XCTAssertEqual("Test (EC) leaf", subject.commonName)
+            XCTAssertEqual("Test (EC) org unit", subject.organizationalUnitName)
+            XCTAssertEqual("Test (EC) org", subject.organizationName)
 
             let privateKeyBytes = try readFileContents(
                 in: fixturePath,
@@ -63,9 +63,9 @@ final class SigningIdentityTests: XCTestCase {
             let certificate = try Certificate(certificateBytes)
 
             let subject = certificate.subject
-            XCTAssertEqual("Test (RSA)", subject.commonName)
-            XCTAssertEqual("Test (RSA)", subject.organizationalUnitName)
-            XCTAssertEqual("Test (RSA)", subject.organizationName)
+            XCTAssertEqual("Test (RSA) leaf", subject.commonName)
+            XCTAssertEqual("Test (RSA) org unit", subject.organizationalUnitName)
+            XCTAssertEqual("Test (RSA) org", subject.organizationName)
 
             let privateKeyBytes = try readFileContents(
                 in: fixturePath,