Update swift-certificates to 1.0.1, swift-crypto to 3.0.0

Package.swift

@@ -732,10 +732,10 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil {
         // dependency version changes here with those projects.
         .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.2.2")),
         .package(url: "https://github.com/apple/swift-driver.git", branch: relatedDependenciesBranch),
-        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "2.5.0")),
+        .package(url: "https://github.com/apple/swift-crypto.git", .upToNextMinor(from: "3.0.0")),
         .package(url: "https://github.com/apple/swift-system.git", .upToNextMinor(from: "1.1.1")),
         .package(url: "https://github.com/apple/swift-collections.git", .upToNextMinor(from: "1.0.1")),
-        .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "0.6.0")),
+        .package(url: "https://github.com/apple/swift-certificates.git", .upToNextMinor(from: "1.0.1")),
     ]
 } else {
     package.dependencies += [

Sources/PackageCollectionsSigning/CertificatePolicy.swift

@@ -402,27 +402,31 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
     let httpClient: HTTPClient
 
-    func query(request: [UInt8], uri: String) async throws -> [UInt8] {
+    func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
         guard let url = URL(string: uri), let host = url.host else {
-            throw SwiftOCSPRequesterError.invalidURL(uri)
+            return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
         }
 
-        let response = try await self.httpClient.post(
-            url,
-            body: Data(request),
-            headers: [
-                "Content-Type": "application/ocsp-request",
-                "Host": host,
-            ]
-        )
+        do {
+            let response = try await self.httpClient.post(
+                url,
+                body: Data(request),
+                headers: [
+                    "Content-Type": "application/ocsp-request",
+                    "Host": host,
+                ]
+            )
 
-        guard response.statusCode == 200 else {
-            throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
-        }
-        guard let responseBody = response.body else {
-            throw SwiftOCSPRequesterError.emptyResponse
+            guard response.statusCode == 200 else {
+                throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+            }
+            guard let responseBody = response.body else {
+                throw SwiftOCSPRequesterError.emptyResponse
+            }
+            return .response(Array(responseBody))
+        } catch {
+            return .nonTerminalError(error)
         }
-        return Array(responseBody)
     }
 }
 

Sources/PackageCollectionsSigning/X509Extensions.swift

@@ -59,29 +59,9 @@ extension DistinguishedName {
     private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
         for relativeDistinguishedName in self {
             for attribute in relativeDistinguishedName where attribute.type == oid {
-                if let stringValue = attribute.stringValue {
-                    return stringValue
-                }
+                return attribute.value.description
             }
         }
         return nil
     }
 }
-
-extension RelativeDistinguishedName.Attribute {
-    fileprivate var stringValue: String? {
-        let asn1StringBytes: ArraySlice<UInt8>?
-        do {
-            asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
-        } catch {
-            asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
-        }
-
-        guard let asn1StringBytes,
-              let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
-        else {
-            return nil
-        }
-        return stringValue
-    }
-}

Sources/PackageSigning/VerifierPolicies.swift

@@ -24,7 +24,7 @@ extension SignatureProviderProtocol {
     func buildPolicySet(configuration: VerifierConfiguration, httpClient: HTTPClient) -> some VerifierPolicy {
         _CodeSigningPolicy()
         _ADPCertificatePolicy()
-        
+
         let now = Date()
         switch (configuration.certificateExpiration, configuration.certificateRevocation) {
         case (.enabled(let expiryValidationTime), .strict(let revocationValidationTime)):
@@ -158,27 +158,31 @@ struct _OCSPVerifierPolicy: VerifierPolicy {
 private struct _OCSPRequester: OCSPRequester {
     let httpClient: HTTPClient
 
-    func query(request: [UInt8], uri: String) async throws -> [UInt8] {
+    func query(request: [UInt8], uri: String) async -> OCSPRequesterQueryResult {
         guard let url = URL(string: uri), let host = url.host else {
-            throw SwiftOCSPRequesterError.invalidURL(uri)
+            return .terminalError(SwiftOCSPRequesterError.invalidURL(uri))
         }
 
-        let response = try await self.httpClient.post(
-            url,
-            body: Data(request),
-            headers: [
-                "Content-Type": "application/ocsp-request",
-                "Host": host,
-            ]
-        )
+        do {
+            let response = try await self.httpClient.post(
+                url,
+                body: Data(request),
+                headers: [
+                    "Content-Type": "application/ocsp-request",
+                    "Host": host,
+                ]
+            )
 
-        guard response.statusCode == 200 else {
-            throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
-        }
-        guard let responseBody = response.body else {
-            throw SwiftOCSPRequesterError.emptyResponse
+            guard response.statusCode == 200 else {
+                throw SwiftOCSPRequesterError.invalidResponse(statusCode: response.statusCode)
+            }
+            guard let responseBody = response.body else {
+                throw SwiftOCSPRequesterError.emptyResponse
+            }
+            return .response(Array(responseBody))
+        } catch {
+            return .nonTerminalError(error)
         }
-        return Array(responseBody)
     }
 }
 

Sources/PackageSigning/X509Extensions.swift

@@ -30,7 +30,7 @@ extension Certificate {
     init(secIdentity: SecIdentity) throws {
         var secCertificate: SecCertificate?
         let status = SecIdentityCopyCertificate(secIdentity, &secCertificate)
-        guard status == errSecSuccess, let secCertificate = secCertificate else {
+        guard status == errSecSuccess, let secCertificate else {
             throw StringError("failed to get certificate from SecIdentity: status \(status)")
         }
         self = try Certificate(secCertificate: secCertificate)
@@ -60,33 +60,13 @@ extension DistinguishedName {
     private func stringAttribute(oid: ASN1ObjectIdentifier) -> String? {
         for relativeDistinguishedName in self {
             for attribute in relativeDistinguishedName where attribute.type == oid {
-                if let stringValue = attribute.stringValue {
-                    return stringValue
-                }
+                return attribute.value.description
             }
         }
         return nil
     }
 }
 
-extension RelativeDistinguishedName.Attribute {
-    fileprivate var stringValue: String? {
-        let asn1StringBytes: ArraySlice<UInt8>?
-        do {
-            asn1StringBytes = try ASN1PrintableString(asn1Any: self.value).bytes
-        } catch {
-            asn1StringBytes = try? ASN1UTF8String(asn1Any: self.value).bytes
-        }
-
-        guard let asn1StringBytes,
-              let stringValue = String(bytes: asn1StringBytes, encoding: .utf8)
-        else {
-            return nil
-        }
-        return stringValue
-    }
-}
-
 // MARK: - Certificate cache
 
 extension Certificate {

Tests/PackageSigningTests/SigningTests.swift

@@ -517,8 +517,8 @@ final class SigningTests: XCTestCase {
                     responses: [OCSPSingleResponse(
                         certID: singleRequest.certID,
                         certStatus: .unknown,
-                        thisUpdate: try .init(validationTime - .days(1)),
-                        nextUpdate: try .init(validationTime + .days(1))
+                        thisUpdate: try GeneralizedTime(validationTime - .days(1)),
+                        nextUpdate: try GeneralizedTime(validationTime + .days(1))
                     )],
                     privateKey: intermediatePrivateKey,
                     responseExtensions: { nonce }
@@ -1150,7 +1150,7 @@ enum OCSPTestHelper {
                 }
                 if isCodeSigning {
                     Critical(
-                        ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
+                        try ExtendedKeyUsage([ExtendedKeyUsage.Usage.codeSigning])
                     )
                 }
                 if let ocspServer {