Update Swift Crypto for the Ventura beta API (#123)

* Bring over API files from macOS Ventura

* Implement the new API surface

This patch implements the new API surface, and removes anything that's
no longer compatible with the expected API surface from CryptoKit

Author: Lukasa

Sources/Crypto/AEADs/AES/GCM/AES-GCM.swift

@@ -116,6 +116,11 @@ extension AES.GCM {
             self.combinedRepresentation = combined
             self.nonceByteCount = AES.GCM.defaultNonceByteCount
         }
+
+        internal init(combined: Data, nonceByteCount: Int) {
+            self.combinedRepresentation = combined
+            self.nonceByteCount = nonceByteCount
+        }
 
         @inlinable
         public init<D: DataProtocol>(combined: D) throws {

Sources/Crypto/AEADs/ChachaPoly/ChaChaPoly.swift

@@ -122,6 +122,11 @@ extension ChaChaPoly {
 
             self.combined = Data(nonce) + ciphertext + tag
         }
+
+        internal init(combined: Data, nonceByteCount: Int) {
+            assert(nonceByteCount == ChaChaPoly.nonceByteCount)
+            self.combined = combined
+        }
     }
 }
 #endif // Linux or !SwiftPM

Sources/Crypto/AEADs/Nonces.swift

@@ -26,7 +26,12 @@ extension AES.GCM {
 
         /// Generates a fresh random Nonce. Unless required by a specification to provide a specific Nonce, this is the recommended initializer.
         public init() {
-            try! self.init(data: SecureBytes(count: AES.GCM.defaultNonceByteCount))
+            var data = Data(repeating: 0, count: AES.GCM.defaultNonceByteCount)
+            data.withUnsafeMutableBytes {
+                assert($0.count == AES.GCM.defaultNonceByteCount)
+                $0.initializeWithRandomBytes(count: AES.GCM.defaultNonceByteCount)
+            }
+            self.bytes = data
         }
 
         public init<D: DataProtocol>(data: D) throws {
@@ -56,7 +61,12 @@ extension ChaChaPoly {
 
         /// Generates a fresh random Nonce. Unless required by a specification to provide a specific Nonce, this is the recommended initializer.
         public init() {
-            try! self.init(data: SecureBytes(count: ChaChaPoly.nonceByteCount))
+            var data = Data(repeating: 0, count: ChaChaPoly.nonceByteCount)
+            data.withUnsafeMutableBytes {
+                assert($0.count == ChaChaPoly.nonceByteCount)
+                $0.initializeWithRandomBytes(count: ChaChaPoly.nonceByteCount)
+            }
+            self.bytes = data
         }
 
         public init<D: DataProtocol>(data: D) throws {

Sources/Crypto/AEADs/Nonces.swift.gyb

@@ -35,7 +35,12 @@ extension ${name} {
 
         /// Generates a fresh random Nonce. Unless required by a specification to provide a specific Nonce, this is the recommended initializer.
         public init() {
-            try! self.init(data: SecureBytes(count: ${nonceSize}))
+            var data = Data(repeating: 0, count: ${nonceSize})
+            data.withUnsafeMutableBytes {
+                assert($0.count == ${nonceSize})
+                $0.initializeWithRandomBytes(count: ${nonceSize})
+            }
+            self.bytes = data
         }
 
         public init<D: DataProtocol>(data: D) throws {

Sources/Crypto/ASN1/ASN1.swift

@@ -132,11 +132,11 @@ extension ASN1.ASN1ParserNode: CustomStringConvertible {
     }
 }
 
-// MARK: - Sequence
+// MARK: - Sequence, SequenceOf, and Set
 extension ASN1 {
     /// Parse the node as an ASN.1 sequence.
-    internal static func sequence<T>(_ node: ASN1Node, _ builder: (inout ASN1.ASN1NodeCollection.Iterator) throws -> T) throws -> T {
-        guard node.identifier == .sequence, case .constructed(let nodes) = node.content else {
+    internal static func sequence<T>(_ node: ASN1Node, identifier: ASN1.ASN1Identifier, _ builder: (inout ASN1.ASN1NodeCollection.Iterator) throws -> T) throws -> T {
+        guard node.identifier == identifier, case .constructed(let nodes) = node.content else {
             throw CryptoKitASN1Error.unexpectedFieldType
         }
 
@@ -150,6 +150,29 @@ extension ASN1 {
 
         return result
     }
+
+    internal static func sequence<T: ASN1Parseable>(of: T.Type = T.self, identifier: ASN1.ASN1Identifier, rootNode: ASN1Node) throws -> [T] {
+        guard rootNode.identifier == identifier, case .constructed(let nodes) = rootNode.content else {
+            throw CryptoKitASN1Error.unexpectedFieldType
+        }
+
+        return try nodes.map { try T(asn1Encoded: $0) }
+    }
+
+    internal static func sequence<T: ASN1Parseable>(of: T.Type = T.self, identifier: ASN1.ASN1Identifier, nodes: inout ASN1.ASN1NodeCollection.Iterator) throws -> [T] {
+        guard let node = nodes.next() else {
+            // Not present, throw.
+            throw CryptoKitASN1Error.invalidASN1Object
+        }
+
+        return try sequence(of: T.self, identifier: identifier, rootNode: node)
+    }
+
+    /// Parse the node as an ASN.1 set.
+    internal static func set<T>(_ node: ASN1Node, identifier: ASN1.ASN1Identifier, _ builder: (inout ASN1.ASN1NodeCollection.Iterator) throws -> T) throws -> T {
+        // Shhhh these two are secretly the same with identifier.
+        return try sequence(node, identifier: identifier, builder)
+    }
 }
 
 // MARK: - Optional explicitly tagged
@@ -189,6 +212,54 @@ extension ASN1 {
     }
 }
 
+// MARK: - DEFAULT
+extension ASN1 {
+    /// Parses a value that is encoded with a DEFAULT. Such a value is optional, and if absent will
+    /// be replaced with its default.
+    ///
+    /// Expects to be used with the `ASN1.sequence` helper function.
+    internal static func decodeDefault<T: ASN1Parseable & Equatable>(_ nodes: inout ASN1.ASN1NodeCollection.Iterator, identifier: ASN1.ASN1Identifier, defaultValue: T, _ builder: (ASN1Node) throws -> T) throws -> T {
+        // A weird trick here: we only want to consume the next node _if_ it has the right tag. To achieve that,
+        // we work on a copy.
+        var localNodesCopy = nodes
+        guard let node = localNodesCopy.next() else {
+            // Whoops, nothing here.
+            return defaultValue
+        }
+
+        guard node.identifier == identifier else {
+            // Node is a mismatch, with the wrong identifier. Our optional isn't present.
+            return defaultValue
+        }
+
+        // We have the right optional, so let's consume it.
+        nodes = localNodesCopy
+        let parsed = try builder(node)
+
+        // DER forbids encoding DEFAULT values at their default state.
+        // We can lift this in BER.
+        guard parsed != defaultValue else {
+            throw CryptoKitASN1Error.invalidASN1Object
+        }
+
+        return parsed
+    }
+
+    internal static func decodeDefaultExplicitlyTagged<T: ASN1Parseable & Equatable>(_ nodes: inout ASN1.ASN1NodeCollection.Iterator, tagNumber: Int, tagClass: ASN1.ASN1Identifier.TagClass, defaultValue: T, _ builder: (ASN1Node) throws -> T) throws -> T {
+        if let result = try optionalExplicitlyTagged(&nodes, tagNumber: tagNumber, tagClass: tagClass, builder) {
+            guard result != defaultValue else {
+                // DER forbids encoding DEFAULT values at their default state.
+                // We can lift this in BER.
+                throw CryptoKitASN1Error.invalidASN1Object
+            }
+
+            return result
+        } else {
+            return defaultValue
+        }
+    }
+}
+
 // MARK: - Parsing
 extension ASN1 {
     /// A parsed representation of ASN.1.
@@ -369,7 +440,7 @@ extension ASN1.ASN1Node {
 // MARK: - Serializing
 extension ASN1 {
     struct Serializer {
-        private(set) var serializedBytes: [UInt8]
+        var serializedBytes: [UInt8]
 
         init() {
             // We allocate a 1kB array because that should cover us most of the time.
@@ -393,9 +464,37 @@ extension ASN1 {
         }
 
         mutating func serialize<T: ASN1Serializable>(_ node: T, explicitlyTaggedWithTagNumber tagNumber: Int, tagClass: ASN1.ASN1Identifier.TagClass) throws {
+            return try self.serialize(explicitlyTaggedWithTagNumber: tagNumber, tagClass: tagClass) { coder in
+                try coder.serialize(node)
+            }
+        }
+
+        mutating func serialize(explicitlyTaggedWithTagNumber tagNumber: Int, tagClass: ASN1.ASN1Identifier.TagClass, _ block: (inout Serializer) throws -> Void) rethrows {
             let identifier = ASN1Identifier(explicitTagWithNumber: tagNumber, tagClass: tagClass)
             try self.appendConstructedNode(identifier: identifier) { coder in
-                try coder.serialize(node)
+                try block(&coder)
+            }
+        }
+
+        mutating func serializeSequenceOf<Elements: Sequence>(_ elements: Elements, identifier: ASN1.ASN1Identifier = .sequence) throws where Elements.Element: ASN1Serializable {
+            try self.appendConstructedNode(identifier: identifier) { coder in
+                for element in elements {
+                    try coder.serialize(element)
+                }
+            }
+        }
+
+        mutating func serialize(_ node: ASN1.ASN1Node) {
+            let identifier = node.identifier
+            self._appendNode(identifier: identifier) { coder in
+                switch node.content {
+                case .constructed(let nodes):
+                    for node in nodes {
+                        coder.serialize(node)
+                    }
+                case .primitive(let baseData):
+                    coder.serializedBytes.append(contentsOf: baseData)
+                }
             }
         }
 
@@ -438,7 +537,7 @@ extension ASN1 {
             for shift in (0..<(lengthBytesNeeded - 1)).reversed() {
                 // Shift and mask the integer.
                 self.serializedBytes.formIndex(after: &writeIndex)
-                self.serializedBytes[writeIndex] = UInt8(truncatingIfNeeded: contentLength >> (shift * 8))
+                self.serializedBytes[writeIndex] = UInt8(truncatingIfNeeded: (contentLength >> (shift * 8)))
             }
 
             assert(writeIndex == self.serializedBytes.index(lengthIndex, offsetBy: lengthBytesNeeded - 1))
@@ -463,12 +562,54 @@ extension ASN1Parseable {
     internal init(asn1Encoded: [UInt8]) throws {
         self = try .init(asn1Encoded: ASN1.parse(asn1Encoded))
     }
+
+    internal init(asn1Encoded: ArraySlice<UInt8>) throws {
+        self = try .init(asn1Encoded: ASN1.parse(asn1Encoded))
+    }
 }
 
 internal protocol ASN1Serializable {
     func serialize(into coder: inout ASN1.Serializer) throws
 }
 
+/// Covers ASN.1 types that may be implicitly tagged. Not all nodes can be!
+internal protocol ASN1ImplicitlyTaggable: ASN1Parseable, ASN1Serializable {
+    /// The tag that the first node will use "by default" if the grammar omits
+    /// any more specific tag definition.
+    static var defaultIdentifier: ASN1.ASN1Identifier { get }
+
+    init(asn1Encoded: ASN1.ASN1Node, withIdentifier identifier: ASN1.ASN1Identifier) throws
+
+    func serialize(into coder: inout ASN1.Serializer, withIdentifier identifier: ASN1.ASN1Identifier) throws
+}
+
+extension ASN1ImplicitlyTaggable {
+    internal init(asn1Encoded sequenceNodeIterator: inout ASN1.ASN1NodeCollection.Iterator,
+                  withIdentifier identifier: ASN1.ASN1Identifier = Self.defaultIdentifier) throws {
+        guard let node = sequenceNodeIterator.next() else {
+            throw CryptoKitASN1Error.invalidASN1Object
+        }
+
+        self = try .init(asn1Encoded: node, withIdentifier: identifier)
+    }
+
+    internal init(asn1Encoded: [UInt8], withIdentifier identifier: ASN1.ASN1Identifier = Self.defaultIdentifier) throws {
+        self = try .init(asn1Encoded: ASN1.parse(asn1Encoded), withIdentifier: identifier)
+    }
+
+    internal init(asn1Encoded: ArraySlice<UInt8>, withIdentifier identifier: ASN1.ASN1Identifier = Self.defaultIdentifier) throws {
+        self = try .init(asn1Encoded: ASN1.parse(asn1Encoded), withIdentifier: identifier)
+    }
+
+    init(asn1Encoded: ASN1.ASN1Node) throws {
+        try self.init(asn1Encoded: asn1Encoded, withIdentifier: Self.defaultIdentifier)
+    }
+
+    func serialize(into coder: inout ASN1.Serializer) throws {
+        try self.serialize(into: &coder, withIdentifier: Self.defaultIdentifier)
+    }
+}
+
 extension ArraySlice where Element == UInt8 {
     fileprivate mutating func readASN1Length() throws -> UInt? {
         guard let firstByte = self.popFirst() else {

Sources/Crypto/ASN1/Basic ASN1 Types/ASN1Any.swift

@@ -0,0 +1,70 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftCrypto open source project
+//
+// Copyright (c) 2019-2020 Apple Inc. and the SwiftCrypto project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.md for the list of SwiftCrypto project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+#if (os(macOS) || os(iOS) || os(watchOS) || os(tvOS)) && CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API
+@_exported import CryptoKit
+#else
+import Foundation
+
+extension ASN1 {
+    /// An ASN1 ANY represents...well, anything.
+    ///
+    /// In this case we store the ASN.1 ANY as a serialized representation. This is a bit annoying,
+    /// but it's the only safe way to manage this data, as we cannot arbitrarily parse it.
+    ///
+    /// The only things we allow users to do with ASN.1 ANYs is to try to decode them as something else,
+    /// to create them from something else, or to serialize them.
+    struct ASN1Any: ASN1Parseable, ASN1Serializable, Hashable {
+        fileprivate var serializedBytes: ArraySlice<UInt8>
+
+        init<ASN1Type: ASN1Serializable>(erasing: ASN1Type) throws {
+            var serializer = ASN1.Serializer()
+            try erasing.serialize(into: &serializer)
+            self.serializedBytes = ArraySlice(serializer.serializedBytes)
+        }
+
+        init<ASN1Type: ASN1ImplicitlyTaggable>(erasing: ASN1Type, withIdentifier identifier: ASN1.ASN1Identifier) throws {
+            var serializer = ASN1.Serializer()
+            try erasing.serialize(into: &serializer, withIdentifier: identifier)
+            self.serializedBytes = ArraySlice(serializer.serializedBytes)
+        }
+
+        init(asn1Encoded rootNode: ASN1.ASN1Node) {
+            // This is a bit sad: we just re-serialize this data. In an ideal world
+            // we'd update the parse representation so that all nodes can point at their
+            // complete backing storage, but for now this is better.
+            var serializer = ASN1.Serializer()
+            serializer.serialize(rootNode)
+            self.serializedBytes = ArraySlice(serializer.serializedBytes)
+        }
+
+        func serialize(into coder: inout ASN1.Serializer) throws {
+            // Dangerous to just reach in there like this, but it's the right way to serialize this.
+            coder.serializedBytes.append(contentsOf: self.serializedBytes)
+        }
+    }
+}
+
+extension ASN1Parseable {
+    init(asn1Any: ASN1.ASN1Any) throws {
+        try self.init(asn1Encoded: asn1Any.serializedBytes)
+    }
+}
+
+extension ASN1ImplicitlyTaggable {
+    init(asn1Any: ASN1.ASN1Any, withIdentifier identifier: ASN1.ASN1Identifier) throws {
+        try self.init(asn1Encoded: asn1Any.serializedBytes, withIdentifier: identifier)
+    }
+}
+
+#endif // Linux or !SwiftPM

Sources/Crypto/ASN1/Basic ASN1 Types/ASN1BitString.swift

@@ -18,11 +18,15 @@ import Foundation
 
 extension ASN1 {
     /// A bitstring is a representation of...well...some bits.
-    struct ASN1BitString: ASN1Parseable, ASN1Serializable {
+    struct ASN1BitString: ASN1ImplicitlyTaggable {
+        static var defaultIdentifier: ASN1.ASN1Identifier {
+            .primitiveBitString
+        }
+
         var bytes: ArraySlice<UInt8>
 
-        init(asn1Encoded node: ASN1.ASN1Node) throws {
-            guard node.identifier == .primitiveBitString else {
+        init(asn1Encoded node: ASN1.ASN1Node, withIdentifier identifier: ASN1.ASN1Identifier) throws {
+            guard node.identifier == identifier else {
                 throw CryptoKitASN1Error.unexpectedFieldType
             }
 
@@ -43,8 +47,8 @@ extension ASN1 {
             self.bytes = bytes
         }
 
-        func serialize(into coder: inout ASN1.Serializer) throws {
-            coder.appendPrimitiveNode(identifier: .primitiveBitString) { bytes in
+        func serialize(into coder: inout ASN1.Serializer, withIdentifier identifier: ASN1.ASN1Identifier) throws {
+            coder.appendPrimitiveNode(identifier: identifier) { bytes in
                 bytes.append(0)
                 bytes.append(contentsOf: self.bytes)
             }