PackageCollectionsSigning: make some of the private API more public

compnerd · compnerd · commit 5dc6593b0030 · 2025-06-17T17:39:32.000-07:00
This extends the visibility of some of the private implementation to the
package level to allow use for testing without `@testable` imports.
diff --git a/Sources/PackageCollectionsSigning/CertificatePolicy.swift b/Sources/PackageCollectionsSigning/CertificatePolicy.swift
@@ -54,7 +54,7 @@ public enum CertificatePolicyKey: Hashable, CustomStringConvertible {
 
 // MARK: - Certificate policies
 
-protocol CertificatePolicy {
+package protocol CertificatePolicy {
     /// Validates the given certificate chain.
     ///
     /// - Parameters:
@@ -71,11 +71,11 @@ extension CertificatePolicy {
     /// - Parameters:
     ///   - certChain: The certificate being verified must be the first element of the array, with its issuer the next
     ///                element and so on, and the root CA certificate is last.
-    func validate(certChain: [Certificate]) async throws {
+    package func validate(certChain: [Certificate]) async throws {
         try await self.validate(certChain: certChain, validationTime: Date())
     }
 
-    func verify(
+    package func verify(
         certChain: [Certificate],
         trustedRoots: [Certificate]?,
         @PolicyBuilder policies: () -> some VerifierPolicy,
@@ -114,7 +114,7 @@ extension CertificatePolicy {
     }
 }
 
-enum CertificatePolicyError: Error, Equatable {
+package enum CertificatePolicyError: Error, Equatable {
     case noTrustedRootCertsConfigured
     case emptyCertChain
     case invalidCertChain
@@ -128,7 +128,7 @@ enum CertificatePolicyError: Error, Equatable {
 ///   - The certificate must use either 256-bit EC (recommended) or 2048-bit RSA key.
 ///   - The certificate must not be revoked. The certificate authority must support OCSP.
 ///   - The certificate chain is valid and root certificate must be trusted.
-struct DefaultCertificatePolicy: CertificatePolicy {
+package struct DefaultCertificatePolicy: CertificatePolicy {
     let trustedRoots: [Certificate]
     let expectedSubjectUserID: String?
     let expectedSubjectOrganizationalUnit: String?
@@ -146,7 +146,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
     ///                                 user configured and dynamic, while this is configured by SwiftPM and static.
     ///   - expectedSubjectUserID: The subject user ID that must match if specified.
     ///   - expectedSubjectOrganizationalUnit: The subject organizational unit name that must match if specified.
-    init(
+    package init(
         trustedRootCertsDir: URL?,
         additionalTrustedRootCerts: [Certificate]?,
         expectedSubjectUserID: String? = nil,
@@ -168,7 +168,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
         self.observabilityScope = observabilityScope
     }
 
-    func validate(certChain: [Certificate], validationTime: Date) async throws {
+    package func validate(certChain: [Certificate], validationTime: Date) async throws {
         guard !certChain.isEmpty else {
             throw CertificatePolicyError.emptyCertChain
         }
@@ -202,7 +202,7 @@ struct DefaultCertificatePolicy: CertificatePolicy {
 ///
 /// This has the same requirements as `DefaultCertificatePolicy` plus additional
 /// marker extensions for Swift Package Collection certifiicates.
-struct ADPSwiftPackageCollectionCertificatePolicy: CertificatePolicy {
+package struct ADPSwiftPackageCollectionCertificatePolicy: CertificatePolicy {
     let trustedRoots: [Certificate]
     let expectedSubjectUserID: String?
     let expectedSubjectOrganizationalUnit: String?
@@ -220,7 +220,7 @@ struct ADPSwiftPackageCollectionCertificatePolicy: CertificatePolicy {
     ///                                 user configured and dynamic, while this is configured by SwiftPM and static.
     ///   - expectedSubjectUserID: The subject user ID that must match if specified.
     ///   - expectedSubjectOrganizationalUnit: The subject organizational unit name that must match if specified.
-    init(
+    package init(
         trustedRootCertsDir: URL?,
         additionalTrustedRootCerts: [Certificate]?,
         expectedSubjectUserID: String? = nil,
@@ -242,7 +242,7 @@ struct ADPSwiftPackageCollectionCertificatePolicy: CertificatePolicy {
         self.observabilityScope = observabilityScope
     }
 
-    func validate(certChain: [Certificate], validationTime: Date) async throws {
+    package func validate(certChain: [Certificate], validationTime: Date) async throws {
         guard !certChain.isEmpty else {
             throw CertificatePolicyError.emptyCertChain
         }
@@ -353,13 +353,13 @@ struct ADPAppleDistributionCertificatePolicy: CertificatePolicy {
 // MARK: - Verifier policies
 
 /// Policy for code signing certificates.
-struct _CodeSigningPolicy: VerifierPolicy {
-    let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = [
+package struct _CodeSigningPolicy: VerifierPolicy {
+    package let verifyingCriticalExtensions: [ASN1ObjectIdentifier] = [
         ASN1ObjectIdentifier.X509ExtensionID.keyUsage,
         ASN1ObjectIdentifier.X509ExtensionID.extendedKeyUsage,
     ]
 
-    func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
+    package func chainMeetsPolicyRequirements(chain: UnverifiedCertificateChain) async -> PolicyEvaluationResult {
         let isCodeSigning = (
             try? chain.leaf.extensions.extendedKeyUsage?.contains(ExtendedKeyUsage.Usage.codeSigning)
         ) ?? false
@@ -368,6 +368,8 @@ struct _CodeSigningPolicy: VerifierPolicy {
         }
         return .meetsPolicy
     }
+
+    package init() {}
 }
 
 /// Policy for revocation check via OCSP.
diff --git a/Sources/PackageCollectionsSigning/PackageCollectionSigning.swift b/Sources/PackageCollectionsSigning/PackageCollectionSigning.swift
@@ -129,7 +129,7 @@ public actor PackageCollectionSigning: PackageCollectionSigner, PackageCollectio
         self.observabilityScope = observabilityScope
     }
 
-    init(certPolicy: CertificatePolicy, observabilityScope: ObservabilityScope) {
+    package init(certPolicy: CertificatePolicy, observabilityScope: ObservabilityScope) {
         // These should be set through the given CertificatePolicy
         self.trustedRootCertsDir = nil
         self.additionalTrustedRootCerts = nil
diff --git a/Sources/PackageCollectionsSigning/Signature.swift b/Sources/PackageCollectionsSigning/Signature.swift
@@ -38,24 +38,24 @@ import X509
 // The logic in this source file loosely follows https://www.rfc-editor.org/rfc/rfc7515.html
 // for JSON Web Signature (JWS).
 
-struct Signature {
-    let header: Header
-    let payload: Data
+package struct Signature {
+    package let header: Header
+    package let payload: Data
     let signature: Data
 }
 
 extension Signature {
-    enum Algorithm: String, Codable {
+    package enum Algorithm: String, Codable {
         case RS256 // RSASSA-PKCS1-v1_5 using SHA-256
         case ES256 // ECDSA using P-256 and SHA-256
     }
 
-    struct Header: Equatable, Codable {
+    package struct Header: Equatable, Codable {
         // https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.1
-        let algorithm: Algorithm
+        package let algorithm: Algorithm
 
         /// Base64 encoded certificate chain
-        let certChain: [String]
+        package let certChain: [String]
 
         enum CodingKeys: String, CodingKey {
             case algorithm = "alg"
@@ -66,9 +66,9 @@ extension Signature {
 
 // Reference: https://github.com/vapor/jwt-kit/blob/master/Sources/JWTKit/JWTSerializer.swift
 extension Signature {
-    static let rsaSigningPadding = _RSA.Signing.Padding.insecurePKCS1v1_5
+    package static let rsaSigningPadding = _RSA.Signing.Padding.insecurePKCS1v1_5
 
-    static func generate(
+    package static func generate(
         payload: some Encodable,
         certChainData: [Data],
         jsonEncoder: JSONEncoder,
@@ -102,9 +102,9 @@ extension Signature {
 
 // Reference: https://github.com/vapor/jwt-kit/blob/master/Sources/JWTKit/JWTParser.swift
 extension Signature {
-    typealias CertChainValidate = ([Data]) async throws -> [Certificate]
+    package typealias CertChainValidate = ([Data]) async throws -> [Certificate]
 
-    static func parse(
+    package static func parse(
         _ signature: String,
         certChainValidate: CertChainValidate,
         jsonDecoder: JSONDecoder
@@ -113,7 +113,7 @@ extension Signature {
         return try await Self.parse(bytes, certChainValidate: certChainValidate, jsonDecoder: jsonDecoder)
     }
 
-    static func parse(
+    package static func parse(
         _ signature: some DataProtocol,
         certChainValidate: CertChainValidate,
         jsonDecoder: JSONDecoder
@@ -180,7 +180,7 @@ extension Signature {
     }
 }
 
-enum SignatureError: Error {
+package enum SignatureError: Error {
     case malformedSignature
     case invalidSignature
     case invalidPublicKey

Original file line number	Diff line number	Diff line change
`@@ -129,7 +129,7 @@ public actor PackageCollectionSigning: PackageCollectionSigner, PackageCollectio`
`129`	`129`	`self.observabilityScope = observabilityScope`
`130`	`130`	`}`
`131`	`131`
`132`		`- init(certPolicy: CertificatePolicy, observabilityScope: ObservabilityScope) {`
	`132`	`+ package init(certPolicy: CertificatePolicy, observabilityScope: ObservabilityScope) {`
`133`	`133`	`// These should be set through the given CertificatePolicy`
`134`	`134`	`self.trustedRootCertsDir = nil`
`135`	`135`	`self.additionalTrustedRootCerts = nil`