From 75d62cb5b1d4b8876cf7a9d8ac03b59dbc667b2b Mon Sep 17 00:00:00 2001 From: Cory Benfield Date: Fri, 25 Jul 2025 11:06:49 +0100 Subject: [PATCH] Require VerifierPolicy not have isolated conformance Motivation While conceptually it is possible for verifier policies to have isolated conformance, in practice the way PolicyBuilder is implemented makes that nearly impossible. Given that the utility of an isolated VerifierPolicy is very limited, let's just disallow it. Modifications Require VerifierPolicy to have a SendableMetatype Result Easier to build correct compositions over PolicyBuilder --- Sources/X509/CMakeLists.txt | 1 + Sources/X509/Verifier/VerifierPolicy.swift | 3 ++- Sources/X509/X509SendableMetatype.swift | 19 +++++++++++++++++++ 3 files changed, 22 insertions(+), 1 deletion(-) create mode 100644 Sources/X509/X509SendableMetatype.swift diff --git a/Sources/X509/CMakeLists.txt b/Sources/X509/CMakeLists.txt index a0ee553c..b048e089 100644 --- a/Sources/X509/CMakeLists.txt +++ b/Sources/X509/CMakeLists.txt @@ -118,6 +118,7 @@ add_library(X509 "X509BaseTypes/Time.swift" "X509BaseTypes/TimeCalculations.swift" "X509BaseTypes/Validity.swift" + "X509SendableMetatype.swift" ) target_link_libraries(X509 PUBLIC diff --git a/Sources/X509/Verifier/VerifierPolicy.swift b/Sources/X509/Verifier/VerifierPolicy.swift index c1c4e715..2826407e 100644 --- a/Sources/X509/Verifier/VerifierPolicy.swift +++ b/Sources/X509/Verifier/VerifierPolicy.swift @@ -28,8 +28,9 @@ import SwiftASN1 /// the basic checks from that RFC. Other objects are less common, such as ``OCSPVerifierPolicy``, which performs live /// revocation checking. Users can also implement their own policies to enable swift-certificates to support other /// use-cases. +@preconcurrency @available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, macCatalyst 13, visionOS 1.0, *) -public protocol VerifierPolicy { +public protocol VerifierPolicy: _X509SendableMetatype { /// The X.509 extension types that this policy understands and enforces. /// /// X.509 certificates can have extensions marked as `critical`. These extensions _must_ be understood and enforced by the diff --git a/Sources/X509/X509SendableMetatype.swift b/Sources/X509/X509SendableMetatype.swift new file mode 100644 index 00000000..c5aba0df --- /dev/null +++ b/Sources/X509/X509SendableMetatype.swift @@ -0,0 +1,19 @@ +//===----------------------------------------------------------------------===// +// +// This source file is part of the SwiftCertificates open source project +// +// Copyright (c) 2025 Apple Inc. and the SwiftCertificates project authors +// Licensed under Apache License v2.0 +// +// See LICENSE.txt for license information +// See CONTRIBUTORS.txt for the list of SwiftCertificates project authors +// +// SPDX-License-Identifier: Apache-2.0 +// +//===----------------------------------------------------------------------===// + +#if compiler(>=6.2) +public typealias _X509SendableMetatype = SendableMetatype +#else +public typealias _X509SendableMetatype = Any +#endif