From 3b2c18a7449a26a6c780b208f6719a6af612143b Mon Sep 17 00:00:00 2001 From: Aryan Shah Date: Fri, 14 Nov 2025 14:20:11 +0000 Subject: [PATCH 1/2] Motivation: Swift 5.10 is no longer supported. We should raise the minimum Swift tools version to 6.0, fix consequent build warnings/errors, and remove 5.10 CI jobs. Modifications: - Raised the Swift tools version to 6.0 in both the main swift-certificates package and the Benchmark package. - Removed the now redundant `StrictConcurrency=complete` flag in `swift-certificates`' `Package.swift`. - Removed 5.10 CI job arguments. - Removed 5.10 benchmark thresholds. - Added an explicit type annotation to the `package-benchmark` setup closure to address a build error. - Updated `VerifierBenchmark` to use newer, non-deprecated `RFC5280Policy` initializers (as a result of #276). Result: Code reflects our support window. --- .github/workflows/main.yml | 1 - .github/workflows/pull_request.yml | 1 - .../VerifierBenchmark.swift | 58 ++++++++++++++----- Benchmarks/Package.swift | 2 +- ...hmark.Parse_WebPKI_Roots_from_DER.p90.json | 3 - ...Parse_WebPKI_Roots_from_PEM_files.p90.json | 3 - ..._WebPKI_Roots_from_multi_PEM_file.p90.json | 3 - ...ficatesBenchmark.TinyArray.append.p90.json | 3 - ...inyArray_non-allocating_functions.p90.json | 3 - .../CertificatesBenchmark.Verifier.p90.json | 3 - Package.swift | 8 +-- 11 files changed, 44 insertions(+), 44 deletions(-) delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_DER.p90.json delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_PEM_files.p90.json delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_multi_PEM_file.p90.json delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray.append.p90.json delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray_non-allocating_functions.p90.json delete mode 100644 Benchmarks/Thresholds/5.10/CertificatesBenchmark.Verifier.p90.json diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index e261dea9..60afc983 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -14,7 +14,6 @@ jobs: name: Unit tests uses: apple/swift-nio/.github/workflows/unit_tests.yml@main with: - linux_5_10_arguments_override: "--explicit-target-dependency-import-check error" linux_6_0_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" linux_6_1_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" linux_6_2_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 66d0822d..f7fe453a 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -18,7 +18,6 @@ jobs: name: Unit tests uses: apple/swift-nio/.github/workflows/unit_tests.yml@main with: - linux_5_10_arguments_override: "--explicit-target-dependency-import-check error" linux_6_0_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" linux_6_1_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" linux_6_2_arguments_override: "-Xswiftc -warnings-as-errors --explicit-target-dependency-import-check error -Xswiftc -require-explicit-sendable" diff --git a/Benchmarks/Benchmarks/CertificatesBenchmark/VerifierBenchmark.swift b/Benchmarks/Benchmarks/CertificatesBenchmark/VerifierBenchmark.swift index 0fa7b9e1..824f80db 100644 --- a/Benchmarks/Benchmarks/CertificatesBenchmark/VerifierBenchmark.swift +++ b/Benchmarks/Benchmarks/CertificatesBenchmark/VerifierBenchmark.swift @@ -13,7 +13,7 @@ //===----------------------------------------------------------------------===// import Benchmark -import X509 +@_spi(FixedExpiryValidationTime) import X509 import Foundation import Crypto import SwiftASN1 @@ -50,7 +50,7 @@ func testTrivialChainBuilding() async -> Int { let roots = CertificateStore([TestCertificate.ca1]) var verifier = Verifier(rootCertificates: roots) { - RFC5280Policy(validationTime: TestCertificate.referenceTime) + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, @@ -67,7 +67,9 @@ func testTrivialChainBuilding() async -> Int { func testExtraRootsAreIgnored() async -> Int { let roots = CertificateStore([TestCertificate.ca1, TestCertificate.ca2]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1]) @@ -83,7 +85,9 @@ func testExtraRootsAreIgnored() async -> Int { func testPuttingRootsInTheIntermediariesIsntAProblem() async -> Int { let roots = CertificateStore([TestCertificate.ca1, TestCertificate.ca2]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1, TestCertificate.ca1, TestCertificate.ca2]) @@ -99,7 +103,9 @@ func testPuttingRootsInTheIntermediariesIsntAProblem() async -> Int { func testSupportsCrossSignedRootWithoutTrouble() async -> Int { let roots = CertificateStore([TestCertificate.ca2]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1, TestCertificate.ca1CrossSignedByCA2]) @@ -115,7 +121,9 @@ func testSupportsCrossSignedRootWithoutTrouble() async -> Int { func testBuildsTheShorterPathInTheCaseOfCrossSignedRoots() async -> Int { let roots = CertificateStore([TestCertificate.ca1, TestCertificate.ca2]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([ @@ -133,7 +141,9 @@ func testBuildsTheShorterPathInTheCaseOfCrossSignedRoots() async -> Int { func testPrefersToUseIntermediatesWithSKIThatMatches() async -> Int { let roots = CertificateStore([TestCertificate.ca1]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1, TestCertificate.intermediate1WithoutSKIAKI]) @@ -149,7 +159,9 @@ func testPrefersToUseIntermediatesWithSKIThatMatches() async -> Int { func testPrefersNoSKIToNonMatchingSKI() async -> Int { let roots = CertificateStore([TestCertificate.ca1]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([ @@ -167,7 +179,9 @@ func testPrefersNoSKIToNonMatchingSKI() async -> Int { func testRejectsRootsThatDidNotSignTheCertBeforeThem() async -> Int { let roots = CertificateStore([TestCertificate.ca1WithAlternativePrivateKey, TestCertificate.ca2]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([ @@ -186,7 +200,7 @@ func testPolicyFailuresCanFindLongerPaths() async -> Int { var verifier = Verifier(rootCertificates: roots) { FailIfCertInChainPolicy(forbiddenCert: TestCertificate.ca1) - RFC5280Policy(validationTime: TestCertificate.referenceTime) + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, @@ -205,7 +219,9 @@ func testPolicyFailuresCanFindLongerPaths() async -> Int { func testSelfSignedCertsAreTrustedWhenInTrustStore() async -> Int { let roots = CertificateStore([TestCertificate.ca1, TestCertificate.isolatedSelfSignedCert]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.isolatedSelfSignedCert, intermediates: CertificateStore([TestCertificate.intermediate1]) @@ -246,7 +262,9 @@ func testTrustRootsCanBeNonSelfSignedLeaves() async -> Int { func testTrustRootsCanBeNonSelfSignedIntermediates() async -> Int { let roots = CertificateStore([TestCertificate.intermediate1]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1]) @@ -275,7 +293,9 @@ func testWePoliceCriticalExtensionsOnLeafCerts() async -> Int { TestCertificate.ca1, TestCertificate.isolatedSelfSignedCertWithWeirdCriticalExtension, ]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.isolatedSelfSignedCertWithWeirdCriticalExtension, intermediates: CertificateStore([TestCertificate.intermediate1]) @@ -291,7 +311,9 @@ func testWePoliceCriticalExtensionsOnLeafCerts() async -> Int { func testMissingIntermediateFailsToBuild() async -> Int { let roots = CertificateStore([TestCertificate.ca1]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([]) @@ -307,7 +329,9 @@ func testMissingIntermediateFailsToBuild() async -> Int { func testSelfSignedCertsAreRejectedWhenNotInTheTrustStore() async -> Int { let roots = CertificateStore([TestCertificate.ca1]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.isolatedSelfSignedCert, intermediates: CertificateStore([TestCertificate.intermediate1]) @@ -322,7 +346,9 @@ func testSelfSignedCertsAreRejectedWhenNotInTheTrustStore() async -> Int { func testMissingRootFailsToBuild() async -> Int { let roots = CertificateStore([]) - var verifier = Verifier(rootCertificates: roots) { RFC5280Policy(validationTime: TestCertificate.referenceTime) } + var verifier = Verifier(rootCertificates: roots) { + RFC5280Policy(fixedExpiryValidationTime: TestCertificate.referenceTime) + } let result = await verifier.validate( leaf: TestCertificate.localhostLeaf, intermediates: CertificateStore([TestCertificate.intermediate1]) diff --git a/Benchmarks/Package.swift b/Benchmarks/Package.swift index c7856b4c..4803421b 100644 --- a/Benchmarks/Package.swift +++ b/Benchmarks/Package.swift @@ -1,4 +1,4 @@ -// swift-tools-version:5.10 +// swift-tools-version:6.0 //===----------------------------------------------------------------------===// // // This source file is part of the SwiftCertificates open source project diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_DER.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_DER.p90.json deleted file mode 100644 index bed41247..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_DER.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 5728000 -} \ No newline at end of file diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_PEM_files.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_PEM_files.p90.json deleted file mode 100644 index 4e539274..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_PEM_files.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 6687000 -} \ No newline at end of file diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_multi_PEM_file.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_multi_PEM_file.p90.json deleted file mode 100644 index 90ff73dd..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Parse_WebPKI_Roots_from_multi_PEM_file.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 6695000 -} \ No newline at end of file diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray.append.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray.append.p90.json deleted file mode 100644 index a739874a..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray.append.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 10000 -} \ No newline at end of file diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray_non-allocating_functions.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray_non-allocating_functions.p90.json deleted file mode 100644 index 9f9de44c..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.TinyArray_non-allocating_functions.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 0 -} \ No newline at end of file diff --git a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Verifier.p90.json b/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Verifier.p90.json deleted file mode 100644 index 36d6c874..00000000 --- a/Benchmarks/Thresholds/5.10/CertificatesBenchmark.Verifier.p90.json +++ /dev/null @@ -1,3 +0,0 @@ -{ - "mallocCountTotal" : 918010 -} diff --git a/Package.swift b/Package.swift index a9a01860..e80a2bea 100644 --- a/Package.swift +++ b/Package.swift @@ -1,4 +1,4 @@ -// swift-tools-version:5.10 +// swift-tools-version:6.0 //===----------------------------------------------------------------------===// // // This source file is part of the SwiftCertificates open source project @@ -85,12 +85,6 @@ if ProcessInfo.processInfo.environment["SWIFTCI_USE_LOCAL_DEPS"] == nil { ] } -for target in package.targets { - var settings = target.swiftSettings ?? [] - settings.append(.enableExperimentalFeature("StrictConcurrency=complete")) - target.swiftSettings = settings -} - // --- STANDARD CROSS-REPO SETTINGS DO NOT EDIT --- // for target in package.targets { switch target.type { From 83e7d15f02c1982b0675d9034ebc4943b8d0d8a1 Mon Sep 17 00:00:00 2001 From: Aryan Shah Date: Fri, 14 Nov 2025 17:30:21 +0000 Subject: [PATCH 2/2] Remove use of deprecated initializer --- Tests/X509Tests/PEMTests.swift | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Tests/X509Tests/PEMTests.swift b/Tests/X509Tests/PEMTests.swift index 2e37c9df..1bb2f883 100644 --- a/Tests/X509Tests/PEMTests.swift +++ b/Tests/X509Tests/PEMTests.swift @@ -122,7 +122,8 @@ final class PEMTests: XCTestCase { func testRSAPrivateKey() throws { // generated with "openssl genpkey -algorithm rsa" let rsaKey = try String( - contentsOf: XCTUnwrap(Bundle.module.url(forResource: "PEMTestRSACertificate", withExtension: "pem")) + contentsOf: XCTUnwrap(Bundle.module.url(forResource: "PEMTestRSACertificate", withExtension: "pem")), + encoding: .ascii ) let privateKey = try Certificate.PrivateKey(pemEncoded: rsaKey) guard case .rsa = privateKey.backing else {