Add Sendable support

Package.swift

@@ -18,22 +18,30 @@ let package = Package(
         .package(url: "https://github.com/attaswift/BigInt.git", from: "5.3.0"),
     ],
     targets: [
-        .target(name: "JWTKit", dependencies: [
-            .product(name: "Crypto", package: "swift-crypto"),
-            .product(name: "_CryptoExtras", package: "swift-crypto"),
-            .product(name: "X509", package: "swift-certificates"),
-            .product(name: "BigInt", package: "BigInt"),
-        ],
-        swiftSettings: [
-            .enableUpcomingFeature("ConciseMagicFile"),
-        ]),
+        .target(
+            name: "JWTKit",
+            dependencies: [
+                .product(name: "Crypto", package: "swift-crypto"),
+                .product(name: "_CryptoExtras", package: "swift-crypto"),
+                .product(name: "X509", package: "swift-certificates"),
+                .product(name: "BigInt", package: "BigInt"),
+
+            ],
+            swiftSettings: [
+                .enableExperimentalFeature("StrictConcurrency"),
+            ]
+        ),
         .testTarget(
             name: "JWTKitTests",
             dependencies: [
                 "JWTKit",
             ],
             resources: [
                 .copy("TestVectors"),
+            ],
+            swiftSettings: [
+                .enableExperimentalFeature("StrictConcurrency"),
+                .enableUpcomingFeature("ConciseMagicFile"),
             ]
         ),
     ]

Sources/JWTKit/ECDSA/ECDSACurveType.swift

@@ -16,6 +16,7 @@
 ///
 /// Types conforming to this protocol can be used to abstract ECDSA cryptographic operations across various elliptic curves,
 /// allowing for flexible and modular cryptographic code.
+
 public protocol ECDSACurveType: Sendable {
     associatedtype Signature
     associatedtype PrivateKey: ECDSAPrivateKey

Sources/JWTKit/ECDSA/ECDSAKeyType.swift

@@ -50,7 +50,7 @@ public protocol ECDSAPublicKey: Sendable {
     func isValidSignature(_ signature: some DataProtocol, for data: some Digest) throws -> Bool
 }
 
-public protocol ECDSASignature {
+public protocol ECDSASignature: Sendable {
     var rawRepresentation: Data { get set }
 }
 

Sources/JWTKit/ECDSA/P256+CurveType.swift

@@ -1,7 +1,8 @@
 import Crypto
 import Foundation
 
-extension P256: ECDSACurveType {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P256: ECDSACurveType, @unchecked Sendable {
     public typealias Signature = P256.Signing.ECDSASignature
     public typealias PrivateKey = P256.Signing.PrivateKey
 
@@ -17,7 +18,8 @@ extension P256: ECDSACurveType {
     public static let byteRanges: (x: Range<Int>, y: Range<Int>) = (1 ..< 33, 33 ..< 65)
 }
 
-extension P256.Signing.PublicKey: ECDSAPublicKey {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P256.Signing.PublicKey: ECDSAPublicKey, @unchecked Sendable {
     /// Verifies that the P256 key signature is valid for the given digest.
     ///
     /// - Parameters:
@@ -31,7 +33,9 @@ extension P256.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-extension P256.Signing.ECDSASignature: ECDSASignature {}
-extension P256.Signing.PrivateKey: ECDSAPrivateKey {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P256.Signing.PrivateKey: ECDSAPrivateKey, @unchecked Sendable {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P256.Signing.ECDSASignature: ECDSASignature, @unchecked Sendable {}
 
 public typealias ES256Key = ECDSAKey<P256>

Sources/JWTKit/ECDSA/P384+CurveType.swift

@@ -1,7 +1,8 @@
 import Crypto
 import Foundation
 
-extension P384: ECDSACurveType {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P384: ECDSACurveType, @unchecked Sendable {
     public typealias Signature = P384.Signing.ECDSASignature
     public typealias PrivateKey = P384.Signing.PrivateKey
 
@@ -17,7 +18,8 @@ extension P384: ECDSACurveType {
     public static let byteRanges: (x: Range<Int>, y: Range<Int>) = (1 ..< 49, 49 ..< 97)
 }
 
-extension P384.Signing.PublicKey: ECDSAPublicKey {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P384.Signing.PublicKey: ECDSAPublicKey, @unchecked Sendable {
     /// Verifies that the P384 key signature is valid for the given digest.
     ///
     /// - Parameters:
@@ -31,7 +33,9 @@ extension P384.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-extension P384.Signing.ECDSASignature: ECDSASignature {}
-extension P384.Signing.PrivateKey: ECDSAPrivateKey {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P384.Signing.PrivateKey: ECDSAPrivateKey, @unchecked Sendable {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P384.Signing.ECDSASignature: ECDSASignature, @unchecked Sendable {}
 
 public typealias ES384Key = ECDSAKey<P384>

Sources/JWTKit/ECDSA/P521+CurveType.swift

@@ -1,7 +1,8 @@
 import Crypto
 import Foundation
 
-extension P521: ECDSACurveType {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P521: ECDSACurveType, @unchecked Sendable {
     public typealias Signature = P521.Signing.ECDSASignature
     public typealias PrivateKey = P521.Signing.PrivateKey
 
@@ -18,7 +19,8 @@ extension P521: ECDSACurveType {
     public static let byteRanges: (x: Range<Int>, y: Range<Int>) = (1 ..< 67, 67 ..< 133)
 }
 
-extension P521.Signing.PublicKey: ECDSAPublicKey {
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P521.Signing.PublicKey: ECDSAPublicKey, @unchecked Sendable {
     /// Verifies that the P256 key signature is valid for the given digest.
     ///
     /// - Parameters:
@@ -32,7 +34,9 @@ extension P521.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-extension P521.Signing.ECDSASignature: ECDSASignature {}
-extension P521.Signing.PrivateKey: ECDSAPrivateKey {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P521.Signing.PrivateKey: ECDSAPrivateKey, @unchecked Sendable {}
+// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
+extension P521.Signing.ECDSASignature: ECDSASignature, @unchecked Sendable {}
 
 public typealias ES521Key = ECDSAKey<P521>

Sources/JWTKit/EdDSA/OctetKeyPair.swift

@@ -1,7 +1,7 @@
 import Foundation
 
 // https://www.rfc-editor.org/rfc/rfc8037.html#appendix-A
-enum OctetKeyPair {
+enum OctetKeyPair: Sendable {
     case `public`(x: Data)
     case `private`(x: Data, d: Data)
 

Sources/JWTKit/HMAC/HMACSigner.swift

@@ -1,4 +1,4 @@
-import Crypto
+@preconcurrency import Crypto
 import Foundation
 
 struct HMACSigner<SHAType>: JWTAlgorithm where SHAType: HashFunction {

Sources/JWTKit/JWK/JWKS.swift

@@ -2,7 +2,7 @@
 ///
 /// A JSON object that represents a set of JWKs.
 /// Read specification (RFC 7517) https://tools.ietf.org/html/rfc7517.
-public struct JWKS: Codable {
+public struct JWKS: Codable, Sendable {
     /// All JSON Web Keys
     public var keys: [JWK]
 

Sources/JWTKit/JWTHeader.swift

@@ -1,11 +1,11 @@
 /// The header (details) used for signing and processing the JWT.
-struct JWTHeader: Codable {
+struct JWTHeader: Codable, Sendable {
     /// The algorithm used with the signing.
     var alg: String?
-    
+
     /// The Signature's Content Type.
     var typ: String?
-    
+
     /// The Payload's Content Type.
     var cty: String?
 
@@ -18,4 +18,3 @@ struct JWTHeader: Codable {
     /// The x5c certificate chain.
     var x5c: [String]?
 }
-

Sources/JWTKit/JWTParser.swift

@@ -1,6 +1,6 @@
 import Foundation
 
-struct JWTParser {
+struct JWTParser: Sendable {
     let encodedHeader: ArraySlice<UInt8>
     let encodedPayload: ArraySlice<UInt8>
     let encodedSignature: ArraySlice<UInt8>

Sources/JWTKit/RSA/RSAKey.swift

@@ -1,4 +1,4 @@
-import _CryptoExtras
+@preconcurrency import _CryptoExtras
 import Crypto
 import Foundation
 import SwiftASN1
@@ -142,14 +142,14 @@ public struct RSAKey: Sendable {
     let privateKey: _RSA.Signing.PrivateKey?
 
     init(publicKey: _RSA.Signing.PublicKey) {
-        type = .public
+        self.type = .public
         self.publicKey = publicKey
-        privateKey = nil
+        self.privateKey = nil
     }
 
     init(privateKey: _RSA.Signing.PrivateKey) {
-        type = .private
-        publicKey = privateKey.publicKey
+        self.type = .private
+        self.publicKey = privateKey.publicKey
         self.privateKey = privateKey
     }
 

Sources/JWTKit/RSA/RSASigner.swift

@@ -1,5 +1,4 @@
 import _CryptoExtras
-import Crypto
 import Foundation
 
 struct RSASigner: JWTAlgorithm, CryptoSigner {
@@ -43,3 +42,5 @@ struct RSASigner: JWTAlgorithm, CryptoSigner {
         return publicKey.isValidSignature(signature, for: digest, padding: padding)
     }
 }
+
+extension _RSA.Signing.Padding: @unchecked Sendable {}

Sources/JWTKit/Utilities/CryptoSigner.swift

@@ -7,7 +7,7 @@ enum DigestAlgorithm {
     case sha512
 }
 
-protocol CryptoSigner {
+protocol CryptoSigner: Sendable {
     var algorithm: DigestAlgorithm { get }
 }
 

Sources/JWTKit/X5CVerifier.swift

@@ -14,7 +14,7 @@ import X509
 ///
 /// See [RFC 7515](https://www.rfc-editor.org/rfc/rfc7515#section-4.1.6)
 /// for details on the `x5c` header parameter.
-public class X5CVerifier {
+public struct X5CVerifier: Sendable {
     private let trustedStore: X509.CertificateStore
 
     /// Create a new X5CVerifier trusting `rootCertificates`.
@@ -32,7 +32,7 @@ public class X5CVerifier {
     /// Create a new X5CVerifier trusting `rootCertificates`.
     ///
     /// - Parameter rootCertificates: The root certificates to be trusted.
-    public convenience init<Message: DataProtocol>(rootCertificates: [Message]) throws {
+    public init<Message: DataProtocol>(rootCertificates: [Message]) throws {
         try self.init(rootCertificates: rootCertificates.map {
             String(decoding: $0, as: UTF8.self)
         })