Finally remove @retroactive @unchecked Sendable from crypto types (#232)

* Remove retroactive Sendable conf

* Remove comments

* Update crypto version

* Format

* Fix test warnings

* Use from syntax

Author: ptoffy

Package.swift

@@ -13,16 +13,16 @@ let package = Package(
         .library(name: "JWTKit", targets: ["JWTKit"])
     ],
     dependencies: [
-        .package(url: "https://github.com/apple/swift-crypto.git", "3.8.0"..<"5.0.0"),
-        .package(url: "https://github.com/apple/swift-certificates.git", from: "1.2.0"),
+        .package(url: "https://github.com/apple/swift-crypto.git", from: "4.0.0"),
+        .package(url: "https://github.com/apple/swift-certificates.git", from: "1.15.0"),
         .package(url: "https://github.com/apple/swift-log.git", from: "1.0.0"),
     ],
     targets: [
         .target(
             name: "JWTKit",
             dependencies: [
                 .product(name: "Crypto", package: "swift-crypto"),
-                .product(name: "_CryptoExtras", package: "swift-crypto"),
+                .product(name: "CryptoExtras", package: "swift-crypto"),
                 .product(name: "X509", package: "swift-certificates"),
                 .product(name: "Logging", package: "swift-log"),
             ]

Sources/JWTKit/ECDSA/P256+CurveType.swift

@@ -6,7 +6,6 @@ import FoundationEssentials
 import Foundation
 #endif
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P256: ECDSACurveType {
     public typealias Signature = P256.Signing.ECDSASignature
     public typealias PrivateKey = P256.Signing.PrivateKey
@@ -28,7 +27,6 @@ extension P256: ECDSACurveType {
     }
 }
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P256.Signing.PublicKey: ECDSAPublicKey {
     /// Verifies that the P256 key signature is valid for the given digest.
     ///
@@ -43,11 +41,8 @@ extension P256.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
-extension P256.Signing.PrivateKey: ECDSAPrivateKey, @unchecked @retroactive Sendable {}
-extension P256.Signing.ECDSASignature: ECDSASignature, @unchecked @retroactive Sendable {}
-extension P256.Signing.PublicKey: @unchecked @retroactive Sendable {}
-extension P256: @unchecked @retroactive Sendable {}
+extension P256.Signing.PrivateKey: ECDSAPrivateKey {}
+extension P256.Signing.ECDSASignature: ECDSASignature {}
 
 public typealias ES256PublicKey = ECDSA.PublicKey<P256>
 public typealias ES256PrivateKey = ECDSA.PrivateKey<P256>

Sources/JWTKit/ECDSA/P384+CurveType.swift

@@ -6,7 +6,6 @@ import FoundationEssentials
 import Foundation
 #endif
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P384: ECDSACurveType {
     public typealias Signature = P384.Signing.ECDSASignature
     public typealias PrivateKey = P384.Signing.PrivateKey
@@ -28,7 +27,6 @@ extension P384: ECDSACurveType {
     }
 }
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P384.Signing.PublicKey: ECDSAPublicKey {
     /// Verifies that the P384 key signature is valid for the given digest.
     ///
@@ -43,11 +41,8 @@ extension P384.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
-extension P384.Signing.PrivateKey: ECDSAPrivateKey, @unchecked @retroactive Sendable {}
-extension P384.Signing.ECDSASignature: ECDSASignature, @unchecked @retroactive Sendable {}
-extension P384.Signing.PublicKey: @unchecked @retroactive Sendable {}
-extension P384: @unchecked @retroactive Sendable {}
+extension P384.Signing.PrivateKey: ECDSAPrivateKey {}
+extension P384.Signing.ECDSASignature: ECDSASignature {}
 
 public typealias ES384PublicKey = ECDSA.PublicKey<P384>
 public typealias ES384PrivateKey = ECDSA.PrivateKey<P384>

Sources/JWTKit/ECDSA/P521+CurveType.swift

@@ -6,7 +6,6 @@ import FoundationEssentials
 import Foundation
 #endif
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P521: ECDSACurveType {
     public typealias Signature = P521.Signing.ECDSASignature
     public typealias PrivateKey = P521.Signing.PrivateKey
@@ -29,7 +28,6 @@ extension P521: ECDSACurveType {
     }
 }
 
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
 extension P521.Signing.PublicKey: ECDSAPublicKey {
     /// Verifies that the P256 key signature is valid for the given digest.
     ///
@@ -44,10 +42,8 @@ extension P521.Signing.PublicKey: ECDSAPublicKey {
     }
 }
 
-extension P521.Signing.PrivateKey: ECDSAPrivateKey, @unchecked @retroactive Sendable {}
-extension P521.Signing.ECDSASignature: ECDSASignature, @unchecked @retroactive Sendable {}
-extension P521.Signing.PublicKey: @unchecked @retroactive Sendable {}
-extension P521: @unchecked @retroactive Sendable {}
+extension P521.Signing.PrivateKey: ECDSAPrivateKey {}
+extension P521.Signing.ECDSASignature: ECDSASignature {}
 
 public typealias ES512PublicKey = ECDSA.PublicKey<P521>
 public typealias ES512PrivateKey = ECDSA.PrivateKey<P521>

Sources/JWTKit/EdDSA/EdDSA.swift

@@ -141,7 +141,3 @@ extension EdDSA {
         }
     }
 }
-
-// TODO: Remove @unchecked Sendable when Crypto is updated to use Sendable
-extension Curve25519.Signing.PublicKey: @unchecked @retroactive Sendable {}
-extension Curve25519.Signing.PrivateKey: @unchecked @retroactive Sendable {}

Sources/JWTKit/RSA/JWTKeyCollection+RSA.swift

@@ -1,4 +1,4 @@
-import _CryptoExtras
+import CryptoExtras
 
 extension JWTKeyCollection {
     /// Adds an RSA key to the collection.

Sources/JWTKit/RSA/RSA.swift

@@ -1,6 +1,6 @@
 import Crypto
+import CryptoExtras
 import X509
-import _CryptoExtras
 
 #if !canImport(Darwin)
 import FoundationEssentials

Sources/JWTKit/RSA/RSASigner.swift

@@ -1,4 +1,4 @@
-import _CryptoExtras
+import CryptoExtras
 
 #if !canImport(Darwin)
 import FoundationEssentials

Sources/JWTKit/X5C/X5CVerifier.swift

@@ -1,4 +1,4 @@
-import X509
+@_spi(FixedExpiryValidationTime) import X509
 
 #if !canImport(Darwin)
 import FoundationEssentials
@@ -60,8 +60,8 @@ public struct X5CVerifier: Sendable {
     /// - Returns: A `X509.VerificationResult` indicating the result of the verification.
     public func verifyChain(
         certificates: [String],
-        policy: () throws -> some VerifierPolicy = { RFC5280Policy(validationTime: Date()) }
-    ) async throws -> X509.VerificationResult {
+        policy: () throws -> some VerifierPolicy = { RFC5280Policy() }
+    ) async throws -> X509.CertificateValidationResult {
         let certificates = try certificates.map { try Certificate(pemEncoded: $0) }
         return try await verifyChain(certificates: certificates, policy: policy)
     }
@@ -74,12 +74,12 @@ public struct X5CVerifier: Sendable {
     /// - Returns: A `X509.VerificationResult` indicating the result of the verification.
     public func verifyChain(
         certificates: [Certificate],
-        @PolicyBuilder policy: () throws -> some VerifierPolicy = { RFC5280Policy(validationTime: Date()) }
-    ) async throws -> X509.VerificationResult {
+        @PolicyBuilder policy: () throws -> some VerifierPolicy = { RFC5280Policy() }
+    ) async throws -> X509.CertificateValidationResult {
         let untrustedChain = CertificateStore(certificates)
         var verifier = try Verifier(rootCertificates: trustedStore, policy: policy)
         let result = await verifier.validate(
-            leafCertificate: certificates[0], intermediates: untrustedChain)
+            leaf: certificates[0], intermediates: untrustedChain)
         return result
     }
 
@@ -141,7 +141,7 @@ public struct X5CVerifier: Sendable {
         _ token: some DataProtocol,
         as _: Payload.Type = Payload.self,
         jsonDecoder: any JWTJSONDecoder,
-        @PolicyBuilder policy: () throws -> some VerifierPolicy = { RFC5280Policy(validationTime: Date()) }
+        @PolicyBuilder policy: () throws -> some VerifierPolicy = { RFC5280Policy() }
     ) async throws -> Payload
     where Payload: JWTPayload {
         // Parse the JWS header to get the header
@@ -187,12 +187,12 @@ public struct X5CVerifier: Sendable {
             rootCertificates: trustedStore,
             policy: {
                 try policy()
-                RFC5280Policy(validationTime: date)
+                RFC5280Policy(fixedExpiryValidationTime: date)
             })
 
         // Validate the leaf certificate against the trusted store
         let result = await verifier.validate(
-            leafCertificate: certificates[0],
+            leaf: certificates[0],
             intermediates: untrustedChain
         )
 

Tests/JWTKitTests/RSATests.swift

@@ -1,7 +1,7 @@
 #if canImport(Testing)
 import Testing
 import JWTKit
-import _CryptoExtras
+import CryptoExtras
 
 @Suite("RSA Tests")
 struct RSATests {