Support SecKey Certificate private keys

Sources/X509/CMakeLists.txt

@@ -13,105 +13,7 @@
 ##===----------------------------------------------------------------------===##
 
 add_library(X509
-  "CSR/CSRAttribute.swift"
-  "CSR/CSRAttributes.swift"
-  "CSR/CSRVersion.swift"
-  "CSR/CertificateSigningRequest.swift"
-  "CSR/CertificationRequestInfo.swift"
-  "CSR/ExtensionRequest.swift"
-  "Certificate.swift"
-  "CertificatePrivateKey.swift"
-  "CertificatePublicKey.swift"
-  "CertificateSerialNumber.swift"
-  "CertificateVersion.swift"
-  "CryptographicMessageSyntax/CMSAttribute.swift"
-  "CryptographicMessageSyntax/CMSContentInfo.swift"
-  "CryptographicMessageSyntax/CMSEncapsulatedContentInfo.swift"
-  "CryptographicMessageSyntax/CMSIssuerAndSerialNumber.swift"
-  "CryptographicMessageSyntax/CMSOperations.swift"
-  "CryptographicMessageSyntax/CMSSignature.swift"
-  "CryptographicMessageSyntax/CMSSignedData.swift"
-  "CryptographicMessageSyntax/CMSSignerIdentifier.swift"
-  "CryptographicMessageSyntax/CMSSignerInfo.swift"
-  "CryptographicMessageSyntax/CMSVersion.swift"
-  "Digests.swift"
-  "DistinguishedName.swift"
-  "DistinguishedNameBuilder/CommonName.swift"
-  "DistinguishedNameBuilder/CountryName.swift"
-  "DistinguishedNameBuilder/DNBuilder.swift"
-  "DistinguishedNameBuilder/LocalityName.swift"
-  "DistinguishedNameBuilder/OrganizationName.swift"
-  "DistinguishedNameBuilder/OrganizationalUnitName.swift"
-  "DistinguishedNameBuilder/StateOrProvinceName.swift"
-  "DistinguishedNameBuilder/StreetAddress.swift"
-  "Error.swift"
-  "Extension Types/AuthorityInformationAccess.swift"
-  "Extension Types/AuthorityKeyIdentifier.swift"
-  "Extension Types/BasicConstraints.swift"
-  "Extension Types/ExtendedKeyUsage.swift"
-  "Extension Types/ExtensionIdentifiers.swift"
-  "Extension Types/KeyUsage.swift"
-  "Extension Types/NameConstraints.swift"
-  "Extension Types/SubjectAlternativeName.swift"
-  "Extension Types/SubjectKeyIdentifier.swift"
-  "Extension.swift"
-  "Extensions.swift"
-  "ExtensionsBuilder.swift"
-  "GeneralName.swift"
-  "LockedValueBox.swift"
-  "OCSP/BasicOCSPResponse.swift"
-  "OCSP/DirectoryString.swift"
-  "OCSP/OCSPCertID.swift"
-  "OCSP/OCSPCertStatus.swift"
-  "OCSP/OCSPExtensionID.swift"
-  "OCSP/OCSPNonce.swift"
-  "OCSP/OCSPPolicy.swift"
-  "OCSP/OCSPRequest.swift"
-  "OCSP/OCSPResponse.swift"
-  "OCSP/OCSPResponseBytes.swift"
-  "OCSP/OCSPResponseData.swift"
-  "OCSP/OCSPResponseStatus.swift"
-  "OCSP/OCSPSignature.swift"
-  "OCSP/OCSPSingleRequest.swift"
-  "OCSP/OCSPSingleResponse.swift"
-  "OCSP/OCSPTBSRequest.swift"
-  "OCSP/OCSPVersion.swift"
-  "PKCS8PrivateKey.swift"
-  "PromiseAndFuture.swift"
-  "RDNAttribute.swift"
-  "RandomNumberGenerator+bytes.swift"
-  "RelativeDistinguishedName.swift"
-  "SEC1PrivateKey.swift"
-  "Signature.swift"
-  "SignatureAlgorithm.swift"
-  "Verifier/AllOfPolicies.swift"
-  "Verifier/AnyPolicy.swift"
-  "Verifier/CertificateStore.swift"
-  "Verifier/OneOfPolicies.swift"
-  "Verifier/PolicyBuilder.swift"
-  "Verifier/RFC5280/BasicConstraintsPolicy.swift"
-  "Verifier/RFC5280/DNSNames.swift"
-  "Verifier/RFC5280/DirectoryNames.swift"
-  "Verifier/RFC5280/ExpiryPolicy.swift"
-  "Verifier/RFC5280/IPConstraints.swift"
-  "Verifier/RFC5280/NameConstraintsPolicy.swift"
-  "Verifier/RFC5280/RFC5280Policy.swift"
-  "Verifier/RFC5280/URIConstraints.swift"
-  "Verifier/RFC5280/VersionPolicy.swift"
-  "Verifier/ServerIdentityPolicy.swift"
-  "Verifier/TrustRootLoading.swift"
-  "Verifier/UnverifiedChain.swift"
-  "Verifier/VerificationDiagnostic.swift"
-  "Verifier/Verifier.swift"
-  "Verifier/VerifierPolicy.swift"
-  "X509BaseTypes/AlgorithmIdentifier.swift"
-  "X509BaseTypes/ECDSASignature.swift"
-  "X509BaseTypes/RSAPKCS1PublicKey.swift"
-  "X509BaseTypes/SubjectPublicKeyInfo.swift"
-  "X509BaseTypes/TBSCertificate.swift"
-  "X509BaseTypes/Time.swift"
-  "X509BaseTypes/TimeCalculations.swift"
-  "X509BaseTypes/Validity.swift")
+)
 
 target_link_libraries(X509 PUBLIC
   $<$<NOT:$<PLATFORM_ID:Darwin>>:dispatch>

Sources/X509/CertificatePrivateKey.swift

@@ -21,7 +21,7 @@ extension Certificate {
     /// A private key that can be used with a certificate.
     ///
     /// This type provides an opaque wrapper around the various private key types
-    /// provided by `swift-crypto`. Users are expected to construct this key from
+    /// provided by `swift-crypto` and `Security`. Users are expected to construct this key from
     /// one of those types.
     ///
     /// As private keys are never sent over the wire, this type does not offer
@@ -70,6 +70,13 @@ extension Certificate {
         public init(_ secureEnclaveP256: SecureEnclave.P256.Signing.PrivateKey) {
             self.backing = .secureEnclaveP256(secureEnclaveP256)
         }
+
+        /// Construct a private key wrapping a SecKey private key.
+        /// - Parameter secKey: The SecKey private key to wrap.
+        @inlinable
+        public init(_ secKey: SecKey) throws {
+            self.backing = .secKey(try SecKeyWrapper(key: secKey))
+        }
         #endif
 
         @inlinable
@@ -93,6 +100,8 @@ extension Certificate {
             #if canImport(Darwin)
             case .secureEnclaveP256(let secureEnclaveP256):
                 return try secureEnclaveP256.signature(for: bytes, digestAlgorithm: digestAlgorithm)
+            case .secKey(let secKeyWrapper):
+                return try secKeyWrapper.signature(for: bytes, digestAlgorithm: digestAlgorithm)
             #endif
             }
         }
@@ -113,6 +122,8 @@ extension Certificate {
             #if canImport(Darwin)
             case .secureEnclaveP256(let secureEnclaveP256):
                 return PublicKey(secureEnclaveP256.publicKey)
+            case .secKey(let secKeyWrapper):
+                return secKeyWrapper.publicKey
             #endif
             }
         }
@@ -139,6 +150,21 @@ extension Certificate {
                         reason: "Cannot use \(algorithm) with ECDSA key \(self)"
                     )
                 }
+            case .secKey(let key):
+                switch key.type {
+                case .ECDSA:
+                    if !algorithm.isECDSA {
+                        throw CertificateError.unsupportedSignatureAlgorithm(
+                            reason: "Cannot use \(algorithm) with ECDSA key \(self)"
+                        )
+                    }
+                case .RSA:
+                    if !algorithm.isRSA {
+                        throw CertificateError.unsupportedSignatureAlgorithm(
+                            reason: "Cannot use \(algorithm) with RSA key \(self)"
+                        )
+                    }
+                }
             #endif
             }
 
@@ -164,6 +190,8 @@ extension Certificate.PrivateKey: CustomStringConvertible {
         #if canImport(Darwin)
         case .secureEnclaveP256:
             return "SecureEnclave.P256.PrivateKey"
+        case .secKey:
+            return "SecKey"
         #endif
         }
     }
@@ -178,6 +206,7 @@ extension Certificate.PrivateKey {
         case rsa(_CryptoExtras._RSA.Signing.PrivateKey)
         #if canImport(Darwin)
         case secureEnclaveP256(SecureEnclave.P256.Signing.PrivateKey)
+        case secKey(SecKeyWrapper)
         #endif
 
         @inlinable
@@ -194,6 +223,8 @@ extension Certificate.PrivateKey {
             #if canImport(Darwin)
             case (.secureEnclaveP256(let l), .secureEnclaveP256(let r)):
                 return l.dataRepresentation == r.dataRepresentation
+            case (.secKey(let l), .secKey(let r)):
+                return l.publicKey.backing == r.publicKey.backing
             #endif
             default:
                 return false
@@ -219,6 +250,10 @@ extension Certificate.PrivateKey {
             case .secureEnclaveP256(let digest):
                 hasher.combine(4)
                 hasher.combine(digest.dataRepresentation)
+            case .secKey(let secKeyWrapper):
+                hasher.combine(5)
+                hasher.combine(secKeyWrapper.privateKey.hashValue)
+                hasher.combine(secKeyWrapper.publicKey.hashValue)
             #endif
             }
         }
@@ -305,6 +340,7 @@ extension Certificate.PrivateKey {
             throw CertificateError.unsupportedPrivateKey(
                 reason: "secure enclave private keys can not be serialised as PEM"
             )
+        case .secKey(let key): return try key.pemDocument()
         #endif
         }
     }