Merge pull request #86 from dimitribouniol/dimitri/sendable

alexanderjordanbaker · web-flow · commit 7486785e2979 · 2025-10-31T16:05:06.000-07:00
Missing Hashable and Sendable Conformances
diff --git a/Sources/AppStoreServerLibrary/AppStoreServerAPIClient.swift b/Sources/AppStoreServerLibrary/AppStoreServerAPIClient.swift
@@ -9,7 +9,7 @@ import NIOFoundationCompat
 
 public class AppStoreServerAPIClient {
 
-    public enum ConfigurationError: Error {
+    public enum ConfigurationError: Error, Hashable, Sendable {
         /// Xcode is not a supported environment for an AppStoreServerAPIClient
         case invalidEnvironment
     }
@@ -476,12 +476,12 @@ public class AppStoreServerAPIClient {
     private struct APIFetchError: Error {}
 }
 
-public enum APIResult<T> {
+public enum APIResult<T: Sendable>: Sendable {
     case success(response: T)
     case failure(statusCode: Int?, rawApiError: Int64?, apiError: APIError?, errorMessage: String?, causedBy: Error?)
 }
 
-public enum APIError: Int64 {
+public enum APIError: Int64, Hashable, Sendable {
     ///An error that indicates an invalid request.
     ///
     ///[GeneralBadRequestError](https://developer.apple.com/documentation/appstoreserverapi/generalbadrequesterror)
@@ -859,7 +859,7 @@ public enum APIError: Int64 {
     case generalInternalRetryable = 5000001
 }
 
-public enum GetTransactionHistoryVersion: String {
+public enum GetTransactionHistoryVersion: String, Hashable, Sendable {
     @available(*, deprecated)
     case v1 = "v1"
     case v2 = "v2"
diff --git a/Sources/AppStoreServerLibrary/ChainVerifier.swift b/Sources/AppStoreServerLibrary/ChainVerifier.swift
@@ -8,8 +8,7 @@ import Crypto
 import AsyncHTTPClient
 import NIOFoundationCompat
 
-class ChainVerifier {
-    
+actor ChainVerifier {
     private static let EXPECTED_CHAIN_LENGTH = 3
     private static let EXPECTED_JWT_SEGMENTS = 3
     private static let EXPECTED_ALGORITHM = "ES256"
@@ -28,7 +27,7 @@ class ChainVerifier {
         self.verifiedPublicKeyCache = [:]
     }
     
-    func verify<T: DecodedSignedData>(signedData: String, type: T.Type, onlineVerification: Bool, environment: AppStoreEnvironment) async -> VerificationResult<T> where T: Decodable {
+    func verify<T: DecodedSignedData>(signedData: String, type: T.Type, onlineVerification: Bool, environment: AppStoreEnvironment, currentTime: Date = .now) async -> VerificationResult<T> where T: Decodable & Sendable {
         let header: JWTHeader
         let decodedBody: T
         do {
@@ -67,9 +66,9 @@ class ChainVerifier {
         do {
             let leafCertificate = try Certificate(derEncoded: Array(leaf_der_enocded))
             let intermediateCertificate = try Certificate(derEncoded: Array(intermeidate_der_encoded))
-            let validationTime = !onlineVerification && decodedBody.signedDateOptional != nil ? decodedBody.signedDateOptional! : getDate()
+            let validationTime = !onlineVerification && decodedBody.signedDateOptional != nil ? decodedBody.signedDateOptional! : currentTime
             
-            let verificationResult = await verifyChain(leaf: leafCertificate, intermediate: intermediateCertificate, online: onlineVerification, validationTime: validationTime)
+            let verificationResult = await verifyChain(leaf: leafCertificate, intermediate: intermediateCertificate, online: onlineVerification, validationTime: validationTime, currentTime: currentTime)
             switch verificationResult {
             case .validCertificate(let chain):
                 let leafCertificate = chain.first!
@@ -90,22 +89,22 @@ class ChainVerifier {
         }
     }
     
-    func verifyChain(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {
+    func verifyChain(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date, currentTime: Date = .now) async -> X509.VerificationResult {
         if online {
             if let cachedResult = verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] {
-                if cachedResult.expirationTime > getDate() {
+                if cachedResult.expirationTime > currentTime {
                     return cachedResult.publicKey
                 }
             }
         }
-        let verificationResult = await verifyChainWithoutCaching(leaf: leaf, intermediate: intermediate, online: online, validationTime: validationTime)
+        let verificationResult = await verifyChainWithoutCaching(leaf: leaf, intermediate: intermediate, online: online, validationTime: validationTime, currentTime: currentTime)
         
         if online {
             if case .validCertificate = verificationResult {
-                verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] = CacheValue(expirationTime: getDate().addingTimeInterval(TimeInterval(integerLiteral: ChainVerifier.CACHE_TIME_LIMIT)), publicKey: verificationResult)
+                verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] = CacheValue(expirationTime: currentTime.addingTimeInterval(TimeInterval(integerLiteral: ChainVerifier.CACHE_TIME_LIMIT)), publicKey: verificationResult)
                 if verifiedPublicKeyCache.count > ChainVerifier.MAXIMUM_CACHE_SIZE {
                     for kv in verifiedPublicKeyCache {
-                        if kv.value.expirationTime < getDate() {
+                        if kv.value.expirationTime < currentTime {
                             verifiedPublicKeyCache.removeValue(forKey: kv.key)
                         }
                     }
@@ -116,21 +115,17 @@ class ChainVerifier {
         return verificationResult
     }
     
-    func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {
+    nonisolated func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date, currentTime: Date = .now) async -> X509.VerificationResult {
         var verifier = Verifier(rootCertificates: self.store) {
             RFC5280Policy(validationTime: validationTime)
             AppStoreOIDPolicy()
             if online {
-                OCSPVerifierPolicy(failureMode: .hard, requester: requester, validationTime: getDate())
+                OCSPVerifierPolicy(failureMode: .hard, requester: requester, validationTime: currentTime)
             }
         }
         let intermediateStore = CertificateStore([intermediate])
         return await verifier.validate(leafCertificate: leaf, intermediates: intermediateStore)
     }
-    
-    func getDate() -> Date {
-        return Date()
-    }
 }
 
 struct CacheKey: Hashable {
@@ -217,7 +212,7 @@ final class Requester: OCSPRequester {
     private struct OCSPFetchError: Error {}
 }
 
-public enum VerificationResult<T> {
+public enum VerificationResult<T: Hashable & Sendable>: Hashable, Sendable {
     case valid(T)
     case invalid(VerificationError)
 }
diff --git a/Sources/AppStoreServerLibrary/SignedDataVerifier.swift b/Sources/AppStoreServerLibrary/SignedDataVerifier.swift
@@ -3,9 +3,9 @@
 import Foundation
 
 ///A verifier and decoder class designed to decode signed data from the App Store.
-public struct SignedDataVerifier {
+public struct SignedDataVerifier: Sendable {
 
-    public enum ConfigurationError: Error {
+    public enum ConfigurationError: Error, Hashable, Sendable {
         case INVALID_APP_APPLE_ID
     }
 
@@ -168,7 +168,7 @@ public struct SignedDataVerifier {
         return realtimeRequestResult
     }
 
-    private func decodeSignedData<T: DecodedSignedData>(signedData: String, type: T.Type) async -> VerificationResult<T> where T : Decodable {
+    private func decodeSignedData<T: DecodedSignedData>(signedData: String, type: T.Type) async -> VerificationResult<T> where T : Decodable & Sendable {
         return await chainVerifier.verify(signedData: signedData, type: type, onlineVerification: self.enableOnlineChecks, environment: self.environment)
     }
 }
diff --git a/Tests/AppStoreServerLibraryTests/SignedDataVerifierTests.swift b/Tests/AppStoreServerLibraryTests/SignedDataVerifierTests.swift
@@ -87,7 +87,7 @@ final class SignedDataVerifierTests: XCTestCase {
     }
     
     func testOcspResponseCaching() async throws {
-        let verifier: DateOverrideChainVerifier = DateOverrideChainVerifier(expectedCalls: 1, currentDate: CLOCK_DATE, base64EncodedRootCertificate: ROOT_CA_BASE64_ENCODED)!
+        var verifier: DateOverrideChainVerifier = DateOverrideChainVerifier(expectedCalls: 1, currentDate: CLOCK_DATE, base64EncodedRootCertificate: ROOT_CA_BASE64_ENCODED)!
         let leaf = try! Certificate(derEncoded: Array(Data(base64Encoded: LEAF_CERT_BASE64_ENCODED)!))
         let intermediate = try! Certificate(derEncoded: Array(Data(base64Encoded: INTERMEDIATE_CA_BASE64_ENCODED)!))
         let _ = await verifier.verifyChain(leaf: leaf, intermediate: intermediate, online: true, validationTime: EFFECTIVE_DATE)
@@ -96,7 +96,7 @@ final class SignedDataVerifierTests: XCTestCase {
     }
     
     func testOcspResponseCachingHasExpiration() async throws {
-        let verifier: DateOverrideChainVerifier = DateOverrideChainVerifier(expectedCalls: 2, currentDate: CLOCK_DATE, base64EncodedRootCertificate: ROOT_CA_BASE64_ENCODED)!
+        var verifier: DateOverrideChainVerifier = DateOverrideChainVerifier(expectedCalls: 2, currentDate: CLOCK_DATE, base64EncodedRootCertificate: ROOT_CA_BASE64_ENCODED)!
         let leaf = try! Certificate(derEncoded: Array(Data(base64Encoded: LEAF_CERT_BASE64_ENCODED)!))
         let intermediate = try! Certificate(derEncoded: Array(Data(base64Encoded: INTERMEDIATE_CA_BASE64_ENCODED)!))
         let _ = await verifier.verifyChain(leaf: leaf, intermediate: intermediate, online: true, validationTime: EFFECTIVE_DATE)
@@ -125,7 +125,7 @@ final class SignedDataVerifierTests: XCTestCase {
     
     // The following test will communicate with Apple's OCSP servers, disable this test for offline testing
     func testAppleChainIsValidWithOCSP() async throws {
-        let verifier: ChainVerifier = getChainVerifier(base64EncodedRootCertificate: REAL_APPLE_ROOT_BASE64_ENCODED)
+        var verifier: ChainVerifier = getChainVerifier(base64EncodedRootCertificate: REAL_APPLE_ROOT_BASE64_ENCODED)
         let leaf = try! Certificate(derEncoded: Array(Data(base64Encoded: REAL_APPLE_SIGNING_CERTIFICATE_BASE64_ENCODED)!))
         let intermediate = try! Certificate(derEncoded: Array(Data(base64Encoded: REAL_APPLE_INTERMEDIATE_BASE64_ENCODED)!))
         let root = try! Certificate(derEncoded: Array(Data(base64Encoded: REAL_APPLE_ROOT_BASE64_ENCODED)!))
@@ -255,7 +255,8 @@ final class SignedDataVerifierTests: XCTestCase {
         return try! ChainVerifier(rootCertificates: [Data(base64Encoded: base64EncodedRootCertificate)!])
     }
     
-    class DateOverrideChainVerifier: ChainVerifier {
+    struct DateOverrideChainVerifier {
+        let chainVerifier: ChainVerifier
         var currentDate: Int64
         var expectation : XCTestExpectation
         
@@ -264,19 +265,30 @@ final class SignedDataVerifierTests: XCTestCase {
             self.expectation = XCTestExpectation()
             self.expectation.assertForOverFulfill = true
             self.expectation.expectedFulfillmentCount = expectedCalls
-            try? super.init(rootCertificates: [Data(base64Encoded: base64EncodedRootCertificate)!])
+            guard let chainVerifier = try? ChainVerifier(rootCertificates: [Data(base64Encoded: base64EncodedRootCertificate)!])
+            else { return nil }
+            
+            self.chainVerifier = chainVerifier
         }
         
-        func setDate(newDate: Int64) {
+        mutating func setDate(newDate: Int64) {
             self.currentDate = newDate
         }
         
-        override func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {
+        func verify<T: DecodedSignedData>(signedData: String, type: T.Type, onlineVerification: Bool, environment: AppStoreEnvironment) async -> AppStoreServerLibrary.VerificationResult<T> where T: Decodable & Sendable {
+            await chainVerifier.verify(signedData: signedData, type: type, onlineVerification: onlineVerification, environment: environment, currentTime: getDate())
+        }
+        
+        func verifyChain(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {
+            await chainVerifier.verifyChain(leaf: leaf, intermediate: intermediate, online: online, validationTime: validationTime, currentTime: getDate())
+        }
+        
+        func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {
             expectation.fulfill()
             return .validCertificate([])
         }
         
-        override func getDate() -> Date {
+        func getDate() -> Date {
             return Date(timeIntervalSince1970: TimeInterval(currentDate))
         }
     }

Original file line number	Diff line number	Diff line change
`@@ -8,8 +8,7 @@ import Crypto`
`8`	`8`	`import AsyncHTTPClient`
`9`	`9`	`import NIOFoundationCompat`
`10`	`10`
`11`		`-class ChainVerifier {`
`12`		`-`
	`11`	`+actor ChainVerifier {`
`13`	`12`	`private static let EXPECTED_CHAIN_LENGTH = 3`
`14`	`13`	`private static let EXPECTED_JWT_SEGMENTS = 3`
`15`	`14`	`private static let EXPECTED_ALGORITHM = "ES256"`
`@@ -28,7 +27,7 @@ class ChainVerifier {`
`28`	`27`	`self.verifiedPublicKeyCache = [:]`
`29`	`28`	`}`
`30`	`29`
`31`		`- func verify<T: DecodedSignedData>(signedData: String, type: T.Type, onlineVerification: Bool, environment: AppStoreEnvironment) async -> VerificationResult<T> where T: Decodable {`
	`30`	`+ func verify<T: DecodedSignedData>(signedData: String, type: T.Type, onlineVerification: Bool, environment: AppStoreEnvironment, currentTime: Date = .now) async -> VerificationResult<T> where T: Decodable & Sendable {`
`32`	`31`	`let header: JWTHeader`
`33`	`32`	`let decodedBody: T`
`34`	`33`	`do {`
`@@ -67,9 +66,9 @@ class ChainVerifier {`
`67`	`66`	`do {`
`68`	`67`	`let leafCertificate = try Certificate(derEncoded: Array(leaf_der_enocded))`
`69`	`68`	`let intermediateCertificate = try Certificate(derEncoded: Array(intermeidate_der_encoded))`
`70`		`- let validationTime = !onlineVerification && decodedBody.signedDateOptional != nil ? decodedBody.signedDateOptional! : getDate()`
	`69`	`+ let validationTime = !onlineVerification && decodedBody.signedDateOptional != nil ? decodedBody.signedDateOptional! : currentTime`
`71`	`70`
`72`		`- let verificationResult = await verifyChain(leaf: leafCertificate, intermediate: intermediateCertificate, online: onlineVerification, validationTime: validationTime)`
	`71`	`+ let verificationResult = await verifyChain(leaf: leafCertificate, intermediate: intermediateCertificate, online: onlineVerification, validationTime: validationTime, currentTime: currentTime)`
`73`	`72`	`switch verificationResult {`
`74`	`73`	`case .validCertificate(let chain):`
`75`	`74`	`let leafCertificate = chain.first!`
`@@ -90,22 +89,22 @@ class ChainVerifier {`
`90`	`89`	`}`
`91`	`90`	`}`
`92`	`91`
`93`		`- func verifyChain(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {`
	`92`	`+ func verifyChain(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date, currentTime: Date = .now) async -> X509.VerificationResult {`
`94`	`93`	`if online {`
`95`	`94`	`if let cachedResult = verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] {`
`96`		`- if cachedResult.expirationTime > getDate() {`
	`95`	`+ if cachedResult.expirationTime > currentTime {`
`97`	`96`	`return cachedResult.publicKey`
`98`	`97`	`}`
`99`	`98`	`}`
`100`	`99`	`}`
`101`		`- let verificationResult = await verifyChainWithoutCaching(leaf: leaf, intermediate: intermediate, online: online, validationTime: validationTime)`
	`100`	`+ let verificationResult = await verifyChainWithoutCaching(leaf: leaf, intermediate: intermediate, online: online, validationTime: validationTime, currentTime: currentTime)`
`102`	`101`
`103`	`102`	`if online {`
`104`	`103`	`if case .validCertificate = verificationResult {`
`105`		`- verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] = CacheValue(expirationTime: getDate().addingTimeInterval(TimeInterval(integerLiteral: ChainVerifier.CACHE_TIME_LIMIT)), publicKey: verificationResult)`
	`104`	`+ verifiedPublicKeyCache[CacheKey(leaf: leaf, intermediate: intermediate)] = CacheValue(expirationTime: currentTime.addingTimeInterval(TimeInterval(integerLiteral: ChainVerifier.CACHE_TIME_LIMIT)), publicKey: verificationResult)`
`106`	`105`	`if verifiedPublicKeyCache.count > ChainVerifier.MAXIMUM_CACHE_SIZE {`
`107`	`106`	`for kv in verifiedPublicKeyCache {`
`108`		`- if kv.value.expirationTime < getDate() {`
	`107`	`+ if kv.value.expirationTime < currentTime {`
`109`	`108`	`verifiedPublicKeyCache.removeValue(forKey: kv.key)`
`110`	`109`	`}`
`111`	`110`	`}`
`@@ -116,21 +115,17 @@ class ChainVerifier {`
`116`	`115`	`return verificationResult`
`117`	`116`	`}`
`118`	`117`
`119`		`- func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date) async -> X509.VerificationResult {`
	`118`	`+ nonisolated func verifyChainWithoutCaching(leaf: Certificate, intermediate: Certificate, online: Bool, validationTime: Date, currentTime: Date = .now) async -> X509.VerificationResult {`
`120`	`119`	`var verifier = Verifier(rootCertificates: self.store) {`
`121`	`120`	`RFC5280Policy(validationTime: validationTime)`
`122`	`121`	`AppStoreOIDPolicy()`
`123`	`122`	`if online {`
`124`		`- OCSPVerifierPolicy(failureMode: .hard, requester: requester, validationTime: getDate())`
	`123`	`+ OCSPVerifierPolicy(failureMode: .hard, requester: requester, validationTime: currentTime)`
`125`	`124`	`}`
`126`	`125`	`}`
`127`	`126`	`let intermediateStore = CertificateStore([intermediate])`
`128`	`127`	`return await verifier.validate(leafCertificate: leaf, intermediates: intermediateStore)`
`129`	`128`	`}`
`130`		`-`
`131`		`- func getDate() -> Date {`
`132`		`- return Date()`
`133`		`- }`
`134`	`129`	`}`
`135`	`130`
`136`	`131`	`struct CacheKey: Hashable {`
`@@ -217,7 +212,7 @@ final class Requester: OCSPRequester {`
`217`	`212`	`private struct OCSPFetchError: Error {}`
`218`	`213`	`}`
`219`	`214`
`220`		`-public enum VerificationResult<T> {`
	`215`	`+public enum VerificationResult<T: Hashable & Sendable>: Hashable, Sendable {`
`221`	`216`	`case valid(T)`
`222`	`217`	`case invalid(VerificationError)`
`223`	`218`	`}`
Original file line number	Diff line number	Diff line change
`@@ -3,9 +3,9 @@`
`3`	`3`	`import Foundation`
`4`	`4`
`5`	`5`	`///A verifier and decoder class designed to decode signed data from the App Store.`
`6`		`-public struct SignedDataVerifier {`
	`6`	`+public struct SignedDataVerifier: Sendable {`
`7`	`7`
`8`		`- public enum ConfigurationError: Error {`
	`8`	`+ public enum ConfigurationError: Error, Hashable, Sendable {`
`9`	`9`	`case INVALID_APP_APPLE_ID`
`10`	`10`	`}`
`11`	`11`
`@@ -168,7 +168,7 @@ public struct SignedDataVerifier {`
`168`	`168`	`return realtimeRequestResult`
`169`	`169`	`}`
`170`	`170`
`171`		`- private func decodeSignedData<T: DecodedSignedData>(signedData: String, type: T.Type) async -> VerificationResult<T> where T : Decodable {`
	`171`	`+ private func decodeSignedData<T: DecodedSignedData>(signedData: String, type: T.Type) async -> VerificationResult<T> where T : Decodable & Sendable {`
`172`	`172`	`return await chainVerifier.verify(signedData: signedData, type: type, onlineVerification: self.enableOnlineChecks, environment: self.environment)`
`173`	`173`	`}`
`174`	`174`	`}`