Support loading trust root CAs on Linux #136
Conversation
|
5.9 (nightly) and main nightly crashes because of this compiler bug: swiftlang/swift#68708 |
| } | ||
|
|
||
| @usableFromInline | ||
| var _certificates: _TinyArray<Element> |
There was a problem hiding this comment.
Is there ever more than two elements here? If not, can we use an enum instead of a TinyArray?
There was a problem hiding this comment.
I thought of allowing to combing certificate stores which would in theory allow up to 3 elements i.e. [.customCertificates(...), .trustRoots, .customCertificates(...)]. The current public API doesn't allow that though and I don't have a concrete use case in mind for that. Do you think something like that is useful or not? If not, we can go with a tuple. I think it makes the implementation a bit more complicated as we can't iterate over tuples but hopefully it will not be too bad.
There was a problem hiding this comment.
I think sticking with the tuple is better.
There was a problem hiding this comment.
I have now implemented _TinyArray2 which store up to two elements inline.
this package seems to be experiencing a second, seemingly different compiler crash as well: swiftlang/swift#68767 , which affects documentation generation. |
# Conflicts: # Benchmarks/Package.swift # Package.swift
|
@tayloraswift thanks for reporting! The crash you have discovered is even on 5.9-release, mine is only on 5.9 nightly. I have worked around this issue for now. Not sure if we can workaround the other crash. |
|
API break is a false positive: We have changed the signature but only from: public init<Certificates: Sequence>(_ certificates: Certificates) where Certificates.Element == Certificateto public init(_ certificates: some Sequence<Certificate>)which is the same thing, just with a different spelling. Bug reported: swiftlang/swift#68797 |
Sources/X509/PromiseAndFuture.swift
Outdated
| } | ||
|
|
||
| deinit { | ||
| switch self.state.unsafeUnlockedValue { |
There was a problem hiding this comment.
I don't think this optimization is appropriate: we can just take the lock, it'll be uncontended.
| @usableFromInline | ||
| var _certificates: [DistinguishedName: [Certificate]] | ||
| var additionTrustRoots: [DistinguishedName: [Certificate]] |
| var systemTrustRoots: [DistinguishedName: [Certificate]] | ||
|
|
||
| @usableFromInline | ||
| var additionTrustRoots: [DistinguishedName: [Certificate]] |
| }() | ||
|
|
||
| static let cachedSystemTrustRootsFuture: Future<[DistinguishedName: [Certificate]], any Error> = | ||
| DispatchQueue.global( |
There was a problem hiding this comment.
Prefer to create a serial dispatch queue for this than directly dispatching to a global queue.
|
Merging over API breakage checker, which is wrong here. |
Motivation
We want to eventually replace the BoringSSL X.509 layer in
swift-nio-sslwithswift-certificates. One missing feature inswift-certificatesis the loading of trusted root CAs from the system.Changes
CertificateStore.systemTrustRootsthat lazily loads the trusted root certificates from disk.CertificateStore.insert(_:)and friends to add additional trusted root CAs to theCertificateStore.systemTrustRootsCertificateStoreLockedValueBox,PromiseandFutureto the internal API to support lazy loading of the trust rootsResult
swift-certificatescan efficiently load the installed trusted root CAs on Linux.