Skip to content

Custom private key #282

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Juice805 wants to merge 35 commits into
base: main
Choose a base branch
from
Open

Custom private key #282

Juice805 wants to merge 35 commits into from
+330 −1

Conversation

@Juice805
Copy link

@Juice805 Juice805 commented Nov 10, 2025
edited
Loading

Motivation:

In some cases a developer may want to sign a certificate using a method other than a private key. For example: if a private key is protected by hardware which signs asynchronously.

Modifications:

  • Create CustomPrivateKey protocol
  • Create async initializers for Certificate and CertificateSigningRequest.
  • CustomPrivateKey can now back aCertificate.PrivateKey
  • Make Certificate.Signature initializer public

Result:

Developers can now sign a certificate with greater flexibility.

Alternatives Considered:

Implementations

Pass the CustomPrivateKey into Certificate and CertificateSigningRequest initializers directly.

There is concern this could add too much duplication of api.

Various names for the protocol:

  • Certificate.PrivateKeyProtocol and Certificate.AsyncPrivateKeyProtocol
  • Certificate.Signer/Certificate.AsyncSigner
  • Certificate.SignatureProvider/Certificate.AsyncSignatureProvider

@Juice805 Juice805 force-pushed the custom-private-key branch 2 times, most recently from aa451de to 8a254cd Compare November 10, 2025 22:48
@Lukasa Lukasa added the 🆕 semver/minor Adds new public API. label Dec 12, 2025
Lukasa
Lukasa reviewed Dec 12, 2025
View reviewed changes
@Juice805 Juice805 force-pushed the custom-private-key branch 2 times, most recently from 574eaa0 to 4d583ad Compare December 12, 2025 18:12
dnadoba
dnadoba reviewed Dec 12, 2025
View reviewed changes
Juice805 and others added 23 commits January 9, 2026 10:45
@Juice805
Certificate.Signer
e9fd552
@Juice805
AsyncSigner
087237d
@Juice805
use some instead of any
cb419d4
@Juice805
public signature init
37bcff8
@Juice805
Add CSR initializers
2046832
@Juice805
Signer → SignatureProvider
3f6ed1a
@Juice805
Certificate.SignatureProvider → Certificate.PrivateKeyProtocol
303905e
@Juice805
Fix CSR inits
627e7fe
@Juice805
formatting
9cba84e
@Juice805
rename file to match protocol name
1e0756e
@Juice805
adopt Hashable
f1b168a
@Juice805
Move protocols to root level
c3ffa5b 
Rename to CustomPrivateKey
@Juice805
Drop PrivateKey protocol conformance
fc4e57b
@Juice805
Rename file to match
3fcdccd
@Juice805
Merge CustomPrivateKey protocols
28173a2
@Juice805
CustomPrivateKey backs Certificate.PrivateKey
0d572cd
@Juice805
signSynchronously
e8cde04
@Juice805
require PEMSerializable adoption
cbd0a6f
@Juice805 @Lukasa
Update Sources/X509/CustomPrivateKey.swift
8d1d0f0 
Co-authored-by: Cory Benfield <[email protected]>
@Juice805
explicit self
091bca6
@Juice805
always import import SwiftASN1 for CustomPrivateKey
dea3799
@Juice805
differentiate async and sync intializers
775a327
@Juice805
Update docs to match new arg names
727ee62
Juice805 added 12 commits January 9, 2026 10:45
@Juice805
Make signAsynchronously default implementation
3fc9f07
@Juice805
Async method bytes must be sendable
621dd5b
@Juice805
an initializer would be a good idea
f411091
@Juice805
CustomPrivateKeyTests
0944c71
@Juice805
verify defaultSignatureAlgorithm is forwarded properly
30fe9a1
@Juice805
switch to swift-testing for new tests
b37f753
@Juice805
add supportedSignatureAlgorithms to CustomPrivateKey
1d90872
@Juice805
Add missing @Test macros
3014401 
Motivation:

The new tests should be run

Modifications:

The new tests are missing the `@Test` macros

Result:

The new tests will have the `@Test` macros
@Juice805
Remove @inlinable from protocol definition
cf9b762 
Motivation:

Code should be clean

Modifications:

Removed `@inlinable` from protocol definition

Result:

protocol will not have `@inlinable`
@Juice805
add @inlinable to default signAsynchronously implementation
af8cf8f 
Motivation:

Default implementation of signAsynchronously should be inlinable

Modifications:

adds `@inlinable` to default signAsynchronously implementation.

Result:

default signAsynchronously implementation will be `@inlinable`
@Juice805
Add note regarding signAsynchronously
1040143 
Motivation:

`signAsynchronously` should not it is not mandatory to implement

Modifications:

Updated documentation

Result:

`signAsynchronously` has better docs
@Juice805
Add Throws note regarding unsupported signing methods
9b3c192
@Juice805 Juice805 force-pushed the custom-private-key branch from 9966a0c to 9b3c192 Compare January 9, 2026 18:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Lukasa Lukasa Lukasa left review comments

@dnadoba dnadoba dnadoba left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

🆕 semver/minor Adds new public API.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Juice805 @Lukasa @dnadoba