Address feedback from review

aryan-25 · aryan-25 · commit 0b9b20331dbe · 2025-12-15T12:37:14.000Z
diff --git a/Sources/HTTPServer/NIOHTTPServer+ConnectionContext.swift b/Sources/HTTPServer/NIOHTTPServer+ConnectionContext.swift
@@ -0,0 +1,29 @@
+import NIOCore
+import NIOSSL
+public import X509
+
+@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+extension NIOHTTPServer {
+    /// Connection-specific information available during request handling.
+    ///
+    /// Provides access to data such as the peer's validated certificate chain.
+    public struct ConnectionContext: Sendable {
+        var peerCertificateChainFuture: EventLoopFuture<NIOSSL.ValidatedCertificateChain?>?
+
+        init(_ peerCertificateChainFuture: EventLoopFuture<NIOSSL.ValidatedCertificateChain?>? = nil) {
+            self.peerCertificateChainFuture = peerCertificateChainFuture
+        }
+
+        /// The peer's validated certificate chain. This returns `nil` if a custom verification callback was not set
+        /// when configuring mTLS in the server configuration, or if the custom verification callback did not return the
+        /// derived validated chain.
+        public var peerCertificateChain: X509.ValidatedCertificateChain? {
+            get async throws {
+                if let certs = try await self.peerCertificateChainFuture?.get() {
+                    return .init(uncheckedCertificateChain: try certs.map { try Certificate($0) })
+                }
+                return nil
+            }
+        }
+    }
+}
diff --git a/Sources/HTTPServer/NIOHTTPServer.swift b/Sources/HTTPServer/NIOHTTPServer.swift
@@ -25,7 +25,7 @@ import NIOPosix
 import NIOSSL
 import SwiftASN1
 import Synchronization
-public import X509
+import X509
 
 /// A generic HTTP server that can handle incoming HTTP requests.
 ///
@@ -87,32 +87,9 @@ public struct NIOHTTPServer: HTTPServerProtocol {
 
     /// Task-local storage for connection-specific information accessible from request handlers.
     ///
-    /// Use this to access data such as the peer's validated certificate chain.
+    /// - SeeAlso: ``ConnectionContext``.
     @TaskLocal public static var connectionContext = ConnectionContext()
 
-    /// Connection-specific information available during request handling.
-    ///
-    /// Provides access to data such as the peer's validated certificate chain.
-    public struct ConnectionContext: Sendable {
-        var peerCertificateChainFuture: EventLoopFuture<NIOSSL.ValidatedCertificateChain?>?
-
-        init(_ peerCertificateChainFuture: EventLoopFuture<NIOSSL.ValidatedCertificateChain?>? = nil) {
-            self.peerCertificateChainFuture = peerCertificateChainFuture
-        }
-
-        /// The peer's validated certificate chain. This returns `nil` if a custom verification callback was not set
-        /// when configuring mTLS in the server configuration, or if the custom verification callback did not return the
-        /// derived validated chain.
-        public var peerCertificateChain: X509.ValidatedCertificateChain? {
-            get async throws {
-                if let certs = try await self.peerCertificateChainFuture?.get() {
-                    return .init(uncheckedCertificateChain: try certs.map { try Certificate($0) })
-                }
-                return nil
-            }
-        }
-    }
-
     /// Create a new ``HTTPServer`` implemented over `SwiftNIO`.
     /// - Parameters:
     ///   - logger: A logger instance for recording server events and debugging information.
@@ -387,8 +364,8 @@ public struct NIOHTTPServer: HTTPServerProtocol {
                                     case .http2((let http2Connection, let http2Multiplexer)):
                                         do {
                                             let chainFuture = http2Connection.nioSSL_peerValidatedCertificateChain()
-                                            for try await http2StreamChannel in http2Multiplexer.inbound {
-                                                Self.$connectionContext.withValue(ConnectionContext(chainFuture)) {
+                                            try await Self.$connectionContext.withValue(ConnectionContext(chainFuture)) {
+                                                for try await http2StreamChannel in http2Multiplexer.inbound {
                                                     connectionGroup.addTask {
                                                         try await self.handleRequestChannel(
                                                             channel: http2StreamChannel,
@@ -520,7 +497,9 @@ extension NIOHTTPServer {
                             return .certificateVerified(.init(.init(nioSSLCerts)))
 
                         case .failed(let error):
-                            self.logger.error("Custom certificate verification failed: \(error)")
+                            self.logger.error("Custom certificate verification failed", metadata: [
+                                "failure-reason": .string(error.reason)
+                            ])
                             return .failed
                         }
                     }
diff --git a/Sources/HTTPServer/NIOHTTPServerConfiguration.swift b/Sources/HTTPServer/NIOHTTPServerConfiguration.swift
@@ -153,9 +153,15 @@ public struct NIOHTTPServerConfiguration: Sendable {
         ///   - certificateVerification: Configures the client certificate validation behaviour. Defaults to
         ///     ``CertificateVerification/noHostnameVerification``.
         ///   - customCertificateVerificationCallback: If specified, this callback *overrides* the default NIOSSL client
-        ///     certificate verification logic. Refer to the documentation for this argument in
-        ///     ``mTLS(certificateChain:privateKey:trustRoots:certificateVerification:customCertificateVerificationCallback:)``
-        ///     for more details.
+        ///     certificate verification logic. The callback receives the certificates presented by the peer. Within the
+        ///     callback, you must validate these certificates against your trust roots and derive a validated chain of
+        ///     trust per [RFC 4158](https://datatracker.ietf.org/doc/html/rfc4158). Return
+        ///     ``CertificateVerificationResult/certificateVerified(_:)`` from the callback if verification succeeds,
+        ///     optionally including the validated certificate chain you derived. Returning the validated certificate
+        ///     chain allows ``NIOHTTPServer`` to provide access to it in the request handler through
+        ///     ``NIOHTTPServer/ConnectionContext/peerCertificateChain``, accessed via the task-local
+        ///     ``NIOHTTPServer/connectionContext`` property. Otherwise, return
+        ///     ``CertificateVerificationResult/failed(_:)`` if verification fails.
         ///
         /// - Warning: If `customCertificateVerificationCallback` is set, it will **override** NIOSSL's default
         ///   certificate verification logic.
diff --git a/Sources/HTTPServer/NIOSSL+X509.swift b/Sources/HTTPServer/NIOSSL+X509.swift
@@ -19,7 +19,7 @@ import X509
 
 // MARK: X509 to NIOSSL
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)
 extension NIOSSLCertificate {
     convenience init(_ certificate: Certificate) throws {
         var serializer = DER.Serializer()
@@ -28,28 +28,28 @@ extension NIOSSLCertificate {
     }
 }
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 11.0, iOS 14, tvOS 14, watchOS 7, macCatalyst 14, visionOS 1.0, *)
 extension NIOSSLPrivateKey {
     convenience init(_ privateKey: Certificate.PrivateKey) throws {
         try self.init(bytes: try privateKey.serializeAsPEM().derBytes, format: .der)
     }
 }
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)
 extension NIOSSLCertificateSource {
     init(_ certificate: Certificate) throws {
         self = .certificate(try NIOSSLCertificate(certificate))
     }
 }
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 11.0, iOS 14, tvOS 14, watchOS 7, macCatalyst 14, visionOS 1.0, *)
 extension NIOSSLPrivateKeySource {
     init(_ privateKey: Certificate.PrivateKey) throws {
         self = .privateKey(try NIOSSLPrivateKey(privateKey))
     }
 }
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)
 extension NIOSSLTrustRoots {
     init(treatingNilAsSystemTrustRoots certificates: [Certificate]?) throws {
         if let certificates {
@@ -62,7 +62,7 @@ extension NIOSSLTrustRoots {
 
 // MARK: NIOSSL to X509
 
-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)
+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)
 extension Certificate {
     init(_ certificate: NIOSSLCertificate) throws {
         try self.init(derEncoded: certificate.toDERBytes())

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@ import X509`
`19`	`19`
`20`	`20`	`// MARK: X509 to NIOSSL`
`21`	`21`
`22`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`22`	`+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)`
`23`	`23`	`extension NIOSSLCertificate {`
`24`	`24`	`convenience init(_ certificate: Certificate) throws {`
`25`	`25`	`var serializer = DER.Serializer()`
`@@ -28,28 +28,28 @@ extension NIOSSLCertificate {`
`28`	`28`	`}`
`29`	`29`	`}`
`30`	`30`
`31`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`31`	`+@available(macOS 11.0, iOS 14, tvOS 14, watchOS 7, macCatalyst 14, visionOS 1.0, *)`
`32`	`32`	`extension NIOSSLPrivateKey {`
`33`	`33`	`convenience init(_ privateKey: Certificate.PrivateKey) throws {`
`34`	`34`	`try self.init(bytes: try privateKey.serializeAsPEM().derBytes, format: .der)`
`35`	`35`	`}`
`36`	`36`	`}`
`37`	`37`
`38`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`38`	`+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)`
`39`	`39`	`extension NIOSSLCertificateSource {`
`40`	`40`	`init(_ certificate: Certificate) throws {`
`41`	`41`	`self = .certificate(try NIOSSLCertificate(certificate))`
`42`	`42`	`}`
`43`	`43`	`}`
`44`	`44`
`45`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`45`	`+@available(macOS 11.0, iOS 14, tvOS 14, watchOS 7, macCatalyst 14, visionOS 1.0, *)`
`46`	`46`	`extension NIOSSLPrivateKeySource {`
`47`	`47`	`init(_ privateKey: Certificate.PrivateKey) throws {`
`48`	`48`	`self = .privateKey(try NIOSSLPrivateKey(privateKey))`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`
`52`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`52`	`+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)`
`53`	`53`	`extension NIOSSLTrustRoots {`
`54`	`54`	`init(treatingNilAsSystemTrustRoots certificates: [Certificate]?) throws {`
`55`	`55`	`if let certificates {`
`@@ -62,7 +62,7 @@ extension NIOSSLTrustRoots {`
`62`	`62`
`63`	`63`	`// MARK: NIOSSL to X509`
`64`	`64`
`65`		`-@available(macOS 26.0, iOS 26.0, watchOS 26.0, tvOS 26.0, visionOS 26.0, *)`
	`65`	`+@available(macOS 10.15, iOS 13, watchOS 6, tvOS 13, visionOS 1.0, *)`
`66`	`66`	`extension Certificate {`
`67`	`67`	`init(_ certificate: NIOSSLCertificate) throws {`
`68`	`68`	`try self.init(derEncoded: certificate.toDERBytes())`