[Issue #77] Remove md2, md4, and md5 for all Apple platforms

LowAmmo · LowAmmo · commit 8da0317bc230 · 2025-04-08T16:42:31.000-05:00
* Address the deprecation warning due to Apple considering them insecure

* Update platform versions (cocoapods / SPM):
  * MacOS - 11 / 11.5
  * iOS - 14 / 14.5
  * tvOS - 14 / 14.5
  * watchOS - 7 / 7.5
* Update Swift Version to 5.4

* Keep md4 &amp; md5 for Linux
* Add md5_insecure &amp; sha1_insecure to mimic the Apple APIs
diff --git a/BlueCryptor.podspec b/BlueCryptor.podspec
@@ -1,21 +1,21 @@
 Pod::Spec.new do |s|
 s.name        = "BlueCryptor"
-s.version     = "2.0.3"
+s.version     = "2.1.0"
 s.summary     = "Swift cross-platform crypto library using CommonCrypto/libcrypto via Package Manager."
 s.homepage    = "https://github.com/Kitura/BlueCryptor"
 s.license     = { :type => "Apache License, Version 2.0" }
 s.author     = "IBM & Kitura Project Authors"
 s.module_name  = 'Cryptor'
 
 s.requires_arc = true
-s.swift_version = '5.1'
-s.osx.deployment_target = "10.11"
-s.ios.deployment_target = "10.0"
-s.tvos.deployment_target = "10.0"
-s.watchos.deployment_target = "2.0"
+s.swift_version = '5.4'
+s.osx.deployment_target = "11.5"
+s.ios.deployment_target = "14.5"
+s.tvos.deployment_target = "14.5"
+s.watchos.deployment_target = "7.5"
 s.source   = { :git => "https://github.com/Kitura/BlueCryptor.git", :tag => s.version }
 s.source_files = "Sources/Cryptor/*.swift"
 s.pod_target_xcconfig =  {
-'SWIFT_VERSION' => '5.0',
+'SWIFT_VERSION' => '5.4',
 }
 end
diff --git a/Package.swift b/Package.swift
@@ -1,4 +1,4 @@
-// swift-tools-version:5.0
+// swift-tools-version:5.4
 // The swift-tools-version declares the minimum version of Swift required to build this package.
 
 //
@@ -33,10 +33,10 @@ var targetDependencies: [Target.Dependency] = []
 let package = Package(
     name: "Cryptor",
     platforms: [
-        .macOS(.v10_11),
-        .iOS(.v10),
-        .tvOS(.v10),
-        .watchOS(.v2),
+        .macOS(.v11),
+        .iOS(.v14),
+        .tvOS(.v14),
+        .watchOS(.v7),
     ],
     products: [
         // Products define the executables and libraries produced by a package, and make them visible to other packages.
@@ -53,5 +53,5 @@ let package = Package(
             name: "CryptorTests",
             dependencies: ["Cryptor"]),
     ],
-    swiftLanguageVersions: [.v5]
+    swiftLanguageVersions: [SwiftVersion.version("5.4")]
 )
diff --git a/README.md b/README.md
@@ -211,8 +211,10 @@ Also provided are an API to pad a byte array (`[UInt8]`) such that it is an inte
 
 ## Restrictions
 
-The following algorithm is not available on Linux since it is not supported by *OpenSSL*.
-- Digest: MD2
+The following algorithms are only available on Linux since Apple considers them cryptographically broken
+- Digest: MD4
+- Digest: MD5
+    - MD5 is available as an insecure algorithm
 
 In all cases, use of unsupported APIs or algorithms will result in a Swift `fatalError()`, terminating the program and should be treated as a programming error.
 
diff --git a/Sources/Cryptor/Crypto.swift b/Sources/Cryptor/Crypto.swift
@@ -30,27 +30,35 @@ public protocol CryptoDigest {
 /// Extension to the CryptoDigest to return the digest appropriate to the selected algorithm.
 ///
 extension CryptoDigest {
-	
-    /// An MD2 digest of this object
-    public var md2: Self {
-		return self.digest(using: .md2)
-	}
-	
-    /// An MD4 digest of this object
-    public var md4: Self {
-		return self.digest(using: .md4)
-	}
-	
-    /// An MD5 digest of this object
-    public var md5: Self {
-		return self.digest(using: .md5)
- 	}
-	
+    
+    // Only available on Linux as Apple platforms consider them cryptographically insecure
+    #if os(Linux)
+        /// An MD4 digest of this object
+        public var md4: Self {
+            return self.digest(using: .md4)
+        }
+        
+        /// An MD5 digest of this object
+        public var md5: Self {
+            return self.digest(using: .md5)
+        }
+    #endif
+    
+    /// An MD5 digest of this object. Called out as "insecure" as it should not be used for cryptographic purposes
+    public var md5_insecure: Self {
+        return self.digest(using: .md5_insecure)
+    }
+    
     /// An SHA1 digest of this object
     public var sha1: Self {
 		return self.digest(using: .sha1)
 	}
 	
+    /// An SHA1 digest of this object. Called out as "insecure" as it should not be used for cryptographic purposes
+    public var sha1_insecure: Self {
+        return self.digest(using: .sha1_insecure)
+    }
+    
     /// An SHA224 digest of this object
     public var sha224: Self {
 		return self.digest(using: .sha224)
diff --git a/Sources/Cryptor/Digest.swift b/Sources/Cryptor/Digest.swift
@@ -22,6 +22,9 @@ import Foundation
     typealias CC_LONG = size_t
 #else
     import CommonCrypto
+    #if canImport(CryptoKit)
+        import CryptoKit
+    #endif
 #endif
 
 ///
@@ -50,18 +53,26 @@ public class Digest: Updatable {
     ///
     public enum Algorithm {
 		
-        /// Message Digest 2 See: http://en.wikipedia.org/wiki/MD2_(cryptography)
-        case md2
-		
-        /// Message Digest 4
-        case md4
-		
+        // Only available on Linux as Apple platforms consider them cryptographically insecure
+        #if os(Linux)
+            /// Message Digest 4
+            case md4
+            
+            /// Message Digest 5
+            case md5
+        #endif
+        
         /// Message Digest 5
-        case md5
-		
+        /// - NOTE: Do NOT use for cryptography, considered insecure
+        case md5_insecure
+        
         /// Secure Hash Algorithm 1
         case sha1
-		
+        
+        /// Secure Hash Algorithm 1
+        /// - NOTE: Do NOT use for cryptography, considered insecure
+        case sha1_insecure
+        
         /// Secure Hash Algorithm 2 224-bit
         case sha224
 		
@@ -85,61 +96,61 @@ public class Digest: Updatable {
     public init(using algorithm: Algorithm) {
 		
         switch algorithm {
+        
+        #if os(Linux)
+            case .md4:
+                self.engine = DigestEngineCC<MD4_CTX>(initializer:MD4_Init, updater:MD4_Update, finalizer:MD4_Final, length:MD4_DIGEST_LENGTH)
+                
+            case .md5, .md5_insecure:
+                self.engine = DigestEngineCC<MD5_CTX>(initializer:MD5_Init, updater:MD5_Update, finalizer:MD5_Final, length:MD5_DIGEST_LENGTH)
+                        
+        #else
 			
-        case .md2:
-            #if os(Linux)
-                fatalError("MD2 digest not supported by OpenSSL")
-            #else
-	            engine = DigestEngineCC<CC_MD2_CTX>(initializer:CC_MD2_Init, updater:CC_MD2_Update, finalizer:CC_MD2_Final, length:CC_MD2_DIGEST_LENGTH)
-			#endif
-			
-        case .md4:
-            #if os(Linux)
-                engine = DigestEngineCC<MD4_CTX>(initializer:MD4_Init, updater:MD4_Update, finalizer:MD4_Final, length:MD4_DIGEST_LENGTH)
-            #else
-            	engine = DigestEngineCC<CC_MD4_CTX>(initializer:CC_MD4_Init, updater:CC_MD4_Update, finalizer:CC_MD4_Final, length:CC_MD4_DIGEST_LENGTH)
-			#endif
-			
-        case .md5:
-            #if os(Linux)
-                engine = DigestEngineCC<MD5_CTX>(initializer:MD5_Init, updater:MD5_Update, finalizer:MD5_Final, length:MD5_DIGEST_LENGTH)
-            #else
-				engine = DigestEngineCC<CC_MD5_CTX>(initializer:CC_MD5_Init, updater:CC_MD5_Update, finalizer:CC_MD5_Final, length:CC_MD5_DIGEST_LENGTH)
-			#endif
-			
+            case .md5_insecure:
+                self.engine = DigestEngineMD5Insecure()
+
+        #endif
+            
         case .sha1:
             #if os(Linux)
-                engine = DigestEngineCC<SHA_CTX>(initializer:SHA1_Init, updater:SHA1_Update, finalizer:SHA1_Final, length:SHA_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<SHA_CTX>(initializer:SHA1_Init, updater:SHA1_Update, finalizer:SHA1_Final, length:SHA_DIGEST_LENGTH)
             #else
                 engine = DigestEngineCC<CC_SHA1_CTX>(initializer:CC_SHA1_Init, updater:CC_SHA1_Update, finalizer:CC_SHA1_Final, length:CC_SHA1_DIGEST_LENGTH)
-			#endif
-			
+            #endif
+            
+        case .sha1_insecure:
+            #if os(Linux)
+                self.engine = DigestEngineCC<SHA_CTX>(initializer:SHA1_Init, updater:SHA1_Update, finalizer:SHA1_Final, length:SHA_DIGEST_LENGTH)
+            #else
+                self.engine = DigestEngineSHA1Insecure()
+            #endif
+            
         case .sha224:
             #if os(Linux)
-                engine = DigestEngineCC<SHA256_CTX>(initializer:SHA224_Init, updater:SHA224_Update, finalizer:SHA224_Final, length:SHA224_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<SHA256_CTX>(initializer:SHA224_Init, updater:SHA224_Update, finalizer:SHA224_Final, length:SHA224_DIGEST_LENGTH)
             #else
-            	engine = DigestEngineCC<CC_SHA256_CTX>(initializer:CC_SHA224_Init, updater:CC_SHA224_Update, finalizer:CC_SHA224_Final, length:CC_SHA224_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<CC_SHA256_CTX>(initializer:CC_SHA224_Init, updater:CC_SHA224_Update, finalizer:CC_SHA224_Final, length:CC_SHA224_DIGEST_LENGTH)
 			#endif
 			
         case .sha256:
             #if os(Linux)
-                engine = DigestEngineCC<SHA256_CTX>(initializer: SHA256_Init, updater:SHA256_Update, finalizer:SHA256_Final, length:SHA256_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<SHA256_CTX>(initializer: SHA256_Init, updater:SHA256_Update, finalizer:SHA256_Final, length:SHA256_DIGEST_LENGTH)
             #else
-	            engine = DigestEngineCC<CC_SHA256_CTX>(initializer:CC_SHA256_Init, updater:CC_SHA256_Update, finalizer:CC_SHA256_Final, length:CC_SHA256_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<CC_SHA256_CTX>(initializer:CC_SHA256_Init, updater:CC_SHA256_Update, finalizer:CC_SHA256_Final, length:CC_SHA256_DIGEST_LENGTH)
 			#endif
 			
         case .sha384:
             #if os(Linux)
-                engine = DigestEngineCC<SHA512_CTX>(initializer:SHA384_Init, updater:SHA384_Update, finalizer:SHA384_Final, length:SHA384_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<SHA512_CTX>(initializer:SHA384_Init, updater:SHA384_Update, finalizer:SHA384_Final, length:SHA384_DIGEST_LENGTH)
             #else
-	            engine = DigestEngineCC<CC_SHA512_CTX>(initializer:CC_SHA384_Init, updater:CC_SHA384_Update, finalizer:CC_SHA384_Final, length:CC_SHA384_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<CC_SHA512_CTX>(initializer:CC_SHA384_Init, updater:CC_SHA384_Update, finalizer:CC_SHA384_Final, length:CC_SHA384_DIGEST_LENGTH)
 			#endif
 			
         case .sha512:
             #if os(Linux)
-                engine = DigestEngineCC<SHA512_CTX>(initializer:SHA512_Init, updater:SHA512_Update, finalizer:SHA512_Final, length:SHA512_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<SHA512_CTX>(initializer:SHA512_Init, updater:SHA512_Update, finalizer:SHA512_Final, length:SHA512_DIGEST_LENGTH)
             #else
-	            engine = DigestEngineCC<CC_SHA512_CTX>(initializer:CC_SHA512_Init, updater:CC_SHA512_Update, finalizer:CC_SHA512_Final, length:CC_SHA512_DIGEST_LENGTH)
+                self.engine = DigestEngineCC<CC_SHA512_CTX>(initializer:CC_SHA512_Init, updater:CC_SHA512_Update, finalizer:CC_SHA512_Final, length:CC_SHA512_DIGEST_LENGTH)
 			#endif
         }
     }
@@ -269,6 +280,62 @@ private class DigestEngineCC<CTX>: DigestEngine {
 }
 
 
+#if !os(Linux)
 
+/**
+ Wraps the Insecure.MD5 engine as a DigestEngine
+ */
+private class DigestEngineMD5Insecure: DigestEngine {
+    var engine = Insecure.MD5()
+    
+    func update(buffer: UnsafeRawPointer, byteCount: CC_LONG) {
+        guard byteCount<=Int.max else {
+            fatalError("Cannot support byte count of size: \(byteCount)")
+        }
+        let count = Int(byteCount)
+        let bufferPointer = UnsafeRawBufferPointer(start: buffer, count: count)
+        engine.update(bufferPointer: bufferPointer)
+    }
+    
+    func final() -> [UInt8] {
+        let digest: Insecure.MD5Digest = self.engine.finalize()
+        let digestLength = Int(Insecure.MD5Digest.byteCount)
+        var buffer = Array<UInt8>(repeating: 0, count:digestLength)
+        digest.withUnsafeBytes { (rawBuffer: UnsafeRawBufferPointer) in
+            for (index, val) in rawBuffer.enumerated() {
+                buffer[index] = val
+            }
+        }
+        return buffer
+    }
+}
 
+/**
+ Wraps the Insecure.SHA1 engine as a DigestEngine
+ */
+private class DigestEngineSHA1Insecure: DigestEngine {
+    var engine = Insecure.SHA1()
+    
+    func update(buffer: UnsafeRawPointer, byteCount: CC_LONG) {
+        guard byteCount<=Int.max else {
+            fatalError("Cannot support byte count of size: \(byteCount)")
+        }
+        let count = Int(byteCount)
+        let bufferPointer = UnsafeRawBufferPointer(start: buffer, count: count)
+        engine.update(bufferPointer: bufferPointer)
+    }
+    
+    func final() -> [UInt8] {
+        let digest: Insecure.SHA1Digest = self.engine.finalize()
+        let digestLength = Int(Insecure.SHA1Digest.byteCount)
+        var buffer = Array<UInt8>(repeating: 0, count:digestLength)
+        digest.withUnsafeBytes { (rawBuffer: UnsafeRawBufferPointer) in
+            for (index, val) in rawBuffer.enumerated() {
+                buffer[index] = val
+            }
+        }
+        return buffer
+    }
+}
 
+#endif
diff --git a/Tests/CryptorTests/CryptorTests.swift b/Tests/CryptorTests/CryptorTests.swift
