Removed JWT Kit dependency and implemented JWT token generation using CryptoKit

Kamil Strzelecki · Kamil Strzelecki · commit 16192326e693 · 2022-05-19T13:02:43.000+02:00
diff --git a/Package.resolved b/Package.resolved
diff --git a/Package.swift b/Package.swift
@@ -6,7 +6,7 @@ import PackageDescription
 let package = Package(
     name: "AppStoreManager",
     platforms: [
-       .macOS(.v10_15)
+        .macOS(.v11)
     ],
     products: [
         .library(
@@ -22,24 +22,20 @@ let package = Package(
         )
     ],
     dependencies: [
-        .package(url: "https://github.com/vapor/jwt-kit.git", from: "4.4.0"),
-        .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.1.2")),
-        ],
+        .package(url: "https://github.com/apple/swift-argument-parser.git", .upToNextMinor(from: "1.1.2"))
+    ],
     targets: [
         .target(
             name: "AppStoreManager"),
         .target(
-            name: "AppStoreManagerAuthorization",
-            dependencies: [
-                .product(name: "JWTKit", package: "jwt-kit")
-        ]),
+            name: "AppStoreManagerAuthorization"),
         .executableTarget(
             name: "AppStoreManagerShell",
             dependencies: [
                 "AppStoreManagerAuthorization",
                 "AppStoreManager",
-                .product(name: "ArgumentParser", package: "swift-argument-parser"),
-        ]),
+                .product(name: "ArgumentParser", package: "swift-argument-parser")
+            ]),
         .testTarget(
             name: "AppStoreManagerTests",
             dependencies: [
diff --git a/Sources/AppStoreManagerAuthorization/AppStoreManagerAuthorization.swift b/Sources/AppStoreManagerAuthorization/AppStoreManagerAuthorization.swift
@@ -6,8 +6,6 @@
 //
 
 import Foundation
-import JWTKit
-import CryptoKit
 
 /// Helper object which generate the JWT token to authorize requests to the _AppStoreConnect API_.
 ///
@@ -44,39 +42,9 @@ public struct AppStoreConnectSigner {
     ///
     /// - Parameter privateKey: The private key used to sign the token.
     /// - Returns: The signed token to use to authorize requests.
-    public func generateJWTToken(usingPrivateKey privateKey: Data) throws -> String {
-        let signer = JWTSigners()
-        try signer.use(.es256(key: .private(pem: privateKey)))
-        return try signer.sign(createPayload(), kid: .init(string: keyIdentifier))
-    }
-
-    /// Creates the instance of a `Claims` required by the `SwiftJWT` framework.
-    ///
-    /// The [Apple documentation](https://developer.apple.com/documentation/appstoreconnectapi/generating_tokens_for_api_requests) specifies the `aud` parameter as a `String` but the `ClaimsStandardJWT` gets an array. From the [JWT documentation](https://tools.ietf.org/html/rfc7519#section-4.1.3):
-    /// ```
-    /// In the special case when the JWT has one audience,
-    /// the "aud" value MAY be a single case-sensitive
-    /// string containing a StringOrURI value.
-    /// ```
-    ///
-    /// Hopefully this will works 🙏
-    private func createPayload() -> ClaimsAppStoreJWT {
-        ClaimsAppStoreJWT(
-            iss: payload.issuerIdentifier,
-            aud: payload.audience,
-            exp: payload.expirationTime)
-    }
-}
-
-private struct ClaimsAppStoreJWT {
-    let iss: String
-    let aud: String
-    let exp: Date
-}
-
-extension ClaimsAppStoreJWT: JWTPayload {
-    func verify(using signer: JWTKit.JWTSigner) throws {
-        try AudienceClaim(stringLiteral: aud).verifyIntendedAudience(includes: aud)
+    public func generateJWTToken(usingPrivateKey privateKey: String) throws -> String {
+        let generator = JWTGenerator(keyIdentifier: keyIdentifier, payload: payload)
+        return try generator.token(withPrivateKey: privateKey)
     }
 }
 /// The payload required to create a JWT token.
@@ -92,7 +60,7 @@ public struct AppStoreConnectPayload {
 
     /// The token's expiration time; tokens that expire more than 4 minutes in the future are not valid (Ex: 1528408800)
     /// It is encoded as a *exp* value in the TWT payload
-    fileprivate var expirationTime: Date {
+    internal var expirationTime: Date {
         return Date(timeIntervalSinceNow: 60 * 4)
     }
 
diff --git a/Sources/AppStoreManagerAuthorization/JWTGenerator.swift b/Sources/AppStoreManagerAuthorization/JWTGenerator.swift
@@ -0,0 +1,114 @@
+//
+//  JWTGenerator.swift
+//  
+//
+//  Created by Kamil Strzelecki on 17/05/2022.
+//  Copyright © 2022 Kamil Strzelecki. All rights reserved.
+//
+
+import CryptoKit
+import Foundation
+
+
+internal struct JWTGenerator {
+    
+    internal let keyIdentifier: String
+    internal let payload: AppStoreConnectPayload
+    
+    private let encoder: JSONEncoder = {
+        let encoder = JSONEncoder()
+        encoder.dateEncodingStrategy = .secondsSince1970
+        return encoder
+    }()
+    
+    internal func token(withPrivateKey privateKey: String) throws -> String {
+        let header = try headerBytes()
+        let payload = try payloadBytes()
+        let period = Array(Character(".").utf8)
+    
+        let dataToSign = header + period + payload
+        let signatureData = try sign(dataToSign, withPrivateKey: privateKey)
+        
+        let signedData = Data(dataToSign + period + signatureData)
+        return String(decoding: signedData, as: UTF8.self)
+    }
+    
+    private func sign(_ dataToSign: [UInt8], withPrivateKey privateKey: String) throws -> [UInt8] {
+        let privateKey = try P256.Signing.PrivateKey(pemRepresentation: privateKey)
+        let signature = try privateKey.signature(for: dataToSign)
+        return Array(signature.rawRepresentation.base64URLEncodedData())
+    }
+    
+    private func headerBytes() throws -> [UInt8] {
+        let header = Header(kid: keyIdentifier)
+        let data = try encoder.encode(header)
+        return Array(data.base64URLEncodedData())
+    }
+    
+    private func payloadBytes() throws -> [UInt8] {
+        let payload = Payload(payload)
+        let data = try encoder.encode(payload)
+        return Array(data.base64URLEncodedData())
+    }
+}
+
+
+extension JWTGenerator {
+    
+    fileprivate struct Header: Encodable {
+        
+        fileprivate let alg = "ES256"
+        fileprivate let typ = "JWT"
+        fileprivate let kid: String
+    }
+}
+
+
+extension JWTGenerator {
+    
+    fileprivate struct Payload: Encodable {
+        
+        fileprivate let iss: String
+        fileprivate let aud: String
+        fileprivate let exp: Date
+        
+        fileprivate init(_ payload: AppStoreConnectPayload) {
+            self.iss = payload.issuerIdentifier
+            self.aud = payload.audience
+            self.exp = payload.expirationTime
+        }
+    }
+}
+
+
+extension Data {
+    
+    /// Converts data to a base64-url encoded data.
+    ///
+    /// https://tools.ietf.org/html/rfc4648#page-7
+    internal func base64URLEncodedData() -> Data {
+        var data = base64EncodedData()
+        
+        for (index, byte) in data.enumerated() {
+            switch byte {
+            case 0x2B:
+                data[index] = 0x2D
+            case 0x2F:
+                data[index] = 0x5F
+            default:
+                continue
+            }
+        }
+        
+        return data.split(separator: 0x3D)
+            .first ?? Data()
+    }
+}
+
+
+extension JWTGenerator {
+    
+    internal enum Error: Swift.Error {
+        case cannotConvertDataToString
+    }
+}
diff --git a/Sources/AppStoreManagerShell/Authorise.swift b/Sources/AppStoreManagerShell/Authorise.swift
@@ -31,17 +31,14 @@ struct Authorise: ParsableCommand {
 
 
     func run() throws {
-        let privateKey: String
-        if self.privateKey.hasPrefix("-----BEGIN") == false,
-           self.privateKey.contains("\\n") {
-
+        var privateKey = privateKey
+        
+        if privateKey.hasPrefix("-----BEGIN") == false {
             privateKey = """
             -----BEGIN PRIVATE KEY-----
-            \(self.privateKey.replacingOccurrences(of: "\\n", with: "\n"))
+            \(privateKey.replacingOccurrences(of: "\\n", with: "\n"))
             -----END PRIVATE KEY-----
             """
-        } else {
-            privateKey = self.privateKey
         }
 
         let authorizationService = AuthorizationService(
diff --git a/Sources/AppStoreManagerShell/AuthorizationService.swift b/Sources/AppStoreManagerShell/AuthorizationService.swift
@@ -27,37 +27,13 @@ struct AuthorizationService {
     }
 
     func authorizationToken() -> Result<String, Self.Error> {
-        createPrivateKey(for: data.privateKey)
-            .map { (privateKey) -> (AppStoreConnectSigner, privateKey: Data) in
-                let payload = AppStoreConnectPayload(issuerIdentifier: self.data.issuerId)
-                return (AppStoreConnectSigner(keyIdentifier: self.data.keyId, payload: payload), privateKey)
-            }
-            .flatMap { (signerAndPrivateKey) -> Result<String, Self.Error> in
-                let (signer, privateKey)  = signerAndPrivateKey
-                do {
-                    let token = try signer.generateJWTToken(usingPrivateKey: privateKey)
-                    return .success(token)
-                } catch {
-                    return .failure(.init(message: "Could not generate JWT token"))
-                }
-            }
-    }
-
-    private func createPrivateKey(for privateToken: String) -> Result<Data, Self.Error> {
-        guard let privateKey = data.privateKey.data(using: .utf8) else {
-            return .failure(.init(message: "Provided private key is invalid"))
-        }
-        return .success(privateKey)
-    }
-
-    private func mapError<Anything>(error: Result<Anything, Self.Error>.ConcatenatedError<Self.Error>) -> Self.Error {
-
-        switch error {
-        case let .both(payloadError, keyIdentifierError):
-            return .init(message: "\(payloadError.message)\n\(keyIdentifierError.message)")
-        case let .failure(error),
-             let .other(error):
-            return error
+        do {
+            let payload = AppStoreConnectPayload(issuerIdentifier: data.issuerId)
+            let signer = AppStoreConnectSigner(keyIdentifier: data.keyId, payload: payload)
+            let token = try signer.generateJWTToken(usingPrivateKey: data.privateKey)
+            return .success(token)
+        } catch {
+            return .failure(.init(message: "Could not generate JWT token"))
         }
     }
 }
