Fix for not honoring ValidationTimePayload's signedDate

[betaphi]

Bug Description

When using the X5CVerifier to verify a Payload that conforms to ValidationTimePayload the signedDate of the ValidationTimePayload would be used to initialize a RFC5280Policy. Unfortunately the default @PolicyBuilder that is used in the respective verifyJWS function also contained a RFC5280Policy, which was always initialized to the current date.

As both policies need to be met in order for the verification to succeed, the ValidationTimePayload's signedDate was effectively ignored. Other negative side effects could be described but I'll keep it short here.

Proposed Solution

As @resultBuilders can not be optional in Swift, a way was needed to provide a default verification policy that would not affect the policy that would be created further down the code depending on the payload's conformance to ValidationTimePayload. I have therefore created a dummy EmptyPolicy, which is always met.
The solution does not have any negative side effects, as a RFC5280Policy is added further down the code in any case. Only this time, it is either initialized with the signedDate of a ValidationTimePayload or the current date.

[0xTim]

Thanks! Can you add a test to ensure that the original bug doesn't get reintroduced?

[betaphi]

We would need a correctly signed token with a signedDate that lies in the past. Also, one of the certificates in the chain should be expired by now. I have such tokens here for testing but they contain private data and therefore cannot be shared. At this point I have no capacity to create such a token.

[betaphi]

May I please ask you again to accept the PR?
I know that not having a test ist non-optimal, but having non-functional software in a production environment is worse isn't it? 😉

[ptoffy]

Thanks for this! I'm happy to accept it once the few nits are resolved. I doubt many people are using this anyway.

[ptoffy]

Can you remove this please?

[ptoffy]

Suggested change

	return .meetsPolicy
	.meetsPolicy

[ptoffy]

This isn't needed as JWTKit already requires higher platform versions

[betaphi]

@ptoffy I have just made the requested changes. Would be great if you could accept the PR now :-)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 83.55%. Comparing base (84a328e) to head (2e09a95).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #231      +/-   ##
==========================================
+ Coverage   83.52%   83.55%   +0.03%     
==========================================
  Files          56       57       +1     
  Lines        1493     1496       +3     
==========================================
+ Hits         1247     1250       +3     
  Misses        246      246              

Files with missing lines	Coverage Δ
Sources/JWTKit/X5C/EmptyPolicy.swift	100.00% <100.00%> (ø)
Sources/JWTKit/X5C/X5CVerifier.swift	85.88% <100.00%> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[ptoffy]

Thanks! Unfortunately we're not quite there yet. Could you fix the compiler error please? Also, this needs to go through a swift format pass first (formatting file is here)

[betaphi]

The compiler error was caused by an update to a dependency library. I just fixed it.

About the swift format thing: The whole repo does not comply to the current format. As a result, if I apply it, lots of files will be changed. Therefore I would highly suggest to do this in a separate PR.