Add a TimedCertificateReloader (#269)

This PR adds a `CertificateReloader` protocol and a
`TimedCertificateReloader` implementation.

A `CertificateReloader` allows for certificate-key pairs to be observed
and updated. A `TimedCertificateReloader` does this every set interval
of time.

This PR also provides an extension on `TLSConfiguration` to enable this
reloading ability in NIO applications, so that updated certificates and
keys can be used during SSL handshakes; as well as conformance of the
`TimedCertificateReloader` to `swift-service-lifecycle`'s `Service`
protocol, for easy composition.

Author: gjcairo

Package.swift

@@ -257,6 +257,30 @@ var targets: [PackageDescription.Target] = [
         ],
         swiftSettings: strictConcurrencySettings
     ),
+    .target(
+        name: "NIOCertificateReloading",
+        dependencies: [
+            .product(name: "NIOCore", package: "swift-nio"),
+            .product(name: "NIOSSL", package: "swift-nio-ssl"),
+            .product(name: "X509", package: "swift-certificates"),
+            .product(name: "SwiftASN1", package: "swift-asn1"),
+            .product(name: "ServiceLifecycle", package: "swift-service-lifecycle"),
+            .product(name: "AsyncAlgorithms", package: "swift-async-algorithms"),
+            .product(name: "Logging", package: "swift-log"),
+        ],
+        swiftSettings: strictConcurrencySettings
+    ),
+    .testTarget(
+        name: "NIOCertificateReloadingTests",
+        dependencies: [
+            "NIOCertificateReloading",
+            .product(name: "NIOCore", package: "swift-nio"),
+            .product(name: "NIOSSL", package: "swift-nio-ssl"),
+            .product(name: "X509", package: "swift-certificates"),
+            .product(name: "SwiftASN1", package: "swift-asn1"),
+        ],
+        swiftSettings: strictConcurrencySettings
+    ),
 ]
 
 let package = Package(
@@ -270,6 +294,7 @@ let package = Package(
         .library(name: "NIOHTTPTypesHTTP2", targets: ["NIOHTTPTypesHTTP2"]),
         .library(name: "NIOResumableUpload", targets: ["NIOResumableUpload"]),
         .library(name: "NIOHTTPResponsiveness", targets: ["NIOHTTPResponsiveness"]),
+        .library(name: "NIOCertificateReloading", targets: ["NIOCertificateReloading"]),
     ],
     dependencies: [
         .package(url: "https://github.com/apple/swift-nio.git", from: "2.81.0"),
@@ -278,6 +303,12 @@ let package = Package(
         .package(url: "https://github.com/apple/swift-http-structured-headers.git", from: "1.2.0"),
         .package(url: "https://github.com/apple/swift-atomics.git", from: "1.2.0"),
         .package(url: "https://github.com/apple/swift-algorithms.git", from: "1.2.0"),
+        .package(url: "https://github.com/apple/swift-certificates.git", from: "1.10.0"),
+        .package(url: "https://github.com/apple/swift-nio-ssl.git", from: "2.29.3"),
+        .package(url: "https://github.com/apple/swift-asn1.git", from: "1.3.1"),
+        .package(url: "https://github.com/swift-server/swift-service-lifecycle.git", from: "2.8.0"),
+        .package(url: "https://github.com/apple/swift-async-algorithms.git", from: "1.0.0"),
+        .package(url: "https://github.com/apple/swift-log.git", from: "1.6.3"),
 
     ],
     targets: targets

Sources/NIOCertificateReloading/CertificateReloader.swift

@@ -0,0 +1,125 @@
+//===----------------------------------------------------------------------===//
+//
+// This source file is part of the SwiftNIO open source project
+//
+// Copyright (c) 2025 Apple Inc. and the SwiftNIO project authors
+// Licensed under Apache License v2.0
+//
+// See LICENSE.txt for license information
+// See CONTRIBUTORS.txt for the list of SwiftNIO project authors
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+//===----------------------------------------------------------------------===//
+
+import NIOCore
+import NIOSSL
+
+/// A protocol that defines a certificate reloader.
+///
+/// A certificate reloader is a service that can provide you with updated versions of a certificate and private key pair, in
+/// the form of a `NIOSSLContextConfigurationOverride`, which will be used when performing a TLS handshake in NIO.
+/// Each implementation can choose how to observe for changes, but they all require an ``sslContextConfigurationOverride``
+/// to be exposed.
+public protocol CertificateReloader: Sendable {
+    /// A `NIOSSLContextConfigurationOverride` that will be used as part of the NIO application's TLS configuration.
+    /// Its certificate and private key will be kept up-to-date via whatever mechanism the specific ``CertificateReloader``
+    /// implementation provides.
+    var sslContextConfigurationOverride: NIOSSLContextConfigurationOverride { get }
+}
+
+extension TLSConfiguration {
+    /// Errors thrown when creating a ``NIOSSL/TLSConfiguration`` with a ``CertificateReloader``.
+    public struct CertificateReloaderError: Error, Hashable, CustomStringConvertible {
+        private enum _Backing: CustomStringConvertible {
+            case missingCertificateChain
+            case missingPrivateKey
+
+            var description: String {
+                switch self {
+                case .missingCertificateChain:
+                    return "Missing certificate chain"
+                case .missingPrivateKey:
+                    return "Missing private key"
+                }
+            }
+        }
+
+        private let _backing: _Backing
+
+        private init(backing: _Backing) {
+            self._backing = backing
+        }
+
+        public var description: String {
+            self._backing.description
+        }
+
+        /// The given ``CertificateReloader`` could not provide a certificate chain with which to create this config.
+        public static var missingCertificateChain: Self { .init(backing: .missingCertificateChain) }
+
+        /// The given ``CertificateReloader`` could not provide a private key with which to create this config.
+        public static var missingPrivateKey: Self { .init(backing: .missingPrivateKey) }
+    }
+
+    /// Create a ``NIOSSL/TLSConfiguration`` for use with server-side contexts, with certificate reloading enabled.
+    /// - Parameter certificateReloader: A ``CertificateReloader`` to watch for certificate and key pair updates.
+    /// - Returns: A ``NIOSSL/TLSConfiguration`` for use with server-side contexts, that reloads the certificate and key
+    /// used in its SSL handshake.
+    /// - Throws: This method will throw if an override isn't present. This may happen if a certificate or private key could not be
+    /// loaded from the given paths.
+    public static func makeServerConfiguration(
+        certificateReloader: some CertificateReloader
+    ) throws -> Self {
+        let override = certificateReloader.sslContextConfigurationOverride
+
+        guard let certificateChain = override.certificateChain else {
+            throw CertificateReloaderError.missingCertificateChain
+        }
+
+        guard let privateKey = override.privateKey else {
+            throw CertificateReloaderError.missingPrivateKey
+        }
+
+        var configuration = Self.makeServerConfiguration(
+            certificateChain: certificateChain,
+            privateKey: privateKey
+        )
+        configuration.setCertificateReloader(certificateReloader)
+        return configuration
+    }
+
+    /// Create a ``NIOSSL/TLSConfiguration`` for use with client-side contexts, with certificate reloading enabled.
+    /// - Parameter certificateReloader: A ``CertificateReloader`` to watch for certificate and key pair updates.
+    /// - Returns: A ``NIOSSL/TLSConfiguration`` for use with client-side contexts, that reloads the certificate and key
+    /// used in its SSL handshake.
+    /// - Throws: This method will throw if an override isn't present. This may happen if a certificate or private key could not be
+    /// loaded from the given paths.
+    public static func makeClientConfiguration(
+        certificateReloader: some CertificateReloader
+    ) throws -> Self {
+        let override = certificateReloader.sslContextConfigurationOverride
+
+        guard let certificateChain = override.certificateChain else {
+            throw CertificateReloaderError.missingCertificateChain
+        }
+
+        guard let privateKey = override.privateKey else {
+            throw CertificateReloaderError.missingPrivateKey
+        }
+
+        var configuration = Self.makeClientConfiguration()
+        configuration.certificateChain = certificateChain
+        configuration.privateKey = privateKey
+        configuration.setCertificateReloader(certificateReloader)
+        return configuration
+    }
+
+    /// Configure a ``CertificateReloader`` to observe updates for the certificate and key pair used.
+    /// - Parameter reloader: A ``CertificateReloader`` to watch for certificate and key pair updates.
+    public mutating func setCertificateReloader(_ reloader: some CertificateReloader) {
+        self.sslContextCallback = { _, promise in
+            promise.succeed(reloader.sslContextConfigurationOverride)
+        }
+    }
+}