nextcloud/core/Command/OCM/ListKeys.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */
namespace OC\Core\Command\OCM;

use OC\Core\Command\Base;
use OC\OCM\OCMSignatoryManager;
use Symfony\Component\Console\Helper\Table;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;

class ListKeys extends Base {
	public function __construct(
		private readonly OCMSignatoryManager $signatoryManager,
	) {
		parent::__construct();
	}

	#[\Override]
	protected function configure(): void {
		$this
			->setName('ocm:keys:list')
			->setDescription('list JWKS-published signing keys');
		parent::configure();
	}

	#[\Override]
	protected function execute(InputInterface $input, OutputInterface $output): int {
		$keys = $this->signatoryManager->listJwksKeys();
		$format = $input->getOption('output');
		if ($format === self::OUTPUT_FORMAT_JSON || $format === self::OUTPUT_FORMAT_JSON_PRETTY) {
			$output->writeln(json_encode($keys, $format === self::OUTPUT_FORMAT_JSON_PRETTY ? JSON_PRETTY_PRINT : 0));
			return self::SUCCESS;
		}

		if ($keys === []) {
			$output->writeln('<comment>No JWKS keys yet; one will be generated on first OCM request.</comment>');
			return self::SUCCESS;
		}

		$table = new Table($output);
		$table->setHeaders(['Pool', 'Slot', 'Key ID']);
		foreach ($keys as $key) {
			$table->addRow([$key['poolId'], $key['slot'] ?? '-', $key['kid']]);
		}
		$table->render();
		return self::SUCCESS;
	}
}
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`<?php`

			`declare(strict_types=1);`

			`/**`
			`* SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`
			`namespace OC\Core\Command\OCM;`

			`use OC\Core\Command\Base;`
			`use OC\OCM\OCMSignatoryManager;`
			`use Symfony\Component\Console\Helper\Table;`
			`use Symfony\Component\Console\Input\InputInterface;`
			`use Symfony\Component\Console\Output\OutputInterface;`

			`class ListKeys extends Base {`
			`public function __construct(`
			`private readonly OCMSignatoryManager $signatoryManager,`
			`) {`
			`parent::__construct();`
			`}`

			`#[\Override]`
			`protected function configure(): void {`
			`$this`
			`->setName('ocm:keys:list')`
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`->setDescription('list JWKS-published signing keys');`
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`parent::configure();`
			`}`

			`#[\Override]`
			`protected function execute(InputInterface $input, OutputInterface $output): int {`
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`$keys = $this->signatoryManager->listJwksKeys();`
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`$format = $input->getOption('output');`
			`if ($format === self::OUTPUT_FORMAT_JSON \|\| $format === self::OUTPUT_FORMAT_JSON_PRETTY) {`
			`$output->writeln(json_encode($keys, $format === self::OUTPUT_FORMAT_JSON_PRETTY ? JSON_PRETTY_PRINT : 0));`
chore: Fix return values Use constants instead of 0/1 Also fix PHPDoc to use correct return values. Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 05:37:09 -04:00			`return self::SUCCESS;`
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`}`

			`if ($keys === []) {`
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 10:13:13 -04:00			`$output->writeln('<comment>No JWKS keys yet; one will be generated on first OCM request.</comment>');`
chore: Fix return values Use constants instead of 0/1 Also fix PHPDoc to use correct return values. Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 05:37:09 -04:00			`return self::SUCCESS;`
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`}`

			`$table = new Table($output);`
			`$table->setHeaders(['Pool', 'Slot', 'Key ID']);`
			`foreach ($keys as $key) {`
			`$table->addRow([$key['poolId'], $key['slot'] ?? '-', $key['kid']]);`
			`}`
			`$table->render();`
chore: Fix return values Use constants instead of 0/1 Also fix PHPDoc to use correct return values. Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-11 05:37:09 -04:00			`return self::SUCCESS;`
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:54 -04:00			`}`
			`}`