upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-28 04:32:30 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 27
nextcloud/core/Command/OCM/RetireKey.php

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

42 lines
1.1 KiB
PHP
Raw Permalink Normal View History

feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-05 10:29:54 -04:00
<?php
declare(strict_types=1);
/**
* SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
* SPDX-License-Identifier: AGPL-3.0-or-later
*/
namespace OC\Core\Command\OCM;
use OC\Core\Command\Base;
use OC\OCM\OCMSignatoryManager;
use Symfony\Component\Console\Input\InputInterface;
use Symfony\Component\Console\Output\OutputInterface;
class RetireKey extends Base {
public function __construct(
private readonly OCMSignatoryManager $signatoryManager,
) {
parent::__construct();
}
#[\Override]
protected function configure(): void {
$this
->setName('ocm:keys:retire')
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-11 10:13:13 -04:00
->setDescription('delete the retiring JWKS key; signatures that referenced its kid can no longer be verified');
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-05 10:29:54 -04:00
}
#[\Override]
protected function execute(InputInterface $input, OutputInterface $output): int {
try {
fix: Make sodium optional This commit switches the default signature algorithm to ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium optional again, and we only pull it in to use it for verifying incomming signatures. If sodium is not installed, we throw on Ed25519 signatures instead. At least it is easy for most people to make their Nextcloud install fully RFC compliant by installing sodium. I also renamed all the Ed25519 function names to be more precis, using Jwks for the JSON Web Keys, and RFC9421 for the http-signature code, where it is needed to distinguish from draft-cavage signatures. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-11 10:13:13 -04:00
$this->signatoryManager->retireJwksKey();
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-05 10:29:54 -04:00
} catch (\RuntimeException $e) {
$output->writeln('<error>' . $e->getMessage() . '</error>');
chore: Fix return values Use constants instead of 0/1 Also fix PHPDoc to use correct return values. Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-11 05:37:09 -04:00
return self::FAILURE;
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-05 10:29:54 -04:00
}
$output->writeln('<info>Retiring key deleted.</info>');
chore: Fix return values Use constants instead of 0/1 Also fix PHPDoc to use correct return values. Co-authored-by: Carl Schwan <carl@carlschwan.eu> Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-11 05:37:09 -04:00
return self::SUCCESS;
feat(http-sig): occ commands to manage Ed25519 keys ocm:keys:list list known keys with their slot and kid ocm:keys:stage generate a pending key, advertise via JWKS ocm:keys:activate promote pending -> active, demote previous active ocm:keys:retire delete the retiring key (kid stops resolving) Plus the autoloader regen covering the new classes from this branch. Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-05 10:29:54 -04:00
}
}
Reference in a new issue Copy permalink