nextcloud/lib/private/Security/Signature/Rfc9421/IJwkResolvingSignatoryManager.php

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OC\Security\Signature\Rfc9421;

use Firebase\JWT\Key;
use OCP\Security\Signature\ISignatoryManager;

/**
 * Capability bit for {@see ISignatoryManager} implementations that can resolve
 * a remote JWK for RFC 9421 verification. {@see \OC\Security\Signature\SignatureManager}
 * checks this via instanceof on the RFC 9421 path; cavage doesn't need it.
 */
interface IJwkResolvingSignatoryManager extends ISignatoryManager {
	/**
	 * Resolve the JWK identified by $keyId for the remote at $origin and
	 * return it as a parsed {@see Key}. Null when no matching JWK is found.
	 *
	 * @param string $origin host of the remote that signed the request
	 * @param string $keyId raw `keyid` from Signature-Input; matched against JWK `kid`
	 */
	public function getRemoteKey(string $origin, string $keyId): ?Key;
}
feat(http-sig): RFC 9421 protocol primitives Add the RFC 9421 (HTTP Message Signatures) sign/verify path alongside the existing draft-cavage implementation: - Algorithm: sodium for Ed25519, JWT::sign for RSA / ECDSA, ecdsaRawToDer for the ECDSA wire format. JWK parsing via JWK::parseKey. - SignatureBase: RFC 9421 §2.5 base construction for the derived components OCM uses plus plain HTTP fields. - ContentDigest: RFC 9530 helpers used as a covered component. - Rfc9421IncomingSignedRequest / Rfc9421OutgoingSignedRequest: request models. Parsing of Signature-Input / Signature delegates to gapple\\StructuredFields\\Parser. - IJwkResolvingSignatoryManager: capability bit signatory managers advertise to participate in RFC 9421 verification. - OcmProfile: OCM-mandated dictionary label. - SignatureManager: dispatch to RFC 9421 inbound when Signature-Input is present, outbound when rfc9421.format is set. Plus tests for each primitive and a full round-trip across the model. Signed-off-by: Micke Nordin <kano@sunet.se> 2026-05-05 10:29:24 -04:00			`<?php`

			`declare(strict_types=1);`

			`/**`
			`* SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors`
			`* SPDX-License-Identifier: AGPL-3.0-or-later`
			`*/`

			`namespace OC\Security\Signature\Rfc9421;`

			`use Firebase\JWT\Key;`
			`use OCP\Security\Signature\ISignatoryManager;`

			`/**`
			`* Capability bit for {@see ISignatoryManager} implementations that can resolve`
			`* a remote JWK for RFC 9421 verification. {@see \OC\Security\Signature\SignatureManager}`
			`* checks this via instanceof on the RFC 9421 path; cavage doesn't need it.`
			`*/`
			`interface IJwkResolvingSignatoryManager extends ISignatoryManager {`
			`/**`
			`* Resolve the JWK identified by $keyId for the remote at $origin and`
			`* return it as a parsed {@see Key}. Null when no matching JWK is found.`
			`*`
			`* @param string $origin host of the remote that signed the request`
			* @param string $keyId raw `keyid` from Signature-Input; matched against JWK `kid`
			`*/`
			`public function getRemoteKey(string $origin, string $keyId): ?Key;`
			`}`