From 1b4c9b21d2245f5d4fc442365d1885b819737a79 Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Mon, 11 May 2026 12:33:35 +0200
Subject: [PATCH] chore: Add review feedback

Throw when one of the headers are empty
Enumerate all the allowed algorithms in th NATIVE constant

Co-authored-by: Carl Schwan
Signed-off-by: Micke Nordin
---
 .../Security/Signature/Model/Rfc9421IncomingSignedRequest.php | 3 +++
 lib/private/Security/Signature/Rfc9421/Algorithm.php | 2 ++
 2 files changed, 5 insertions(+)

diff --git a/lib/private/Security/Signature/Model/Rfc9421IncomingSignedRequest.php b/lib/private/Security/Signature/Model/Rfc9421IncomingSignedRequest.php
index 7e93da4ebbf..3697c156ec8 100644
--- a/lib/private/Security/Signature/Model/Rfc9421IncomingSignedRequest.php
+++ b/lib/private/Security/Signature/Model/Rfc9421IncomingSignedRequest.php
@@ -306,6 +306,9 @@ class Rfc9421IncomingSignedRequest extends SignedRequest implements
 if ($value === '' && strtolower($component) === 'host') {
 $value = $this->request->getServerHost();
 }
+ if ($value === '') {
+ throw new IncomingRequestException('covered header is missing or empty: ' . $component);
+ }
 $out[strtolower($component)] = $value;
 }
 return $out;
diff --git a/lib/private/Security/Signature/Rfc9421/Algorithm.php b/lib/private/Security/Signature/Rfc9421/Algorithm.php
index 155aead6013..40bec3cf153 100644
--- a/lib/private/Security/Signature/Rfc9421/Algorithm.php
+++ b/lib/private/Security/Signature/Rfc9421/Algorithm.php
@@ -31,6 +31,8 @@ use Throwable;
 final class Algorithm {
 public const NATIVE = [
 'rsa-v1_5-sha256',
+ 'rsa-v1_5-sha384',
+ 'rsa-v1_5-sha512',
 'ecdsa-p256-sha256',
 'ecdsa-p384-sha384',
 'ed25519',
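Review bot: The new `throw` in the `if ($value === '')` branch concatenates `$component` into the exception message unmodified, and that name presumably comes from the covered-component list the sender supplies, i.e. from a request that has not been verified yet. If `IncomingRequestException` messages end up in logs or in an error response, constrain the name first, for example `throw new IncomingRequestException('covered header is missing or empty: ' . substr(preg_replace('/[^\x21-\x7e]/', '?', $component) ?? '', 0, 64));`. The check also rejects a header that is present with an empty value in the same way as an absent one, which fails closed but is stricter than RFC 9421 requires, so a one-line comment such as `// deliberate: an empty covered field is rejected, not signed as ''` would record the intent. The enclosing method starts and ends outside the hunk, so how `$component` is parsed is not visible here.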
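Review bot: The two names added to `NATIVE`, `rsa-v1_5-sha384` and `rsa-v1_5-sha512`, are not algorithm identifiers that RFC 9421 registers; for RSA it defines only `rsa-v1_5-sha256` and `rsa-pss-sha512`. Listing them widens what a peer may declare in `alg`, so the constant should say why they are accepted, e.g. a comment above the two entries: `// Not registered by RFC 9421; accepted for interoperability with <PEER_IMPLEMENTATION> only`. It is also worth confirming that verification rejects any `alg` value not found in this list with a strict comparison, and that the declared algorithm is checked against the type of the resolved key. The array continues past the end of the hunk, so whether `rsa-pss-sha512` is listed cannot be seen from here.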