feat(signed-request): moving out of unstable

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

apps/cloud_federation_api/lib/Controller/OCMRequestController.php

@@ -10,7 +10,6 @@ declare(strict_types=1);
 namespace OCA\CloudFederationAPI\Controller;
 
 use JsonException;
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
@@ -24,6 +23,7 @@ use OCP\IRequest;
 use OCP\OCM\Events\OCMEndpointRequestEvent;
 use OCP\OCM\Exceptions\OCMArgumentException;
 use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
 use Psr\Log\LoggerInterface;
 
 class OCMRequestController extends Controller {

apps/cloud_federation_api/lib/Controller/RequestHandlerController.php

@@ -7,12 +7,6 @@
 
 namespace OCA\CloudFederationAPI\Controller;
 
-use NCU\Federation\ISignedCloudFederationProvider;
-use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\IIncomingSignedRequest;
-use NCU\Security\Signature\ISignatureManager;
 use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\Db\FederatedInviteMapper;
@@ -37,12 +31,18 @@ use OCP\Federation\Exceptions\ProviderDoesNotExistsException;
 use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudIdManager;
+use OCP\Federation\ISignedCloudFederationProvider;
 use OCP\IAppConfig;
 use OCP\IGroupManager;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 use OCP\IUserManager;
 use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\IIncomingSignedRequest;
+use OCP\Security\Signature\ISignatureManager;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Util;
 use Psr\Log\LoggerInterface;

apps/cloud_federation_api/tests/RequestHandlerControllerTest.php

@@ -9,7 +9,6 @@ declare(strict_types=1);
 
 namespace OCA\CloudFederationApi\Tests;
 
-use NCU\Security\Signature\ISignatureManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\Controller\RequestHandlerController;
 use OCA\CloudFederationAPI\Db\FederatedInvite;
@@ -29,6 +28,7 @@ use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\ISignatureManager;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Test\TestCase;

apps/federatedfilesharing/lib/OCM/CloudFederationProviderFiles.php

@@ -6,7 +6,6 @@
  */
 namespace OCA\FederatedFileSharing\OCM;
 
-use NCU\Federation\ISignedCloudFederationProvider;
 use OC\AppFramework\Http;
 use OC\Files\Filesystem;
 use OC\Files\SetupManager;
@@ -30,6 +29,7 @@ use OCP\Federation\ICloudFederationFactory;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudFederationShare;
 use OCP\Federation\ICloudIdManager;
+use OCP\Federation\ISignedCloudFederationProvider;
 use OCP\Files\IFilenameValidator;
 use OCP\Files\NotFoundException;
 use OCP\HintException;

lib/composer/composer/autoload_classmap.php

@@ -386,6 +386,7 @@ return array(
     'OCP\\Federation\\ICloudId' => $baseDir . '/lib/public/Federation/ICloudId.php',
     'OCP\\Federation\\ICloudIdManager' => $baseDir . '/lib/public/Federation/ICloudIdManager.php',
     'OCP\\Federation\\ICloudIdResolver' => $baseDir . '/lib/public/Federation/ICloudIdResolver.php',
+    'OCP\\Federation\\ISignedCloudFederationProvider' => $baseDir . '/lib/public/Federation/ISignedCloudFederationProvider.php',
     'OCP\\Files' => $baseDir . '/lib/public/Files.php',
     'OCP\\FilesMetadata\\AMetadataEvent' => $baseDir . '/lib/public/FilesMetadata/AMetadataEvent.php',
     'OCP\\FilesMetadata\\Event\\MetadataBackgroundEvent' => $baseDir . '/lib/public/FilesMetadata/Event/MetadataBackgroundEvent.php',
@@ -792,6 +793,26 @@ return array(
     'OCP\\Security\\PasswordContext' => $baseDir . '/lib/public/Security/PasswordContext.php',
     'OCP\\Security\\RateLimiting\\ILimiter' => $baseDir . '/lib/public/Security/RateLimiting/ILimiter.php',
     'OCP\\Security\\RateLimiting\\IRateLimitExceededException' => $baseDir . '/lib/public/Security/RateLimiting/IRateLimitExceededException.php',
+    'OCP\\Security\\Signature\\Enum\\DigestAlgorithm' => $baseDir . '/lib/public/Security/Signature/Enum/DigestAlgorithm.php',
+    'OCP\\Security\\Signature\\Enum\\SignatoryStatus' => $baseDir . '/lib/public/Security/Signature/Enum/SignatoryStatus.php',
+    'OCP\\Security\\Signature\\Enum\\SignatoryType' => $baseDir . '/lib/public/Security/Signature/Enum/SignatoryType.php',
+    'OCP\\Security\\Signature\\Enum\\SignatureAlgorithm' => $baseDir . '/lib/public/Security/Signature/Enum/SignatureAlgorithm.php',
+    'OCP\\Security\\Signature\\Exceptions\\IdentityNotFoundException' => $baseDir . '/lib/public/Security/Signature/Exceptions/IdentityNotFoundException.php',
+    'OCP\\Security\\Signature\\Exceptions\\IncomingRequestException' => $baseDir . '/lib/public/Security/Signature/Exceptions/IncomingRequestException.php',
+    'OCP\\Security\\Signature\\Exceptions\\InvalidKeyOriginException' => $baseDir . '/lib/public/Security/Signature/Exceptions/InvalidKeyOriginException.php',
+    'OCP\\Security\\Signature\\Exceptions\\InvalidSignatureException' => $baseDir . '/lib/public/Security/Signature/Exceptions/InvalidSignatureException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatoryConflictException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatoryConflictException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatoryException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatoryException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatoryNotFoundException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatoryNotFoundException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatureElementNotFoundException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatureElementNotFoundException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatureException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatureException.php',
+    'OCP\\Security\\Signature\\Exceptions\\SignatureNotFoundException' => $baseDir . '/lib/public/Security/Signature/Exceptions/SignatureNotFoundException.php',
+    'OCP\\Security\\Signature\\IIncomingSignedRequest' => $baseDir . '/lib/public/Security/Signature/IIncomingSignedRequest.php',
+    'OCP\\Security\\Signature\\IOutgoingSignedRequest' => $baseDir . '/lib/public/Security/Signature/IOutgoingSignedRequest.php',
+    'OCP\\Security\\Signature\\ISignatoryManager' => $baseDir . '/lib/public/Security/Signature/ISignatoryManager.php',
+    'OCP\\Security\\Signature\\ISignatureManager' => $baseDir . '/lib/public/Security/Signature/ISignatureManager.php',
+    'OCP\\Security\\Signature\\ISignedRequest' => $baseDir . '/lib/public/Security/Signature/ISignedRequest.php',
+    'OCP\\Security\\Signature\\Model\\Signatory' => $baseDir . '/lib/public/Security/Signature/Model/Signatory.php',
     'OCP\\Security\\VerificationToken\\IVerificationToken' => $baseDir . '/lib/public/Security/VerificationToken/IVerificationToken.php',
     'OCP\\Security\\VerificationToken\\InvalidTokenException' => $baseDir . '/lib/public/Security/VerificationToken/InvalidTokenException.php',
     'OCP\\Server' => $baseDir . '/lib/public/Server.php',

lib/composer/composer/autoload_static.php

@@ -427,6 +427,7 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Federation\\ICloudId' => __DIR__ . '/../../..' . '/lib/public/Federation/ICloudId.php',
         'OCP\\Federation\\ICloudIdManager' => __DIR__ . '/../../..' . '/lib/public/Federation/ICloudIdManager.php',
         'OCP\\Federation\\ICloudIdResolver' => __DIR__ . '/../../..' . '/lib/public/Federation/ICloudIdResolver.php',
+        'OCP\\Federation\\ISignedCloudFederationProvider' => __DIR__ . '/../../..' . '/lib/public/Federation/ISignedCloudFederationProvider.php',
         'OCP\\Files' => __DIR__ . '/../../..' . '/lib/public/Files.php',
         'OCP\\FilesMetadata\\AMetadataEvent' => __DIR__ . '/../../..' . '/lib/public/FilesMetadata/AMetadataEvent.php',
         'OCP\\FilesMetadata\\Event\\MetadataBackgroundEvent' => __DIR__ . '/../../..' . '/lib/public/FilesMetadata/Event/MetadataBackgroundEvent.php',
@@ -833,6 +834,26 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OCP\\Security\\PasswordContext' => __DIR__ . '/../../..' . '/lib/public/Security/PasswordContext.php',
         'OCP\\Security\\RateLimiting\\ILimiter' => __DIR__ . '/../../..' . '/lib/public/Security/RateLimiting/ILimiter.php',
         'OCP\\Security\\RateLimiting\\IRateLimitExceededException' => __DIR__ . '/../../..' . '/lib/public/Security/RateLimiting/IRateLimitExceededException.php',
+        'OCP\\Security\\Signature\\Enum\\DigestAlgorithm' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Enum/DigestAlgorithm.php',
+        'OCP\\Security\\Signature\\Enum\\SignatoryStatus' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Enum/SignatoryStatus.php',
+        'OCP\\Security\\Signature\\Enum\\SignatoryType' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Enum/SignatoryType.php',
+        'OCP\\Security\\Signature\\Enum\\SignatureAlgorithm' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Enum/SignatureAlgorithm.php',
+        'OCP\\Security\\Signature\\Exceptions\\IdentityNotFoundException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/IdentityNotFoundException.php',
+        'OCP\\Security\\Signature\\Exceptions\\IncomingRequestException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/IncomingRequestException.php',
+        'OCP\\Security\\Signature\\Exceptions\\InvalidKeyOriginException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/InvalidKeyOriginException.php',
+        'OCP\\Security\\Signature\\Exceptions\\InvalidSignatureException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/InvalidSignatureException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatoryConflictException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatoryConflictException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatoryException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatoryException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatoryNotFoundException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatoryNotFoundException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatureElementNotFoundException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatureElementNotFoundException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatureException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatureException.php',
+        'OCP\\Security\\Signature\\Exceptions\\SignatureNotFoundException' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Exceptions/SignatureNotFoundException.php',
+        'OCP\\Security\\Signature\\IIncomingSignedRequest' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/IIncomingSignedRequest.php',
+        'OCP\\Security\\Signature\\IOutgoingSignedRequest' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/IOutgoingSignedRequest.php',
+        'OCP\\Security\\Signature\\ISignatoryManager' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/ISignatoryManager.php',
+        'OCP\\Security\\Signature\\ISignatureManager' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/ISignatureManager.php',
+        'OCP\\Security\\Signature\\ISignedRequest' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/ISignedRequest.php',
+        'OCP\\Security\\Signature\\Model\\Signatory' => __DIR__ . '/../../..' . '/lib/public/Security/Signature/Model/Signatory.php',
         'OCP\\Security\\VerificationToken\\IVerificationToken' => __DIR__ . '/../../..' . '/lib/public/Security/VerificationToken/IVerificationToken.php',
         'OCP\\Security\\VerificationToken\\InvalidTokenException' => __DIR__ . '/../../..' . '/lib/public/Security/VerificationToken/InvalidTokenException.php',
         'OCP\\Server' => __DIR__ . '/../../..' . '/lib/public/Server.php',

lib/private/Federation/CloudFederationProviderManager.php

@@ -8,7 +8,6 @@ declare(strict_types=1);
  */
 namespace OC\Federation;
 
-use NCU\Security\Signature\ISignatureManager;
 use OC\AppFramework\Http;
 use OC\OCM\OCMSignatoryManager;
 use OCP\App\IAppManager;
@@ -26,6 +25,7 @@ use OCP\IConfig;
 use OCP\OCM\Exceptions\OCMCapabilityException;
 use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\OCM\IOCMDiscoveryService;
+use OCP\Security\Signature\ISignatureManager;
 use Psr\Log\LoggerInterface;
 
 /**

lib/private/OCM/Model/OCMProvider.php

@@ -9,11 +9,11 @@ declare(strict_types=1);
 
 namespace OC\OCM\Model;
 
-use NCU\Security\Signature\Model\Signatory;
 use OCP\OCM\Exceptions\OCMArgumentException;
 use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\OCM\IOCMProvider;
 use OCP\OCM\IOCMResource;
+use OCP\Security\Signature\Model\Signatory;
 
 /**
  * @since 28.0.0

lib/private/OCM/OCMDiscoveryService.php

@@ -12,14 +12,6 @@ namespace OC\OCM;
 use Exception;
 use GuzzleHttp\Exception\ConnectException;
 use JsonException;
-use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
-use NCU\Security\Signature\Exceptions\SignatoryException;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureException;
-use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
-use NCU\Security\Signature\IIncomingSignedRequest;
-use NCU\Security\Signature\ISignatureManager;
 use OC\Core\AppInfo\ConfigLexicon;
 use OC\OCM\Model\OCMProvider;
 use OCP\AppFramework\Attribute\Consumable;
@@ -40,6 +32,14 @@ use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\OCM\Exceptions\OCMRequestException;
 use OCP\OCM\IOCMDiscoveryService;
 use OCP\OCM\IOCMProvider;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\SignatoryException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\Exceptions\SignatureNotFoundException;
+use OCP\Security\Signature\IIncomingSignedRequest;
+use OCP\Security\Signature\ISignatureManager;
 use Psr\Log\LoggerInterface;
 
 /**

lib/private/OCM/OCMSignatoryManager.php

@@ -9,17 +9,17 @@ declare(strict_types=1);
 
 namespace OC\OCM;
 
-use NCU\Security\Signature\Enum\DigestAlgorithm;
-use NCU\Security\Signature\Enum\SignatoryType;
-use NCU\Security\Signature\Enum\SignatureAlgorithm;
-use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\ISignatoryManager;
-use NCU\Security\Signature\ISignatureManager;
-use NCU\Security\Signature\Model\Signatory;
 use OC\Security\IdentityProof\Manager;
 use OCP\IAppConfig;
 use OCP\IURLGenerator;
 use OCP\OCM\Exceptions\OCMProviderException;
+use OCP\Security\Signature\Enum\DigestAlgorithm;
+use OCP\Security\Signature\Enum\SignatoryType;
+use OCP\Security\Signature\Enum\SignatureAlgorithm;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\ISignatoryManager;
+use OCP\Security\Signature\ISignatureManager;
+use OCP\Security\Signature\Model\Signatory;
 use OCP\Server;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;

lib/private/Security/Signature/Db/SignatoryMapper.php

@@ -8,12 +8,12 @@ declare(strict_types=1);
 
 namespace OC\Security\Signature\Db;
 
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Model\Signatory;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\QBMapper;
 use OCP\DB\Exception;
 use OCP\IDBConnection;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Model\Signatory;
 
 /**
  * @template-extends QBMapper<Signatory>

lib/private/Security/Signature/Model/IncomingSignedRequest.php

@@ -9,20 +9,20 @@ declare(strict_types=1);
 namespace OC\Security\Signature\Model;
 
 use JsonSerializable;
-use NCU\Security\Signature\Enum\DigestAlgorithm;
-use NCU\Security\Signature\Enum\SignatureAlgorithm;
-use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
-use NCU\Security\Signature\Exceptions\InvalidSignatureException;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureException;
-use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
-use NCU\Security\Signature\IIncomingSignedRequest;
-use NCU\Security\Signature\ISignatureManager;
-use NCU\Security\Signature\Model\Signatory;
 use OC\Security\Signature\SignatureManager;
 use OCP\IRequest;
+use OCP\Security\Signature\Enum\DigestAlgorithm;
+use OCP\Security\Signature\Enum\SignatureAlgorithm;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\InvalidSignatureException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\Exceptions\SignatureNotFoundException;
+use OCP\Security\Signature\IIncomingSignedRequest;
+use OCP\Security\Signature\ISignatureManager;
+use OCP\Security\Signature\Model\Signatory;
 use ValueError;
 
 /**

lib/private/Security/Signature/Model/OutgoingSignedRequest.php

@@ -9,14 +9,14 @@ declare(strict_types=1);
 namespace OC\Security\Signature\Model;
 
 use JsonSerializable;
-use NCU\Security\Signature\Enum\DigestAlgorithm;
-use NCU\Security\Signature\Enum\SignatureAlgorithm;
-use NCU\Security\Signature\Exceptions\SignatoryException;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\IOutgoingSignedRequest;
-use NCU\Security\Signature\ISignatoryManager;
-use NCU\Security\Signature\ISignatureManager;
 use OC\Security\Signature\SignatureManager;
+use OCP\Security\Signature\Enum\DigestAlgorithm;
+use OCP\Security\Signature\Enum\SignatureAlgorithm;
+use OCP\Security\Signature\Exceptions\SignatoryException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\IOutgoingSignedRequest;
+use OCP\Security\Signature\ISignatoryManager;
+use OCP\Security\Signature\ISignatureManager;
 
 /**
  * extends ISignedRequest to add info requested at the generation of the signature

lib/private/Security/Signature/Model/SignedRequest.php

@@ -9,11 +9,11 @@ declare(strict_types=1);
 namespace OC\Security\Signature\Model;
 
 use JsonSerializable;
-use NCU\Security\Signature\Enum\DigestAlgorithm;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
-use NCU\Security\Signature\ISignedRequest;
-use NCU\Security\Signature\Model\Signatory;
+use OCP\Security\Signature\Enum\DigestAlgorithm;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use OCP\Security\Signature\ISignedRequest;
+use OCP\Security\Signature\Model\Signatory;
 
 /**
  * @inheritDoc

lib/private/Security/Signature/SignatureManager.php

@@ -8,28 +8,28 @@ declare(strict_types=1);
 
 namespace OC\Security\Signature;
 
-use NCU\Security\Signature\Enum\SignatoryType;
-use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
-use NCU\Security\Signature\Exceptions\InvalidKeyOriginException;
-use NCU\Security\Signature\Exceptions\InvalidSignatureException;
-use NCU\Security\Signature\Exceptions\SignatoryConflictException;
-use NCU\Security\Signature\Exceptions\SignatoryException;
-use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureElementNotFoundException;
-use NCU\Security\Signature\Exceptions\SignatureException;
-use NCU\Security\Signature\Exceptions\SignatureNotFoundException;
-use NCU\Security\Signature\IIncomingSignedRequest;
-use NCU\Security\Signature\IOutgoingSignedRequest;
-use NCU\Security\Signature\ISignatoryManager;
-use NCU\Security\Signature\ISignatureManager;
-use NCU\Security\Signature\Model\Signatory;
 use OC\Security\Signature\Db\SignatoryMapper;
 use OC\Security\Signature\Model\IncomingSignedRequest;
 use OC\Security\Signature\Model\OutgoingSignedRequest;
 use OCP\DB\Exception as DBException;
 use OCP\IAppConfig;
 use OCP\IRequest;
+use OCP\Security\Signature\Enum\SignatoryType;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\InvalidKeyOriginException;
+use OCP\Security\Signature\Exceptions\InvalidSignatureException;
+use OCP\Security\Signature\Exceptions\SignatoryConflictException;
+use OCP\Security\Signature\Exceptions\SignatoryException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\Exceptions\SignatureNotFoundException;
+use OCP\Security\Signature\IIncomingSignedRequest;
+use OCP\Security\Signature\IOutgoingSignedRequest;
+use OCP\Security\Signature\ISignatoryManager;
+use OCP\Security\Signature\ISignatureManager;
+use OCP\Security\Signature\Model\Signatory;
 use Psr\Log\LoggerInterface;
 
 /**

lib/private/Server.php

@@ -8,7 +8,6 @@
 namespace OC;
 
 use bantu\IniGetWrapper\IniGetWrapper;
-use NCU\Security\Signature\ISignatureManager;
 use OC\Accounts\AccountManager;
 use OC\App\AppManager;
 use OC\App\AppStore\Bundles\BundleFetcher;
@@ -223,6 +222,7 @@ use OCP\Security\Ip\IRemoteAddress;
 use OCP\Security\ISecureRandom;
 use OCP\Security\ITrustedDomainHelper;
 use OCP\Security\RateLimiting\ILimiter;
+use OCP\Security\Signature\ISignatureManager;
 use OCP\Security\VerificationToken\IVerificationToken;
 use OCP\ServerVersion;
 use OCP\Settings\IDeclarativeManager;

lib/public/Federation/ISignedCloudFederationProvider.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Federation;
+
+/**
+ * Interface ICloudFederationProvider
+ *
+ * Enable apps to create their own cloud federation provider
+ *
+ * @since 33.0.0
+ */
+interface ISignedCloudFederationProvider extends ICloudFederationProvider {
+
+	/**
+	 * returns federationId in direct relation (as recipient or as author) of a sharedSecret
+	 * the federationId must be the one at the remote end
+	 *
+	 * @param string $sharedSecret
+	 * @param array $payload
+	 *
+	 * @since 31.0.0
+	 * @return string
+	 */
+	public function getFederationIdFromSharedSecret(string $sharedSecret, array $payload): string;
+}

lib/public/OCM/IOCMDiscoveryService.php

@@ -9,14 +9,14 @@ declare(strict_types=1);
 
 namespace OCP\OCM;
 
-use NCU\Security\Signature\Exceptions\IncomingRequestException;
-use NCU\Security\Signature\IIncomingSignedRequest;
 use OCP\AppFramework\Attribute\Consumable;
 use OCP\Http\Client\IClient;
 use OCP\Http\Client\IResponse;
 use OCP\OCM\Events\LocalOCMDiscoveryEvent;
 use OCP\OCM\Exceptions\OCMCapabilityException;
 use OCP\OCM\Exceptions\OCMProviderException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\IIncomingSignedRequest;
 
 /**
  * Discover remote OCM services

lib/public/Security/Signature/Enum/DigestAlgorithm.php

@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Enum;
+
+use OCP\AppFramework\Attribute\Consumable;
+
+/**
+ * list of available algorithm when generating digest from body
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+enum DigestAlgorithm: string {
+	/** @since 33.0.0 */
+	case SHA256 = 'SHA-256';
+	/** @since 33.0.0 */
+	case SHA512 = 'SHA-512';
+
+	/**
+	 * returns hashing algorithm to be used when generating digest
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getHashingAlgorithm(): string {
+		return match($this) {
+			self::SHA256 => 'sha256',
+			self::SHA512 => 'sha512',
+		};
+	}
+}

lib/public/Security/Signature/Enum/SignatoryStatus.php

@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Enum;
+
+use OCP\AppFramework\Attribute\Consumable;
+
+/**
+ * current status of signatory. is it trustable or not ?
+ *
+ * - SYNCED = the remote instance is trustable.
+ * - BROKEN = the remote instance does not use the same key pairs than previously
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+enum SignatoryStatus: int {
+	/** @since 33.0.0 */
+	case SYNCED = 1;
+	/** @since 33.0.0 */
+	case BROKEN = 9;
+}

lib/public/Security/Signature/Enum/SignatoryType.php

@@ -0,0 +1,33 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Enum;
+
+use OCP\AppFramework\Attribute\Consumable;
+
+/**
+ * type of link between local and remote instance
+ *
+ * - FORGIVABLE = the keypair can be deleted and refreshed anytime; silently
+ * - REFRESHABLE = the keypair can be refreshed but a notice will be generated
+ * - TRUSTED = any changes of keypair will require human interaction, warning will be issued
+ * - STATIC = error will be issued on conflict,  assume keypair cannot be reset.
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+enum SignatoryType: int {
+	/** @since 33.0.0 */
+	case FORGIVABLE = 1; // no notice on refresh
+	/** @since 33.0.0 */
+	case REFRESHABLE = 4; // notice on refresh
+	/** @since 33.0.0 */
+	case TRUSTED = 8; // warning on refresh
+	/** @since 33.0.0 */
+	case STATIC = 9; // error on refresh
+}

lib/public/Security/Signature/Enum/SignatureAlgorithm.php

@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2018 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Enum;
+
+use OCP\AppFramework\Attribute\Consumable;
+
+/**
+ * list of available algorithm when signing payload
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+enum SignatureAlgorithm: string {
+	/** @since 33.0.0 */
+	case RSA_SHA256 = 'rsa-sha256';
+	/** @since 33.0.0 */
+	case RSA_SHA512 = 'rsa-sha512';
+}

lib/public/Security/Signature/Exceptions/IdentityNotFoundException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class IdentityNotFoundException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/IncomingRequestException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class IncomingRequestException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/InvalidKeyOriginException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class InvalidKeyOriginException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/InvalidSignatureException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class InvalidSignatureException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/SignatoryConflictException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatoryConflictException extends SignatoryException {
+}

lib/public/Security/Signature/Exceptions/SignatoryException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatoryException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/SignatoryNotFoundException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatoryNotFoundException extends SignatoryException {
+}

lib/public/Security/Signature/Exceptions/SignatureElementNotFoundException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatureElementNotFoundException extends SignatureException {
+}

lib/public/Security/Signature/Exceptions/SignatureException.php

@@ -0,0 +1,19 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCP\Security\Signature\Exceptions;
+
+use Exception;
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatureException extends Exception {
+}

lib/public/Security/Signature/Exceptions/SignatureNotFoundException.php

@@ -0,0 +1,18 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2023 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Exceptions;
+
+use OCP\AppFramework\Attribute\Throwable;
+
+/**
+ * @since 33.0.0
+ */
+#[Throwable(since: '33.0.0')]
+class SignatureNotFoundException extends SignatureException {
+}

lib/public/Security/Signature/IIncomingSignedRequest.php

@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature;
+
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\IRequest;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+
+/**
+ * model wrapping an actual incoming request, adding details about the signature and the
+ * authenticity of the origin of the request.
+ *
+ * This interface must not be implemented in your application but
+ * instead obtained from {@see ISignatureManager::getIncomingSignedRequest}.
+ *
+ *  ```php
+ *  $signedRequest = $this->signatureManager->getIncomingSignedRequest($mySignatoryManager);
+ *  ```
+ *
+ * @see ISignatureManager for details on signature
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+interface IIncomingSignedRequest extends ISignedRequest {
+	/**
+	 * returns the base IRequest
+	 *
+	 * @return IRequest
+	 * @since 33.0.0
+	 */
+	public function getRequest(): IRequest;
+
+	/**
+	 * get the hostname at the source of the base request.
+	 * based on the keyId defined in the signature header.
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getOrigin(): string;
+
+	/**
+	 * returns the keyId extracted from the signature headers.
+	 * keyId is a mandatory entry in the headers of a signed request.
+	 *
+	 * @return string
+	 * @throws SignatureElementNotFoundException
+	 * @since 33.0.0
+	 */
+	public function getKeyId(): string;
+
+	/**
+	 * confirm the current signed request's identity is correct
+	 *
+	 * @throws SignatureException
+	 * @throws SignatoryNotFoundException
+	 * @since 33.0.0
+	 */
+	public function verify(): void;
+}

lib/public/Security/Signature/IOutgoingSignedRequest.php

@@ -0,0 +1,114 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature;
+
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\Security\Signature\Enum\SignatureAlgorithm;
+use OCP\Security\Signature\Exceptions\SignatoryException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+
+/**
+ * extends ISignedRequest to add info requested at the generation of the signature
+ *
+ *  This interface must not be implemented in your application but
+ *  instead obtained from {@see ISignatureManager::getIncomingSignedRequest}.
+ *
+ *   ```php
+ *   $signedRequest = $this->signatureManager->getIncomingSignedRequest($mySignatoryManager);
+ *   ```
+ *
+ * @see ISignatureManager for details on signature
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+interface IOutgoingSignedRequest extends ISignedRequest {
+	/**
+	 * set the host of the recipient of the request.
+	 *
+	 * @param string $host
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function setHost(string $host): self;
+
+	/**
+	 * get the host of the recipient of the request.
+	 * - on incoming request, this is the local hostname of current instance.
+	 * - on outgoing request, this is the remote instance.
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getHost(): string;
+
+	/**
+	 * add a key/value pair to the headers of the request
+	 *
+	 * @param string $key
+	 * @param string|int|float $value
+	 *
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function addHeader(string $key, string|int|float $value): self;
+
+	/**
+	 * returns list of headers value that will be added to the base request
+	 *
+	 * @return array
+	 * @since 33.0.0
+	 */
+	public function getHeaders(): array;
+
+	/**
+	 * set the ordered list of used headers in the Signature
+	 *
+	 * @param list<string> $list
+	 *
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function setHeaderList(array $list): self;
+
+	/**
+	 * returns ordered list of used headers in the Signature
+	 *
+	 * @return list<string>
+	 * @since 33.0.0
+	 */
+	public function getHeaderList(): array;
+
+	/**
+	 * set algorithm to be used to sign the signature
+	 *
+	 * @param SignatureAlgorithm $algorithm
+	 *
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function setAlgorithm(SignatureAlgorithm $algorithm): self;
+
+	/**
+	 * returns the algorithm set to sign the signature
+	 *
+	 * @return SignatureAlgorithm
+	 * @since 33.0.0
+	 */
+	public function getAlgorithm(): SignatureAlgorithm;
+
+	/**
+	 * sign outgoing request providing a certificate that it emanate from this instance
+	 *
+	 * @return self
+	 * @throws SignatoryException
+	 * @throws SignatoryNotFoundException
+	 * @since 33.0.0
+	 */
+	public function sign(): self;
+}

lib/public/Security/Signature/ISignatoryManager.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature;
+
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\Security\Signature\Model\Signatory;
+
+/**
+ * ISignatoryManager contains a group of method that will help
+ *   - signing outgoing request
+ *   - confirm the authenticity of incoming signed request.
+ *
+ * This interface must be implemented to generate a `SignatoryManager` to
+ *  be used with {@see ISignatureManager}
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+interface ISignatoryManager {
+	/**
+	 * id of the signatory manager.
+	 * This is used to store, confirm uniqueness and avoid conflict of the remote key pairs.
+	 *
+	 * Must be unique.
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getProviderId(): string;
+
+	/**
+	 * options that might affect the way the whole process is handled:
+	 * [
+	 *   'bodyMaxSize' => 10000,
+	 *   'ttl' => 300,
+	 *   'ttlSignatory' => 86400*3,
+	 *   'extraSignatureHeaders' => [],
+	 *   'algorithm' => 'sha256',
+	 *   'dateHeader' => "D, d M Y H:i:s T",
+	 * ]
+	 *
+	 * @return array
+	 * @since 33.0.0
+	 */
+	public function getOptions(): array;
+
+	/**
+	 * generate and returns local signatory including private and public key pair.
+	 *
+	 * Used to sign outgoing request
+	 *
+	 * @return Signatory
+	 * @since 33.0.0
+	 */
+	public function getLocalSignatory(): Signatory;
+
+	/**
+	 * retrieve details and generate signatory from remote instance.
+	 * If signatory cannot be found, returns NULL.
+	 *
+	 * Used to confirm authenticity of incoming request.
+	 *
+	 * @param string $remote
+	 *
+	 * @return Signatory|null must be NULL if no signatory is found
+	 * @since 33.0.0
+	 */
+	public function getRemoteSignatory(string $remote): ?Signatory;
+}

lib/public/Security/Signature/ISignatureManager.php

@@ -0,0 +1,138 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature;
+
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Exceptions\IncomingRequestException;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureException;
+use OCP\Security\Signature\Exceptions\SignatureNotFoundException;
+use OCP\Security\Signature\Model\Signatory;
+
+/**
+ * ISignatureManager is a service integrated to core that provide tools
+ * to set/get authenticity of/from outgoing/incoming request.
+ *
+ * Quick description of the signature, added to the headers
+ * {
+ *     "(request-target)": "post /path",
+ *     "content-length": 385,
+ *     "date": "Mon, 08 Jul 2024 14:16:20 GMT",
+ *     "digest": "SHA-256=U7gNVUQiixe5BRbp4Tg0xCZMTcSWXXUZI2\\/xtHM40S0=",
+ *     "host": "hostname.of.the.recipient",
+ *     "Signature": "keyId=\"https://author.hostname/key\",algorithm=\"sha256\",headers=\"content-length date digest host\",signature=\"DzN12OCS1rsA[...]o0VmxjQooRo6HHabg==\""
+ * }
+ *
+ * 'content-length' is the total length of the data/content
+ * 'date' is the datetime the request have been initiated
+ * 'digest' is a checksum of the data/content
+ * 'host' is the hostname of the recipient of the request (remote when signing outgoing request, local on incoming request)
+ * 'Signature' contains the signature generated using the private key, and metadata:
+ *    - 'keyId' is a unique id, formatted as an url. hostname is used to retrieve the public key via custom discovery
+ *    - 'algorithm' define the algorithm used to generate signature
+ *    - 'headers' contains a list of element used during the generation of the signature
+ *    - 'signature' is the encrypted string, using local private key, of an array containing elements
+ *      listed in 'headers' and their value. Some elements (content-length date digest host) are mandatory
+ *      to ensure authenticity override protection.
+ *
+ * This interface can be used to inject {@see SignatureManager} in your code:
+ *
+ * ```php
+ *    public function __construct(
+ *        private ISignatureManager $signatureManager,
+ *    ) {}
+ *  ```
+ *
+ *   instead obtained from {@see ISignatureManager::getIncomingSignedRequest}.
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+interface ISignatureManager {
+	/**
+	 * Extracting data from headers and body from the incoming request.
+	 * Compare headers and body to confirm authenticity of remote instance.
+	 * Returns details about the signed request or throws exception.
+	 *
+	 * Should be called from Controller.
+	 *
+	 * @param ISignatoryManager $signatoryManager used to get details about remote instance
+	 * @param string|null $body if NULL, body will be extracted from php://input
+	 *
+	 * @return IIncomingSignedRequest
+	 * @throws IncomingRequestException if anything looks wrong with the incoming request
+	 * @throws SignatureNotFoundException if incoming request is not signed
+	 * @throws SignatureException if signature could not be confirmed
+	 * @since 33.0.0
+	 */
+	public function getIncomingSignedRequest(ISignatoryManager $signatoryManager, ?string $body = null): IIncomingSignedRequest;
+
+	/**
+	 * Preparing signature (and headers) to sign an outgoing request.
+	 * Returns a IOutgoingSignedRequest containing all details to finalise the packaging of the whole payload
+	 *
+	 * @param ISignatoryManager $signatoryManager
+	 * @param string $content body to be signed
+	 * @param string $method needed in the signature
+	 * @param string $uri needed in the signature
+	 *
+	 * @return IOutgoingSignedRequest
+	 * @since 33.0.0
+	 */
+	public function getOutgoingSignedRequest(ISignatoryManager $signatoryManager, string $content, string $method, string $uri): IOutgoingSignedRequest;
+
+	/**
+	 * Complete the full process of signing and filling headers from payload when generating
+	 * an outgoing request with IClient
+	 *
+	 * @param ISignatoryManager $signatoryManager
+	 * @param array $payload original payload, will be used to sign and completed with new headers with signature elements
+	 * @param string $method needed in the signature
+	 * @param string $uri needed in the signature
+	 *
+	 * @return array new payload to be sent, including original payload and signature elements in headers
+	 * @since 33.0.0
+	 */
+	public function signOutgoingRequestIClientPayload(ISignatoryManager $signatoryManager, array $payload, string $method, string $uri): array;
+
+	/**
+	 * returns remote signatory stored in local database, based on the remote host.
+	 *
+	 * @param string $host remote host
+	 * @param string $account linked account, should be used when multiple signature can exist for the same host
+	 *
+	 * @return Signatory
+	 * @throws SignatoryNotFoundException if entry does not exist in local database
+	 * @since 33.0.0
+	 */
+	public function getSignatory(string $host, string $account = ''): Signatory;
+
+	/**
+	 * returns a fully formatted keyId, based on a fix hostname and path
+	 *
+	 * @param string $path
+	 *
+	 * @return string
+	 * @throws IdentityNotFoundException if hostname is not set
+	 * @since 33.0.0
+	 */
+	public function generateKeyIdFromConfig(string $path): string;
+
+	/**
+	 * returns hostname:port extracted from an uri
+	 *
+	 * @param string $uri
+	 *
+	 * @return string
+	 * @throws IdentityNotFoundException if identity cannot be extracted
+	 * @since 33.0.0
+	 */
+	public function extractIdentityFromUri(string $uri): string;
+}

lib/public/Security/Signature/ISignedRequest.php

@@ -0,0 +1,123 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature;
+
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\Security\Signature\Enum\DigestAlgorithm;
+use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
+use OCP\Security\Signature\Exceptions\SignatureElementNotFoundException;
+use OCP\Security\Signature\Model\Signatory;
+
+/**
+ * model that store data related to a possible signature.
+ * those details will be used:
+ * - to confirm authenticity of a signed incoming request
+ * - to sign an outgoing request
+ *
+ * This interface must not be implemented in your application:
+ * @see IIncomingSignedRequest
+ * @see IOutgoingSignedRequest
+ *
+ * @since 33.0.0
+ */
+#[Consumable(since: '33.0.0')]
+interface ISignedRequest {
+	/**
+	 * payload of the request
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getBody(): string;
+
+	/**
+	 * get algorithm used to generate digest
+	 *
+	 * @return DigestAlgorithm
+	 * @since 33.0.0
+	 */
+	public function getDigestAlgorithm(): DigestAlgorithm;
+
+	/**
+	 * checksum of the payload of the request
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getDigest(): string;
+
+	/**
+	 * set the list of headers related to the signature of the request
+	 *
+	 * @param array $elements
+	 *
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function setSigningElements(array $elements): self;
+
+	/**
+	 * get the list of elements in the Signature header of the request
+	 *
+	 * @return array
+	 * @since 33.0.0
+	 */
+	public function getSigningElements(): array;
+
+	/**
+	 * @param string $key
+	 *
+	 * @return string
+	 * @throws SignatureElementNotFoundException
+	 * @since 33.0.0
+	 */
+	public function getSigningElement(string $key): string;
+
+	/**
+	 * returns data used to generate signature
+	 *
+	 * @return array
+	 * @since 33.0.0
+	 */
+	public function getSignatureData(): array;
+
+	/**
+	 * get the signed version of the signature
+	 *
+	 * @return string
+	 * @since 33.0.0
+	 */
+	public function getSignature(): string;
+
+	/**
+	 * set the signatory, containing keys and details, related to this request
+	 *
+	 * @param Signatory $signatory
+	 * @return self
+	 * @since 33.0.0
+	 */
+	public function setSignatory(Signatory $signatory): self;
+
+	/**
+	 * get the signatory, containing keys and details, related to this request
+	 *
+	 * @return Signatory
+	 * @throws SignatoryNotFoundException
+	 * @since 33.0.0
+	 */
+	public function getSignatory(): Signatory;
+
+	/**
+	 * returns if a signatory related to this request have been found and defined
+	 *
+	 * @return bool
+	 * @since 33.0.0
+	 */
+	public function hasSignatory(): bool;
+}

lib/public/Security/Signature/Model/Signatory.php

@@ -0,0 +1,202 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCP\Security\Signature\Model;
+
+use JsonSerializable;
+use OCP\AppFramework\Attribute\Consumable;
+use OCP\AppFramework\Db\Entity;
+use OCP\Security\Signature\Enum\SignatoryStatus;
+use OCP\Security\Signature\Enum\SignatoryType;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+
+/**
+ * model that store keys and details related to host and in use protocol
+ * mandatory details are providerId, host, keyId and public key.
+ * private key is only used for local signatory, used to sign outgoing request
+ *
+ * the pair providerId+host is unique, meaning only one signatory can exist for each host
+ * and protocol
+ *
+ * @since 33.0.0
+ *
+ * @method void setProviderId(string $providerId)
+ * @method string getProviderId()
+ * @method string getKeyId()
+ * @method void setKeyIdSum(string $keyIdSum)
+ * @method string getKeyIdSum()
+ * @method void setPublicKey(string $publicKey)
+ * @method string getPublicKey()
+ * @method void setPrivateKey(string $privateKey)
+ * @method string getPrivateKey()
+ * @method void setHost(string $host)
+ * @method string getHost()
+ * @method int getType()
+ * @method void setType(int $type)
+ * @method int getStatus()
+ * @method void setStatus(int $status)
+ * @method void setAccount(?string $account)
+ * @method void setMetadata(array $metadata)
+ * @method ?array getMetadata()
+ * @method void setCreation(int $creation)
+ * @method int getCreation()
+ * @method void setLastUpdated(int $creation)
+ * @method int getLastUpdated()
+ * @psalm-suppress PropertyNotSetInConstructor
+ */
+#[Consumable(since: '33.0.0')]
+class Signatory extends Entity implements JsonSerializable {
+	protected string $keyId = '';
+	protected string $keyIdSum = '';
+	protected string $providerId = '';
+	protected string $host = '';
+	protected string $publicKey = '';
+	protected string $privateKey = '';
+	protected ?string $account = '';
+	protected int $type = 9;
+	protected int $status = 1;
+	protected ?array $metadata = null;
+	protected int $creation = 0;
+	protected int $lastUpdated = 0;
+
+	/**
+	 * @param bool $local only set to TRUE when managing local signatory
+	 *
+	 * @since 33.0.0
+	 */
+	public function __construct(
+		private readonly bool $local = false,
+	) {
+		$this->addType('providerId', 'string');
+		$this->addType('host', 'string');
+		$this->addType('account', 'string');
+		$this->addType('keyId', 'string');
+		$this->addType('keyIdSum', 'string');
+		$this->addType('publicKey', 'string');
+		$this->addType('metadata', 'json');
+		$this->addType('type', 'integer');
+		$this->addType('status', 'integer');
+		$this->addType('creation', 'integer');
+		$this->addType('lastUpdated', 'integer');
+	}
+
+	/**
+	 * @param string $keyId
+	 *
+	 * @since 33.0.0
+	 * @throws IdentityNotFoundException if identity cannot be extracted from keyId
+	 */
+	public function setKeyId(string $keyId): void {
+		// if set as local (for current instance), we apply some filters.
+		if ($this->local) {
+			// to avoid conflict with duplicate key pairs (ie generated url from the occ command), we enforce https as prefix
+			if (str_starts_with($keyId, 'http://')) {
+				$keyId = 'https://' . substr($keyId, 7);
+			}
+
+			// removing /index.php from generated url
+			$path = parse_url($keyId, PHP_URL_PATH);
+			if (str_starts_with($path, '/index.php/')) {
+				$pos = strpos($keyId, '/index.php');
+				if ($pos !== false) {
+					$keyId = substr_replace($keyId, '', $pos, 10);
+				}
+			}
+		}
+		$this->setter('keyId', [$keyId]); // needed to trigger the update in database
+		$this->setKeyIdSum(hash('sha256', $keyId));
+
+		$this->setHost(self::extractIdentityFromUri($this->getKeyId()));
+	}
+
+	/**
+	 * @param SignatoryType $type
+	 * @since 33.0.0
+	 */
+	public function setSignatoryType(SignatoryType $type): void {
+		$this->setType($type->value);
+	}
+
+	/**
+	 * @return SignatoryType
+	 * @since 33.0.0
+	 */
+	public function getSignatoryType(): SignatoryType {
+		return SignatoryType::from($this->getType());
+	}
+
+	/**
+	 * @param SignatoryStatus $status
+	 * @since 33.0.0
+	 */
+	public function setSignatoryStatus(SignatoryStatus $status): void {
+		$this->setStatus($status->value);
+	}
+
+	/**
+	 * @return SignatoryStatus
+	 * @since 33.0.0
+	 */
+	public function getSignatoryStatus(): SignatoryStatus {
+		return SignatoryStatus::from($this->getStatus());
+	}
+
+	/**
+	 * @since 33.0.0
+	 */
+	public function getAccount(): string {
+		return $this->account ?? '';
+	}
+
+	/**
+	 * update an entry in metadata
+	 *
+	 * @param string $key
+	 * @param string|int|float|bool|array $value
+	 * @since 33.0.0
+	 */
+	public function setMetaValue(string $key, string|int|float|bool|array $value): void {
+		$this->metadata[$key] = $value;
+		$this->setter('metadata', [$this->metadata]);
+	}
+
+	/**
+	 * @return array
+	 * @since 33.0.0
+	 */
+	public function jsonSerialize(): array {
+		return [
+			'keyId' => $this->getKeyId(),
+			'publicKeyPem' => $this->getPublicKey()
+		];
+	}
+
+	/**
+	 * static is needed to make this easily callable from outside the model
+	 *
+	 * @param string $uri
+	 *
+	 * @return string
+	 * @throws IdentityNotFoundException if identity cannot be extracted
+	 * @since 33.0.0
+	 */
+	public static function extractIdentityFromUri(string $uri): string {
+		$identity = parse_url($uri, PHP_URL_HOST);
+		$port = parse_url($uri, PHP_URL_PORT);
+		if ($identity === null || $identity === false) {
+			throw new IdentityNotFoundException('cannot extract identity from ' . $uri);
+		}
+
+		if ($port !== null && $port !== false) {
+			$identity .= ':' . $port;
+		}
+
+		return $identity;
+	}
+
+}

lib/unstable/Federation/ISignedCloudFederationProvider.php

@@ -16,6 +16,7 @@ use OCP\Federation\ICloudFederationProvider;
  * Enable apps to create their own cloud federation provider
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Federation\ISignedCloudFederationProvider}
  */
 interface ISignedCloudFederationProvider extends ICloudFederationProvider {
 
@@ -27,6 +28,7 @@ interface ISignedCloudFederationProvider extends ICloudFederationProvider {
 	 * @param array $payload
 	 *
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Federation\ISignedCloudFederationProvider}
 	 * @return string
 	 */
 	public function getFederationIdFromSharedSecret(string $sharedSecret, array $payload): string;

lib/unstable/Security/Signature/Enum/DigestAlgorithm.php

@@ -12,11 +12,18 @@ namespace NCU\Security\Signature\Enum;
  * list of available algorithm when generating digest from body
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Enum\DigestAlgorithm}
  */
 enum DigestAlgorithm: string {
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case SHA256 = 'SHA-256';
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case SHA512 = 'SHA-512';
 
 	/**
@@ -24,6 +31,8 @@ enum DigestAlgorithm: string {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Enum\DigestAlgorithm}
+	 * @psalm-suppress DeprecatedConstant
 	 */
 	public function getHashingAlgorithm(): string {
 		return match($this) {

lib/unstable/Security/Signature/Enum/SignatoryStatus.php

@@ -15,10 +15,17 @@ namespace NCU\Security\Signature\Enum;
  * - BROKEN = the remote instance does not use the same key pairs than previously
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Enum\SignatoryStatus}
  */
 enum SignatoryStatus: int {
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case SYNCED = 1;
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case BROKEN = 9;
 }

lib/unstable/Security/Signature/Enum/SignatoryType.php

@@ -17,14 +17,27 @@ namespace NCU\Security\Signature\Enum;
  * - STATIC = error will be issued on conflict,  assume keypair cannot be reset.
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Enum\SignatoryType}
  */
 enum SignatoryType: int {
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case FORGIVABLE = 1; // no notice on refresh
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case REFRESHABLE = 4; // notice on refresh
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case TRUSTED = 8; // warning on refresh
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case STATIC = 9; // error on refresh
 }

lib/unstable/Security/Signature/Enum/SignatureAlgorithm.php

@@ -12,10 +12,17 @@ namespace NCU\Security\Signature\Enum;
  * list of available algorithm when signing payload
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Enum\SignatureAlgorithm}
  */
 enum SignatureAlgorithm: string {
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case RSA_SHA256 = 'rsa-sha256';
-	/** @experimental 31.0.0 */
+	/**
+	 * @experimental 31.0.0
+	 * @deprecated 33.0.0
+	 */
 	case RSA_SHA512 = 'rsa-sha512';
 }

lib/unstable/Security/Signature/Exceptions/IdentityNotFoundException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\IdentityNotFoundException}
+ * @psalm-suppress DeprecatedClass
  */
 class IdentityNotFoundException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/IncomingRequestException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\IncomingRequestException}
+ * @psalm-suppress DeprecatedClass
  */
 class IncomingRequestException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/InvalidKeyOriginException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\InvalidKeyOriginException}
+ * @psalm-suppress DeprecatedClass
  */
 class InvalidKeyOriginException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/InvalidSignatureException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\InvalidSignatureException}
+ * @psalm-suppress DeprecatedClass
  */
 class InvalidSignatureException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/SignatoryConflictException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatoryConflictException}
+ * @psalm-suppress DeprecatedClass
  */
 class SignatoryConflictException extends SignatoryException {
 }

lib/unstable/Security/Signature/Exceptions/SignatoryException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatoryException}
+ * @psalm-suppress DeprecatedClass
  */
 class SignatoryException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/SignatoryNotFoundException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatoryNotFoundException}
+ * @psalm-suppress DeprecatedClass
  */
 class SignatoryNotFoundException extends SignatoryException {
 }

lib/unstable/Security/Signature/Exceptions/SignatureElementNotFoundException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatureElementNotFoundException}
+ * @psalm-suppress DeprecatedClass
  */
 class SignatureElementNotFoundException extends SignatureException {
 }

lib/unstable/Security/Signature/Exceptions/SignatureException.php

@@ -12,6 +12,7 @@ use Exception;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatureException}
  */
 class SignatureException extends Exception {
 }

lib/unstable/Security/Signature/Exceptions/SignatureNotFoundException.php

@@ -10,6 +10,8 @@ namespace NCU\Security\Signature\Exceptions;
 
 /**
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Exceptions\SignatureNotFoundException}
+ * @psalm-suppress DeprecatedClass
  */
 class SignatureNotFoundException extends SignatureException {
 }

lib/unstable/Security/Signature/IIncomingSignedRequest.php

@@ -26,6 +26,7 @@ use OCP\IRequest;
  *
  * @see ISignatureManager for details on signature
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IIncomingSignedRequest}
  */
 interface IIncomingSignedRequest extends ISignedRequest {
 	/**
@@ -33,6 +34,7 @@ interface IIncomingSignedRequest extends ISignedRequest {
 	 *
 	 * @return IRequest
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IIncomingSignedRequest}
 	 */
 	public function getRequest(): IRequest;
 
@@ -42,6 +44,7 @@ interface IIncomingSignedRequest extends ISignedRequest {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IIncomingSignedRequest}
 	 */
 	public function getOrigin(): string;
 
@@ -52,6 +55,7 @@ interface IIncomingSignedRequest extends ISignedRequest {
 	 * @return string
 	 * @throws SignatureElementNotFoundException
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IIncomingSignedRequest}
 	 */
 	public function getKeyId(): string;
 
@@ -61,6 +65,7 @@ interface IIncomingSignedRequest extends ISignedRequest {
 	 * @throws SignatureException
 	 * @throws SignatoryNotFoundException
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IIncomingSignedRequest}
 	 */
 	public function verify(): void;
 }

lib/unstable/Security/Signature/IOutgoingSignedRequest.php

@@ -24,6 +24,7 @@ use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
  *
  * @see ISignatureManager for details on signature
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
  */
 interface IOutgoingSignedRequest extends ISignedRequest {
 	/**
@@ -32,6 +33,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 * @param string $host
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function setHost(string $host): self;
 
@@ -42,6 +44,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function getHost(): string;
 
@@ -53,6 +56,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function addHeader(string $key, string|int|float $value): self;
 
@@ -61,6 +65,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return array
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function getHeaders(): array;
 
@@ -71,6 +76,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function setHeaderList(array $list): self;
 
@@ -79,6 +85,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return list<string>
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function getHeaderList(): array;
 
@@ -89,6 +96,8 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function setAlgorithm(SignatureAlgorithm $algorithm): self;
 
@@ -97,6 +106,8 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 *
 	 * @return SignatureAlgorithm
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getAlgorithm(): SignatureAlgorithm;
 
@@ -107,6 +118,7 @@ interface IOutgoingSignedRequest extends ISignedRequest {
 	 * @throws SignatoryException
 	 * @throws SignatoryNotFoundException
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\IOutgoingSignedRequest}
 	 */
 	public function sign(): self;
 }

lib/unstable/Security/Signature/ISignatoryManager.php

@@ -19,6 +19,7 @@ use NCU\Security\Signature\Model\Signatory;
  *  be used with {@see ISignatureManager}
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatoryManager}
  */
 interface ISignatoryManager {
 	/**
@@ -29,6 +30,7 @@ interface ISignatoryManager {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatoryManager}
 	 */
 	public function getProviderId(): string;
 
@@ -45,6 +47,7 @@ interface ISignatoryManager {
 	 *
 	 * @return array
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatoryManager}
 	 */
 	public function getOptions(): array;
 
@@ -55,6 +58,8 @@ interface ISignatoryManager {
 	 *
 	 * @return Signatory
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatoryManager}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getLocalSignatory(): Signatory;
 
@@ -68,6 +73,8 @@ interface ISignatoryManager {
 	 *
 	 * @return Signatory|null must be NULL if no signatory is found
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatoryManager}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getRemoteSignatory(string $remote): ?Signatory;
 }

lib/unstable/Security/Signature/ISignatureManager.php

@@ -52,6 +52,7 @@ use NCU\Security\Signature\Model\Signatory;
  *   instead obtained from {@see ISignatureManager::getIncomingSignedRequest}.
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
  */
 interface ISignatureManager {
 	/**
@@ -69,6 +70,8 @@ interface ISignatureManager {
 	 * @throws SignatureNotFoundException if incoming request is not signed
 	 * @throws SignatureException if signature could not be confirmed
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
+	 * @psalm-suppress DeprecatedInterface
 	 */
 	public function getIncomingSignedRequest(ISignatoryManager $signatoryManager, ?string $body = null): IIncomingSignedRequest;
 
@@ -83,6 +86,8 @@ interface ISignatureManager {
 	 *
 	 * @return IOutgoingSignedRequest
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
+	 * @psalm-suppress DeprecatedInterface
 	 */
 	public function getOutgoingSignedRequest(ISignatoryManager $signatoryManager, string $content, string $method, string $uri): IOutgoingSignedRequest;
 
@@ -97,6 +102,8 @@ interface ISignatureManager {
 	 *
 	 * @return array new payload to be sent, including original payload and signature elements in headers
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
+	 * @psalm-suppress DeprecatedInterface
 	 */
 	public function signOutgoingRequestIClientPayload(ISignatoryManager $signatoryManager, array $payload, string $method, string $uri): array;
 
@@ -109,6 +116,8 @@ interface ISignatureManager {
 	 * @return Signatory
 	 * @throws SignatoryNotFoundException if entry does not exist in local database
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getSignatory(string $host, string $account = ''): Signatory;
 
@@ -120,6 +129,7 @@ interface ISignatureManager {
 	 * @return string
 	 * @throws IdentityNotFoundException if hostname is not set
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
 	 */
 	public function generateKeyIdFromConfig(string $path): string;
 
@@ -131,6 +141,7 @@ interface ISignatureManager {
 	 * @return string
 	 * @throws IdentityNotFoundException if identity cannot be extracted
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignatureManager}
 	 */
 	public function extractIdentityFromUri(string $uri): string;
 }

lib/unstable/Security/Signature/ISignedRequest.php

@@ -24,6 +24,7 @@ use NCU\Security\Signature\Model\Signatory;
  * @see IOutgoingSignedRequest
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
  */
 interface ISignedRequest {
 	/**
@@ -31,6 +32,7 @@ interface ISignedRequest {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getBody(): string;
 
@@ -39,6 +41,8 @@ interface ISignedRequest {
 	 *
 	 * @return DigestAlgorithm
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getDigestAlgorithm(): DigestAlgorithm;
 
@@ -47,6 +51,7 @@ interface ISignedRequest {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getDigest(): string;
 
@@ -57,6 +62,7 @@ interface ISignedRequest {
 	 *
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function setSigningElements(array $elements): self;
 
@@ -65,6 +71,7 @@ interface ISignedRequest {
 	 *
 	 * @return array
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getSigningElements(): array;
 
@@ -74,6 +81,7 @@ interface ISignedRequest {
 	 * @return string
 	 * @throws SignatureElementNotFoundException
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getSigningElement(string $key): string;
 
@@ -82,6 +90,7 @@ interface ISignedRequest {
 	 *
 	 * @return array
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getSignatureData(): array;
 
@@ -90,6 +99,7 @@ interface ISignedRequest {
 	 *
 	 * @return string
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function getSignature(): string;
 
@@ -99,6 +109,8 @@ interface ISignedRequest {
 	 * @param Signatory $signatory
 	 * @return self
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function setSignatory(Signatory $signatory): self;
 
@@ -108,6 +120,8 @@ interface ISignedRequest {
 	 * @return Signatory
 	 * @throws SignatoryNotFoundException
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getSignatory(): Signatory;
 
@@ -116,6 +130,7 @@ interface ISignedRequest {
 	 *
 	 * @return bool
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\ISignedRequest}
 	 */
 	public function hasSignatory(): bool;
 }

lib/unstable/Security/Signature/Model/Signatory.php

@@ -23,6 +23,7 @@ use OCP\AppFramework\Db\Entity;
  * and protocol
  *
  * @experimental 31.0.0
+ * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
  *
  * @method void setProviderId(string $providerId)
  * @method string getProviderId()
@@ -66,6 +67,7 @@ class Signatory extends Entity implements JsonSerializable {
 	 * @param bool $local only set to TRUE when managing local signatory
 	 *
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
 	 */
 	public function __construct(
 		private readonly bool $local = false,
@@ -87,7 +89,9 @@ class Signatory extends Entity implements JsonSerializable {
 	 * @param string $keyId
 	 *
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
 	 * @throws IdentityNotFoundException if identity cannot be extracted from keyId
+	 * @psalm-suppress DeprecatedMethod
 	 */
 	public function setKeyId(string $keyId): void {
 		// if set as local (for current instance), we apply some filters.
@@ -115,6 +119,8 @@ class Signatory extends Entity implements JsonSerializable {
 	/**
 	 * @param SignatoryType $type
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function setSignatoryType(SignatoryType $type): void {
 		$this->setType($type->value);
@@ -123,6 +129,8 @@ class Signatory extends Entity implements JsonSerializable {
 	/**
 	 * @return SignatoryType
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getSignatoryType(): SignatoryType {
 		return SignatoryType::from($this->getType());
@@ -131,6 +139,8 @@ class Signatory extends Entity implements JsonSerializable {
 	/**
 	 * @param SignatoryStatus $status
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function setSignatoryStatus(SignatoryStatus $status): void {
 		$this->setStatus($status->value);
@@ -139,6 +149,8 @@ class Signatory extends Entity implements JsonSerializable {
 	/**
 	 * @return SignatoryStatus
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public function getSignatoryStatus(): SignatoryStatus {
 		return SignatoryStatus::from($this->getStatus());
@@ -146,6 +158,7 @@ class Signatory extends Entity implements JsonSerializable {
 
 	/**
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
 	 */
 	public function getAccount(): string {
 		return $this->account ?? '';
@@ -157,6 +170,7 @@ class Signatory extends Entity implements JsonSerializable {
 	 * @param string $key
 	 * @param string|int|float|bool|array $value
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
 	 */
 	public function setMetaValue(string $key, string|int|float|bool|array $value): void {
 		$this->metadata[$key] = $value;
@@ -166,6 +180,7 @@ class Signatory extends Entity implements JsonSerializable {
 	/**
 	 * @return array
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
 	 */
 	public function jsonSerialize(): array {
 		return [
@@ -182,6 +197,8 @@ class Signatory extends Entity implements JsonSerializable {
 	 * @return string
 	 * @throws IdentityNotFoundException if identity cannot be extracted
 	 * @experimental 31.0.0
+	 * @deprecated 33.0.0 use {@see \OCP\Security\Signature\Model\Signatory}
+	 * @psalm-suppress DeprecatedClass
 	 */
 	public static function extractIdentityFromUri(string $uri): string {
 		$identity = parse_url($uri, PHP_URL_HOST);