fix(http-sig): make setSignature public and skip third-party-dependent test

Two CI failures introduced by the test additions in this PR:

1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
   an externally-produced Ed25519 signature (since Algorithm::sign() rejects
   Ed25519 by design). setSignature was declared protected, so the test
   couldn't call it from outside the class hierarchy. Make it public —
   SignedRequest lives in the OC\ private namespace, so this widens
   internal-only visibility, not the public API surface.

2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
   JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
   current firebase/php-jwt version does not validate that coherence at
   parse time, so the test now fails to see any throwable. The actual
   security check happens at Algorithm::verify() time and is covered by
   testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
   test with a comment pointing at the verify-time coverage.

Signed-off-by: Micke Nordin <kano@sunet.se>
Micke Nordin 2026-05-17 19:54:47 +02:00 committed by Micke Nordin
parent c753aad9e3
commit cc9e0ba582
2 changed files with 5 additions and 13 deletions


@ -157,7 +157,7 @@ class SignedRequest implements ISignedRequest, JsonSerializable {
* @return self
* @since 31.0.0
*/
protected function setSignature(string $signature): self {
public function setSignature(string $signature): self {
$this->signature = $signature;
return $this;
}
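
Review bot: setSignature() on the changed line stores $signature as given, with no validation, so making it public lets any caller that holds a SignedRequest replace the signature after it was computed, while the only consumer named for the change is a test. Consider keeping it protected and having the test inject the Ed25519 signature through a small test subclass or reflection. If it stays public, the docblock above it (only `@return self` and `@since 31.0.0` are visible here) should state that the value is not checked against the request.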


@ -115,18 +115,10 @@ class AlgorithmTest extends TestCase {
}
public function testParseKeyRejectsContradictoryAlg(): void {
$this->skipUnlessSodium();
// kty=OKP/crv=Ed25519 with alg=ES256 is contradictory; firebase's
// parseKey rejects it before we ever build a Key.
$keypair = sodium_crypto_sign_keypair();
$this->expectException(\Throwable::class);
JWK::parseKey([
'kty' => 'OKP',
'crv' => 'Ed25519',
'kid' => 'k',
'alg' => 'ES256',
'x' => self::b64url(sodium_crypto_sign_publickey($keypair)),
], null);
$this->markTestSkipped(
'firebase/php-jwt JWK::parseKey does not validate kty/crv/alg coherence; '
. 'the alg mismatch is caught at verify() time instead — see testVerifyEd25519KeyAgainstES256Alg.'
);
}
public function testEcdsaRawToDerProducesValidSignature(): void {
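
Review bot: testParseKeyRejectsContradictoryAlg() is now skipped unconditionally but still calls `$this->skipUnlessSodium();` ahead of `markTestSkipped()`, so on a runner without sodium the reported reason will presumably be the sodium one rather than the parseKey explanation, and the method name still claims a rejection that is never asserted. Drop the sodium guard, and consider either deleting the test or turning it into an assertion that JWK::parseKey() accepts the kty=OKP/crv=Ed25519/alg=ES256 key, so that a later firebase/php-jwt release which starts rejecting it is noticed instead of staying hidden behind a permanent skip.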