From cc9e0ba5824229f4803b69ef26e8007b26d3ae7b Mon Sep 17 00:00:00 2001
From: Micke Nordin
Date: Sun, 17 May 2026 19:54:47 +0200
Subject: [PATCH] fix(http-sig): make setSignature public and skip third-party-dependent test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two CI failures introduced by the test additions in this PR:

1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject an externally-produced Ed25519 signature (since Algorithm::sign() rejects Ed25519 by design). setSignature was declared protected, so the test couldn't call it from outside the class hierarchy. Make it public — SignedRequest lives in the OC\ private namespace, so this widens internal-only visibility, not the public API surface.

2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The current firebase/php-jwt version does not validate that coherence at parse time, so the test now fails to see any throwable. The actual security check happens at Algorithm::verify() time and is covered by testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time test with a comment pointing at the verify-time coverage.

Signed-off-by: Micke Nordin
---
 .../Security/Signature/Model/SignedRequest.php | 2 +-
 .../Security/Signature/Rfc9421/AlgorithmTest.php | 16 ++++------------
 2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/lib/private/Security/Signature/Model/SignedRequest.php b/lib/private/Security/Signature/Model/SignedRequest.php
index 1b60a49cedc..137c64dffda 100644
--- a/lib/private/Security/Signature/Model/SignedRequest.php
+++ b/lib/private/Security/Signature/Model/SignedRequest.php
@@ -157,7 +157,7 @@ class SignedRequest implements ISignedRequest, JsonSerializable {
 * @return self
 * @since 31.0.0
 */
- protected function setSignature(string $signature): self {
+ public function setSignature(string $signature): self {
 $this->signature = $signature;
 return $this;
 }
diff --git a/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php b/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php
index bb89430e5f0..ce8339c12a2 100644
--- a/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php
+++ b/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php
@@ -115,18 +115,10 @@ class AlgorithmTest extends TestCase {
 }
 
 public function testParseKeyRejectsContradictoryAlg(): void {
- $this->skipUnlessSodium();
- // kty=OKP/crv=Ed25519 with alg=ES256 is contradictory; firebase's
- // parseKey rejects it before we ever build a Key.
- $keypair = sodium_crypto_sign_keypair();
- $this->expectException(\Throwable::class);
- JWK::parseKey([
- 'kty' => 'OKP',
- 'crv' => 'Ed25519',
- 'kid' => 'k',
- 'alg' => 'ES256',
- 'x' => self::b64url(sodium_crypto_sign_publickey($keypair)),
- ], null);
+ $this->markTestSkipped(
+ 'firebase/php-jwt JWK::parseKey does not validate kty/crv/alg coherence; '
+ . 'the alg mismatch is caught at verify() time instead — see testVerifyEd25519KeyAgainstES256Alg.'
+ );
 }
 
 public function testEcdsaRawToDerProducesValidSignature(): void {
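Review bot: Making `setSignature` public lets any holder of a `SignedRequest` replace the signature after the object has been built, whereas the protected form confined that to the class hierarchy; the commit argues this is acceptable because the class lives in the private `OC\` namespace, but nothing in the hunk records that the widening exists only for tests. I'd add `@internal` to the docblock this hunk already sits under, e.g. ` * @internal public only so tests can inject an externally produced signature; not declared on ISignedRequest`, so static analysers such as Psalm report production callers and the `@since 31.0.0` line is not read as a promise that the public setter is stable API. If the production surface should stay unchanged, a test-local subclass that exposes the protected setter gives the test the same access without this change. The rest of the class, including whether any verification result is cached next to the signature, lies outside the hunk, so I cannot tell whether a later overwrite would invalidate it.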
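Review bot: An unconditional `$this->markTestSkipped(...)` turns `testParseKeyRejectsContradictoryAlg` into a permanent skip that reports on every run and can never fail, so it neither protects anything nor tells anyone when firebase/php-jwt starts validating kty/crv/alg coherence at parse time. Since the skip message itself says the check is covered by `testVerifyEd25519KeyAgainstES256Alg`, delete the method outright; if the intent is to notice the library change, keep `$this->skipUnlessSodium()` and the key fixture and assert the current behaviour instead, e.g. `self::assertNotNull(JWK::parseKey([/* contradictory OKP key as before */], null));` with a comment that the alg mismatch is rejected at verify time, so a dependency bump that starts throwing fails here loudly. Either way the rejection of an `alg` that contradicts the key's curve now rests entirely on the verify-time test, which is not in this hunk, so that test must stay. The enclosing test class continues outside the hunk.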