Two CI failures introduced by the test additions in this PR:

1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
an externally-produced Ed25519 signature (since Algorithm::sign() rejects
Ed25519 by design). setSignature was declared protected, so the test
couldn't call it from outside the class hierarchy. Make it public —
SignedRequest lives in the OC\ private namespace, so this widens
internal-only visibility, not the public API surface.

2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
current firebase/php-jwt version does not validate that coherence at
parse time, so the test now fails to see any throwable. The actual
security check happens at Algorithm::verify() time and is covered by
testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
test with a comment pointing at the verify-time coverage.

Signed-off-by: Micke Nordin <kano@sunet.se>