nextcloud/lib/private/Security/Signature/Rfc9421/IJwkResolvingSignatoryManager.php
Micke Nordin 0eb927e617 feat(http-sig): RFC 9421 protocol primitives
Add the RFC 9421 (HTTP Message Signatures) sign/verify path alongside
the existing draft-cavage implementation:

- Algorithm: sodium for Ed25519, JWT::sign for RSA / ECDSA, ecdsaRawToDer
  for the ECDSA wire format. JWK parsing via JWK::parseKey.
- SignatureBase: RFC 9421 §2.5 base construction for the derived
  components OCM uses plus plain HTTP fields.
- ContentDigest: RFC 9530 helpers used as a covered component.
- Rfc9421IncomingSignedRequest / Rfc9421OutgoingSignedRequest:
  request models. Parsing of Signature-Input / Signature delegates
  to gapple\StructuredFields\Parser.
- IJwkResolvingSignatoryManager: capability bit signatory managers
  advertise to participate in RFC 9421 verification.
- OcmProfile: OCM-mandated dictionary label.
- SignatureManager: dispatch to RFC 9421 inbound when Signature-Input
  is present, outbound when rfc9421.format is set.

Plus tests for each primitive and a full round-trip across the model.

Signed-off-by: Micke Nordin <kano@sunet.se>
2026-05-27 11:03:55 +02:00

29 lines
978 B
PHP

<?php

declare(strict_types=1);

/**
 * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
 * SPDX-License-Identifier: AGPL-3.0-or-later
 */

namespace OC\Security\Signature\Rfc9421;

use Firebase\JWT\Key;
use OCP\Security\Signature\ISignatoryManager;

/**
 * Capability bit for {@see ISignatoryManager} implementations that can resolve
 * a remote JWK for RFC 9421 verification. {@see \OC\Security\Signature\SignatureManager}
 * checks this via instanceof on the RFC 9421 path; cavage doesn't need it.
 */
interface IJwkResolvingSignatoryManager extends ISignatoryManager {
	/**
	 * Resolve the JWK identified by $keyId for the remote at $origin and
	 * return it as a parsed {@see Key}. Null when no matching JWK is found.
	 *
	 * @param string $origin host of the remote that signed the request
	 * @param string $keyId raw `keyid` from Signature-Input; matched against JWK `kid`
	 */
	public function getRemoteKey(string $origin, string $keyId): ?Key;
}
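The contract above is small but the matching rules matter for security: the `keyid` a remote puts in Signature-Input is attacker-controlled, so the resolver should scope the lookup to the claimed origin, compare `kid` exactly, and refuse anything that is not a public signing key. The following is an added example of a resolver with that `getRemoteKey()` contract; it is not Nextcloud's code and not the implementation this commit ships. It assumes firebase/php-jwt 6.4 or later (for `JWK::parseKey()` with OKP/Ed25519 support) and embeds a constructed per-origin JWK set in place of a fetched discovery document; the Ed25519 public key value is the one from RFC 8037 Appendix A.1. Because the inherited `ISignatoryManager` methods are not shown on this page, the class does not declare `implements IJwkResolvingSignatoryManager`; a real manager would add that clause together with those methods.

```php
<?php

declare(strict_types=1);

// Added example, not Nextcloud code. Assumptions not taken from the page:
// - firebase/php-jwt >= 6.4 is installed via Composer (OKP support in JWK::parseKey);
// - the JWK sets are a constructed fixture keyed by origin, not fetched remotely.
require_once __DIR__ . '/vendor/autoload.php';

use Firebase\JWT\JWK;
use Firebase\JWT\Key;

final class FixtureJwkResolver {
	/**
	 * Constructed fixture: origin => RFC 7517 JWK set. The Ed25519 public
	 * key below is the one from RFC 8037 Appendix A.1.
	 *
	 * @var array<string, array{keys: list<array<string, string>>}>
	 */
	private array $jwksByOrigin = [
		'cloud.example.org' => [
			'keys' => [
				[
					'kty' => 'OKP',
					'crv' => 'Ed25519',
					'kid' => 'ocm-2026-05',
					'use' => 'sig',
					'alg' => 'EdDSA',
					'x' => '11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo',
				],
			],
		],
	];

	/**
	 * Same contract as IJwkResolvingSignatoryManager::getRemoteKey(): the raw
	 * `keyid` from Signature-Input is matched against JWK `kid`; null when
	 * there is no usable match.
	 */
	public function getRemoteKey(string $origin, string $keyId): ?Key {
		// Host names are case-insensitive; normalise before the lookup so a
		// remote cannot escape its own per-origin key set by changing case.
		$jwks = $this->jwksByOrigin[strtolower($origin)] ?? null;
		if ($jwks === null) {
			return null;
		}

		foreach ($jwks['keys'] as $jwk) {
			// Exact, byte-for-byte kid comparison: no prefix or case-insensitive
			// matching, which would let two distinct keys collide.
			if (!isset($jwk['kid']) || !hash_equals($jwk['kid'], $keyId)) {
				continue;
			}
			// Only public verification keys are acceptable: a JWK carrying private
			// material (`d`) or not marked for signing counts as "no key".
			if (isset($jwk['d']) || (isset($jwk['use']) && $jwk['use'] !== 'sig')) {
				return null;
			}
			try {
				// parseKey() needs an algorithm; default to EdDSA for OKP keys
				// that omit `alg`. It returns null for unsupported key types.
				$defaultAlg = ($jwk['kty'] ?? '') === 'OKP' ? 'EdDSA' : null;
				return JWK::parseKey($jwk, $defaultAlg);
			} catch (\Throwable $e) {
				// Malformed JWK (wrong curve, missing coordinates, ...): treat as
				// not found so that verification fails closed.
				return null;
			}
		}
		return null;
	}
}

// Usage: a hit on the fixture's kid (origin case does not matter), then a miss
// on an unknown kid and a miss on a different origin, both of which must yield
// null so the RFC 9421 path rejects the request.
$resolver = new FixtureJwkResolver();
$key = $resolver->getRemoteKey('Cloud.Example.org', 'ocm-2026-05');
var_dump($key instanceof Key && $key->getAlgorithm() === 'EdDSA');
var_dump($resolver->getRemoteKey('cloud.example.org', 'unknown-kid'));
var_dump($resolver->getRemoteKey('other.example.net', 'ocm-2026-05'));
```

Returning null rather than throwing keeps the semantics the interface documents ("null when no matching JWK is found") and lets the caller fail closed uniformly, whether the kid is unknown, the origin has no key set, or the advertised JWK is malformed or not a public signing key.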