The diff can be checked using: git diff --ignore-all-space --ignore-blank-lines
To see only the changes not related to blank lines.
Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
Two CI failures introduced by the test additions in this PR:
1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
an externally-produced Ed25519 signature (since Algorithm::sign() rejects
Ed25519 by design). setSignature was declared protected, so the test
couldn't call it from outside the class hierarchy. Make it public —
SignedRequest lives in the OC\ private namespace, so this widens
internal-only visibility, not the public API surface.
2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
current firebase/php-jwt version does not validate that coherence at
parse time, so the test now fails to see any throwable. The actual
security check happens at Algorithm::verify() time and is covered by
testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
test with a comment pointing at the verify-time coverage.
Signed-off-by: Micke Nordin <kano@sunet.se>
This commit switches the default signature algorithm to
ecdsa-p256-sha256 instead of Ed25519. This allows us to make sodium
optional again, and we only pull it in to use it for verifying incomming
signatures. If sodium is not installed, we throw on Ed25519 signatures
instead. At least it is easy for most people to make their Nextcloud
install fully RFC compliant by installing sodium.
I also renamed all the Ed25519 function names to be more precis, using
Jwks for the JSON Web Keys, and RFC9421 for the http-signature code,
where it is needed to distinguish from draft-cavage signatures.
Signed-off-by: Micke Nordin <kano@sunet.se>
Throw when one of the headers are empty
Enumerate all the allowed algorithms in th NATIVE constant
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Micke Nordin <kano@sunet.se>
Use constants instead of 0/1
Also fix PHPDoc to use correct return values.
Co-authored-by: Carl Schwan <carl@carlschwan.eu>
Signed-off-by: Micke Nordin <kano@sunet.se>
Add Manager::generateEd25519AppKey: persist a sodium-generated
Ed25519 keypair (raw 32-byte public, 64-byte secret) under the same
appdata layout the existing RSA path uses. Used by OCMSignatoryManager
for the slotted RFC 9421 signing keys.
Signed-off-by: Micke Nordin <kano@sunet.se>
Add the RFC 9421 (HTTP Message Signatures) sign/verify path alongside
the existing draft-cavage implementation:
- Algorithm: sodium for Ed25519, JWT::sign for RSA / ECDSA, ecdsaRawToDer
for the ECDSA wire format. JWK parsing via JWK::parseKey.
- SignatureBase: RFC 9421 §2.5 base construction for the derived
components OCM uses plus plain HTTP fields.
- ContentDigest: RFC 9530 helpers used as a covered component.
- Rfc9421IncomingSignedRequest / Rfc9421OutgoingSignedRequest:
request models. Parsing of Signature-Input / Signature delegates
to gapple\\StructuredFields\\Parser.
- IJwkResolvingSignatoryManager: capability bit signatory managers
advertise to participate in RFC 9421 verification.
- OcmProfile: OCM-mandated dictionary label.
- SignatureManager: dispatch to RFC 9421 inbound when Signature-Input
is present, outbound when rfc9421.format is set.
Plus tests for each primitive and a full round-trip across the model.
Signed-off-by: Micke Nordin <kano@sunet.se>
When decrypting a v3 ciphertext with a mismatched secret, the first
attempt throws an Exception (HMAC mismatch). The fallback then calls
decryptWithoutSecret() with an empty string, which causes hash_hkdf()
to throw a ValueError. Since ValueError extends \Error rather than
\Exception, it bypassed the catch block and propagated as an unhandled
error, crashing the whole request.
Wrap the fallback in its own try/catch(\Throwable) and rethrow the
original Exception so callers get a meaningful HMAC mismatch error.
Signed-off-by: Anna Larch <anna@nextcloud.com>
AI-Assisted-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Some providers assign `/48` IPv6 blocks instead of `/64` so it sounds safer
to use this mask by default.
Signed-off-by: Benjamin Gaussorgues <benjamin.gaussorgues@nextcloud.com>
Git'Fellow
Anna
Côme Chilliet
Micke Nordin
Remi Collet
Carl Schwan
Ferdinand Thiessen
Simon L.
Carl Schwan
Maxence Lange
provokateurin
Marcel Müller
Joas Schilling
Daniel Kesselberg
Benjamin Gaussorgues
Christoph Wurst
Josh
dependabot[bot]