Merge pull request #60136 from nextcloud/kano-dual-stack-rfc-9421-http-sig

feat(http-sig): Dual stack http-sig

Author: mickenordin

3rdparty

@@ -12,7 +12,6 @@
 use OCA\CloudFederationAPI\Db\FederatedInviteMapper;
 use OCA\CloudFederationAPI\Events\FederatedInviteAcceptedEvent;
 use OCA\CloudFederationAPI\ResponseDefinitions;
-use OCA\FederatedFileSharing\AddressHandler;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
@@ -38,11 +37,8 @@
 use OCP\IURLGenerator;
 use OCP\IUserManager;
 use OCP\OCM\IOCMDiscoveryService;
-use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
 use OCP\Security\Signature\Exceptions\IncomingRequestException;
-use OCP\Security\Signature\Exceptions\SignatoryNotFoundException;
 use OCP\Security\Signature\IIncomingSignedRequest;
-use OCP\Security\Signature\ISignatureManager;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Util;
 use Psr\Log\LoggerInterface;
@@ -69,12 +65,10 @@ public function __construct(
 		private Config $config,
 		private IEventDispatcher $dispatcher,
 		private FederatedInviteMapper $federatedInviteMapper,
-		private readonly AddressHandler $addressHandler,
 		private readonly IAppConfig $appConfig,
 		private ICloudFederationFactory $factory,
 		private ICloudIdManager $cloudIdManager,
 		private readonly IOCMDiscoveryService $ocmDiscoveryService,
-		private readonly ISignatureManager $signatureManager,
 		private ITimeFactory $timeFactory,
 	) {
 		parent::__construct($appName, $request);
@@ -440,28 +434,22 @@ private function mapUid($uid) {
 	 * If request is not signed, we still verify that the hostname from the extracted value does,
 	 * actually, not support signed request
 	 *
+	 * Delegates to {@see IOCMDiscoveryService::confirmRequestOrigin()}.
+	 *
 	 * @param IIncomingSignedRequest|null $signedRequest
 	 * @param string $key entry from data available in data
 	 * @param string $value value itself used in case request is not signed
 	 *
 	 * @throws IncomingRequestException
 	 */
 	private function confirmSignedOrigin(?IIncomingSignedRequest $signedRequest, string $key, string $value): void {
-		if ($signedRequest === null) {
-			$instance = $this->getHostFromFederationId($value);
-			try {
-				$this->signatureManager->getSignatory($instance);
-				throw new IncomingRequestException('instance is supposed to sign its request');
-			} catch (SignatoryNotFoundException) {
-				return;
-			}
-		}
-
-		$body = json_decode($signedRequest->getBody(), true) ?? [];
-		$entry = trim($body[$key] ?? '', '@');
-		if ($this->getHostFromFederationId($entry) !== $signedRequest->getOrigin()) {
-			throw new IncomingRequestException('share initiation (' . $signedRequest->getOrigin() . ') from different instance (' . $entry . ') [key=' . $key . ']');
+		if ($signedRequest !== null) {
+			$body = json_decode($signedRequest->getBody(), true) ?? [];
+			$entry = trim(($body[$key] ?? ''), '@');
+		} else {
+			$entry = trim($value, '@');
 		}
+		$this->ocmDiscoveryService->confirmRequestOrigin($signedRequest?->getOrigin(), $entry);
 	}
 
 	/**
@@ -498,48 +486,6 @@ private function confirmNotificationIdentity(
 			throw new IncomingRequestException($e->getMessage(), previous: $e);
 		}
 
-		$this->confirmNotificationEntry($signedRequest, $identity);
-	}
-
-
-	/**
-	 * @param IIncomingSignedRequest|null $signedRequest
-	 * @param string $entry
-	 *
-	 * @return void
-	 * @throws IncomingRequestException
-	 */
-	private function confirmNotificationEntry(?IIncomingSignedRequest $signedRequest, string $entry): void {
-		$instance = $this->getHostFromFederationId($entry);
-		if ($signedRequest === null) {
-			try {
-				$this->signatureManager->getSignatory($instance);
-				throw new IncomingRequestException('instance is supposed to sign its request');
-			} catch (SignatoryNotFoundException) {
-				return;
-			}
-		} elseif ($instance !== $signedRequest->getOrigin()) {
-			throw new IncomingRequestException('remote instance ' . $instance . ' not linked to origin ' . $signedRequest->getOrigin());
-		}
-	}
-
-	/**
-	 * @param string $entry
-	 * @return string
-	 * @throws IncomingRequestException
-	 */
-	private function getHostFromFederationId(string $entry): string {
-		if (!str_contains($entry, '@')) {
-			throw new IncomingRequestException('entry ' . $entry . ' does not contain @');
-		}
-		$rightPart = substr($entry, strrpos($entry, '@') + 1);
-
-		// in case the full scheme is sent; getting rid of it
-		$rightPart = $this->addressHandler->removeProtocolFromUrl($rightPart);
-		try {
-			return $this->signatureManager->extractIdentityFromUri('https://' . $rightPart);
-		} catch (IdentityNotFoundException) {
-			throw new IncomingRequestException('invalid host within federation id: ' . $entry);
-		}
+		$this->ocmDiscoveryService->confirmRequestOrigin($signedRequest?->getOrigin(), $identity);
 	}
 }

apps/cloud_federation_api/lib/Controller/RequestHandlerController.php

@@ -13,7 +13,6 @@
 use OCA\CloudFederationAPI\Controller\RequestHandlerController;
 use OCA\CloudFederationAPI\Db\FederatedInvite;
 use OCA\CloudFederationAPI\Db\FederatedInviteMapper;
-use OCA\FederatedFileSharing\AddressHandler;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Utility\ITimeFactory;
@@ -28,7 +27,6 @@
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\OCM\IOCMDiscoveryService;
-use OCP\Security\Signature\ISignatureManager;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Log\LoggerInterface;
 use Test\TestCase;
@@ -43,13 +41,11 @@ class RequestHandlerControllerTest extends TestCase {
 	private Config&MockObject $config;
 	private IEventDispatcher&MockObject $eventDispatcher;
 	private FederatedInviteMapper&MockObject $federatedInviteMapper;
-	private AddressHandler&MockObject $addressHandler;
 	private IAppConfig&MockObject $appConfig;
 
 	private ICloudFederationFactory&MockObject $cloudFederationFactory;
 	private ICloudIdManager&MockObject $cloudIdManager;
 	private IOCMDiscoveryService&MockObject $discoveryService;
-	private ISignatureManager&MockObject $signatureManager;
 	private ITimeFactory&MockObject $timeFactory;
 
 	private RequestHandlerController $requestHandlerController;
@@ -66,12 +62,10 @@ protected function setUp(): void {
 		$this->config = $this->createMock(Config::class);
 		$this->eventDispatcher = $this->createMock(IEventDispatcher::class);
 		$this->federatedInviteMapper = $this->createMock(FederatedInviteMapper::class);
-		$this->addressHandler = $this->createMock(AddressHandler::class);
 		$this->appConfig = $this->createMock(IAppConfig::class);
 		$this->cloudFederationFactory = $this->createMock(ICloudFederationFactory::class);
 		$this->cloudIdManager = $this->createMock(ICloudIdManager::class);
 		$this->discoveryService = $this->createMock(IOCMDiscoveryService::class);
-		$this->signatureManager = $this->createMock(ISignatureManager::class);
 		$this->timeFactory = $this->createMock(ITimeFactory::class);
 
 		$this->requestHandlerController = new RequestHandlerController(
@@ -85,12 +79,10 @@ protected function setUp(): void {
 			$this->config,
 			$this->eventDispatcher,
 			$this->federatedInviteMapper,
-			$this->addressHandler,
 			$this->appConfig,
 			$this->cloudFederationFactory,
 			$this->cloudIdManager,
 			$this->discoveryService,
-			$this->signatureManager,
 			$this->timeFactory,
 		);
 	}

apps/cloud_federation_api/tests/RequestHandlerControllerTest.php

@@ -58,7 +58,7 @@ public function getCategory(): string {
 	protected function getRecommendedModuleDescription(string $module): string {
 		return match($module) {
 			'intl' => $this->l10n->t('increases language translation performance and fixes sorting of non-ASCII characters'),
-			'sodium' => $this->l10n->t('for Argon2 for password hashing'),
+			'sodium' => $this->l10n->t('for Argon2 for password hashing and Ed25519 signature verification for RFC 9421 http message signatures'),
 			'gmp' => $this->l10n->t('required for SFTP storage and recommended for WebAuthn performance'),
 			'exif' => $this->l10n->t('for picture rotation in server and metadata extraction in the Photos app'),
 			default => '',

apps/settings/lib/SetupChecks/PhpModules.php

@@ -0,0 +1,12 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+// ext-openssl padding mode constants for psalm. PSS omitted: PHP 8.5+ only.
+const OPENSSL_PKCS1_PADDING = 1;
+const OPENSSL_SSLV23_PADDING = 2;
+const OPENSSL_NO_PADDING = 3;
+const OPENSSL_PKCS1_OAEP_PADDING = 4;

build/stubs/openssl.php

@@ -0,0 +1,13 @@
+<?php
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+// ext-sodium Ed25519 size constants for psalm.
+const SODIUM_CRYPTO_SIGN_BYTES = 64;
+const SODIUM_CRYPTO_SIGN_SEEDBYTES = 32;
+const SODIUM_CRYPTO_SIGN_PUBLICKEYBYTES = 32;
+const SODIUM_CRYPTO_SIGN_SECRETKEYBYTES = 64;
+const SODIUM_CRYPTO_SIGN_KEYPAIRBYTES = 96;

build/stubs/sodium.php

@@ -47,6 +47,9 @@
 		"ext-zip": "*",
 		"ext-zlib": "*"
 	},
+	"suggest": {
+		"ext-sodium": "Argon2 password hashing and Ed25519 signature verification for RFC 9421 HTTP message signatures."
+	},
 	"require-dev": {
 		"bamarni/composer-bin-plugin": "^1.4"
 	},

composer.json

@@ -23,6 +23,7 @@
 use OC\Core\Listener\PasswordUpdatedListener;
 use OC\Core\Notification\CoreNotifier;
 use OC\OCM\OCMDiscoveryHandler;
+use OC\OCM\OCMJwksHandler;
 use OC\TagManager;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -88,6 +89,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerConfigLexicon(ConfigLexicon::class);
 
 		$context->registerWellKnownHandler(OCMDiscoveryHandler::class);
+		$context->registerWellKnownHandler(OCMJwksHandler::class);
 		$context->registerCapability(Capabilities::class);
 	}
 

core/AppInfo/Application.php

@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ActivateKey extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:activate')
+			->setDescription('promote the staged JWKS key to active; the previous active key moves to retiring');
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		try {
+			$this->signatoryManager->activateStagedJwksKey();
+		} catch (\RuntimeException $e) {
+			$output->writeln('<error>' . $e->getMessage() . '</error>');
+			return self::FAILURE;
+		}
+		$output->writeln('<info>Staged key promoted to active.</info>');
+		$output->writeln('Run <info>occ ocm:keys:retire</info> once any in-flight signatures using the previous key have been verified.');
+		return self::SUCCESS;
+	}
+}

core/Command/OCM/ActivateKey.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Helper\Table;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ListKeys extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:list')
+			->setDescription('list JWKS-published signing keys');
+		parent::configure();
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$keys = $this->signatoryManager->listJwksKeys();
+		$format = $input->getOption('output');
+		if ($format === self::OUTPUT_FORMAT_JSON || $format === self::OUTPUT_FORMAT_JSON_PRETTY) {
+			$output->writeln(json_encode($keys, $format === self::OUTPUT_FORMAT_JSON_PRETTY ? JSON_PRETTY_PRINT : 0));
+			return self::SUCCESS;
+		}
+
+		if ($keys === []) {
+			$output->writeln('<comment>No JWKS keys yet; one will be generated on first OCM request.</comment>');
+			return self::SUCCESS;
+		}
+
+		$table = new Table($output);
+		$table->setHeaders(['Pool', 'Slot', 'Key ID']);
+		foreach ($keys as $key) {
+			$table->addRow([$key['poolId'], $key['slot'] ?? '-', $key['kid']]);
+		}
+		$table->render();
+		return self::SUCCESS;
+	}
+}