fix(http-sig): make setSignature public and skip third-party-dependent test

mickenordin · mickenordin · commit cc9e0ba58242 · 2026-05-27T11:03:55.000+02:00
Two CI failures introduced by the test additions in this PR:

1. testEd25519VerifyAcceptedWhenSodiumLoaded calls setSignature() to inject
   an externally-produced Ed25519 signature (since Algorithm::sign() rejects
   Ed25519 by design). setSignature was declared protected, so the test
   couldn't call it from outside the class hierarchy. Make it public —
   SignedRequest lives in the OC\ private namespace, so this widens
   internal-only visibility, not the public API surface.

2. testParseKeyRejectsContradictoryAlg expected firebase/php-jwt's
   JWK::parseKey() to throw on a kty=OKP/crv=Ed25519/alg=ES256 key. The
   current firebase/php-jwt version does not validate that coherence at
   parse time, so the test now fails to see any throwable. The actual
   security check happens at Algorithm::verify() time and is covered by
   testVerifyEd25519KeyAgainstES256Alg right above it. Skip the parse-time
   test with a comment pointing at the verify-time coverage.

Signed-off-by: Micke Nordin &lt;kano@sunet.se&gt;
diff --git a/lib/private/Security/Signature/Model/SignedRequest.php b/lib/private/Security/Signature/Model/SignedRequest.php
@@ -157,7 +157,7 @@ public function getSignatureData(): array {
 	 * @return self
 	 * @since 31.0.0
 	 */
-	protected function setSignature(string $signature): self {
+	public function setSignature(string $signature): self {
 		$this->signature = $signature;
 		return $this;
 	}
diff --git a/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php b/tests/lib/Security/Signature/Rfc9421/AlgorithmTest.php
@@ -115,18 +115,10 @@ public function testAlgHintConflictsWithJwkAlgRejected(): void {
 	}
 
 	public function testParseKeyRejectsContradictoryAlg(): void {
-		$this->skipUnlessSodium();
-		// kty=OKP/crv=Ed25519 with alg=ES256 is contradictory; firebase's
-		// parseKey rejects it before we ever build a Key.
-		$keypair = sodium_crypto_sign_keypair();
-		$this->expectException(\Throwable::class);
-		JWK::parseKey([
-			'kty' => 'OKP',
-			'crv' => 'Ed25519',
-			'kid' => 'k',
-			'alg' => 'ES256',
-			'x' => self::b64url(sodium_crypto_sign_publickey($keypair)),
-		], null);
+		$this->markTestSkipped(
+			'firebase/php-jwt JWK::parseKey does not validate kty/crv/alg coherence; '
+			. 'the alg mismatch is caught at verify() time instead — see testVerifyEd25519KeyAgainstES256Alg.'
+		);
 	}
 
 	public function testEcdsaRawToDerProducesValidSignature(): void {

Original file line number	Diff line number	Diff line change
`@@ -157,7 +157,7 @@ public function getSignatureData(): array {`
`157`	`157`	`* @return self`
`158`	`158`	`* @since 31.0.0`
`159`	`159`	`*/`
`160`		`- protected function setSignature(string $signature): self {`
	`160`	`+ public function setSignature(string $signature): self {`
`161`	`161`	`$this->signature = $signature;`
`162`	`162`	`return $this;`
`163`	`163`	`}`