feat(http-sig): Wire up the dual stack behaviour

We select which signature flavor to use based on if the remote server
has the `http-sig` capability.

The new bahaviour is backwards compatible, still using draft-cavage
flavor signatures if the remote server has the `publicKey` in the
discovery, but does not advertise the correct capability.

Signed-off-by: Micke Nordin <kano@sunet.se>

Author: mickenordin

core/AppInfo/Application.php

@@ -22,6 +22,7 @@
 use OC\Core\Listener\BeforeTemplateRenderedListener;
 use OC\Core\Listener\PasswordUpdatedListener;
 use OC\Core\Notification\CoreNotifier;
+use OC\OCM\Listener\HttpSigCapabilityListener;
 use OC\OCM\OCMDiscoveryHandler;
 use OC\OCM\OCMJwksHandler;
 use OC\TagManager;
@@ -33,6 +34,7 @@
 use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
 use OCP\DB\Events\AddMissingIndicesEvent;
 use OCP\DB\Events\AddMissingPrimaryKeyEvent;
+use OCP\OCM\Events\LocalOCMDiscoveryEvent;
 use OCP\User\Events\BeforeUserDeletedEvent;
 use OCP\User\Events\PasswordUpdatedEvent;
 use OCP\User\Events\UserDeletedEvent;
@@ -81,6 +83,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerEventListener(UserDeletedEvent::class, UserDeletedFilesCleanupListener::class);
 		$context->registerEventListener(UserDeletedEvent::class, UserDeletedWebAuthnCleanupListener::class);
 		$context->registerEventListener(PasswordUpdatedEvent::class, PasswordUpdatedListener::class);
+		$context->registerEventListener(LocalOCMDiscoveryEvent::class, HttpSigCapabilityListener::class);
 
 		// Tags
 		$context->registerEventListener(UserDeletedEvent::class, TagManager::class);

lib/composer/composer/autoload_classmap.php

@@ -1943,12 +1943,14 @@
     'OC\\Notification\\Action' => $baseDir . '/lib/private/Notification/Action.php',
     'OC\\Notification\\Manager' => $baseDir . '/lib/private/Notification/Manager.php',
     'OC\\Notification\\Notification' => $baseDir . '/lib/private/Notification/Notification.php',
+    'OC\\OCM\\Listener\\HttpSigCapabilityListener' => $baseDir . '/lib/private/OCM/Listener/HttpSigCapabilityListener.php',
     'OC\\OCM\\Model\\OCMProvider' => $baseDir . '/lib/private/OCM/Model/OCMProvider.php',
     'OC\\OCM\\Model\\OCMResource' => $baseDir . '/lib/private/OCM/Model/OCMResource.php',
     'OC\\OCM\\OCMDiscoveryHandler' => $baseDir . '/lib/private/OCM/OCMDiscoveryHandler.php',
     'OC\\OCM\\OCMDiscoveryService' => $baseDir . '/lib/private/OCM/OCMDiscoveryService.php',
     'OC\\OCM\\OCMJwksHandler' => $baseDir . '/lib/private/OCM/OCMJwksHandler.php',
     'OC\\OCM\\OCMSignatoryManager' => $baseDir . '/lib/private/OCM/OCMSignatoryManager.php',
+    'OC\\OCM\\Rfc9421SignatoryManager' => $baseDir . '/lib/private/OCM/Rfc9421SignatoryManager.php',
     'OC\\OCS\\ApiHelper' => $baseDir . '/lib/private/OCS/ApiHelper.php',
     'OC\\OCS\\CoreCapabilities' => $baseDir . '/lib/private/OCS/CoreCapabilities.php',
     'OC\\OCS\\DiscoveryService' => $baseDir . '/lib/private/OCS/DiscoveryService.php',

lib/composer/composer/autoload_static.php

@@ -1984,12 +1984,14 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OC\\Notification\\Action' => __DIR__ . '/../../..' . '/lib/private/Notification/Action.php',
         'OC\\Notification\\Manager' => __DIR__ . '/../../..' . '/lib/private/Notification/Manager.php',
         'OC\\Notification\\Notification' => __DIR__ . '/../../..' . '/lib/private/Notification/Notification.php',
+        'OC\\OCM\\Listener\\HttpSigCapabilityListener' => __DIR__ . '/../../..' . '/lib/private/OCM/Listener/HttpSigCapabilityListener.php',
         'OC\\OCM\\Model\\OCMProvider' => __DIR__ . '/../../..' . '/lib/private/OCM/Model/OCMProvider.php',
         'OC\\OCM\\Model\\OCMResource' => __DIR__ . '/../../..' . '/lib/private/OCM/Model/OCMResource.php',
         'OC\\OCM\\OCMDiscoveryHandler' => __DIR__ . '/../../..' . '/lib/private/OCM/OCMDiscoveryHandler.php',
         'OC\\OCM\\OCMDiscoveryService' => __DIR__ . '/../../..' . '/lib/private/OCM/OCMDiscoveryService.php',
         'OC\\OCM\\OCMJwksHandler' => __DIR__ . '/../../..' . '/lib/private/OCM/OCMJwksHandler.php',
         'OC\\OCM\\OCMSignatoryManager' => __DIR__ . '/../../..' . '/lib/private/OCM/OCMSignatoryManager.php',
+        'OC\\OCM\\Rfc9421SignatoryManager' => __DIR__ . '/../../..' . '/lib/private/OCM/Rfc9421SignatoryManager.php',
         'OC\\OCS\\ApiHelper' => __DIR__ . '/../../..' . '/lib/private/OCS/ApiHelper.php',
         'OC\\OCS\\CoreCapabilities' => __DIR__ . '/../../..' . '/lib/private/OCS/CoreCapabilities.php',
         'OC\\OCS\\DiscoveryService' => __DIR__ . '/../../..' . '/lib/private/OCS/DiscoveryService.php',

lib/private/OCM/Listener/HttpSigCapabilityListener.php

@@ -0,0 +1,43 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OC\OCM\Listener;
+
+use OC\OCM\OCMSignatoryManager;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\IAppConfig;
+use OCP\OCM\Events\LocalOCMDiscoveryEvent;
+
+/**
+ * Adds the `http-sig` capability to the local OCM discovery document so that
+ * remote senders know they may use RFC 9421 HTTP Message Signatures with the
+ * keys published at `/.well-known/jwks.json`. The capability is suppressed
+ * when signing has been disabled outright via
+ * {@see OCMSignatoryManager::APPCONFIG_SIGN_DISABLED}.
+ *
+ * @template-implements IEventListener<LocalOCMDiscoveryEvent>
+ */
+class HttpSigCapabilityListener implements IEventListener {
+	public function __construct(
+		private readonly IAppConfig $appConfig,
+	) {
+	}
+
+	#[\Override]
+	public function handle(Event $event): void {
+		if (!($event instanceof LocalOCMDiscoveryEvent)) {
+			return;
+		}
+		if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
+			return;
+		}
+		$event->addCapability('http-sig');
+	}
+}

lib/private/OCM/OCMDiscoveryService.php

@@ -344,6 +344,12 @@ public function requestRemoteOcmEndpoint(
 	/**
 	 * add entries to the payload to auth the whole request
 	 *
+	 * Picks the signature scheme from the remote's advertised OCM
+	 * capabilities; see the OCM specification for the selection rules. The
+	 * existing strict/permissive policy (`APPCONFIG_SIGN_ENFORCED` /
+	 * `APPCONFIG_SIGN_DISABLED`) is preserved as the fallback when the remote
+	 * advertises neither `http-sig` nor a `publicKey`.
+	 *
 	 * @throws OCMProviderException
 	 * @return array
 	 */
@@ -353,20 +359,31 @@ private function prepareOcmPayload(string $uri, string $method, array $options,
 			return $payload;
 		}
 
-		if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true)
-			&& $this->signatoryManager->getRemoteSignatory($this->signatureManager->extractIdentityFromUri($uri)) === null) {
+		$origin = $this->signatureManager->extractIdentityFromUri($uri);
+		$ocmProvider = $this->discover($origin);
+
+		$useRfc9421 = $ocmProvider->hasCapability('http-sig');
+		$hasPublicKey = $this->signatoryManager->getRemoteSignatory($origin) !== null;
+
+		if (!$useRfc9421 && !$hasPublicKey
+			&& $this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_ENFORCED, lazy: true)) {
 			throw new OCMProviderException('remote endpoint does not support signed request');
 		}
 
-		if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-			$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
-				$this->signatoryManager,
-				$payload,
-				$method, $uri
-			);
+		if ($this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
+			return $payload;
 		}
 
-		return $signedPayload ?? $payload;
+		$signatoryManager = $useRfc9421
+			? new Rfc9421SignatoryManager($this->signatoryManager)
+			: $this->signatoryManager;
+
+		return $this->signatureManager->signOutgoingRequestIClientPayload(
+			$signatoryManager,
+			$payload,
+			$method,
+			$uri,
+		);
 	}
 
 	private function generateRequestOptions(array $options): array {

lib/private/OCM/OCMSignatoryManager.php

@@ -9,22 +9,26 @@
 
 namespace OC\OCM;
 
+use JsonException;
 use OC\Security\IdentityProof\Manager;
 use OC\Security\Jwks\Jwk;
+use OC\Security\Signature\Rfc9421\IJwkResolvingSignatoryManager;
+use OCP\Http\Client\IClientService;
 use OCP\IAppConfig;
+use OCP\IConfig;
 use OCP\IURLGenerator;
 use OCP\OCM\Exceptions\OCMProviderException;
 use OCP\Security\Signature\Enum\DigestAlgorithm;
 use OCP\Security\Signature\Enum\SignatoryType;
 use OCP\Security\Signature\Enum\SignatureAlgorithm;
 use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
-use OCP\Security\Signature\ISignatoryManager;
 use OCP\Security\Signature\ISignatureManager;
 use OCP\Security\Signature\Model\Signatory;
 use OCP\Server;
 use Psr\Container\ContainerExceptionInterface;
 use Psr\Container\NotFoundExceptionInterface;
 use Psr\Log\LoggerInterface;
+use Throwable;
 
 /**
  * @inheritDoc
@@ -34,7 +38,7 @@
  *
  * @since 31.0.0
  */
-class OCMSignatoryManager implements ISignatoryManager {
+class OCMSignatoryManager implements IJwkResolvingSignatoryManager {
 	public const PROVIDER_ID = 'ocm';
 	public const APPCONFIG_SIGN_IDENTITY_EXTERNAL = 'ocm_signed_request_identity_external';
 	public const APPCONFIG_SIGN_DISABLED = 'ocm_signed_request_disabled';
@@ -49,6 +53,8 @@ public function __construct(
 		private readonly ISignatureManager $signatureManager,
 		private readonly IURLGenerator $urlGenerator,
 		private readonly Manager $identityProofManager,
+		private readonly IClientService $clientService,
+		private readonly IConfig $config,
 		private readonly LoggerInterface $logger,
 	) {
 	}
@@ -206,4 +212,49 @@ public function getRemoteSignatory(string $remote): ?Signatory {
 			return null;
 		}
 	}
+
+	/**
+	 * Fetch the remote's `/.well-known/jwks.json` (per the OCM specification)
+	 * and return the JWK whose `kid` matches $keyId. Returns null when the
+	 * fetch fails or no key with that kid is published.
+	 */
+	#[\Override]
+	public function getRemoteJwk(string $origin, string $keyId): ?Jwk {
+		$url = 'https://' . $origin . '/.well-known/jwks.json';
+		$options = [
+			'timeout' => 10,
+			'connect_timeout' => 10,
+		];
+		if ($this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates') === true) {
+			$options['verify'] = false;
+		}
+
+		try {
+			$response = $this->clientService->newClient()->get($url, $options);
+		} catch (Throwable $e) {
+			$this->logger->warning('failed to fetch remote JWKS', ['exception' => $e, 'url' => $url]);
+			return null;
+		}
+
+		try {
+			$decoded = json_decode((string)$response->getBody(), true, 8, JSON_THROW_ON_ERROR);
+		} catch (JsonException $e) {
+			$this->logger->warning('remote JWKS is not valid JSON', ['exception' => $e, 'url' => $url]);
+			return null;
+		}
+
+		if (!is_array($decoded) || !is_array($decoded['keys'] ?? null)) {
+			return null;
+		}
+
+		foreach ($decoded['keys'] as $entry) {
+			if (!is_array($entry)) {
+				continue;
+			}
+			if (($entry['kid'] ?? null) === $keyId) {
+				return Jwk::fromArray($entry);
+			}
+		}
+		return null;
+	}
 }

lib/private/OCM/Rfc9421SignatoryManager.php

@@ -0,0 +1,61 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OC\OCM;
+
+use OC\Security\Jwks\Jwk;
+use OC\Security\Signature\Rfc9421\IJwkResolvingSignatoryManager;
+use OCP\Security\Signature\Exceptions\IdentityNotFoundException;
+use OCP\Security\Signature\Model\Signatory;
+
+/**
+ * Per-call wrapper around {@see OCMSignatoryManager} that swaps in the
+ * Ed25519 signatory and turns on the `rfc9421.format` option. Constructed
+ * by {@see OCMDiscoveryService::prepareOcmPayload} when the remote has
+ * advertised the OCM `http-sig` capability.
+ *
+ * Wrapping rather than mutating OCMSignatoryManager keeps the underlying
+ * service stateless — important because it lives in the DI container and
+ * may be reused across requests.
+ */
+final class Rfc9421SignatoryManager implements IJwkResolvingSignatoryManager {
+	public function __construct(
+		private readonly OCMSignatoryManager $delegate,
+	) {
+	}
+
+	#[\Override]
+	public function getProviderId(): string {
+		return $this->delegate->getProviderId();
+	}
+
+	#[\Override]
+	public function getOptions(): array {
+		return array_merge($this->delegate->getOptions(), ['rfc9421.format' => true]);
+	}
+
+	#[\Override]
+	public function getLocalSignatory(): Signatory {
+		$signatory = $this->delegate->getLocalEd25519Signatory();
+		if ($signatory === null) {
+			throw new IdentityNotFoundException('no Ed25519 signatory available');
+		}
+		return $signatory;
+	}
+
+	#[\Override]
+	public function getRemoteSignatory(string $remote): ?Signatory {
+		return $this->delegate->getRemoteSignatory($remote);
+	}
+
+	#[\Override]
+	public function getRemoteJwk(string $origin, string $keyId): ?Jwk {
+		return $this->delegate->getRemoteJwk($origin, $keyId);
+	}
+}

lib/private/Security/Signature/Rfc9421/Algorithm.php

@@ -61,16 +61,13 @@ public static function sign(string $signatureBase, string $privateKey, string $a
 			return sodium_crypto_sign_detached($signatureBase, $privateKey);
 		}
 
-		[$opensslAlgo, $padding, $encoding] = self::opensslParametersForAlgorithm($normalized);
+		[$opensslAlgo, $encoding] = self::opensslParametersForAlgorithm($normalized);
 
-		// Padding is only valid for RSA keys; passing it for ECDSA triggers a
-		// PHP warning and rejection.
-		if ($padding === null) {
-			$ok = openssl_sign($signatureBase, $signature, $privateKey, $opensslAlgo);
-		} else {
-			/** @psalm-suppress TooManyArguments - the 5-arg form is supported on PHP 8 */
-			$ok = openssl_sign($signatureBase, $signature, $privateKey, $opensslAlgo, $padding);
-		}
+		// We do not pass an explicit padding mode: openssl_sign's 5th argument
+		// only became available in PHP 8.5, and the algorithms we still
+		// support (RSA-PKCS1-v1_5, ECDSA) all use the function's default
+		// padding behaviour (PKCS1 v1.5 for RSA, ignored for ECDSA).
+		$ok = openssl_sign($signatureBase, $signature, $privateKey, $opensslAlgo);
 		if (!$ok) {
 			throw new SignatureException('openssl_sign failed for ' . $normalized);
 		}
@@ -111,7 +108,7 @@ public static function verify(string $signatureBase, string $signature, Jwk $jwk
 			return sodium_crypto_sign_verify_detached($signature, $signatureBase, $rawPublicKey);
 		}
 
-		[$opensslAlgo, $padding, $encoding] = self::opensslParametersForAlgorithm($resolved);
+		[$opensslAlgo, $encoding] = self::opensslParametersForAlgorithm($resolved);
 
 		if ($encoding === 'ecdsa') {
 			$signature = self::ecdsaRawToDer($signature, self::ecdsaCoordinateSize($resolved));
@@ -125,11 +122,10 @@ public static function verify(string $signatureBase, string $signature, Jwk $jwk
 			throw new SignatureException('cannot derive public key from JWK');
 		}
 
-		if ($padding === null) {
-			return openssl_verify($signatureBase, $signature, $publicKey, $opensslAlgo) === 1;
-		}
-		/** @psalm-suppress TooManyArguments - the 5-arg form is supported on PHP 8 */
-		return openssl_verify($signatureBase, $signature, $publicKey, $opensslAlgo, $padding) === 1;
+		// See comment in sign(): padding is the openssl_verify default for
+		// the algorithms we still support, and the 5-arg form requires
+		// PHP 8.5.
+		return openssl_verify($signatureBase, $signature, $publicKey, $opensslAlgo) === 1;
 	}
 
 	/**
@@ -176,18 +172,18 @@ public static function normalize(string $algorithm): string {
 	}
 
 	/**
-	 * @return array{0: int, 1: int|null, 2: string} [openssl algo, padding (null = omit for non-RSA), wire encoding]
+	 * @return array{0: int, 1: string} [openssl digest, wire encoding]
 	 */
 	private static function opensslParametersForAlgorithm(string $native): array {
 		// Ed25519 is handled by libsodium upstream of this method and never
 		// reaches it; only RSA-PKCS1-v1_5 and ECDSA go through OpenSSL.
 		// RSA-PSS is not supported (see class docblock).
 		return match ($native) {
-			'rsa-v1_5-sha256' => [OPENSSL_ALGO_SHA256, OPENSSL_PKCS1_PADDING, 'raw'],
-			'rsa-v1_5-sha384' => [OPENSSL_ALGO_SHA384, OPENSSL_PKCS1_PADDING, 'raw'],
-			'rsa-v1_5-sha512' => [OPENSSL_ALGO_SHA512, OPENSSL_PKCS1_PADDING, 'raw'],
-			'ecdsa-p256-sha256' => [OPENSSL_ALGO_SHA256, null, 'ecdsa'],
-			'ecdsa-p384-sha384' => [OPENSSL_ALGO_SHA384, null, 'ecdsa'],
+			'rsa-v1_5-sha256' => [OPENSSL_ALGO_SHA256, 'raw'],
+			'rsa-v1_5-sha384' => [OPENSSL_ALGO_SHA384, 'raw'],
+			'rsa-v1_5-sha512' => [OPENSSL_ALGO_SHA512, 'raw'],
+			'ecdsa-p256-sha256' => [OPENSSL_ALGO_SHA256, 'ecdsa'],
+			'ecdsa-p384-sha384' => [OPENSSL_ALGO_SHA384, 'ecdsa'],
 			default => throw new SignatureException('unsupported signature algorithm: ' . $native),
 		};
 	}

tests/lib/OCM/DiscoveryServiceTest.php

@@ -128,6 +128,13 @@ public function testLocalBaseCapability(): void {
 		$this->assertEmpty(array_diff(['notifications', 'shares'], $local->getCapabilities()));
 	}
 
+	public function testLocalCapabilitiesAdvertiseHttpSigByDefault(): void {
+		// `http-sig` is the OCM-spec flag signalling RFC 9421 support backed
+		// by /.well-known/jwks.json. Advertised whenever signing is not
+		// disabled outright.
+		$local = $this->discoveryService->getLocalOCMProvider();
+		$this->assertTrue($local->hasCapability('http-sig'));
+	}
 
 	public function testLocalAddedCapability(): void {
 		$this->context->for('ocm-capability-app')->registerEventListener(LocalOCMDiscoveryEvent::class, LocalOCMDiscoveryTestEvent::class);