fix(ocm): switching to IdentityProof

Signed-off-by: Maxence Lange <maxence@artificial-owl.com>

apps/cloud_federation_api/lib/Capabilities.php

@@ -8,7 +8,7 @@ declare(strict_types=1);
  */
 namespace OCA\CloudFederationAPI;
 
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairException;
+use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
 use NCU\Security\Signature\Exceptions\SignatoryException;
 use OC\OCM\OCMSignatoryManager;
 use OCP\Capabilities\ICapability;
@@ -79,7 +79,7 @@ class Capabilities implements ICapability {
 			} else {
 				$this->logger->debug('ocm public key feature disabled');
 			}
-		} catch (SignatoryException|KeyPairException $e) {
+		} catch (SignatoryException|IdentityNotFoundException $e) {
 			$this->logger->warning('cannot generate local signatory', ['exception' => $e]);
 		}
 

apps/cloud_federation_api/lib/Controller/RequestHandlerController.php

@@ -5,6 +5,7 @@
  */
 namespace OCA\CloudFederationAPI\Controller;
 
+use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
 use NCU\Security\Signature\Exceptions\IncomingRequestException;
 use NCU\Security\Signature\Exceptions\SignatoryNotFoundException;
 use NCU\Security\Signature\Exceptions\SignatureException;
@@ -14,6 +15,7 @@ use NCU\Security\Signature\Model\IIncomingSignedRequest;
 use OC\OCM\OCMSignatoryManager;
 use OCA\CloudFederationAPI\Config;
 use OCA\CloudFederationAPI\ResponseDefinitions;
+use OCA\FederatedFileSharing\AddressHandler;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\BruteForceProtection;
@@ -60,6 +62,7 @@ class RequestHandlerController extends Controller {
 		private IURLGenerator $urlGenerator,
 		private ICloudFederationProviderManager $cloudFederationProviderManager,
 		private Config $config,
+		private readonly AddressHandler $addressHandler,
 		private readonly IAppConfig $appConfig,
 		private ICloudFederationFactory $factory,
 		private ICloudIdManager $cloudIdManager,
@@ -289,6 +292,7 @@ class RequestHandlerController extends Controller {
 			$response->throttle();
 			return $response;
 		} catch (\Exception $e) {
+			$this->logger->warning('incoming notification exception', ['exception' => $e]);
 			return new JSONResponse(
 				[
 					'message' => 'Internal error at ' . $this->urlGenerator->getBaseUrl(),
@@ -376,7 +380,7 @@ class RequestHandlerController extends Controller {
 		$body = json_decode($signedRequest->getBody(), true) ?? [];
 		$entry = trim($body[$key] ?? '', '@');
 		if ($this->getHostFromFederationId($entry) !== $signedRequest->getOrigin()) {
-			throw new IncomingRequestException('share initiation from different instance');
+			throw new IncomingRequestException('share initiation (' . $signedRequest->getOrigin() . ') from different instance (' . $entry . ') [key=' . $key . ']');
 		}
 	}
 
@@ -391,7 +395,6 @@ class RequestHandlerController extends Controller {
 	 * @param IIncomingSignedRequest|null $signedRequest
 	 * @param string $token
 	 *
-	 * @return void
 	 * @throws IncomingRequestException
 	 */
 	private function confirmShareOrigin(?IIncomingSignedRequest $signedRequest, string $token): void {
@@ -401,8 +404,23 @@ class RequestHandlerController extends Controller {
 
 		$provider = $this->shareProviderFactory->getProviderForType(IShare::TYPE_REMOTE);
 		$share = $provider->getShareByToken($token);
-		$entry = $share->getSharedWith();
+		try {
+			$this->confirmShareEntry($signedRequest, $share->getSharedWith());
+		} catch (IncomingRequestException) {
+			// notification might come from the instance that owns the share
+			$this->logger->debug('could not confirm origin on sharedWith (' . $share->getSharedWIth() . '); going with shareOwner (' . $share->getShareOwner() . ')');
+			$this->confirmShareEntry($signedRequest, $share->getShareOwner());
+		}
+	}
 
+	/**
+	 * @param IIncomingSignedRequest|null $signedRequest
+	 * @param string $entry
+	 *
+	 * @return void
+	 * @throws IncomingRequestException
+	 */
+	private function confirmShareEntry(?IIncomingSignedRequest $signedRequest, string $entry): void {
 		$instance = $this->getHostFromFederationId($entry);
 		if ($signedRequest === null) {
 			try {
@@ -412,7 +430,7 @@ class RequestHandlerController extends Controller {
 				return;
 			}
 		} elseif ($instance !== $signedRequest->getOrigin()) {
-			throw new IncomingRequestException('token sharedWith from different instance');
+			throw new IncomingRequestException('token sharedWith (' . $instance . ') not linked to origin (' . $signedRequest->getOrigin() . ')');
 		}
 	}
 
@@ -423,20 +441,16 @@ class RequestHandlerController extends Controller {
 	 */
 	private function getHostFromFederationId(string $entry): string {
 		if (!str_contains($entry, '@')) {
-			throw new IncomingRequestException('entry does not contains @');
+			throw new IncomingRequestException('entry ' . $entry . ' does not contains @');
 		}
-		[, $rightPart] = explode('@', $entry, 2);
+		$rightPart = substr($entry, strrpos($entry, '@') + 1);
 
-		$host = parse_url($rightPart, PHP_URL_HOST);
-		$port = parse_url($rightPart, PHP_URL_PORT);
-		if ($port !== null && $port !== false) {
-			$host .= ':' . $port;
-		}
-
-		if (is_string($host) && $host !== '') {
-			return $host;
+		// in case the full scheme is sent; getting rid of it
+		$rightPart = $this->addressHandler->removeProtocolFromUrl($rightPart);
+		try {
+			return $this->signatureManager->extractIdentityFromUri('https://' . $rightPart);
+		} catch (IdentityNotFoundException) {
+			throw new IncomingRequestException('invalid host within federation id: ' . $entry);
 		}
-
-		throw new IncomingRequestException('host is empty');
 	}
 }

apps/federatedfilesharing/lib/FederatedShareProvider.php

@@ -250,7 +250,8 @@ class FederatedShareProvider implements IShareProvider {
 			$remote,
 			$shareWith,
 			$share->getPermissions(),
-			$share->getNode()->getName()
+			$share->getNode()->getName(),
+			$share->getShareType(),
 		);
 
 		return [$token, $remoteId];

apps/federatedfilesharing/lib/Notifications.php

@@ -108,12 +108,13 @@ class Notifications {
 	 * @throws HintException
 	 * @throws \OC\ServerNotAvailableException
 	 */
-	public function requestReShare($token, $id, $shareId, $remote, $shareWith, $permission, $filename) {
+	public function requestReShare($token, $id, $shareId, $remote, $shareWith, $permission, $filename, $shareType) {
 		$fields = [
 			'shareWith' => $shareWith,
 			'token' => $token,
 			'permission' => $permission,
 			'remoteId' => $shareId,
+			'shareType' => $shareType,
 		];
 
 		$ocmFields = $fields;

build/integration/features/bootstrap/FederationContext.php

@@ -38,7 +38,7 @@ class FederationContext implements Context, SnippetAcceptingContext {
 
 		$port = getenv('PORT_FED');
 
-		self::$phpFederatedServerPid = exec('php -S localhost:' . $port . ' -t ../../ >/dev/null & echo $!');
+		self::$phpFederatedServerPid = exec('PHP_CLI_SERVER_WORKERS=2 php -S localhost:' . $port . ' -t ../../ >/dev/null & echo $!');
 	}
 
 	/**

build/integration/federation_features/cleanup-remote-storage.feature

@@ -4,6 +4,27 @@ Feature: cleanup-remote-storage
   Background:
     Given using api version "1"
 
+  Scenario: cleanup remote storage with no storage
+    Given Using server "LOCAL"
+    And user "user0" exists
+    Given Using server "REMOTE"
+    And user "user1" exists
+    # Rename file so it has a unique name in the target server (as the target
+    # server may have its own /textfile0.txt" file)
+    And User "user1" copies file "/textfile0.txt" to "/remote-share.txt"
+    And User "user1" from server "REMOTE" shares "/remote-share.txt" with user "user0" from server "LOCAL"
+    And As an "user1"
+    And Deleting last share
+    And the OCS status code should be "100"
+    And the HTTP status code should be "200"
+    And Deleting last share
+    And Using server "LOCAL"
+    When invoking occ with "sharing:cleanup-remote-storage"
+    Then the command was successful
+    And the command output contains the text "0 remote storage(s) need(s) to be checked"
+    And the command output contains the text "0 remote share(s) exist"
+    And the command output contains the text "no storages deleted"
+
   Scenario: cleanup remote storage with active storages
     Given Using server "LOCAL"
     And user "user0" exists
@@ -35,9 +56,6 @@ Feature: cleanup-remote-storage
     # server may have its own /textfile0.txt" file)
     And User "user1" copies file "/textfile0.txt" to "/remote-share.txt"
     And User "user1" from server "REMOTE" shares "/remote-share.txt" with user "user0" from server "LOCAL"
-    And As an "user1"
-    And sending "GET" to "/apps/files_sharing/api/v1/shares"
-    And the list of returned shares has 1 shares
     And Using server "LOCAL"
     # Accept and download the file to ensure that a storage is created for the
     # federated share

lib/composer/composer/autoload_classmap.php

@@ -1902,8 +1902,6 @@ return array(
     'OC\\Security\\Ip\\Range' => $baseDir . '/lib/private/Security/Ip/Range.php',
     'OC\\Security\\Ip\\RemoteAddress' => $baseDir . '/lib/private/Security/Ip/RemoteAddress.php',
     'OC\\Security\\Normalizer\\IpAddress' => $baseDir . '/lib/private/Security/Normalizer/IpAddress.php',
-    'OC\\Security\\PublicPrivateKeyPairs\\KeyPairManager' => $baseDir . '/lib/private/Security/PublicPrivateKeyPairs/KeyPairManager.php',
-    'OC\\Security\\PublicPrivateKeyPairs\\Model\\KeyPair' => $baseDir . '/lib/private/Security/PublicPrivateKeyPairs/Model/KeyPair.php',
     'OC\\Security\\RateLimiting\\Backend\\DatabaseBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php',
     'OC\\Security\\RateLimiting\\Backend\\IBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
     'OC\\Security\\RateLimiting\\Backend\\MemoryCacheBackend' => $baseDir . '/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php',

lib/composer/composer/autoload_static.php

@@ -1943,8 +1943,6 @@ class ComposerStaticInit749170dad3f5e7f9ca158f5a9f04f6a2
         'OC\\Security\\Ip\\Range' => __DIR__ . '/../../..' . '/lib/private/Security/Ip/Range.php',
         'OC\\Security\\Ip\\RemoteAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Ip/RemoteAddress.php',
         'OC\\Security\\Normalizer\\IpAddress' => __DIR__ . '/../../..' . '/lib/private/Security/Normalizer/IpAddress.php',
-        'OC\\Security\\PublicPrivateKeyPairs\\KeyPairManager' => __DIR__ . '/../../..' . '/lib/private/Security/PublicPrivateKeyPairs/KeyPairManager.php',
-        'OC\\Security\\PublicPrivateKeyPairs\\Model\\KeyPair' => __DIR__ . '/../../..' . '/lib/private/Security/PublicPrivateKeyPairs/Model/KeyPair.php',
         'OC\\Security\\RateLimiting\\Backend\\DatabaseBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/DatabaseBackend.php',
         'OC\\Security\\RateLimiting\\Backend\\IBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/IBackend.php',
         'OC\\Security\\RateLimiting\\Backend\\MemoryCacheBackend' => __DIR__ . '/../../..' . '/lib/private/Security/RateLimiting/Backend/MemoryCacheBackend.php',

lib/private/Federation/CloudFederationProviderManager.php

@@ -18,6 +18,7 @@ use OCP\Federation\ICloudFederationProvider;
 use OCP\Federation\ICloudFederationProviderManager;
 use OCP\Federation\ICloudFederationShare;
 use OCP\Federation\ICloudIdManager;
+use OCP\Http\Client\IClient;
 use OCP\Http\Client\IClientService;
 use OCP\Http\Client\IResponse;
 use OCP\IAppConfig;
@@ -105,25 +106,11 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
 	public function sendShare(ICloudFederationShare $share) {
 		$cloudID = $this->cloudIdManager->resolveCloudId($share->getShareWith());
 		try {
-			$ocmProvider = $this->discoveryService->discover($cloudID->getRemote());
-		} catch (OCMProviderException $e) {
-			return false;
-		}
-
-		$client = $this->httpClientService->newClient();
-		try {
-			// signing the payload using OCMSignatoryManager before initializing the request
-			$uri = $ocmProvider->getEndPoint() . '/shares';
-			$payload = array_merge($this->getDefaultRequestOptions(), ['body' => json_encode($share->getShare())]);
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
-					$this->signatoryManager,
-					$payload,
-					'post', $uri
-				);
+			try {
+				$response = $this->postOcmPayload($cloudID->getRemote(), '/shares', json_encode($share->getShare()));
+			} catch (OCMProviderException) {
+				return false;
 			}
-			$response = $client->post($uri, $signedPayload ?? $payload);
-
 			if ($response->getStatusCode() === Http::STATUS_CREATED) {
 				$result = json_decode($response->getBody(), true);
 				return (is_array($result)) ? $result : [];
@@ -149,22 +136,9 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
 	 */
 	public function sendCloudShare(ICloudFederationShare $share): IResponse {
 		$cloudID = $this->cloudIdManager->resolveCloudId($share->getShareWith());
-		$ocmProvider = $this->discoveryService->discover($cloudID->getRemote());
-
 		$client = $this->httpClientService->newClient();
 		try {
-			// signing the payload using OCMSignatoryManager before initializing the request
-			$uri = $ocmProvider->getEndPoint() . '/shares';
-			$payload = array_merge($this->getDefaultRequestOptions(), ['body' => json_encode($share->getShare())]);
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
-					$this->signatoryManager,
-					$payload,
-					'post', $uri
-				);
-			}
-
-			return $client->post($uri, $signedPayload ?? $payload);
+			return $this->postOcmPayload($cloudID->getRemote(), '/shares', json_encode($share->getShare()), $client);
 		} catch (\Throwable $e) {
 			$this->logger->error('Error while sending share to federation server: ' . $e->getMessage(), ['exception' => $e]);
 			try {
@@ -183,26 +157,11 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
 	 */
 	public function sendNotification($url, ICloudFederationNotification $notification) {
 		try {
-			$ocmProvider = $this->discoveryService->discover($url);
-		} catch (OCMProviderException $e) {
-			return false;
-		}
-
-		$client = $this->httpClientService->newClient();
-		try {
-
-			// signing the payload using OCMSignatoryManager before initializing the request
-			$uri = $ocmProvider->getEndPoint() . '/notifications';
-			$payload = array_merge($this->getDefaultRequestOptions(), ['body' => json_encode($notification->getMessage())]);
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
-					$this->signatoryManager,
-					$payload,
-					'post', $uri
-				);
+			try {
+				$response = $this->postOcmPayload($url, '/notifications', json_encode($notification->getMessage()));
+			} catch (OCMProviderException) {
+				return false;
 			}
-			$response = $client->post($uri, $signedPayload ?? $payload);
-
 			if ($response->getStatusCode() === Http::STATUS_CREATED) {
 				$result = json_decode($response->getBody(), true);
 				return (is_array($result)) ? $result : [];
@@ -222,21 +181,9 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
 	 * @throws OCMProviderException
 	 */
 	public function sendCloudNotification(string $url, ICloudFederationNotification $notification): IResponse {
-		$ocmProvider = $this->discoveryService->discover($url);
-
 		$client = $this->httpClientService->newClient();
 		try {
-			// signing the payload using OCMSignatoryManager before initializing the request
-			$uri = $ocmProvider->getEndPoint() . '/notifications';
-			$payload = array_merge($this->getDefaultRequestOptions(), ['body' => json_encode($notification->getMessage())]);
-			if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
-				$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
-					$this->signatoryManager,
-					$payload,
-					'post', $uri
-				);
-			}
-			return $client->post($uri, $signedPayload ?? $payload);
+			return $this->postOcmPayload($url, '/notifications', json_encode($notification->getMessage()), $client);
 		} catch (\Throwable $e) {
 			$this->logger->error('Error while sending notification to federation server: ' . $e->getMessage(), ['exception' => $e]);
 			try {
@@ -256,6 +203,40 @@ class CloudFederationProviderManager implements ICloudFederationProviderManager
 		return $this->appManager->isEnabledForUser('cloud_federation_api');
 	}
 
+	/**
+	 * @param string $cloudId
+	 * @param string $uri
+	 * @param string $payload
+	 *
+	 * @return IResponse
+	 * @throws OCMProviderException
+	 */
+	private function postOcmPayload(string $cloudId, string $uri, string $payload, ?IClient $client = null): IResponse {
+		$ocmProvider = $this->discoveryService->discover($cloudId);
+		$uri = $ocmProvider->getEndPoint() . '/' . ltrim($uri, '/');
+		$client = $client ?? $this->httpClientService->newClient();
+		return $client->post($uri, $this->prepareOcmPayload($uri, $payload));
+	}
+
+	/**
+	 * @param string $uri
+	 * @param string $payload
+	 *
+	 * @return array
+	 */
+	private function prepareOcmPayload(string $uri, string $payload): array {
+		$payload = array_merge($this->getDefaultRequestOptions(), ['body' => $payload]);
+		if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
+			$signedPayload = $this->signatureManager->signOutgoingRequestIClientPayload(
+				$this->signatoryManager,
+				$payload,
+				'post', $uri
+			);
+		}
+
+		return $signedPayload ?? $payload;
+	}
+
 	private function getDefaultRequestOptions(): array {
 		return [
 			'headers' => ['content-type' => 'application/json'],

lib/private/Files/Storage/DAV.php

@@ -64,7 +64,6 @@ class DAV extends Common {
 	protected $httpClientService;
 	/** @var ICertificateManager */
 	protected $certManager;
-	protected bool $verify = true;
 	protected LoggerInterface $logger;
 	protected IEventLogger $eventLogger;
 	protected IMimeTypeDetector $mimeTypeDetector;
@@ -104,7 +103,6 @@ class DAV extends Common {
 			if (isset($parameters['authType'])) {
 				$this->authType = $parameters['authType'];
 			}
-			$this->verify = (($parameters['verify'] ?? true) !== false);
 			if (isset($parameters['secure'])) {
 				if (is_string($parameters['secure'])) {
 					$this->secure = ($parameters['secure'] === 'true');
@@ -164,11 +162,6 @@ class DAV extends Common {
 			}
 		}
 
-		if (!$this->verify) {
-			$this->client->addCurlSetting(CURLOPT_SSL_VERIFYHOST, 0);
-			$this->client->addCurlSetting(CURLOPT_SSL_VERIFYPEER, false);
-		}
-
 		$lastRequestStart = 0;
 		$this->client->on('beforeRequest', function (RequestInterface $request) use (&$lastRequestStart) {
 			$this->logger->debug('sending dav ' . $request->getMethod() . ' request to external storage: ' . $request->getAbsoluteUrl(), ['app' => 'dav']);

lib/private/OCM/Model/OCMProvider.php

@@ -210,11 +210,11 @@ class OCMProvider implements IOCMProvider {
 	 *      apiVersion: '1.0-proposal1',
 	 *      endPoint: string,
 	 *      publicKey: ISignatory|null,
-	 *      resourceTypes: array{
+	 *      resourceTypes: list<array{
 	 *          name: string,
 	 *          shareTypes: list<string>,
 	 *          protocols: array<string, string>
-	 *      }[],
+	 *      }>,
 	 *      version: string
 	 *  }
 	 */

lib/private/OCM/OCMDiscoveryService.php

@@ -46,6 +46,14 @@ class OCMDiscoveryService implements IOCMDiscoveryService {
 	 */
 	public function discover(string $remote, bool $skipCache = false): IOCMProvider {
 		$remote = rtrim($remote, '/');
+		if (!str_starts_with($remote, 'http://') && !str_starts_with($remote, 'https://')) {
+			// if scheme not specified, we test both;
+			try {
+				return $this->discover('https://' . $remote, $skipCache);
+			} catch (OCMProviderException) {
+				return $this->discover('http://' . $remote, $skipCache);
+			}
+		}
 
 		if (!$skipCache) {
 			try {
@@ -70,10 +78,7 @@ class OCMDiscoveryService implements IOCMDiscoveryService {
 			if ($this->config->getSystemValueBool('sharing.federation.allowSelfSignedCertificates') === true) {
 				$options['verify'] = false;
 			}
-			$response = $client->get(
-				$remote . '/ocm-provider/',
-				$options,
-			);
+			$response = $client->get($remote . '/ocm-provider/', $options);
 
 			if ($response->getStatusCode() === Http::STATUS_OK) {
 				$body = $response->getBody();

lib/private/OCM/OCMSignatoryManager.php

@@ -8,15 +8,13 @@ declare(strict_types=1);
  */
 namespace OC\OCM;
 
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairConflictException;
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairNotFoundException;
-use NCU\Security\PublicPrivateKeyPairs\IKeyPairManager;
 use NCU\Security\Signature\Exceptions\IdentityNotFoundException;
 use NCU\Security\Signature\ISignatoryManager;
 use NCU\Security\Signature\ISignatureManager;
 use NCU\Security\Signature\Model\IIncomingSignedRequest;
 use NCU\Security\Signature\Model\ISignatory;
 use NCU\Security\Signature\Model\SignatoryType;
+use OC\Security\IdentityProof\Manager;
 use OC\Security\Signature\Model\Signatory;
 use OCP\IAppConfig;
 use OCP\IURLGenerator;
@@ -40,7 +38,7 @@ class OCMSignatoryManager implements ISignatoryManager {
 		private readonly IAppConfig $appConfig,
 		private readonly ISignatureManager $signatureManager,
 		private readonly IURLGenerator $urlGenerator,
-		private readonly IKeyPairManager $keyPairManager,
+		private readonly Manager $identityProofManager,
 		private readonly OCMDiscoveryService $ocmDiscoveryService,
 	) {
 	}
@@ -69,7 +67,6 @@ class OCMSignatoryManager implements ISignatoryManager {
 	 * @inheritDoc
 	 *
 	 * @return ISignatory
-	 * @throws KeyPairConflictException
 	 * @throws IdentityNotFoundException
 	 * @since 31.0.0
 	 */
@@ -85,13 +82,16 @@ class OCMSignatoryManager implements ISignatoryManager {
 			$keyId = $this->generateKeyId();
 		}
 
-		try {
-			$keyPair = $this->keyPairManager->getKeyPair('core', 'ocm_external');
-		} catch (KeyPairNotFoundException) {
-			$keyPair = $this->keyPairManager->generateKeyPair('core', 'ocm_external');
+		if (!$this->identityProofManager->hasAppKey('core', 'ocm_external')) {
+			$this->identityProofManager->generateAppKey('core', 'ocm_external', [
+				'algorithm' => 'rsa',
+				'private_key_bits' => 2048,
+				'private_key_type' => OPENSSL_KEYTYPE_RSA,
+			]);
 		}
+		$keyPair = $this->identityProofManager->getAppKey('core', 'ocm_external');
 
-		return new Signatory($keyId, $keyPair->getPublicKey(), $keyPair->getPrivateKey(), local: true);
+		return new Signatory($keyId, $keyPair->getPublic(), $keyPair->getPrivate(), local: true);
 	}
 
 	/**

lib/private/Security/IdentityProof/Manager.php

@@ -10,6 +10,7 @@ namespace OC\Security\IdentityProof;
 
 use OC\Files\AppData\Factory;
 use OCP\Files\IAppData;
+use OCP\Files\NotFoundException;
 use OCP\IConfig;
 use OCP\IUser;
 use OCP\Security\ICrypto;
@@ -31,18 +32,20 @@ class Manager {
 	 * Calls the openssl functions to generate a public and private key.
 	 * In a separate function for unit testing purposes.
 	 *
+	 * @param array $options config options to generate key {@see openssl_csr_new}
+	 *
 	 * @return array [$publicKey, $privateKey]
 	 * @throws \RuntimeException
 	 */
-	protected function generateKeyPair(): array {
+	protected function generateKeyPair(array $options = []): array {
 		$config = [
-			'digest_alg' => 'sha512',
-			'private_key_bits' => 2048,
+			'digest_alg' => $options['algorithm'] ?? 'sha512',
+			'private_key_bits' => $options['bits'] ?? 2048,
+			'private_key_type' => $options['type'] ?? OPENSSL_KEYTYPE_RSA,
 		];
 
 		// Generate new key
 		$res = openssl_pkey_new($config);
-
 		if ($res === false) {
 			$this->logOpensslError();
 			throw new \RuntimeException('OpenSSL reported a problem');
@@ -65,15 +68,17 @@ class Manager {
 	 * Note: If a key already exists it will be overwritten
 	 *
 	 * @param string $id key id
+	 * @param array $options config options to generate key {@see openssl_csr_new}
+	 *
 	 * @throws \RuntimeException
 	 */
-	protected function generateKey(string $id): Key {
-		[$publicKey, $privateKey] = $this->generateKeyPair();
+	protected function generateKey(string $id, array $options = []): Key {
+		[$publicKey, $privateKey] = $this->generateKeyPair($options);
 
 		// Write the private and public key to the disk
 		try {
 			$this->appData->newFolder($id);
-		} catch (\Exception $e) {
+		} catch (\Exception) {
 		}
 		$folder = $this->appData->getFolder($id);
 		$folder->newFile('private')
@@ -125,6 +130,38 @@ class Manager {
 		return $this->retrieveKey('system-' . $instanceId);
 	}
 
+	public function hasAppKey(string $app, string $name): bool {
+		$id = $this->generateAppKeyId($app, $name);
+		try {
+			$this->appData->getFolder($id);
+			return true;
+		} catch (NotFoundException) {
+			return false;
+		}
+	}
+
+	public function getAppKey(string $app, string $name): Key {
+		return $this->retrieveKey($this->generateAppKeyId($app, $name));
+	}
+
+	public function generateAppKey(string $app, string $name, array $options = []): Key {
+		return $this->generateKey($this->generateAppKeyId($app, $name), $options);
+	}
+
+	public function deleteAppKey(string $app, string $name): bool {
+		try {
+			$folder = $this->appData->getFolder($this->generateAppKeyId($app, $name));
+		} catch (NotFoundException) {
+			return false;
+		}
+		$folder->delete();
+		return true;
+	}
+
+	private function generateAppKeyId(string $app, string $name): string {
+		return 'app-' . $app . '-' . $name;
+	}
+
 	private function logOpensslError(): void {
 		$errors = [];
 		while ($error = openssl_error_string()) {

lib/private/Security/PublicPrivateKeyPairs/KeyPairManager.php

@@ -1,182 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace OC\Security\PublicPrivateKeyPairs;
-
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairConflictException;
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairNotFoundException;
-use NCU\Security\PublicPrivateKeyPairs\IKeyPairManager;
-use NCU\Security\PublicPrivateKeyPairs\Model\IKeyPair;
-use OC\Security\PublicPrivateKeyPairs\Model\KeyPair;
-use OCP\IAppConfig;
-
-/**
- * @inheritDoc
- *
- * KeyPairManager store internal public/private key pair using AppConfig, taking advantage of the encryption
- * and lazy loading.
- *
- * @since 31.0.0
- */
-class KeyPairManager implements IKeyPairManager {
-	private const CONFIG_PREFIX = 'security.keypair.';
-
-	public function __construct(
-		private readonly IAppConfig $appConfig,
-	) {
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 * @param array $options algorithms, metadata
-	 *
-	 * @return IKeyPair
-	 * @throws KeyPairConflictException if a key already exist
-	 * @since 31.0.0
-	 */
-	public function generateKeyPair(string $app, string $name, array $options = []): IKeyPair {
-		if ($this->hasKeyPair($app, $name)) {
-			throw new KeyPairConflictException('key pair already exist');
-		}
-
-		$keyPair = new KeyPair($app, $name);
-
-		[$publicKey, $privateKey] = $this->generateKeys($options);
-		$keyPair->setPublicKey($publicKey)
-			->setPrivateKey($privateKey)
-			->setOptions($options);
-
-		$this->appConfig->setValueArray(
-			$app, $this->generateAppConfigKey($name),
-			[
-				'public' => $keyPair->getPublicKey(),
-				'private' => $keyPair->getPrivateKey(),
-				'options' => $keyPair->getOptions()
-			],
-			lazy:      true,
-			sensitive: true
-		);
-
-		return $keyPair;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 *
-	 * @return bool TRUE if key pair exists in database
-	 * @since 31.0.0
-	 */
-	public function hasKeyPair(string $app, string $name): bool {
-		$key = $this->generateAppConfigKey($name);
-		return $this->appConfig->hasKey($app, $key, lazy: true);
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 *
-	 * @return IKeyPair
-	 * @throws KeyPairNotFoundException if key pair is not known
-	 * @since 31.0.0
-	 */
-	public function getKeyPair(string $app, string $name): IKeyPair {
-		if (!$this->hasKeyPair($app, $name)) {
-			throw new KeyPairNotFoundException('unknown key pair');
-		}
-
-		$key = $this->generateAppConfigKey($name);
-		$stored = $this->appConfig->getValueArray($app, $key, lazy: true);
-		if (!array_key_exists('public', $stored) ||
-			!array_key_exists('private', $stored)) {
-			throw new KeyPairNotFoundException('corrupted key pair');
-		}
-
-		$keyPair = new KeyPair($app, $name);
-		return $keyPair->setPublicKey($stored['public'])
-			->setPrivateKey($stored['private'])
-			->setOptions($stored['options'] ?? []);
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $app appid
-	 * @param string $name key name
-	 *
-	 * @since 31.0.0
-	 */
-	public function deleteKeyPair(string $app, string $name): void {
-		$this->appConfig->deleteKey('core', $this->generateAppConfigKey($name));
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param IKeyPair $keyPair keypair to test
-	 *
-	 * @return bool
-	 * @since 31.0.0
-	 */
-	public function testKeyPair(IKeyPair $keyPair): bool {
-		$clear = md5((string)time());
-
-		// signing with private key
-		openssl_sign($clear, $signed, $keyPair->getPrivateKey(), OPENSSL_ALGO_SHA256);
-		$encoded = base64_encode($signed);
-
-		// verify with public key
-		$signed = base64_decode($encoded);
-		return (openssl_verify($clear, $signed, $keyPair->getPublicKey(), 'sha256') === 1);
-	}
-
-	/**
-	 * return appconfig key based on name of the key pair
-	 *
-	 * @param string $name
-	 *
-	 * @return string
-	 */
-	private function generateAppConfigKey(string $name): string {
-		return self::CONFIG_PREFIX . $name;
-	}
-
-	/**
-	 * generate the key pair, based on $options with the following default values:
-	 *   [
-	 *     'algorithm' => 'rsa',
-	 *     'bits' => 2048,
-	 *     'type' => OPENSSL_KEYTYPE_RSA
-	 *   ]
-	 *
-	 * @param array $options
-	 *
-	 * @return array
-	 */
-	private function generateKeys(array $options = []): array {
-		$res = openssl_pkey_new(
-			[
-				'digest_alg' => $options['algorithm'] ?? 'rsa',
-				'private_key_bits' => $options['bits'] ?? 2048,
-				'private_key_type' => $options['type'] ?? OPENSSL_KEYTYPE_RSA,
-			]
-		);
-
-		openssl_pkey_export($res, $privateKey);
-		$publicKey = openssl_pkey_get_details($res)['key'];
-
-		return [$publicKey, $privateKey];
-	}
-}

lib/private/Security/PublicPrivateKeyPairs/Model/KeyPair.php

@@ -1,114 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace OC\Security\PublicPrivateKeyPairs\Model;
-
-use NCU\Security\PublicPrivateKeyPairs\Model\IKeyPair;
-
-/**
- * @inheritDoc
- *
- * @since 31.0.0
- */
-class KeyPair implements IKeyPair {
-	private string $publicKey = '';
-	private string $privateKey = '';
-	private array $options = [];
-
-	public function __construct(
-		private readonly string $app,
-		private readonly string $name,
-	) {
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getApp(): string {
-		return $this->app;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getName(): string {
-		return $this->name;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $publicKey
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setPublicKey(string $publicKey): IKeyPair {
-		$this->publicKey = $publicKey;
-		return $this;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getPublicKey(): string {
-		return $this->publicKey;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param string $privateKey
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setPrivateKey(string $privateKey): IKeyPair {
-		$this->privateKey = $privateKey;
-		return $this;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getPrivateKey(): string {
-		return $this->privateKey;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @param array $options
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setOptions(array $options): IKeyPair {
-		$this->options = $options;
-		return $this;
-	}
-
-	/**
-	 * @inheritDoc
-	 *
-	 * @return array
-	 * @since 31.0.0
-	 */
-	public function getOptions(): array {
-		return $this->options;
-	}
-}

lib/private/Security/Signature/SignatureManager.php

@@ -112,9 +112,7 @@ class SignatureManager implements ISignatureManager {
 			$this->prepIncomingSignatureHeader($signedRequest);
 			$this->verifyIncomingSignatureHeader($signedRequest);
 			$this->prepEstimatedSignature($signedRequest, $options['extraSignatureHeaders'] ?? []);
-			$this->verifyIncomingRequestSignature(
-				$signedRequest, $signatoryManager, $options['ttlSignatory'] ?? self::SIGNATORY_TTL
-			);
+			$this->verifyIncomingRequestSignature($signedRequest, $signatoryManager, $options['ttlSignatory'] ?? self::SIGNATORY_TTL);
 		} catch (SignatureException $e) {
 			$this->logger->warning(
 				'signature could not be verified', [
@@ -724,7 +722,6 @@ class SignatureManager implements ISignatureManager {
 			case SignatoryType::FORGIVABLE:
 				$this->deleteSignatory($knownSignatory->getKeyId());
 				$this->insertSignatory($signatory);
-
 				return;
 
 			case SignatoryType::REFRESHABLE:
@@ -735,12 +732,10 @@ class SignatureManager implements ISignatureManager {
 			case SignatoryType::TRUSTED:
 				// TODO: send notice to admin
 				throw new SignatoryConflictException();
-				break;
 
 			case SignatoryType::STATIC:
 				// TODO: send warning to admin
 				throw new SignatoryConflictException();
-				break;
 		}
 	}
 

lib/private/Server.php

@@ -103,7 +103,6 @@ use OC\Security\CSRF\CsrfTokenManager;
 use OC\Security\CSRF\TokenStorage\SessionStorage;
 use OC\Security\Hasher;
 use OC\Security\Ip\RemoteAddress;
-use OC\Security\PublicPrivateKeyPairs\KeyPairManager;
 use OC\Security\RateLimiting\Limiter;
 use OC\Security\SecureRandom;
 use OC\Security\Signature\SignatureManager;
@@ -1290,7 +1289,6 @@ class Server extends ServerContainer implements IServerContainer {
 
 		$this->registerAlias(IRichTextFormatter::class, \OC\RichObjectStrings\RichTextFormatter::class);
 
-		$this->registerAlias(IKeyPairManager::class, KeyPairManager::class);
 		$this->registerAlias(ISignatureManager::class, SignatureManager::class);
 
 		$this->connectDispatcher();

lib/public/OCM/IOCMProvider.php

@@ -154,11 +154,11 @@ interface IOCMProvider extends JsonSerializable {
 	 *     apiVersion: '1.0-proposal1',
 	 *     endPoint: string,
 	 *     publicKey: ISignatory|null,
-	 *     resourceTypes: array{
+	 *     resourceTypes: list<array{
 	 *         name: string,
 	 *         shareTypes: list<string>,
 	 *         protocols: array<string, string>
-	 *     }[],
+	 *     }>,
 	 *     version: string
 	 * }
 	 * @since 28.0.0

lib/unstable/Security/PublicPrivateKeyPairs/Exceptions/KeyPairConflictException.php

@@ -1,18 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace NCU\Security\PublicPrivateKeyPairs\Exceptions;
-
-/**
- * conflict between public and private key pair
- *
- * @experimental 31.0.0
- * @since 31.0.0
- */
-class KeyPairConflictException extends KeyPairException {
-}

lib/unstable/Security/PublicPrivateKeyPairs/Exceptions/KeyPairException.php

@@ -1,20 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace NCU\Security\PublicPrivateKeyPairs\Exceptions;
-
-use Exception;
-
-/**
- * global exception related to key pairs
- *
- * @experimental 31.0.0
- * @since 31.0.0
- */
-class KeyPairException extends Exception {
-}

lib/unstable/Security/PublicPrivateKeyPairs/Exceptions/KeyPairNotFoundException.php

@@ -1,16 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace NCU\Security\PublicPrivateKeyPairs\Exceptions;
-
-/**
- * @experimental 31.0.0
- * @since 31.0.0
- */
-class KeyPairNotFoundException extends KeyPairException {
-}

lib/unstable/Security/PublicPrivateKeyPairs/IKeyPairManager.php

@@ -1,80 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace NCU\Security\PublicPrivateKeyPairs;
-
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairConflictException;
-use NCU\Security\PublicPrivateKeyPairs\Exceptions\KeyPairNotFoundException;
-use NCU\Security\PublicPrivateKeyPairs\Model\IKeyPair;
-
-/**
- * IKeyPairManager contains a group of method to create/manage/store internal public/private key pair.
- *
- * @experimental 31.0.0
- * @since 31.0.0
- */
-interface IKeyPairManager {
-
-	/**
-	 * generate and store public/private key pair.
-	 * throws exception if key pair already exist
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 * @param array $options algorithms, metadata
-	 *
-	 * @return IKeyPair
-	 * @throws KeyPairConflictException if a key already exist
-	 * @since 31.0.0
-	 */
-	public function generateKeyPair(string $app, string $name, array $options = []): IKeyPair;
-
-	/**
-	 * returns if key pair is known.
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 *
-	 * @return bool TRUE if key pair exists in database
-	 * @since 31.0.0
-	 */
-	public function hasKeyPair(string $app, string $name): bool;
-
-	/**
-	 * return key pair from database based on $app and $name.
-	 * throws exception if key pair does not exist
-	 *
-	 * @param string $app appId
-	 * @param string $name key name
-	 *
-	 * @return IKeyPair
-	 * @throws KeyPairNotFoundException if key pair is not known
-	 * @since 31.0.0
-	 */
-	public function getKeyPair(string $app, string $name): IKeyPair;
-
-	/**
-	 * delete key pair from database
-	 *
-	 * @param string $app appid
-	 * @param string $name key name
-	 *
-	 * @since 31.0.0
-	 */
-	public function deleteKeyPair(string $app, string $name): void;
-
-	/**
-	 * test key pair by encrypting/decrypting a string
-	 *
-	 * @param IKeyPair $keyPair keypair to test
-	 *
-	 * @return bool
-	 * @since 31.0.0
-	 */
-	public function testKeyPair(IKeyPair $keyPair): bool;
-}

lib/unstable/Security/PublicPrivateKeyPairs/Model/IKeyPair.php

@@ -1,85 +0,0 @@
-<?php
-
-declare(strict_types=1);
-
-/**
- * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
- * SPDX-License-Identifier: AGPL-3.0-or-later
- */
-namespace NCU\Security\PublicPrivateKeyPairs\Model;
-
-/**
- * simple model that store key pair, its name, its origin (app)
- * and the options used during its creation
- *
- * @experimental 31.0.0
- * @since 31.0.0
- */
-interface IKeyPair {
-	/**
-	 * returns id of the app owning the key pair
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getApp(): string;
-
-	/**
-	 * returns name of the key pair
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getName(): string;
-
-	/**
-	 * set public key
-	 *
-	 * @param string $publicKey
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setPublicKey(string $publicKey): IKeyPair;
-
-	/**
-	 * returns public key
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getPublicKey(): string;
-
-	/**
-	 * set private key
-	 *
-	 * @param string $privateKey
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setPrivateKey(string $privateKey): IKeyPair;
-
-	/**
-	 * returns private key
-	 *
-	 * @return string
-	 * @since 31.0.0
-	 */
-	public function getPrivateKey(): string;
-
-	/**
-	 * set options
-	 *
-	 * @param array $options
-	 * @return IKeyPair
-	 * @since 31.0.0
-	 */
-	public function setOptions(array $options): IKeyPair;
-
-	/**
-	 * returns options
-	 *
-	 * @return array
-	 * @since 31.0.0
-	 */
-	public function getOptions(): array;
-}