Merged
33 changes: 27 additions & 6 deletions IETF-RFC.md
@@ -657,6 +657,9 @@ contain the following information about its OCM API:
for a short-lived bearer token.
_ `"invite-wayf"` - to indicate that this OCM Server exposes a WAYF
Page to facilitate the Invite flow.
_ `"http-sig"` - to indicate that this OCM Server supports
[RFC9421] HTTP Message Signatures and advertises public keys in the
`publicKeys` array for signature verification.
* OPTIONAL: criteria (array of string) - The criteria for accepting a
Share Creation Notification.
As all Receiving Servers SHOULD require the use of TLS in API
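Review bot: the `"http-sig"` bullet leaves the direction of the capability ambiguous. "supports [RFC9421] HTTP Message Signatures and advertises public keys in the `publicKeys` array for signature verification" can be read either as "this server signs its outgoing requests with the advertised keys" or as "this server verifies signatures on incoming requests". Since the advertised keys are the server's own public keys, say explicitly that outgoing requests from this server are signed per RFC 9421 with a key listed in `publicKeys`, and state separately whether advertising it also means signatures are required on incoming requests. `[RFC9421]` is also used here as a reference tag; make sure the references section of IETF-RFC.md gets a matching entry.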
@@ -674,19 +677,37 @@ contain the following information about its OCM API:
address \* `"invite"` - an invite MUST have been exchanged between the
sender and the receiver before a Share Creation Notification can be
sent
* OPTIONAL: publicKey (object) - The signatory used to sign outgoing
request to confirm its origin.
The signatory is optional, but if present, it MUST contain
two string fields, `id` and `publicKeyPem`.
* OPTIONAL: publicKey (object) - DEPRECATED: Use publicKeys array
instead for RFC 9421 support.
Legacy field for draft-cavage HTTP Signatures (RSA only).
Maintained for backward compatibility with existing deployments.
The signatory is optional, but if present, it MUST contain
two string fields, `keyId` and `publicKeyPem`.
properties:
- REQUIRED keyId (string) unique id of the key in URI format. The
hostname set the origin of the request and MUST be
identical to the current discovery endpoint.
Example: https://my-cloud-storage.org/ocm#signature
- REQUIRED publicKeyPem (string) - PEM-encoded version of the public
key.
- REQUIRED publicKeyPem (string) - PEM-encoded RSA public key for
draft-cavage signatures.
Example:
"----BEGIN PUBLIC KEY----\n...\n----END PUBLIC KEY----\n"
* OPTIONAL: publicKeys (array of objects) - Array of public keys for
[RFC9421] HTTP Message Signatures.
Servers advertising the "http-sig" capability MUST provide this
field. Clients SHOULD prefer [RFC9421] signatures when this capability
is present. Each object in the array MUST contain:
- REQUIRED keyId (string) - Unique identifier for this key in URI
format. Hostname MUST match the discovery endpoint hostname.
Example: https://my-cloud-storage.org/ocm#key-1
- REQUIRED publicKeyPem (string) - PEM-encoded public key for
[RFC9421] signatures.
Example:
"----BEGIN PUBLIC KEY----\nMCowBQYDK...\n----END PUBLIC KEY----\n"
- REQUIRED algorithm (string) - Cryptographic algorithm identifier
from the IANA HTTP Signature Algorithms Registry as defined in
[RFC9421] Section 6.2.
Example: "ed25519"
* OPTIONAL: inviteAcceptDialog (string) - URL path of a web page where
a user can accept an invite, when query parameters `"token"` and
`"providerDomain"` are provided. Implementations that offer the
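Review bot: the `- REQUIRED algorithm (string)` bullet of each `publicKeys` entry duplicates information already fixed by the key type inside `publicKeyPem`, and the text does not say what a verifier does when the two disagree (an RSA PEM paired with `"ed25519"`, for instance). RFC 9421 has the verifier take the algorithm from key metadata and fail when a signature's `alg` parameter conflicts with it, so state that `algorithm` MUST be compatible with the key in `publicKeyPem` and that receivers MUST reject a signature whose `alg` differs from the advertised `algorithm`. Smaller point: the new `publicKeys` example copies the four-dash armor of the legacy example (`"----BEGIN PUBLIC KEY----\nMCowBQYDK...`); PEM boundaries are five dashes, as the spec.yaml example in this same PR shows.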
49 changes: 43 additions & 6 deletions spec.yaml
@@ -420,9 +420,11 @@ components:
- protocol-object
- invites
- exchange-token
- http-sig
example:
- webdav-uri
- protocol-object
- http-sig
criteria:
type: array
description: |
@@ -442,26 +444,61 @@ components:
- invite
publicKey:
type: object
deprecated: true
description: >
The signatory used to sign outgoing request to confirm its origin.
The
signatory is optional but it MUST contain `id` and `publicKeyPem`.
DEPRECATED: Use publicKeys array instead for RFC 9421 support.
Legacy field for draft-cavage HTTP Signatures (RSA only).
Maintained for backward compatibility with existing deployments.
The signatory is optional but it MUST contain `keyId` and `publicKeyPem`.
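Review bot: `deprecated: true` is added, but "it MUST contain `keyId` and `publicKeyPem`" is still only prose. Unlike the new `publicKeys.items`, which gets a `required:` list of `keyId`, `publicKeyPem` and `algorithm`, this object has no `required:` list, so the schema does not enforce what its description says. Either add `required: [keyId, publicKeyPem]` here for parity while the field lives on, or, if the thread's suggestion to drop it wins, remove the property entirely rather than leaving a half-described legacy object.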
Comment on lines +449 to +452

Member

As commented in person, I'm tempted to say we entirely drop this as opposed to deprecating it, despite knowing there is one implementation. I'd like to see what other people think about this.

Member

I also agree that we should drop it; it is true that Nextcloud is still using this, but in case of an update they can still backport it.

Member Author

Since we change the key and allow arbitrary fields, it will not impact Nextcloud if we remove it, but we have a lot of other deprecated things in there already, and it is good practice to deprecate before removing, I think. But it is not a strong opinion; I am fine with just removing it if that is what people want.
properties:
keyId:
type: string
description: >
unique id of the key in URI format. The hostname set the origin
of the
request and MUST be identical to the current discovery endpoint.
of the request and MUST be identical to the current discovery endpoint.
example: https://my-cloud-storage.org/ocm#signature
publicKeyPem:
type: string
description: |
PEM-encoded version of the public key.
PEM-encoded RSA public key for draft-cavage signatures.
example: |
-----BEGIN PUBLIC KEY-----
MII...QDD
-----END PUBLIC KEY-----
publicKeys:
type: array
description: >
Array of public keys for RFC 9421 HTTP Message Signatures.
Servers advertising the "rfc-http-sig" capability MUST provide this field.
Clients SHOULD prefer RFC 9421 signatures when this capability is present.
items:
type: object
required:
- keyId
- publicKeyPem
- algorithm
properties:
keyId:
type: string
format: uri
description: >
Unique identifier for this key in URI format.
Hostname MUST match the discovery endpoint hostname.
example: https://my-cloud-storage.org/ocm#key-1
publicKeyPem:
type: string
description: |
PEM-encoded public key for RFC 9421 signatures.
example: |
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VwAyEA...
-----END PUBLIC KEY-----
algorithm:
type: string
description: >
Cryptographic algorithm identifier from the IANA HTTP Signature
Algorithms Registry as defined in RFC 9421 Section 6.2.
example: ed25519
tokenEndPoint:
type: string
description: >
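Review bot: the `publicKeys` description says "Servers advertising the "rfc-http-sig" capability MUST provide this field", but the value added to the `capabilities` enum above, and the one named in IETF-RFC.md, is `http-sig`; a client checking for `rfc-http-sig` would never find it, so change the description to `"http-sig"`. Two smaller points: the new `keyId` gets `format: uri` while the legacy `publicKey.keyId`, whose description states the same URI-format requirement, does not, so add it there too; and `algorithm` is a free-form string whose registry is named only in the description, so add a sentence that values not in the IANA HTTP Signature Algorithms Registry MUST be rejected, since a verifier that silently accepts an unregistered name cannot select a verification routine.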