feat(http-sig): Add occ commands to rotate keys

occ com:keys:list
occ com:keys:stage
occ com:keys:activate
occ com:keys:retire

We cache keys for an hour, so at least that time should expire between
stage and retire.

Signed-off-by: Micke Nordin <kano@sunet.se>

Author: mickenordin

core/Command/OCM/ActivateKey.php

@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ActivateKey extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:activate')
+			->setDescription('promote the staged Ed25519 key to active; the previous active key moves to retiring');
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		try {
+			$this->signatoryManager->activateStagedEd25519Key();
+		} catch (\RuntimeException $e) {
+			$output->writeln('<error>' . $e->getMessage() . '</error>');
+			return 1;
+		}
+		$output->writeln('<info>Staged key promoted to active.</info>');
+		$output->writeln('Run <info>occ ocm:keys:retire</info> once any in-flight signatures using the previous key have been verified.');
+		return 0;
+	}
+}

core/Command/OCM/ListKeys.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Helper\Table;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class ListKeys extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:list')
+			->setDescription('list Ed25519 keys used by OCM RFC 9421 HTTP Message Signatures');
+		parent::configure();
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		$keys = $this->signatoryManager->listEd25519Keys();
+		$format = $input->getOption('output');
+		if ($format === self::OUTPUT_FORMAT_JSON || $format === self::OUTPUT_FORMAT_JSON_PRETTY) {
+			$output->writeln(json_encode($keys, $format === self::OUTPUT_FORMAT_JSON_PRETTY ? JSON_PRETTY_PRINT : 0));
+			return 0;
+		}
+
+		if ($keys === []) {
+			$output->writeln('<comment>No Ed25519 keys yet — one will be generated on first OCM request.</comment>');
+			return 0;
+		}
+
+		$table = new Table($output);
+		$table->setHeaders(['Pool', 'Slot', 'Key ID']);
+		foreach ($keys as $key) {
+			$table->addRow([$key['poolId'], $key['slot'] ?? '-', $key['kid']]);
+		}
+		$table->render();
+		return 0;
+	}
+}

core/Command/OCM/RetireKey.php

@@ -0,0 +1,41 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class RetireKey extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:retire')
+			->setDescription('delete the retiring Ed25519 key; signatures that referenced its kid can no longer be verified');
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		try {
+			$this->signatoryManager->retireEd25519Key();
+		} catch (\RuntimeException $e) {
+			$output->writeln('<error>' . $e->getMessage() . '</error>');
+			return 1;
+		}
+		$output->writeln('<info>Retiring key deleted.</info>');
+		return 0;
+	}
+}

core/Command/OCM/StageKey.php

@@ -0,0 +1,42 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OC\Core\Command\OCM;
+
+use OC\Core\Command\Base;
+use OC\OCM\OCMSignatoryManager;
+use Symfony\Component\Console\Input\InputInterface;
+use Symfony\Component\Console\Output\OutputInterface;
+
+class StageKey extends Base {
+	public function __construct(
+		private readonly OCMSignatoryManager $signatoryManager,
+	) {
+		parent::__construct();
+	}
+
+	#[\Override]
+	protected function configure(): void {
+		$this
+			->setName('ocm:keys:stage')
+			->setDescription('generate a new Ed25519 key and advertise it via JWKS without using it for signing yet');
+	}
+
+	#[\Override]
+	protected function execute(InputInterface $input, OutputInterface $output): int {
+		try {
+			$signatory = $this->signatoryManager->stageEd25519Key();
+		} catch (\RuntimeException $e) {
+			$output->writeln('<error>' . $e->getMessage() . '</error>');
+			return 1;
+		}
+		$output->writeln('Staged new Ed25519 key: <info>' . $signatory->getKeyId() . '</info>');
+		$output->writeln('Wait for federated peers to refresh their JWKS cache before activating.');
+		return 0;
+	}
+}

core/register_command.php

@@ -74,6 +74,10 @@
 use OC\Core\Command\Memcache\DistributedGet;
 use OC\Core\Command\Memcache\DistributedSet;
 use OC\Core\Command\Memcache\RedisCommand;
+use OC\Core\Command\OCM\ActivateKey as OCMActivateKey;
+use OC\Core\Command\OCM\ListKeys as OCMListKeys;
+use OC\Core\Command\OCM\RetireKey as OCMRetireKey;
+use OC\Core\Command\OCM\StageKey as OCMStageKey;
 use OC\Core\Command\Preview\Generate;
 use OC\Core\Command\Preview\ResetRenderedTexts;
 use OC\Core\Command\Router\ListRoutes;
@@ -251,6 +255,11 @@
 	$application->add(Server::get(SnowflakeDecodeId::class));
 	$application->add(Server::get(Get::class));
 
+	$application->add(Server::get(OCMListKeys::class));
+	$application->add(Server::get(OCMStageKey::class));
+	$application->add(Server::get(OCMActivateKey::class));
+	$application->add(Server::get(OCMRetireKey::class));
+
 	$application->add(Server::get(GetCommand::class));
 	$application->add(Server::get(EnabledCommand::class));
 	$application->add(Server::get(Command\TaskProcessing\ListCommand::class));

lib/private/OCM/OCMJwksHandler.php

@@ -42,12 +42,11 @@ public function handle(string $service, IRequestContext $context, ?IResponse $pr
 		$keys = [];
 		if (!$this->appConfig->getValueBool('core', OCMSignatoryManager::APPCONFIG_SIGN_DISABLED, lazy: true)) {
 			try {
-				$jwk = $this->signatoryManager->getLocalEd25519Jwk();
-				if ($jwk !== null) {
+				foreach ($this->signatoryManager->getLocalEd25519Jwks() as $jwk) {
 					$keys[] = $jwk->toArray();
 				}
 			} catch (Throwable $e) {
-				$this->logger->warning('failed to build local Ed25519 JWK', ['exception' => $e]);
+				$this->logger->warning('failed to build local Ed25519 JWKs', ['exception' => $e]);
 			}
 		}