
Opening documents with per-user key encryption fails (Private Key missing for user)

Open inthreedee opened this issue 3 years ago • 15 comments

Describe the bug

When per-user keys are enabled on the server, opening a new document fails with the error "Private Key missing for user: please try to log-out and log-in again". If the new file is then manually shared, edit capabilities are enabled, and it is then accessed only from the shared link, the document opens normally.

Based on existing bug reports and pull requests (https://github.com/nextcloud/richdocuments/pull/52, https://github.com/nextcloud/richdocuments/issues/1379, https://github.com/nextcloud/richdocuments/pull/1396), it's my understanding that this should be working. https://github.com/nextcloud/richdocuments/issues/1379 specifically explains that a new document should be shared and then fetched automatically upon creation. It also appears that this was working as of last year.

  • Before the document is passed to collabora, a new public share is added for the document (https://github.com/nextcloud/richdocuments/blob/master/lib/Controller/DocumentController.php#L190).
  • Collabora is able to fetch the document by using the passed access_token. The document is fetched in incognito mode (https://github.com/nextcloud/richdocuments/blob/master/lib/Controller/WopiController.php#L417).

(Line numbers updated from original issue to match current code)

I believe I have everything configured correctly because I can open, edit, and save documents as long as I first manually share a new document, enable editing, and then access it only from the shared url. Even after sharing, attempting to open the file directly from my files list results in the same private key missing error in the logs. It only seems to work by copying and pasting the share url.

To Reproduce

Steps to reproduce the behavior:

  1. Enable per-user key encryption
  2. Create a new document using Collabora
  3. Open fails, see private key error in Nextcloud logs
  4. Manually share the file, enable edit, and access it from the shared link: Everything works fine.

Expected behavior

The new document should be auto-shared with editing capabilities, and opened using those sharing credentials.

Client details:

  • OS: Arch Linux
  • Browser: Firefox
  • Version: Oct 3, 2022
  • Device: Desktop

Server details

Operating system: Ubuntu Server

Web server: Apache

Database: mysql

PHP version: 8.0.23

Nextcloud version: 24.0.4 via Snap

Version of the richdocuments app 6.2.0

Version of Collabora Online 22.05.6.3 via dockerhub image

Logs

Nextcloud log (data/nextcloud.log)

[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /snap/nextcloud/31571/htdocs/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /snap/nextcloud/31571/htdocs/apps/encryption/lib/Crypto/Encryption.php line 203
    OCA\Encryption\KeyManager->getFileKey()
 2. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 286
    OCA\Encryption\Crypto\Encryption->begin()
 3. <<closure>>
    OC\Files\Stream\Encryption->stream_open()
 4. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /snap/nextcloud/31571/htdocs/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /snap/nextcloud/31571/htdocs/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /snap/nextcloud/31571/htdocs/lib/private/Files/View.php line 1175
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /snap/nextcloud/31571/htdocs/lib/private/Files/View.php line 1010
    OC\Files\View->basicOperation()
10. /snap/nextcloud/31571/htdocs/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/snap/nextcloud/31571/nextcloud/extra-apps/richdocuments/lib/Controller/WopiController.php line 425
    OC\Files\Node\File->fopen()
12. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /snap/nextcloud/31571/htdocs/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /snap/nextcloud/31571/htdocs/lib/base.php line 1023
    OC\Route\Router->match()
17. /snap/nextcloud/31571/htdocs/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/231296_ociqqws2nu00/contents?access_token=IibwYTDxqPhfnN8t4VisjmXt3XnlQoaU&access_token_ttl=0&permission=edit
from 172.20.0.5 at 2022-10-03T13:25:17+00:00

inthreedee avatar Oct 03 '22 14:10 inthreedee
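To make the key-availability problem in this report concrete, here is an added Python model; it is not code from Nextcloud or richdocuments. It takes the stack trace at face value: `getFileKey()` needs the user's private key, which per-user encryption only unlocks inside that user's login session, while the WOPI `getFile` request from Collabora carries just the access token and no browser session. The public-share key, by contrast, has its private half held by the server, which is why the shared-link (incognito) path works. The user name, password, file name and the XOR-with-SHA-256 key wrapping are constructed stand-ins, not the real RSA scheme; the model also adds a master-key mode, which the report itself does not exercise, to contrast the two configurations.

```python
import hashlib
import os


class PrivateKeyMissing(Exception):
    """Stand-in for OCA\\Encryption\\Exceptions\\PrivateKeyMissingException."""


def _keystream(key: bytes, length: int) -> bytes:
    """Deterministic stream derived from a key (constructed stand-in cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def _pw_key(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


class Server:
    """Keys live where the issue implies: per-user private keys only inside a
    login session; the public-share key (and a master key, if enabled) on the
    server, usable by any request context."""

    def __init__(self, use_master_key: bool = False):
        self.use_master_key = use_master_key
        self.server_keys = {"public-share": os.urandom(32)}
        if use_master_key:
            self.server_keys["master"] = os.urandom(32)
        self.locked_private = {}  # user -> private key wrapped with login password
        self.files = {}           # file_id -> (ciphertext, {recipient: wrapped file key})
        self.tokens = {}          # WOPI access token -> (file_id, recipient)

    def register_user(self, user: str, password: str) -> None:
        self.locked_private[user] = _xor(os.urandom(32), _pw_key(password))

    def login(self, user: str, password: str) -> dict:
        """The returned session is the only place the user's private key exists."""
        return {user: _xor(self.locked_private[user], _pw_key(password))}

    def _private_key(self, recipient: str, session: dict) -> bytes:
        if recipient in session:
            return session[recipient]
        if recipient in self.server_keys:
            return self.server_keys[recipient]
        raise PrivateKeyMissing(f"Private Key missing for user: {recipient}")

    def _unwrap_file_key(self, wrapped: dict, recipient: str, session: dict) -> bytes:
        if self.use_master_key:
            recipient = "master"  # every file is wrapped to the server-held master key
        return _xor(wrapped[recipient], self._private_key(recipient, session))

    def create_file(self, owner: str, file_id: str, plaintext: bytes, session: dict) -> None:
        file_key = os.urandom(32)
        recipient = "master" if self.use_master_key else owner
        wrapped = {recipient: _xor(file_key, self._private_key(recipient, session))}
        self.files[file_id] = (_xor(plaintext, file_key), wrapped)

    def share_publicly(self, owner: str, file_id: str, session: dict) -> None:
        """Adds a wrap to the public-share key, as a public link share would."""
        _, wrapped = self.files[file_id]
        file_key = self._unwrap_file_key(wrapped, owner, session)
        wrapped["public-share"] = _xor(file_key, self.server_keys["public-share"])

    def issue_wopi_token(self, file_id: str, recipient: str) -> str:
        token = os.urandom(16).hex()
        self.tokens[token] = (file_id, recipient)
        return token

    def wopi_get_file(self, token: str) -> bytes:
        """Collabora's fetch: token only, no browser session attached (session={})."""
        file_id, recipient = self.tokens[token]
        ciphertext, wrapped = self.files[file_id]
        return _xor(ciphertext, self._unwrap_file_key(wrapped, recipient, session={}))


def run_scenarios() -> dict:
    """Replays the access paths from the report in both key modes."""
    results = {}
    for mode in ("per-user", "master"):
        srv = Server(use_master_key=(mode == "master"))
        srv.register_user("alice", "correct horse")  # constructed sample user
        alice = srv.login("alice", "correct horse")
        srv.create_file("alice", "New Document.odt", b"draft", alice)

        # Open from the files list: token bound to alice, but WOPI has no session.
        owner_token = srv.issue_wopi_token("New Document.odt", "alice")
        for label in ("owner", "owner-after-share"):
            if label == "owner-after-share":
                # Public share opened anonymously resolves to the server-held key.
                srv.share_publicly("alice", "New Document.odt", alice)
                share_token = srv.issue_wopi_token("New Document.odt", "public-share")
                results[f"{mode}/share-link"] = srv.wopi_get_file(share_token).decode()
            try:
                results[f"{mode}/{label}"] = srv.wopi_get_file(owner_token).decode()
            except PrivateKeyMissing:
                results[f"{mode}/{label}"] = "PrivateKeyMissing"
    return results


if __name__ == "__main__":
    for path, outcome in run_scenarios().items():
        print(f"{path:28} -> {outcome}")
```

In per-user mode the owner's direct open fails both before and after sharing, while the share-link path succeeds; in master-key mode every path succeeds, because the unwrap never needs a session. The model reproduces the report's symptom without saying anything about the richdocuments share-then-fetch code itself, which is where a real fix would have to act.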

Even using the sharing link does not work for me. Due to this Collabora does not work at all. My installation of Nextcloud is rather ancient and has been upgraded ever since Owncloud 8. So maybe this has something to do with ancient ways of file encryption? Any idea on where to check something?

Operating system: Debian 11.5
Web server: Apache 2.4.54
Database: PostgreSQL 13.8
PHP version: 7.4.33
Nextcloud version: 25.0.1
Version of the richdocuments app: 7.0.1
Version of Collabora Online: Collabora Online - Built-in CODE Server 22.5.802

[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /var/www/nextcloud/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php line 204
    OCA\Encryption\KeyManager->getFileKey()
 2. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 285
    OCA\Encryption\Crypto\Encryption->begin()
 3. <<closure>>
    OC\Files\Stream\Encryption->stream_open()
 4. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /var/www/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /var/www/nextcloud/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /var/www/nextcloud/lib/private/Files/View.php line 1179
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /var/www/nextcloud/lib/private/Files/View.php line 1004
    OC\Files\View->basicOperation()
10. /var/www/nextcloud/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/www/nextcloud/apps/richdocuments/lib/Controller/WopiController.php line 385
    OC\Files\Node\File->fopen()
12. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /var/www/nextcloud/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /var/www/nextcloud/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /var/www/nextcloud/lib/base.php line 1047
    OC\Route\Router->match()
17. /var/www/nextcloud/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/1003469_oc11addbb0ba/contents?access_token=notforyou&access_token_ttl=1669774106000%2Fws%3FWOPISrc%3Dhttps%3A%2F%2Fmy.domain.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1003469_oc11addbb0ba&compat=
from ::1 at 2022-11-29T16:08:27+00:00

ryhaberecht avatar Nov 29 '22 16:11 ryhaberecht

Same thing for me. Did you figure it out?

I tried to migrate to the new built-in Collabora, fixed as many "Security & setup warnings" as possible, including the one that told me to disable legacy encryption. I followed encryption migration and how to install collabora online nextcloud hub but I'm unable to edit any document using Collabora.

The error is the same:

[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /var/www/html/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /var/www/html/apps/encryption/lib/Crypto/Encryption.php line 204
    OCA\Encryption\KeyManager->getFileKey()
 2. /var/www/html/lib/private/Files/Stream/Encryption.php line 285
    OCA\Encryption\Crypto\Encryption->begin()
 3. <<closure>>
    OC\Files\Stream\Encryption->stream_open()
 4. /var/www/html/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /var/www/html/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /var/www/html/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /var/www/html/lib/private/Files/View.php line 1179
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /var/www/html/lib/private/Files/View.php line 1004
    OC\Files\View->basicOperation()
10. /var/www/html/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/www/html/apps/richdocuments/lib/Controller/WopiController.php line 390
    OC\Files\Node\File->fopen()
12. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /var/www/html/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /var/www/html/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /var/www/html/lib/base.php line 1047
    OC\Route\Router->match()
17. /var/www/html/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/40541_ocf0sndqo3s8/contents?access_token=hello_there&access_token_ttl=1674300617000&permission=edit%2Fws%3FWOPISrc%3Dhttps%3A%2F%2Fsome.where.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F40541_ocf0sndqo3s8&compat=
from 192.168.1.1 at 2023-01-21T01:31:00+00:00

EDIT:

As @inthreedee mentioned, I'm also able to open/edit a shared resource as an anonymous user. I'm unable to do so with my privileged account however.

ShellCode33 avatar Jan 21 '23 01:01 ShellCode33

We have the same problem. Nextcloud 25 docker with server-side encryption + Nextcloud Office with collabora code docker container.

  • OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again
  • OCA\Encryption\Exceptions\MultiKeyDecryptException: multikeydecrypt with share key failed:error:0407109F:rsa routines:RSA_padding_check_PKCS1_type_2:pkcs decoding error

Maybe related to #2793?

ghost avatar Feb 16 '23 11:02 ghost

Just so you know, I gave up and ended up decrypting all my files. It works fine now. I might switch to end-to-end encryption at some point. Server-side encryption is not that useful anyway.

ShellCode33 avatar Feb 16 '23 11:02 ShellCode33

@ShellCode33 Ok, thank you! We would need the passwords of all users for this...

ghost avatar Feb 16 '23 11:02 ghost

@juliushaertl Should NC Office work with per-user keys?

ghost avatar Feb 16 '23 11:02 ghost

Hey, I'm having the same issue; as @ShellCode33 mentioned, editing as an anonymous user (accessing the share link in a private window) is possible. Before enabling per-user key encryption, it worked like a charm. Hopefully this will get solved, and we won't have to sacrifice security for functionality.

Loghaire1st avatar Feb 26 '23 13:02 Loghaire1st

According to this NC Office does not support encryption: https://docs.nextcloud.com/server/latest/admin_manual/office/troubleshooting.html#frequently-asked-questions

But I'm not sure if that information is still up to date.

Nils98Ar avatar Feb 26 '23 15:02 Nils98Ar

But I'm not sure if that information is still up to date.

I don't think it is, or it's referring specifically to the default server-key encryption mode. If you look in my OP, I link to a couple of merged pull requests that implement support for per-user encryption keys.

inthreedee avatar Feb 26 '23 15:02 inthreedee

But I'm not sure if that information is still up to date.

I don't think it is, or it's referring specifically to the default server-key encryption mode. If you look in my OP, I link to a couple of merged pull requests that implement support for per-user encryption keys.

You are right, it seems that it's supposed to work... but I think with a single master key it should be even simpler than with per-user keys.

Nils98Ar avatar Feb 26 '23 16:02 Nils98Ar

I use server side encryption to encrypt all files in AWS server, but all files in the virtual private server are unencrypted. Collabora doesn't work for any files.

Yiannis128 avatar Jun 16 '23 01:06 Yiannis128

@juliushaertl Maybe you could give information if issues with the server-side encryption and NC office are known or if it's rather a configuration error?

It's not been working for us since January now.

Nils98Ar avatar Jun 16 '23 05:06 Nils98Ar

Has anything changed in the topic?

bogszo avatar Jul 24 '24 16:07 bogszo

Any Update on this?

anasnaguib avatar Aug 25 '24 23:08 anasnaguib

This is still a problem with v8.4.6. If I make a share, give it edit permissions, open the link in another browser, then edit it and close it, I can then open it as the user that created the file, but not before.

Edit: Correction, it works if I have the share open in another window; as soon as I close the window it stops working, which is most likely because it uses the incognito mode then.

bahLuk avatar Sep 05 '24 09:09 bahLuk