search

ONLYOFFICE / DocumentServer

ONLYOFFICE Docs is a free collaborative online office suite comprising viewers and editors for texts, spreadsheets and presentations, forms and PDF, fully compatible with Office Open XML formats: .docx, .xlsx, .pptx and enabling collaborative editing in real time.
https://www.onlyoffice.com
GNU Affero General Public License v3.0
4.78k stars 1.08k forks source link

Private rooms in Developer Edition #1243

Open tex0l opened 3 years ago

tex0l commented 3 years ago

You have released last year the Private Rooms feature that provides E2EE on co-editing: https://www.onlyoffice.com/blog/2020/10/onlyoffice-private-rooms-the-ultimate-security-of-document-collaboration/

It would be useful to the community if it was available in the Developer Edition:

  1. it would allow to review it because when doing encryption, the devil is in the details, and there's nothing better than open-source to ensure as many persons as possible have checked it;
  2. it would enable developers to provide more ways to manage keys than what you currently provide out of the shelves, which is not suitable in all environments.

Would you be open to that?

alexeybannov commented 3 years ago

Hi. Source code plugin is available here.

tex0l commented 3 years ago

Hi @alexeybannov,

Thank you very much for pointing this out, I wasn't able to find it.

My end goal would be to develop a similar plugin that is compatible with the OnlyOffice web-apps (not only the desktop apps) to enable users who knows a shared secret (password or something else) to co-edit with end-2-end encryption. Do you think that's possible?

I have a few questions in order to clarify this:

  1. I see in the config.json a few undocumented options are used (as opposed to documented options described here):
    • "initDataType" : "desktop", : what does this mean?
    • "initData" : "encryption", : it is documented that it should always be "" which is troubling;
    • "cryptoMode" : "2",and "cryptoModeExt" : "disable", : as I understand it, cryptomode is a way to tell that the plugin will handle all crypto, but cryptomodeExt, I'm not sure.
  2. In the actual code code.js, I see a lot of references to AscDesktopEditor:
    • to getEncryptedHeader which seems to be a fixed String 'ENCRYTPED.' ;
    • to do crypto operations natively (why not do them in JS ?) — on this topic, do you have a reference of what functions precisely those interfaces should implement? Or should it only be self-compatible?
      1. code.js exposes the methods https://api.onlyoffice.com/plugin/executemethod/onencryption, I'm not sure I understand how setPasswordByFile and getPasswordByFile work in a browser context, more precisely if the password is sent to the DocumentServer or not, or only held locally.
falling-star commented 2 years ago

@ShockwaveNN @alexeybannov We are using developer edition 5.2.8 currently. We have 2 questions -

Thanks

ShockwaveNN commented 2 years ago

Hi, first of all version v5.2.8 is currently very old and I don't think we support it at all

Second - question related to private rooms are quite complicated and I don't think we'll able to answer them here, but it's better to direct those question to support@onlyoffice.com