nextcloud / richdocuments

📑 Collabora Online for Nextcloud
https://nextcloud.com/collaboraonline

Opening documents with per-user key encryption fails (Private Key missing for user) #2484

Open inthreedee opened 1 year ago

inthreedee commented 1 year ago

Describe the bug

When per-user keys are enabled on the server, opening a new document fails with the error Private Key missing for user: please try to log-out and log-in again. If the new file is then manually shared, edit capabilities are enabled, and then accessed only from the shared link, the document then opens normally.

Based on existing bug reports and pull requests (https://github.com/nextcloud/richdocuments/pull/52, https://github.com/nextcloud/richdocuments/issues/1379, https://github.com/nextcloud/richdocuments/pull/1396), it's my understanding that this should be working. https://github.com/nextcloud/richdocuments/issues/1379 specifically explains that a new document should be shared and then fetched automatically upon creation. It also appears that this was working as of last year.

(Line numbers updated from original issue to match current code)

I believe I have everything configured correctly because I can open, edit, and save documents as long as I first manually share a new document, enable editing, and then access it only from the shared url. Even after sharing, attempting to open the file directly from my files list results in the same private key missing error in the logs. It only seems to work by copying and pasting the share url.

To Reproduce

Steps to reproduce the behavior:

  1. Enable per-user key encryption
  2. Create a new document using Collabora
  3. Open fails, see private key error in Nextcloud logs
  4. Manually share the file, enable edit, and access it from the shared link: Everything works fine.

Expected behavior

The new document should be auto shared with editing capabilities, and opened using those sharing credentials.

Client details:

Server details

Operating system: Ubuntu Server

Web server: Apache

Database: mysql

PHP version: 8.0.23

Nextcloud version: 24.0.4 via Snap

Version of the richdocuments app 6.2.0

Version of Collabora Online 22.05.6.3 via dockerhub image

Logs

#### Nextcloud log (data/nextcloud.log)

```
[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <>

 0. /snap/nextcloud/31571/htdocs/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /snap/nextcloud/31571/htdocs/apps/encryption/lib/Crypto/Encryption.php line 203
    OCA\Encryption\KeyManager->getFileKey()
 2. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 286
    OCA\Encryption\Crypto\Encryption->begin()
 3. <>
    OC\Files\Stream\Encryption->stream_open()
 4. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /snap/nextcloud/31571/htdocs/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /snap/nextcloud/31571/htdocs/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /snap/nextcloud/31571/htdocs/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /snap/nextcloud/31571/htdocs/lib/private/Files/View.php line 1175
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /snap/nextcloud/31571/htdocs/lib/private/Files/View.php line 1010
    OC\Files\View->basicOperation()
10. /snap/nextcloud/31571/htdocs/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/snap/nextcloud/31571/nextcloud/extra-apps/richdocuments/lib/Controller/WopiController.php line 425
    OC\Files\Node\File->fopen()
12. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /snap/nextcloud/31571/htdocs/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /snap/nextcloud/31571/htdocs/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /snap/nextcloud/31571/htdocs/lib/base.php line 1023
    OC\Route\Router->match()
17. /snap/nextcloud/31571/htdocs/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/231296_ociqqws2nu00/contents?access_token=IibwYTDxqPhfnN8t4VisjmXt3XnlQoaU&access_token_ttl=0&permission=edit
from 172.20.0.5 at 2022-10-03T13:25:17+00:00
```
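As an added example (not code from this issue or from the richdocuments project): a small Python scanner that runs over constructed nextcloud.log text shaped like the excerpts posted in this thread. It splits the log into entries, keeps those whose exception is PrivateKeyMissingException, confirms from the trace that the failure surfaced in the encryption session key lookup under WopiController, and from the logged request extracts the WOPI file id, the permission parameter, the source address and timestamp, and whether access_token_ttl is a bare integer (two excerpts in this thread show a ttl value with an encoded ws?WOPISrc= suffix appended, which the check flags). File ids, tokens, hostnames and addresses in the sample are placeholders.

```python
"""Scan Nextcloud log text for PrivateKeyMissingException entries raised while
Collabora fetched a file over WOPI, and summarise the request behind each one.

Added example for this issue thread; not code from the richdocuments project.
SAMPLE_LOG is constructed to match the shape of the log excerpts in the thread;
file ids, tokens, hosts and addresses are placeholders.
"""
import re
from urllib.parse import parse_qs, urlsplit

SAMPLE_LOG = r"""
[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /var/www/nextcloud/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
11. /var/www/nextcloud/apps/richdocuments/lib/Controller/WopiController.php line 385
    OC\Files\Node\File->fopen()

GET /index.php/apps/richdocuments/wopi/files/1003469_ocEXAMPLE1/contents?access_token=REDACTED&access_token_ttl=1669774106000%2Fws%3FWOPISrc%3Dhttps%3A%2F%2Fcloud.example.test%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1003469_ocEXAMPLE1&compat=
from ::1 at 2022-11-29T16:08:27+00:00
[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <> 0. /snap/nextcloud/31571/htdocs/apps/encryption/lib/KeyManager.php line 475 OCA\Encryption\Session->getPrivateKey() 11. /var/snap/nextcloud/31571/nextcloud/extra-apps/richdocuments/lib/Controller/WopiController.php line 425 OC\Files\Node\File->fopen() GET /index.php/apps/richdocuments/wopi/files/231296_ocEXAMPLE2/contents?access_token=REDACTED&access_token_ttl=0&permission=edit from 172.20.0.5 at 2022-10-03T13:25:17+00:00
[files] Info: unrelated entry that must be ignored
"""

# One entry starts at each "[app] Level:" header (Nextcloud's text log format).
ENTRY_START = re.compile(r"^\[\w+\] (?:Error|Warning|Info|Fatal|Debug): ", re.M)
EXC_RE = re.compile(r"\] Error: ([\w\\]+): (.*?) at ")
# The request is logged either on its own lines or run together with the trace.
REQ_RE = re.compile(r"\b(GET|POST|PUT|DELETE)\s+(/\S+)\s+from\s+(\S+)\s+at\s+(\S+)")
WOPI_RE = re.compile(r"/apps/richdocuments/wopi/files/([^/]+)/contents$")


def split_entries(log_text):
    """Cut the log into entries, one per header line."""
    starts = [m.start() for m in ENTRY_START.finditer(log_text)]
    return [log_text[a:b] for a, b in zip(starts, starts[1:] + [len(log_text)])]


def analyse_entry(entry):
    """Return a summary dict for a PrivateKeyMissingException entry, else None."""
    exc = EXC_RE.search(entry)
    if not exc or not exc.group(1).endswith("PrivateKeyMissingException"):
        return None
    finding = {
        "exception": exc.group(1).rsplit("\\", 1)[-1],
        "message": exc.group(2),
        # Trace frames tell us where the failure surfaced: the encryption
        # session had no private key, and the caller was the WOPI controller.
        "session_key_lookup": "Session->getPrivateKey()" in entry,
        "via_wopi_controller": "WopiController" in entry,
        "wopi_fileid": None, "permission": None,
        "ttl": None, "ttl_wellformed": None, "source": None, "time": None,
    }
    req = REQ_RE.search(entry)
    if req:
        target, finding["source"], finding["time"] = req.group(2), req.group(3), req.group(4)
        url = urlsplit(target)
        query = parse_qs(url.query)
        wopi = WOPI_RE.search(url.path)
        finding["wopi_fileid"] = wopi.group(1) if wopi else None
        finding["permission"] = query.get("permission", [None])[0]
        ttl = query.get("access_token_ttl", [None])[0]
        finding["ttl"] = ttl
        # A well-formed ttl is a bare integer; anything else means the token
        # parameters were mangled on the way from the editor back to Nextcloud.
        finding["ttl_wellformed"] = ttl is not None and ttl.isdigit()
    return finding


def scan_log(log_text):
    """All PrivateKeyMissingException findings in the given log text."""
    return [f for f in map(analyse_entry, split_entries(log_text)) if f]


def report(findings):
    """One human-readable line per finding."""
    return [
        f"{f['time']} {f['source']} file={f['wopi_fileid']} permission={f['permission']} "
        f"ttl_ok={f['ttl_wellformed']} wopi={f['via_wopi_controller']} "
        f"session_lookup={f['session_key_lookup']}"
        for f in findings
    ]


if __name__ == "__main__":
    print("\n".join(report(scan_log(SAMPLE_LOG))))
```

Run it as a script to see the two findings from the sample, or call scan_log on the text of a real data/nextcloud.log to list every WOPI fetch that failed for this reason; a high count of such entries with permission=edit and no matching failures on the share-link path is a quick way to confirm the pattern described in this issue from the server side.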
ryhaberecht commented 1 year ago

Even using the sharing link does not work for me. Due to this Collabora does not work at all. My installation of Nextcloud is rather ancient and has been upgraded ever since Owncloud 8. So maybe this has something to do with ancient ways of file encryption? Any idea on where to check something?

Operating system: Debian 11.5
Web server: Apache 2.4.54
Database: PostgreSQL 13.8
PHP version: 7.4.33
Nextcloud version: 25.0.1
Version of the richdocuments app: 7.0.1
Version of Collabora Online: Collabora Online - Built-in CODE Server 22.5.802

```
[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /var/www/nextcloud/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /var/www/nextcloud/apps/encryption/lib/Crypto/Encryption.php line 204
    OCA\Encryption\KeyManager->getFileKey()
 2. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 285
    OCA\Encryption\Crypto\Encryption->begin()
 3. <<closure>>
    OC\Files\Stream\Encryption->stream_open()
 4. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /var/www/nextcloud/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /var/www/nextcloud/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /var/www/nextcloud/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /var/www/nextcloud/lib/private/Files/View.php line 1179
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /var/www/nextcloud/lib/private/Files/View.php line 1004
    OC\Files\View->basicOperation()
10. /var/www/nextcloud/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/www/nextcloud/apps/richdocuments/lib/Controller/WopiController.php line 385
    OC\Files\Node\File->fopen()
12. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /var/www/nextcloud/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /var/www/nextcloud/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /var/www/nextcloud/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /var/www/nextcloud/lib/base.php line 1047
    OC\Route\Router->match()
17. /var/www/nextcloud/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/1003469_oc11addbb0ba/contents?access_token=notforyou&access_token_ttl=1669774106000%2Fws%3FWOPISrc%3Dhttps%3A%2F%2Fmy.domain.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F1003469_oc11addbb0ba&compat=
from ::1 at 2022-11-29T16:08:27+00:00
```

ShellCode33 commented 1 year ago

Same thing for me. Did you figure it out?

I tried to migrate to the new built-in Collabora, fixed as many "Security & setup warnings" as possible, including the one that told me to disable legacy encryption. I followed encryption migration and how to install collabora online nextcloud hub but I'm unable to edit any document using Collabora.

The error is the same:

```
[richdocuments] Error: OCA\Encryption\Exceptions\PrivateKeyMissingException: Private Key missing for user: please try to log-out and log-in again at <<closure>>

 0. /var/www/html/apps/encryption/lib/KeyManager.php line 475
    OCA\Encryption\Session->getPrivateKey()
 1. /var/www/html/apps/encryption/lib/Crypto/Encryption.php line 204
    OCA\Encryption\KeyManager->getFileKey()
 2. /var/www/html/lib/private/Files/Stream/Encryption.php line 285
    OCA\Encryption\Crypto\Encryption->begin()
 3. <<closure>>
    OC\Files\Stream\Encryption->stream_open()
 4. /var/www/html/lib/private/Files/Stream/Encryption.php line 213
    fopen()
 5. /var/www/html/lib/private/Files/Stream/Encryption.php line 188
    OC\Files\Stream\Encryption::wrapSource()
 6. /var/www/html/lib/private/Files/Storage/Wrapper/Encryption.php line 470
    OC\Files\Stream\Encryption::wrap()
 7. /var/www/html/lib/private/Files/Storage/Wrapper/Wrapper.php line 301
    OC\Files\Storage\Wrapper\Encryption->fopen()
 8. /var/www/html/lib/private/Files/View.php line 1179
    OC\Files\Storage\Wrapper\Wrapper->fopen()
 9. /var/www/html/lib/private/Files/View.php line 1004
    OC\Files\View->basicOperation()
10. /var/www/html/lib/private/Files/Node/File.php line 114
    OC\Files\View->fopen()
11. /var/www/html/apps/richdocuments/lib/Controller/WopiController.php line 390
    OC\Files\Node\File->fopen()
12. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 225
    OCA\Richdocuments\Controller\WopiController->getFile()
13. /var/www/html/lib/private/AppFramework/Http/Dispatcher.php line 133
    OC\AppFramework\Http\Dispatcher->executeController()
14. /var/www/html/lib/private/AppFramework/App.php line 172
    OC\AppFramework\Http\Dispatcher->dispatch()
15. /var/www/html/lib/private/Route/Router.php line 298
    OC\AppFramework\App::main()
16. /var/www/html/lib/base.php line 1047
    OC\Route\Router->match()
17. /var/www/html/index.php line 36
    OC::handleRequest()

GET /index.php/apps/richdocuments/wopi/files/40541_ocf0sndqo3s8/contents?access_token=hello_there&access_token_ttl=1674300617000&permission=edit%2Fws%3FWOPISrc%3Dhttps%3A%2F%2Fsome.where.com%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F40541_ocf0sndqo3s8&compat=
from 192.168.1.1 at 2023-01-21T01:31:00+00:00
```

EDIT:

As @inthreedee mentioned, I'm also able to open/edit a shared resource as an anonymous user. I'm unable to do so with my privileged account however.

ghost commented 1 year ago

We have the same problem. Nextcloud 25 docker with server-side encryption + Nextcloud Office with collabora code docker container.

ShellCode33 commented 1 year ago

Just so you know, I gave up and ended up decrypting all my files. It works fine now. I might switch to end-to-end encryption at some point. Server-side encryption is not that useful anyway.

ghost commented 1 year ago

@ShellCode33 Ok, thank you! We would need the passwords of all users for this...

ghost commented 1 year ago

@juliushaertl Should NC Office work with per-user keys?

Loghaire1st commented 1 year ago

Hey, I'm having the same issue. As @ShellCode33 mentioned, editing as an anonymous user (accessing the share link in a private window) is possible. Before enabling per-user key encryption, it worked like a charm. Hopefully this will get solved, and we won't have to sacrifice security for functionality.

Nils98Ar commented 1 year ago

According to this NC Office does not support encryption: https://docs.nextcloud.com/server/latest/admin_manual/office/troubleshooting.html#frequently-asked-questions

But I'm not sure if that information is still up to date.

inthreedee commented 1 year ago

> But I'm not sure if that information is still up to date.

I don't think it is, or it's referring specifically to the default server-key encryption mode. If you look in my OP, I link to a couple of merged pull requests that implement support for per-user encryption keys.

Nils98Ar commented 1 year ago

> > But I'm not sure if that information is still up to date.
>
> I don't think it is, or it's referring specifically to the default server-key encryption mode. If you look in my OP, I link to a couple of merged pull requests that implement support for per-user encryption keys.

You are right, it seems that it's supposed to work… but I think with a single master key it should be even simpler than with per-user keys.

Yiannis128 commented 1 year ago

I use server side encryption to encrypt all files in AWS server, but all files in the virtual private server are unencrypted. Collabora doesn't work for any files.

Nils98Ar commented 1 year ago

@juliushaertl Maybe you could give information on whether issues with server-side encryption and NC Office are known, or if it's rather a configuration error?

It's not been working since January for us now.

bogszo commented 1 month ago

Has anything changed in the topic?

anasnaguib commented 3 weeks ago

Any Update on this?

bahLuk commented 1 week ago

This is still a problem with v.8.4.6. If I make a share, give it edit permissions, open the link in another browser, then edit it and close it, I can then open it as the user that created the file, but not before.

Edit: Correction, it works if I have the share open in another window; as soon as I close the window it stops working, which is most likely because it uses incognito mode then.