owncloud / ocis

:atom_symbol: ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

WOPI proof key with OnlyOffice #10022

Open wkloucek opened 1 week ago

wkloucek commented 1 week ago

Describe the bug

I tried to use WOPI proof keys with OnlyOffice but couldn't succeed.

This is the information from OnlyOffice how to roll your own proof keys:

https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/b8f413343446ab278843b9749e4d9faaf8ad4b91/run-document-server.sh#L414-L428

Steps to reproduce

  1. Configure proof keys (in my case I did it in Kubernetes via the local.json file, https://github.com/owncloud/ocis-charts/blob/main/deployments/ocis-office/addons/onlyoffice/configmap.yaml#L7)
  2. try to open / edit a document

Expected behavior

The WOPI proof validation succeeds

Actual behavior

The WOPI proof validation fails:

{
    "level": "error",
    "service": "collaboration",
    "request-id": "",
    "proto": "HTTP/1.1",
    "method": "GET",
    "path": "/wopi/files/800f4f746d72040b2edb9d5d6a772b2666e883f7b6580e537e1ee91c3380b2b0",
    "WopiSessionId": "",
    "WopiOverride": "",
    "WopiProof": "V5qlxY151MKvIUuBcIJFpOHjAEk9oVf+UorUUoylkCksuv0hoj9bbl3lPOYEVV3ZFgbTGNZ9DxkmewGpXzomnNV12W7P+IfkMmyo9qGdTcL8ybQYo3FqcROJxwerw/rFJeLkLdm7HbPi3Eco3imKsEw0hhuP5957+KjahqrKvXEIgW+iT7cDD8nIyw+6ZghSgWoMD1l16vURKbvPYlNnDBXsnB5NbR2PkmrJW+ImxKIkiF/jSHD66Q1VkMpdpi3cppwgCeWAaZkz/4fTOXNfYexPyPoK8CZ1CkMU1pxCrkPJLF/GI1XtBQo66+RpGUN42oEbcMjOK+VVOKDH8xxn4w==",
    "WopiProofOld": "V5qlxY151MKvIUuBcIJFpOHjAEk9oVf+UorUUoylkCksuv0hoj9bbl3lPOYEVV3ZFgbTGNZ9DxkmewGpXzomnNV12W7P+IfkMmyo9qGdTcL8ybQYo3FqcROJxwerw/rFJeLkLdm7HbPi3Eco3imKsEw0hhuP5957+KjahqrKvXEIgW+iT7cDD8nIyw+6ZghSgWoMD1l16vURKbvPYlNnDBXsnB5NbR2PkmrJW+ImxKIkiF/jSHD66Q1VkMpdpi3cppwgCeWAaZkz/4fTOXNfYexPyPoK8CZ1CkMU1pxCrkPJLF/GI1XtBQo66+RpGUN42oEbcMjOK+VVOKDH8xxn4w==",
    "WopiStamp": "638616298978840000",
    "FileReference": "resource_id:{storage_id:\"e8648e87-e681-4eb2-955b-937c604b6f7b\"  opaque_id:\"c9264e92-c60d-42bc-b079-155aea33f6af\"  space_id:\"95c5ee2c-8bb2-400e-b4c9-b97c5ea8c556\"}  path:\".\"",
    "ViewMode": "VIEW_MODE_READ_WRITE",
    "Requester": "idp:\"https://ocis.kube.owncloud.test\"  opaque_id:\"95c5ee2c-8bb2-400e-b4c9-b97c5ea8c556\"  type:USER_TYPE_PRIMARY",
    "error": "crypto/rsa: verification error",
    "time": "2024-09-11T05:38:18Z",
    "line": "github.com/owncloud/ocis/v2/services/collaboration/pkg/middleware/proofkeys.go:55",
    "message": "ProofKeys verification failed"
}

Additional context

my local.json config:

---
kind: ConfigMap
metadata:
  name: doc-local.json
apiVersion: v1
data:
  local.json: |-
    {
      "wopi": {
        "publicKey": "BgIAAACkAABSU0ExAAgAAAEAAQCvzS2vtpREDIN+hPrSmkpUYQtVwZLo93H+53fEcQG6L6qm7TvM0ZHzP944reE2BOj6TPBUHIS+R5P2bWfaqwZi3hSbNiZaHIkhy3iTgtv8u7Iewaoj8OuFKlTOlEolM5XOW9IDtmmsGf+jX7/4txUMl374/X3cT2WHzH0xs5+/JqFuFM04haByr0HD0k8SThwArIFxBGj5tnVbw8jwTqu8YYPAE0gqm1UCl5Hni0Mnj5DR1c7SjJU+dXzJGK0OWlJ0xe0QUdRRbudkknTV9nKu1hUKRdr+hHtAwUmxU9bh9QiAGbH7O5ciYeQ53LQ3ADDPmISMbEhBmx7587ff2iu8",
        "publicKeyOld": "BgIAAACkAABSU0ExAAgAAAEAAQCvzS2vtpREDIN+hPrSmkpUYQtVwZLo93H+53fEcQG6L6qm7TvM0ZHzP944reE2BOj6TPBUHIS+R5P2bWfaqwZi3hSbNiZaHIkhy3iTgtv8u7Iewaoj8OuFKlTOlEolM5XOW9IDtmmsGf+jX7/4txUMl374/X3cT2WHzH0xs5+/JqFuFM04haByr0HD0k8SThwArIFxBGj5tnVbw8jwTqu8YYPAE0gqm1UCl5Hni0Mnj5DR1c7SjJU+dXzJGK0OWlJ0xe0QUdRRbudkknTV9nKu1hUKRdr+hHtAwUmxU9bh9QiAGbH7O5ciYeQ53LQ3ADDPmISMbEhBmx7587ff2iu8",
        "modulus": "vCva37fz+R6bQUhsjISYzzAAN7TcOeRhIpc7+7EZgAj14dZTsUnBQHuE/tpFChXWrnL21XSSZOduUdRREO3FdFJaDq0YyXx1PpWM0s7V0ZCPJ0OL55GXAlWbKkgTwINhvKtO8MjDW3W2+WgEcYGsABxOEk/Sw0GvcqCFOM0UbqEmv5+zMX3Mh2VP3H39+H6XDBW3+L9fo/8ZrGm2A9JbzpUzJUqUzlQqhevwI6rBHrK7/NuCk3jLIYkcWiY2mxTeYgar2mdt9pNHvoQcVPBM+ugENuGtON4/85HRzDvtpqovugFxxHfn/nH36JLBVQthVEqa0vqEfoMMRJS2ry3Nrw==",
        "modulusOld": "vCva37fz+R6bQUhsjISYzzAAN7TcOeRhIpc7+7EZgAj14dZTsUnBQHuE/tpFChXWrnL21XSSZOduUdRREO3FdFJaDq0YyXx1PpWM0s7V0ZCPJ0OL55GXAlWbKkgTwINhvKtO8MjDW3W2+WgEcYGsABxOEk/Sw0GvcqCFOM0UbqEmv5+zMX3Mh2VP3H39+H6XDBW3+L9fo/8ZrGm2A9JbzpUzJUqUzlQqhevwI6rBHrK7/NuCk3jLIYkcWiY2mxTeYgar2mdt9pNHvoQcVPBM+ugENuGtON4/85HRzDvtpqovugFxxHfn/nH36JLBVQthVEqa0vqEfoMMRJS2ry3Nrw==",
        "exponent": "65537",
        "exponentOld": "65537",
        "privateKey": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8K9rft/P5HptB\nSGyMhJjPMAA3tNw55GEilzv7sRmACPXh1lOxScFAe4T+2kUKFdaucvbVdJJk525R\n1FEQ7cV0UloOrRjJfHU+lYzSztXRkI8nQ4vnkZcCVZsqSBPAg2G8q07wyMNbdbb5\naARxgawAHE4ST9LDQa9yoIU4zRRuoSa/n7MxfcyHZU/cff34fpcMFbf4v1+j/xms\nabYD0lvOlTMlSpTOVCqF6/AjqsEesrv824KTeMshiRxaJjabFN5iBqvaZ232k0e+\nhBxU8Ez66AQ24a043j/zkdHMO+2mqi+6AXHEd+f+cffoksFVC2FUSprS+oR+gwxE\nlLavLc2vAgMBAAECggEASGmH/PfJR2Dj1ieMvjZ4p6KNMuLCrPSZ/Lm+N4lbis3n\n8VSNOHhtieb+syRD1TG6P7+2BUaq33HAHnVaDO2zQqQ+S8+I7mCarc7XNniqB89d\nh3qS6DY6qodPAuJh13+3qOczpa1coGGYXDoPG68PBavez2UwcjtgzPfAzK7+4eMw\nv23iIWTub1gB1TQTw/8WHzfirVmOHiDLsH9ktytK2y1FNNn4aj4gHIygCUTMYGWs\nadRN6TJjuZq8sj0Asg4W4cxEROf4r1l5VaXzEOOXjZc9Q8CRt7FHSlnEELBupY61\nF2PZG+xRRW+4fxhVW5KHM74ZE+rNWdryGyemCLkwwQKBgQDqcosVXgSxnuoXJb/x\nBBdAcAeyyCUT+dvjI/3rj3nFWHNe8UU3ZV5Bt8w7liIrZKOVhh4Hh33qnB2XDj1y\nW3PIsP/QXp4QrHTrlDlmeQa8m0K776wgr3RF6uHxLw8QeH7BB0WeoqPiZqt48OcY\n3z/zul3/lNQUEOcOtezm+kJ2twKBgQDNeEFN4v4pcOwVyIHJT1MjJIADbnAyK1ir\nFxFQ0smvsPbTp2GuvCuaVWeQ7NHQwEAmRA+KlRedSH2v9cYP5qP1QEggIXvWdHH+\noCDNGHbwJLPpMmboLKWh46WKL771j/fCRyCDrMv4a3e/anyN6Cxwvsc+XSv9JoLR\nMqHKQx4oyQKBgQC9jGI6okr1OGBW2qR2vjH2XR08RGkF34sR97WBz/xJu5t7dWHa\nydANHga3Xki+AJ3pdAevWrJJDnM1/8NaQ+o2pjQNSZJONMBK/wnxeYQi1Px9aecm\nffRp2t9V2hA55tHESpbVDPWnRA76tvqAt27DJTh+PNvCZXAKCrhAfrFhvQKBgEbo\nflj7wkzY7JCj7q5jksRo/0iv30ZhESuSPWaQKAxa3QO0GxDrXXzYhnJMWChbgIf0\nKwzfYRPlhYKpJd4s8V5c/ccg5xTegMynxEojbEB52iDbRQpRBiQ1ZNaonZUvRwij\n9UOb6ZRkuiG0BSIQAu4x2J7cFqc5mCHMAGvF9+2JAoGBAKNDo1VGMeDm14tOadWl\n29XrH6lHabidf01FvGbFxqe4PxQipM+kxsU6BtQ/X/fgUtV2Ei93zbmY0ZzyMePc\nLAGg701lYkjLo9bktpkJIqc52aComQPq8zDWGVS4M8wTB6xQWOUiUIAaxP4cpI+7\neGe++daopxJwq/lzUlv9A+1Z\n-----END PRIVATE KEY-----\n",
        "privateKeyOld": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC8K9rft/P5HptB\nSGyMhJjPMAA3tNw55GEilzv7sRmACPXh1lOxScFAe4T+2kUKFdaucvbVdJJk525R\n1FEQ7cV0UloOrRjJfHU+lYzSztXRkI8nQ4vnkZcCVZsqSBPAg2G8q07wyMNbdbb5\naARxgawAHE4ST9LDQa9yoIU4zRRuoSa/n7MxfcyHZU/cff34fpcMFbf4v1+j/xms\nabYD0lvOlTMlSpTOVCqF6/AjqsEesrv824KTeMshiRxaJjabFN5iBqvaZ232k0e+\nhBxU8Ez66AQ24a043j/zkdHMO+2mqi+6AXHEd+f+cffoksFVC2FUSprS+oR+gwxE\nlLavLc2vAgMBAAECggEASGmH/PfJR2Dj1ieMvjZ4p6KNMuLCrPSZ/Lm+N4lbis3n\n8VSNOHhtieb+syRD1TG6P7+2BUaq33HAHnVaDO2zQqQ+S8+I7mCarc7XNniqB89d\nh3qS6DY6qodPAuJh13+3qOczpa1coGGYXDoPG68PBavez2UwcjtgzPfAzK7+4eMw\nv23iIWTub1gB1TQTw/8WHzfirVmOHiDLsH9ktytK2y1FNNn4aj4gHIygCUTMYGWs\nadRN6TJjuZq8sj0Asg4W4cxEROf4r1l5VaXzEOOXjZc9Q8CRt7FHSlnEELBupY61\nF2PZG+xRRW+4fxhVW5KHM74ZE+rNWdryGyemCLkwwQKBgQDqcosVXgSxnuoXJb/x\nBBdAcAeyyCUT+dvjI/3rj3nFWHNe8UU3ZV5Bt8w7liIrZKOVhh4Hh33qnB2XDj1y\nW3PIsP/QXp4QrHTrlDlmeQa8m0K776wgr3RF6uHxLw8QeH7BB0WeoqPiZqt48OcY\n3z/zul3/lNQUEOcOtezm+kJ2twKBgQDNeEFN4v4pcOwVyIHJT1MjJIADbnAyK1ir\nFxFQ0smvsPbTp2GuvCuaVWeQ7NHQwEAmRA+KlRedSH2v9cYP5qP1QEggIXvWdHH+\noCDNGHbwJLPpMmboLKWh46WKL771j/fCRyCDrMv4a3e/anyN6Cxwvsc+XSv9JoLR\nMqHKQx4oyQKBgQC9jGI6okr1OGBW2qR2vjH2XR08RGkF34sR97WBz/xJu5t7dWHa\nydANHga3Xki+AJ3pdAevWrJJDnM1/8NaQ+o2pjQNSZJONMBK/wnxeYQi1Px9aecm\nffRp2t9V2hA55tHESpbVDPWnRA76tvqAt27DJTh+PNvCZXAKCrhAfrFhvQKBgEbo\nflj7wkzY7JCj7q5jksRo/0iv30ZhESuSPWaQKAxa3QO0GxDrXXzYhnJMWChbgIf0\nKwzfYRPlhYKpJd4s8V5c/ccg5xTegMynxEojbEB52iDbRQpRBiQ1ZNaonZUvRwij\n9UOb6ZRkuiG0BSIQAu4x2J7cFqc5mCHMAGvF9+2JAoGBAKNDo1VGMeDm14tOadWl\n29XrH6lHabidf01FvGbFxqe4PxQipM+kxsU6BtQ/X/fgUtV2Ei93zbmY0ZzyMePc\nLAGg701lYkjLo9bktpkJIqc52aComQPq8zDWGVS4M8wTB6xQWOUiUIAaxP4cpI+7\neGe++daopxJwq/lzUlv9A+1Z\n-----END PRIVATE KEY-----\n"
      },
      "services": {
...

My private key (not used for anything other than temporary testing, therefore it's fine to paste it here):

alexonlyoffice commented 1 week ago

@wkloucek, please specify the Document Server (helm docs images) version you are checking this case on.

wkloucek commented 1 week ago

@wkloucek, please specify the Document Server (helm docs images) version you are checking this case on.

It was the OnlyOffice Helm Chart 4.2.1, which uses OnlyOffice image 8.1.1-1

(see also https://github.com/owncloud/ocis-charts/blob/fdb29dde2b8852294c5b5afc7f47c66b6e80ade9/deployments/ocis-office/helmfile.yaml#L52-L55)

alexonlyoffice commented 1 week ago

Please specify also the following information required to understand the reason: access_token and url with origin (or wopiSrc that is passed when opening the file) and debug logs after the issue is reproduced.

alexonlyoffice commented 1 week ago

Upd. to speed up the process, we think that the parameters mentioned in my previous message are sufficient for the analysis without debug logs at this step.

alexonlyoffice commented 1 week ago

Hello @wkloucek, we checked the keys you provided here on our test instance of the Document Server and successfully integrated it with SharePoint 2019 via WOPI - validation passed. We also checked them using MS validator and everything is ok.

Can you also confirm that this is the validator you are using? As of now we see that the keys you provided are valid and we are not able to identify the problem according to the code of your validator.

wkloucek commented 1 week ago

Can you also confirm that this is the validator you are using

Yes, this is the code.

Thanks a lot for checking it from your side! My colleagues need to have a look, too

micbar commented 4 days ago

@jvillafanez Please check if we have an issue in our implementation. Thanks!

jvillafanez commented 4 days ago

@wkloucek you might want to try with onlyoffice 8.1.3. I had troubles with 8.1.0 but it seems to work with 8.1.3.

There have been some changes recently in onlyoffice regarding the key generation. The "blame" shows changes from 2-4 months ago in https://github.com/ONLYOFFICE/Docker-DocumentServer/blob/b8f413343446ab278843b9749e4d9faaf8ad4b91/run-document-server.sh#L414-L428.

I can't say for sure, but what I did was place the generated key files in the "/var/www/onlyoffice/Data" folder and restart the container. I guess the container fills in the missing pieces, so there is no need to touch the local.json file (I think it gets overwritten). For the key file format, just run the commands in the script:

openssl genpkey -algorithm RSA -outform PEM -out "${WOPI_PRIVATE_KEY}" >/dev/null 2>&1
openssl rsa -RSAPublicKey_out -in "${WOPI_PRIVATE_KEY}" -outform "MS PUBLICKEYBLOB" -out "${WOPI_PUBLIC_KEY}" >/dev/null 2>&1

I've also noticed that onlyoffice 8.1.0 sends the modulus as hexadecimal, although it should be sent base64-encoded (as it is sent with 8.1.3). Maybe this was the reason why proof keys didn't work before (although it seemed to work with the default keys...). As said, the public key file format has changed (it was PEM format before), so using the "new" "MS PUBLICKEYBLOB" format in an old container might also cause problems.
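Added example, not code from ocis, OnlyOffice or anyone in this thread: it decodes the MS PUBLICKEYBLOB pasted as "publicKey" in the local.json above, checks the CryptoAPI header, and confirms that the "modulus" and "exponent" fields describe the same key the blob does. It goes one step beyond the thread by also detecting the hex modulus encoding mentioned for 8.1.0, so a mismatched or wrongly encoded key can be spotted before the collaboration service reports "crypto/rsa: verification error". The blob layout assumed is the standard BLOBHEADER + RSAPUBKEY + little-endian modulus.

```python
import base64
import struct

# Values copied from the local.json in this issue (same key, two encodings).
PUBLIC_KEY_BLOB = "BgIAAACkAABSU0ExAAgAAAEAAQCvzS2vtpREDIN+hPrSmkpUYQtVwZLo93H+53fEcQG6L6qm7TvM0ZHzP944reE2BOj6TPBUHIS+R5P2bWfaqwZi3hSbNiZaHIkhy3iTgtv8u7Iewaoj8OuFKlTOlEolM5XOW9IDtmmsGf+jX7/4txUMl374/X3cT2WHzH0xs5+/JqFuFM04haByr0HD0k8SThwArIFxBGj5tnVbw8jwTqu8YYPAE0gqm1UCl5Hni0Mnj5DR1c7SjJU+dXzJGK0OWlJ0xe0QUdRRbudkknTV9nKu1hUKRdr+hHtAwUmxU9bh9QiAGbH7O5ciYeQ53LQ3ADDPmISMbEhBmx7587ff2iu8"
MODULUS_B64 = "vCva37fz+R6bQUhsjISYzzAAN7TcOeRhIpc7+7EZgAj14dZTsUnBQHuE/tpFChXWrnL21XSSZOduUdRREO3FdFJaDq0YyXx1PpWM0s7V0ZCPJ0OL55GXAlWbKkgTwINhvKtO8MjDW3W2+WgEcYGsABxOEk/Sw0GvcqCFOM0UbqEmv5+zMX3Mh2VP3H39+H6XDBW3+L9fo/8ZrGm2A9JbzpUzJUqUzlQqhevwI6rBHrK7/NuCk3jLIYkcWiY2mxTeYgar2mdt9pNHvoQcVPBM+ugENuGtON4/85HRzDvtpqovugFxxHfn/nH36JLBVQthVEqa0vqEfoMMRJS2ry3Nrw=="
EXPONENT = "65537"

# CryptoAPI constants for an RSA public key blob (the format written by
# `openssl rsa -RSAPublicKey_out -outform "MS PUBLICKEYBLOB"`).
PUBLICKEYBLOB = 0x06
CUR_BLOB_VERSION = 0x02
CALG_RSA_KEYX = 0x0000A400
RSA1_MAGIC = 0x31415352  # the ASCII bytes "RSA1" read little-endian


def parse_ms_publickeyblob(blob_b64: str) -> tuple[int, int]:
    """Return (modulus, exponent) from a base64 MS PUBLICKEYBLOB."""
    raw = base64.b64decode(blob_b64, validate=True)
    # BLOBHEADER: bType, bVersion, reserved, aiKeyAlg (all little-endian)
    b_type, b_version, _reserved, alg_id = struct.unpack_from("<BBHI", raw, 0)
    if (b_type, b_version, alg_id) != (PUBLICKEYBLOB, CUR_BLOB_VERSION, CALG_RSA_KEYX):
        raise ValueError(f"not an RSA PUBLICKEYBLOB: type={b_type:#x} alg={alg_id:#x}")
    # RSAPUBKEY: magic, bitlen, pubexp
    magic, bitlen, pubexp = struct.unpack_from("<III", raw, 8)
    if magic != RSA1_MAGIC:
        raise ValueError("missing RSA1 magic")
    mod_bytes = raw[20:20 + bitlen // 8]
    if len(mod_bytes) != bitlen // 8:
        raise ValueError("truncated modulus")
    # CryptoAPI stores the modulus little-endian; WOPI discovery wants big-endian.
    return int.from_bytes(mod_bytes, "little"), pubexp


def decode_modulus_field(value: str) -> tuple[int, str]:
    """Decode the WOPI 'modulus' field and report which encoding was used.
    The spec wants base64 of the big-endian modulus; hex is accepted only so a
    wrongly encoded value is reported instead of failing silently."""
    try:
        return int.from_bytes(bytes.fromhex(value), "big"), "hex"
    except ValueError:
        return int.from_bytes(base64.b64decode(value, validate=True), "big"), "base64"


def check_proof_key_config(blob_b64: str, modulus_field: str, exponent_field: str) -> dict:
    """Cross-check the three public-key fields of a WOPI proof key config."""
    n_blob, e_blob = parse_ms_publickeyblob(blob_b64)
    n_field, encoding = decode_modulus_field(modulus_field)
    return {
        "bits": n_blob.bit_length(),
        "modulus_encoding": encoding,
        "modulus_matches": n_blob == n_field,
        "exponent_matches": e_blob == int(exponent_field),
    }


if __name__ == "__main__":
    print(check_proof_key_config(PUBLIC_KEY_BLOB, MODULUS_B64, EXPONENT))
```

A report of `modulus_encoding: hex` or `modulus_matches: False` points at the key material or its encoding; all fields consistent (as for the keys in this issue) means the signature failure has to be looked for elsewhere, for example in the proof's input bytes or the Document Server version.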