
fix: collaboration rsa #11294


mklos-kw
Member

@mklos-kw mklos-kw commented May 7, 2025

Description

Addresses https://github.com/owncloud/ocis/security/code-scanning/4

Related Issue

Motivation and Context

How Has This Been Tested?

  • test environment:
  • test case 1:
  • test case 2:
  • ...

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Technical debt
  • Tests only (no source changes)

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

update-docs bot commented May 7, 2025

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

sonarqubecloud bot commented May 7, 2025

@mklos-kw mklos-kw requested a review from jvillafanez May 7, 2025 11:42
@jvillafanez
Member

Needs testing. The proof key is generated in the document server (OnlyOffice, Collabora, etc), so I don't think we have control over the algorithm being used. I'm also not sure if the algorithms are compatible with each other.

There is a reference for PKCS1.5 in https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/scenarios/proofkeys#verification-in-python
In addition, for the Java version it uses a "SHA256withRSA" signature instance, which is described in https://docs.oracle.com/en/java/javase/14/docs/specs/security/standard-names.html as "The RSA signature algorithm that uses the SHA-* digest with the RSASSA-PKCS1-v1_5 signature scheme as defined in PKCS #1 v2.2."

@mklos-kw
Member Author

mklos-kw commented May 8, 2025

> Needs testing. The proof key is generated in the document server (OnlyOffice, Collabora, etc), so I don't think we have control over the algorithm being used. I'm also not sure if the algorithms are compatible with each other.
>
> There is a reference for PKCS1.5 in https://learn.microsoft.com/en-us/microsoft-365/cloud-storage-partner-program/online/scenarios/proofkeys#verification-in-python
> In addition, for the Java version it uses a "SHA256withRSA" signature instance, which is described in https://docs.oracle.com/en/java/javase/14/docs/specs/security/standard-names.html as "The RSA signature algorithm that uses the SHA-* digest with the RSASSA-PKCS1-v1_5 signature scheme as defined in PKCS #1 v2.2."

Thanks @jvillafanez. How can this be tested? Is there any case that would point in the right direction?

@jvillafanez
Member

https://github.com/owncloud/ocis/blob/master/services/collaboration/pkg/middleware/proofkeys.go#L63 is the debug log to look for. The proofkeys middleware is enabled by default, so if everything is ok the debug log should appear.
I'm not entirely sure what happens if you have the proofkeys enabled in ocis but not configured in the document server, but I guess it should throw an error.

@jvillafanez
Member

It seems the proofkey verifications fail for me.

With OnlyOffice:

{"level":"debug","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/a82de53ea881e281e90b161b1ec8e0dd6a457609df8ef7e9bc76bd15d41137fa","WopiSessionId":"","WopiOverride":"","WopiProof":"NpcLBVFldYGHdYMxA4peL7uCDcH8OH43f9WDvdKe9hF5r7Np+i5H390V3nLw9VDUNSYV87fs1EypZ1iTMN7/5rRD8fkAxiEg/lZNEmQ10O3w8YJSpP+9xdgwKruIlnDtF004kGcWFQJrsW0v/RIFY4wRc5JGkTiPUOqZMaaHp5goVbArmovAET9K+Z7OSOB6aFQw17B5NxdYvcnzFgttwWyUYXkwo4zZGVgvIuK6A7h2yL5AAdxlRInaLQyyFNaeKxrkYuSX2Ko6Yvlcxz+kprn3dHKOgO4aU+1j8QYhTLVyDzvNXNQ8QysHMkk8uH7keqJCGLpdilIA2vkvBUIPVQ==","WopiProofOld":"NpcLBVFldYGHdYMxA4peL7uCDcH8OH43f9WDvdKe9hF5r7Np+i5H390V3nLw9VDUNSYV87fs1EypZ1iTMN7/5rRD8fkAxiEg/lZNEmQ10O3w8YJSpP+9xdgwKruIlnDtF004kGcWFQJrsW0v/RIFY4wRc5JGkTiPUOqZMaaHp5goVbArmovAET9K+Z7OSOB6aFQw17B5NxdYvcnzFgttwWyUYXkwo4zZGVgvIuK6A7h2yL5AAdxlRInaLQyyFNaeKxrkYuSX2Ko6Yvlcxz+kprn3dHKOgO4aU+1j8QYhTLVyDzvNXNQ8QysHMkk8uH7keqJCGLpdilIA2vkvBUIPVQ==","WopiStamp":"638826336250620000","FileReference":"resource_id:{storage_id:\"dca36361-250a-41a6-85f9-c5db6333e8e2\"  opaque_id:\"187828b4-dc65-496e-9883-331ce714e76d\"  space_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"}  path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://ocis.jp.solidgear.prv\"  opaque_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"  type:USER_TYPE_PRIMARY","WopiAppUrl":"https://onlyoffice.jp.solidgear.prv/hosting/discovery","time":"2025-05-12T08:00:25Z","line":"/home/juan/src/ocis/ocis/services/collaboration/pkg/proofkeys/handler.go:203","message":"WopiDiscovery: requesting new public keys"}
{"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/a82de53ea881e281e90b161b1ec8e0dd6a457609df8ef7e9bc76bd15d41137fa","WopiSessionId":"","WopiOverride":"","WopiProof":"NpcLBVFldYGHdYMxA4peL7uCDcH8OH43f9WDvdKe9hF5r7Np+i5H390V3nLw9VDUNSYV87fs1EypZ1iTMN7/5rRD8fkAxiEg/lZNEmQ10O3w8YJSpP+9xdgwKruIlnDtF004kGcWFQJrsW0v/RIFY4wRc5JGkTiPUOqZMaaHp5goVbArmovAET9K+Z7OSOB6aFQw17B5NxdYvcnzFgttwWyUYXkwo4zZGVgvIuK6A7h2yL5AAdxlRInaLQyyFNaeKxrkYuSX2Ko6Yvlcxz+kprn3dHKOgO4aU+1j8QYhTLVyDzvNXNQ8QysHMkk8uH7keqJCGLpdilIA2vkvBUIPVQ==","WopiProofOld":"NpcLBVFldYGHdYMxA4peL7uCDcH8OH43f9WDvdKe9hF5r7Np+i5H390V3nLw9VDUNSYV87fs1EypZ1iTMN7/5rRD8fkAxiEg/lZNEmQ10O3w8YJSpP+9xdgwKruIlnDtF004kGcWFQJrsW0v/RIFY4wRc5JGkTiPUOqZMaaHp5goVbArmovAET9K+Z7OSOB6aFQw17B5NxdYvcnzFgttwWyUYXkwo4zZGVgvIuK6A7h2yL5AAdxlRInaLQyyFNaeKxrkYuSX2Ko6Yvlcxz+kprn3dHKOgO4aU+1j8QYhTLVyDzvNXNQ8QysHMkk8uH7keqJCGLpdilIA2vkvBUIPVQ==","WopiStamp":"638826336250620000","FileReference":"resource_id:{storage_id:\"dca36361-250a-41a6-85f9-c5db6333e8e2\"  opaque_id:\"187828b4-dc65-496e-9883-331ce714e76d\"  space_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"}  path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://ocis.jp.solidgear.prv\"  opaque_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"  type:USER_TYPE_PRIMARY","error":"crypto/rsa: verification error","time":"2025-05-12T08:00:25Z","line":"/home/juan/src/ocis/ocis/services/collaboration/pkg/middleware/proofkeys.go:58","message":"ProofKeys verification failed"}

With Collabora:

{"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/a82de53ea881e281e90b161b1ec8e0dd6a457609df8ef7e9bc76bd15d41137fa","WopiSessionId":"","WopiOverride":"","WopiProof":"jE4AM9bSlCRQmdI+TGYaCXzUIA1QIybemi6eri3nKE+v95SmNsYXnKlCbj/LsyZ3WsjfvsdTfCEHUwXqXWfKZpahvqItxLDPQmUugHhKZGTpWrBSIq8UNcbEF8IvDHFcetc2e9YJhOdC9IAEtT+J/RdZiGQ50qWvUy6SONha/dkB3h7RU7SruLfvVFxkR5N7ASho9TuI24UfXuQYcEHvKzOF4xt4l8ruIOQW2f1uAVHkAulVdQspwOEiR6R0NRy8fUt9pzjhspX/QnWhDFeeOwsgTOEKPWK1plY2WlWze4QUp9aNptOheq8VrjzjhUq9qoy0/lekHdD1zT/p0XirJQ==","WopiProofOld":"jE4AM9bSlCRQmdI+TGYaCXzUIA1QIybemi6eri3nKE+v95SmNsYXnKlCbj/LsyZ3WsjfvsdTfCEHUwXqXWfKZpahvqItxLDPQmUugHhKZGTpWrBSIq8UNcbEF8IvDHFcetc2e9YJhOdC9IAEtT+J/RdZiGQ50qWvUy6SONha/dkB3h7RU7SruLfvVFxkR5N7ASho9TuI24UfXuQYcEHvKzOF4xt4l8ruIOQW2f1uAVHkAulVdQspwOEiR6R0NRy8fUt9pzjhspX/QnWhDFeeOwsgTOEKPWK1plY2WlWze4QUp9aNptOheq8VrjzjhUq9qoy0/lekHdD1zT/p0XirJQ==","WopiStamp":"638826338364662636","FileReference":"resource_id:{storage_id:\"dca36361-250a-41a6-85f9-c5db6333e8e2\"  opaque_id:\"187828b4-dc65-496e-9883-331ce714e76d\"  space_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"}  path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://ocis.jp.solidgear.prv\"  opaque_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"  type:USER_TYPE_PRIMARY","error":"crypto/rsa: verification error","time":"2025-05-12T08:03:56Z","line":"/home/juan/src/ocis/ocis/services/collaboration/pkg/middleware/proofkeys.go:58","message":"ProofKeys verification failed"}
{"level":"info","service":"collaboration","proto":"HTTP/1.1","request-id":"036e67d66c15/QJW39QqvkJ-000003","traceid":"00000000000000000000000000000000","remote-addr":"172.18.0.2:60658","method":"GET","wopi-action":"","status":500,"path":"/wopi/files/a82de53ea881e281e90b161b1ec8e0dd6a457609df8ef7e9bc76bd15d41137fa","duration":25.880318,"bytes":22,"time":"2025-05-12T08:03:56Z","line":"/home/juan/src/ocis/ocis/services/collaboration/pkg/middleware/accesslog.go:35","message":"access-log"}
{"level":"error","service":"collaboration","request-id":"","proto":"HTTP/1.1","method":"GET","path":"/wopi/files/a82de53ea881e281e90b161b1ec8e0dd6a457609df8ef7e9bc76bd15d41137fa","WopiSessionId":"","WopiOverride":"","WopiProof":"BGtAXujJYLeMAf/5Mj9KEhDLj2KokqWR78Fff+gS3m8jnKerguSIAMU/Y75p1OQiQxCJmXVCQ8H1JvfrC3ITK3tqEOQvKJTu5IfdQOKl79yi3nhLi8x9fipHxBhp+2Hn8dF4zSNWOnAbRsRZMwoX2L87NZQYuUWc74Zrg9PBQa97QFxUNey9xO/x2YMxggkKZc9UozRbEAJZG37dgQPjJskHqZHiiSnjXxBjRymk0Nr9kLMS+dsLsamS9dcXaLIDG2LP3PoND9MGe874ENqM3fmxWL/3fTag3bM6Itl8sy9B2MgbTK1kIFswxYmX8Uh81GHdqcUsRYzMJBRHD+BxuA==","WopiProofOld":"BGtAXujJYLeMAf/5Mj9KEhDLj2KokqWR78Fff+gS3m8jnKerguSIAMU/Y75p1OQiQxCJmXVCQ8H1JvfrC3ITK3tqEOQvKJTu5IfdQOKl79yi3nhLi8x9fipHxBhp+2Hn8dF4zSNWOnAbRsRZMwoX2L87NZQYuUWc74Zrg9PBQa97QFxUNey9xO/x2YMxggkKZc9UozRbEAJZG37dgQPjJskHqZHiiSnjXxBjRymk0Nr9kLMS+dsLsamS9dcXaLIDG2LP3PoND9MGe874ENqM3fmxWL/3fTag3bM6Itl8sy9B2MgbTK1kIFswxYmX8Uh81GHdqcUsRYzMJBRHD+BxuA==","WopiStamp":"638826338370270708","FileReference":"resource_id:{storage_id:\"dca36361-250a-41a6-85f9-c5db6333e8e2\"  opaque_id:\"187828b4-dc65-496e-9883-331ce714e76d\"  space_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"}  path:\".\"","ViewMode":"VIEW_MODE_READ_WRITE","Requester":"idp:\"https://ocis.jp.solidgear.prv\"  opaque_id:\"298f62c3-dcb3-4f1d-b624-ce1c676fa794\"  type:USER_TYPE_PRIMARY","error":"crypto/rsa: verification error","time":"2025-05-12T08:03:57Z","line":"/home/juan/src/ocis/ocis/services/collaboration/pkg/middleware/proofkeys.go:58","message":"ProofKeys verification failed"}

I can't test with Microsoft, but I guess it would also fail
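
An added example (not code from this pull request or from ocis) of the compatibility concern raised in the review: a signature produced with RSASSA-PKCS1-v1_5 over SHA-256, the scheme the linked Microsoft and Java references describe, verifies under that scheme but is rejected when the verifier expects a different RSA padding scheme. RSASSA-PSS is an assumption chosen for the contrast, since the page does not show the diff; the key, the payload and the helper names are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signPKCS1v15 plays the document server's role (hypothetical helper): it signs
// the payload with RSASSA-PKCS1-v1_5 over SHA-256, i.e. Java's "SHA256withRSA".
func signPKCS1v15(key *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// verifyBoth checks the same signature under both padding schemes.
func verifyBoth(pub *rsa.PublicKey, payload, sig []byte) (pkcs1Err, pssErr error) {
	digest := sha256.Sum256(payload)
	pkcs1Err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
	pssErr = rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, nil) // assumed alternative scheme
	return pkcs1Err, pssErr
}

// runDemo generates a throwaway key, signs a constructed payload and
// returns the outcome of both verifications.
func runDemo() (pkcs1Err, pssErr, setupErr error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	payload := []byte("constructed proof payload, not a real WOPI request")
	sig, err := signPKCS1v15(key, payload)
	if err != nil {
		return nil, nil, err
	}
	pkcs1Err, pssErr = verifyBoth(&key.PublicKey, payload, sig)
	return pkcs1Err, pssErr, nil
}

func main() {
	pkcs1Err, pssErr, err := runDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("PKCS1v15 verify:", pkcs1Err)
	fmt.Println("PSS verify:     ", pssErr)
}
```

The error returned by the mismatched verifier is the same `crypto/rsa: verification error` string that appears in the logs above, so that message alone does not distinguish a scheme mismatch from a wrong key or a tampered payload.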
