Skip to content

Fix WOPI proof key signing failure#182

Open
delmarguillen wants to merge 1 commit into
Euro-Office:mainfrom
delmarguillen:fix/wopi-proof-key-format
Open

Fix WOPI proof key signing failure#182
delmarguillen wants to merge 1 commit into
Euro-Office:mainfrom
delmarguillen:fix/wopi-proof-key-format

Conversation

@delmarguillen

@delmarguillen delmarguillen commented Jun 14, 2026
edited
Loading

Copy link
Copy Markdown

Summary

The awk command on line 146 of entrypoint.sh flattens the PEM private key by replacing real newlines with literal \n characters:

WOPI_PRIVATE_KEY_DATA=$(awk '{printf %s\\n, $0}' $WOPI_PRIVATE_KEY)

When jq --arg receives this, it treats \n as literal text and escapes it again. The resulting key in local.json has no real newlines, which OpenSSL cannot decode:

error:1E08010C:DECODER routines::unsupported
    at signOneShot (node:internal/crypto/sig:169:15)
    at generateProofSign (/snapshot/server/DocService/sources/wopiUtils.js)

This breaks any WOPI integration that requires proof key verification. Tested on both x86_64 and ARM64.

Fix

Replace awk with cat so jq --arg receives the raw PEM with real newlines and encodes them correctly in JSON.

One line change. Credit to @tiran133 for identifying the fix in #127.

How I found this

I built an integration of Euro-Office with ownCloud OCIS (repo). The WOPI checkFileInfo call failed on every document open.

Tested on

  • DocumentServer 9.3.1 Build 37 (ghcr.io/euro-office/documentserver:latest)
  • VPS: x86_64, Ubuntu 24.04, Docker 29.5.3
  • Local: ARM64 (Surface Pro 9, Podman 5.8.3, WSL2)

@delmarguillen

delmarguillen commented Jun 14, 2026

Copy link
Copy Markdown
Author

This fixes #127, #160, and #177. The root cause is that openssl genpkey produces a PKCS#8 key that Node.js crypto.sign() cannot use with the bundled OpenSSL 3.x backend. Switching to openssl genrsa -traditional generates a PKCS#1 key that works.

This was referenced Jun 14, 2026
Open
Open
Open
@streaminganger

streaminganger commented Jun 14, 2026

Copy link
Copy Markdown

The workaround was converting the key after generation, but the proper fix is generating it in the right format from the start.

this doesn't make sense to me. i would have thought the patch by @tiran133 was a proper fix instead. the existing algorithm has been in use since onlyoffice. the root problem being that jq args will treat \n literally and then escape it result in an invalid key. @filerun analysis in #177 is also correct.

@delmarguillen

delmarguillen commented Jun 14, 2026

Copy link
Copy Markdown
Author

Thanks for pointing that out. I updated the PR with the proper fix from #127, the actual issue is the awk line double-escaping newlines before jq handles them.

@delmarguillen
Fix WOPI proof key signing failure
d810293 
The awk command on line 146 flattens the PEM private key by replacing
real newlines with literal \n characters. When jq --arg receives this,
it treats \n as literal text and escapes it again. The resulting key in
local.json has no real newlines, which OpenSSL cannot decode.

Replace awk with cat so jq --arg receives the raw PEM with real newlines
and encodes them correctly in JSON.

Credit to @tiran133 for identifying the fix in Euro-Office#127.

Signed-off-by: delmarguillen <168364803+delmarguillen@users.noreply.github.com>
@delmarguillen delmarguillen force-pushed the fix/wopi-proof-key-format branch from 09f9870 to d810293 Compare June 14, 2026 19:02
@delmarguillen

delmarguillen commented Jun 14, 2026

Copy link
Copy Markdown
Author

Tested the updated fix on a VPS (x86_64, Ubuntu 24.04) and it works correctly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

📄 Euro-Office team
Status: 📄 To do

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@delmarguillen @streaminganger