
bad signature when sharing a file via public link while using encryption #6543

Closed
rcvd opened this issue Sep 18, 2017 · 14 comments

Comments

@rcvd

rcvd commented Sep 18, 2017

Steps to reproduce

  1. Upload a zip file to a Nextcloud server with encryption enabled
  2. Share it via link
  3. Try to download the file via the public link

Expected behaviour

The file should be downloadable without any further actions

Actual behaviour

Error screen "Can't read signature" "Ungültige Signatur" (Invalid Signature)

General server configuration

Operating system: Linux 4.12.13-1-ARCH #1 SMP PREEMPT Fri Sep 15 06:36:43 UTC 2017 x86_64

Web server: nginx/1.12.1 (fpm-fcgi)

Database: mysql 10.1.26

PHP version: 7.1.9

PHP-modules loaded
 - Core
 - date
 - libxml
 - openssl
 - pcre
 - zlib
 - ctype
 - dom
 - fileinfo
 - filter
 - hash
 - json
 - mbstring
 - pcntl
 - SPL
 - PDO
 - session
 - posix
 - readline
 - Reflection
 - standard
 - SimpleXML
 - Phar
 - tokenizer
 - xml
 - xmlreader
 - xmlwriter
 - mysqlnd
 - cgi-fcgi
 - curl
 - gd
 - iconv
 - mysqli
 - pdo_mysql
 - zip
 - apcu
 - memcached
 - Zend OPcache

Nextcloud configuration

Nextcloud version: 12.0.3 RC2 - 12.0.3.1

Updated from an older Nextcloud/ownCloud or fresh install: Updated

Where did you install Nextcloud from: Official Website

Are you using external storage, if yes which one: files_external is disabled

Are you using encryption: yes

Are you using an external user-backend, if yes which one: No

Signing status
[]
Enabled apps
 - activity: 2.5.2
 - admin_audit: 1.2.0
 - comments: 1.2.0
 - contacts: 1.5.3
 - dav: 1.3.0
 - encryption: 1.6.0
 - federatedfilesharing: 1.2.0
 - files: 1.7.2
 - files_pdfviewer: 1.1.1
 - files_sharing: 1.4.0
 - files_texteditor: 2.4.1
 - files_trashbin: 1.2.0
 - files_versions: 1.5.0
 - files_videoplayer: 1.1.0
 - firstrunwizard: 2.1
 - gallery: 17.0.0
 - issuetemplate: 0.2.2
 - logreader: 2.0.0
 - lookup_server_connector: 1.0.0
 - nextcloud_announcements: 1.1
 - notifications: 2.0.0
 - oauth2: 1.0.5
 - password_policy: 1.2.2
 - provisioning_api: 1.2.0
 - serverinfo: 1.2.0
 - sharebymail: 1.2.0
 - socialsharing_email: 1.0.1
 - socialsharing_twitter: 1.0.1
 - survey_client: 1.0.0
 - theming: 1.3.0
 - twofactor_backupcodes: 1.1.1
 - updatenotification: 1.2.0
 - user_external: 0.4
 - workflowengine: 1.2.0
Disabled apps
 - federation
 - files_external
 - systemtags
 - user_ldap
Content of config/config.php
{
    "instanceid": "oc7htdnu0m4v",
    "passwordsalt": "***REMOVED SENSITIVE VALUE***",
    "secret": "***REMOVED SENSITIVE VALUE***",
    "trusted_domains": [
        "cloud.rcvd.io",
        "oc.rcvd.io"
    ],
    "datadirectory": "\/data\/www\/rcvd.io\/nextcloud\/data",
    "overwrite.cli.url": "https:\/\/cloud.rcvd.io",
    "dbtype": "mysql",
    "version": "12.0.3.1",
    "dbname": "nextcloud",
    "dbhost": "localhost",
    "dbport": "",
    "dbtableprefix": "oc_",
    "dbuser": "***REMOVED SENSITIVE VALUE***",
    "dbpassword": "***REMOVED SENSITIVE VALUE***",
    "logtimezone": "UTC",
    "installed": true,
    "memcache.local": "\\OC\\Memcache\\APCu",
    "memcache.locking": "\\OC\\Memcache\\Redis",
    "redis": {
        "host": "localhost",
        "port": 6379
    },
    "maintenance": false,
    "mail_from_address": "cloud",
    "mail_smtpmode": "php",
    "mail_domain": "rcvd.io",
    "updater.secret": "***REMOVED SENSITIVE VALUE***",
    "theme": "",
    "loglevel": 2,
    "updater.release.channel": "beta"
}

Client configuration

Browser: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit/604.1.38 (KHTML, like Gecko) Version/11.0 Safari/604.1.38

Operating system: OS X 10.13

Logs

Web server error log
2017/09/18 06:06:23 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505707583006 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:08:02 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505707682302 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:08:13 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505707693882 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:09:20 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505707760333 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:20:27 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708427798 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:24:31 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708671037 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:24:33 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708673103 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:26:07 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708767278 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:26:13 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708773894 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:26:17 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708777076 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:26:27 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505708787268 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:34:16 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505709256019 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:34:17 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505709257630 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:40:25 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET //data/.ocdata?t=1505709257630 HTTP/2.0", host: "oc.rcvd.io"
2017/09/18 06:40:29 [error] 3366#3366: *17726 access forbidden by rule, client: 176.199.203.215, server: oc.rcvd.io, request: "GET /data/.ocdata?t=1505709257630 HTTP/2.0", host: "oc.rcvd.io"
Nextcloud log (data/nextcloud.log)
{"reqId":"XCsttX50Q2LJKi3Lxl5M","level":3,"time":"2017-09-18T04:41:35+00:00","remoteAddr":"176.199.203.215","user":"--","app":"no app in context","method":"GET","url":"\/s\/BPpRfnEIFYlSfTU\/download","message":"Exception: {\"Exception\":\"OCP\\\\Encryption\\\\Exceptions\\\\GenericEncryptionException\",\"Message\":\"Bad Signature\",\"Code\":0,\"Trace\":\"#0 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Crypt.php(463): OCA\\\\Encryption\\\\Crypto\\\\Crypt->checkSignature('GnrifLmsUaVL3bK...', '\\\\x9D$\\\\xAE\\\\x9B\\\\xF7\\\\xE3\\\/l\\\\xAEm\\\\xDB\\\\x1DCr?...', '6b12de7060ce774...')\\n#1 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Crypt.php(422): OCA\\\\Encryption\\\\Crypto\\\\Crypt->symmetricDecryptFileContent('GnrifLmsUaVL3bK...', '\\\\x9D$\\\\xAE\\\\x9B\\\\xF7\\\\xE3\\\/l\\\\xAEm\\\\xDB\\\\x1DCr?...', 'AES-256-CTR', 0)\\n#2 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/encryption\\\/lib\\\/KeyManager.php(427): OCA\\\\Encryption\\\\Crypto\\\\Crypt->decryptPrivateKey('GnrifLmsUaVL3bK...')\\n#3 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Encryption.php(490): OCA\\\\Encryption\\\\KeyManager->getFileKey('\\\/alex\\\/files\\\/Tau...', 'pubShare_40674a...')\\n#4 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Encryption.php(328): OCA\\\\Encryption\\\\Crypto\\\\Encryption->isReadable('\\\/alex\\\/files\\\/Tau...', NULL)\\n#5 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Files\\\/Storage\\\/Wrapper\\\/Wrapper.php(169): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Encryption->isReadable('files\\\/Taufe Kon...')\\n#6 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Files\\\/View.php(1136): OC\\\\Files\\\\Storage\\\\Wrapper\\\\Wrapper->isReadable('files\\\/Taufe Kon...')\\n#7 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Files\\\/View.php(492): 
OC\\\\Files\\\\View->basicOperation('isReadable', '\\\/Taufe Konrad\\\/f...')\\n#8 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Files\\\/Filesystem.php(686): OC\\\\Files\\\\View->isReadable('\\\/Taufe Konrad\\\/f...')\\n#9 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/legacy\\\/files.php(264): OC\\\\Files\\\\Filesystem::isReadable('\\\/Taufe Konrad\\\/f...')\\n#10 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/legacy\\\/files.php(120): OC_Files::getSingleFile(Object(OC\\\\Files\\\\View), '\\\/Taufe Konrad', 'fotos_konrad_ta...', Array)\\n#11 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/files_sharing\\\/lib\\\/Controller\\\/ShareController.php(535): OC_Files::get('\\\/Taufe Konrad', 'fotos_konrad_ta...', Array)\\n#12 [internal function]: OCA\\\\Files_Sharing\\\\Controller\\\\ShareController->downloadShare('BPpRfnEIFYlSfTU', NULL, '', '')\\n#13 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(160): call_user_func_array(Array, Array)\\n#14 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/Http\\\/Dispatcher.php(90): OC\\\\AppFramework\\\\Http\\\\Dispatcher->executeController(Object(OCA\\\\Files_Sharing\\\\Controller\\\\ShareController), 'downloadShare')\\n#15 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/AppFramework\\\/App.php(114): OC\\\\AppFramework\\\\Http\\\\Dispatcher->dispatch(Object(OCA\\\\Files_Sharing\\\\Controller\\\\ShareController), 'downloadShare')\\n#16 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/public\\\/AppFramework\\\/App.php(136): OC\\\\AppFramework\\\\App::main('ShareController', 'downloadShare', Object(OC\\\\AppFramework\\\\DependencyInjection\\\\DIContainer))\\n#17 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/core\\\/routes.php(129): OCP\\\\AppFramework\\\\App->dispatch('ShareController', 'downloadShare')\\n#18 [internal function]: OC\\\\Route\\\\Router->{closure}(Array)\\n#19 
\\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/private\\\/Route\\\/Router.php(299): call_user_func(Object(Closure), Array)\\n#20 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/lib\\\/base.php(1004): OC\\\\Route\\\\Router->match('\\\/s\\\/BPpRfnEIFYlS...')\\n#21 \\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/index.php(48): OC::handleRequest()\\n#22 {main}\",\"File\":\"\\\/data\\\/www\\\/rcvd.io\\\/nextcloud\\\/apps\\\/encryption\\\/lib\\\/Crypto\\\/Crypt.php\",\"Line\":483}","userAgent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_13) AppleWebKit\/604.1.38 (KHTML, like Gecko) Version\/11.0 Safari\/604.1.38","version":"12.0.3.1"}
Browser log
@LukasReschke
Member

I cannot reproduce this locally here on a stable12 installation. Do you have some more detailed reproduction steps? Does it happen on any file?

@rcvd
Author

rcvd commented Sep 18, 2017

Yes, it happens on all files, even on those which have been already shared months ago. If I'm logged in, the download works without any problems.

@LukasReschke
Member

> Yes, it happens on all files, even on those which have been already shared months ago. If I'm logged in, the download works without any problems.

So just to recap:

  1. You upload a zip file via web interface
  2. You publicly share the file via web interface
  3. From a not-logged-in browser you access the publicly shared file and try to download it
  4. This fails with said error message

Did this happen also before 12.0.3 RC1? Can you provide me with a test account on said instance? ([email protected])

@rcvd
Author

rcvd commented Sep 18, 2017

I'm currently restoring a backup from the stable version. I'll give you an account as soon as the restore is done. Thanks for your help.

@LukasReschke
Member

Beautified error message:

Exception: {"Exception":"OCP\Encryption\Exceptions\GenericEncryptionException","Message":"Bad Signature","Code":0,"Trace":"#0 \/data\/www\/rcvd.io\/nextcloud\/apps\/encryption\/lib\/Crypto\/Crypt.php(463): OCA\Encryption\Crypto\Crypt->checkSignature('GnrifLmsUaVL3bK...', '\x9D$\xAE\x9B\xF7\xE3\/l\xAEm\xDB\x1DCr?...', '6b12de7060ce774...')
#1 \/data\/www\/rcvd.io\/nextcloud\/apps\/encryption\/lib\/Crypto\/Crypt.php(422): OCA\Encryption\Crypto\Crypt->symmetricDecryptFileContent('GnrifLmsUaVL3bK...', '\x9D$\xAE\x9B\xF7\xE3\/l\xAEm\xDB\x1DCr?...', 'AES-256-CTR', 0)
#2 \/data\/www\/rcvd.io\/nextcloud\/apps\/encryption\/lib\/KeyManager.php(427): OCA\Encryption\Crypto\Crypt->decryptPrivateKey('GnrifLmsUaVL3bK...')
#3 \/data\/www\/rcvd.io\/nextcloud\/apps\/encryption\/lib\/Crypto\/Encryption.php(490): OCA\Encryption\KeyManager->getFileKey('\/alex\/files\/Tau...', 'pubShare_40674a...')
#4 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Files\/Storage\/Wrapper\/Encryption.php(328): OCA\Encryption\Crypto\Encryption->isReadable('\/alex\/files\/Tau...', NULL)
#5 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Files\/Storage\/Wrapper\/Wrapper.php(169): OC\Files\Storage\Wrapper\Encryption->isReadable('files\/Taufe Kon...')
#6 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Files\/View.php(1136): OC\Files\Storage\Wrapper\Wrapper->isReadable('files\/Taufe Kon...')
#7 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Files\/View.php(492): OC\Files\View->basicOperation('isReadable', '\/Taufe Konrad\/f...')
#8 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Files\/Filesystem.php(686): OC\Files\View->isReadable('\/Taufe Konrad\/f...')
#9 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/legacy\/files.php(264): OC\Files\Filesystem::isReadable('\/Taufe Konrad\/f...')
#10 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/legacy\/files.php(120): OC_Files::getSingleFile(Object(OC\Files\View), '\/Taufe Konrad', 'fotos_konrad_ta...', Array)
#11 \/data\/www\/rcvd.io\/nextcloud\/apps\/files_sharing\/lib\/Controller\/ShareController.php(535): OC_Files::get('\/Taufe Konrad', 'fotos_konrad_ta...', Array)
#12 [internal function]: OCA\Files_Sharing\Controller\ShareController->downloadShare('BPpRfnEIFYlSfTU', NULL, '', '')
#13 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(160): call_user_func_array(Array, Array)
#14 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/AppFramework\/Http\/Dispatcher.php(90): OC\AppFramework\Http\Dispatcher->executeController(Object(OCA\Files_Sharing\Controller\ShareController), 'downloadShare')
#15 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/AppFramework\/App.php(114): OC\AppFramework\Http\Dispatcher->dispatch(Object(OCA\Files_Sharing\Controller\ShareController), 'downloadShare')
#16 \/data\/www\/rcvd.io\/nextcloud\/lib\/public\/AppFramework\/App.php(136): OC\AppFramework\App::main('ShareController', 'downloadShare', Object(OC\AppFramework\DependencyInjection\DIContainer))
#17 \/data\/www\/rcvd.io\/nextcloud\/core\/routes.php(129): OCP\AppFramework\App->dispatch('ShareController', 'downloadShare')
#18 [internal function]: OC\Route\Router->{closure}(Array)
#19 \/data\/www\/rcvd.io\/nextcloud\/lib\/private\/Route\/Router.php(299): call_user_func(Object(Closure), Array)
#20 \/data\/www\/rcvd.io\/nextcloud\/lib\/base.php(1004): OC\Route\Router->match('\/s\/BPpRfnEIFYlS...')
#21 \/data\/www\/rcvd.io\/nextcloud\/index.php(48): OC::handleRequest()
#22 {main}","File":"\/data\/www\/rcvd.io\/nextcloud\/apps\/encryption\/lib\/Crypto\/Crypt.php","Line":483}"

@rcvd
Author

rcvd commented Sep 18, 2017

Just verified that

  • the problem still exists after restoring the old 12.0 version
  • the problem also exists with shared images (the image is shown but cannot be downloaded)

@LukasReschke I just sent the account data to you

@LukasReschke
Member

Thanks, @rcvd.

It seems like the decryption of the public sharing key is failing here for some reason.

cc @schiessle FYI
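The comment above narrows the failure to the signature check that runs while the public sharing key is being decrypted (frames #0 to #3 of the trace). The following is an added example, not code from the Nextcloud project or from anyone in this thread: a simplified encrypt-then-MAC model that shows why a key/passphrase mismatch or a modified blob surfaces as "Bad Signature" before any plaintext is produced. All names here (`seal`, `open_sealed`, `diagnose`, `BadSignature`) are hypothetical; the key derivation (PBKDF2) and the HMAC-SHA256 counter-mode keystream standing in for AES-256-CTR are assumptions chosen so the code runs on the Python standard library alone, not Nextcloud's actual format.

```python
import hashlib
import hmac
import os
import struct


class BadSignature(Exception):
    """Raised when the MAC over the ciphertext does not verify (the analogue of 'Bad Signature')."""


def _derive_keys(passphrase: str, salt: bytes) -> tuple:
    # Hypothetical KDF: one PBKDF2 run, split into an encryption key and a separate MAC key.
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return material[:32], material[32:]


def _ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-256-CTR: HMAC-SHA256 used as the block PRF in counter mode.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(plaintext: bytes, passphrase: str) -> bytes:
    # Layout of the constructed blob: salt(16) | nonce(16) | ciphertext | signature(32).
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _ctr_keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    # Encrypt-then-MAC: the signature covers nonce and ciphertext, keyed by the MAC key.
    signature = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + signature


def open_sealed(blob: bytes, passphrase: str) -> bytes:
    if len(blob) < 16 + 16 + 32:
        raise ValueError("blob too short")
    salt, nonce, ciphertext, signature = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison; a wrong passphrase yields a different MAC key, so this
    # fails here, before the cipher is ever run, instead of returning garbled key material.
    if not hmac.compare_digest(expected, signature):
        raise BadSignature("Bad Signature")
    stream = _ctr_keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, stream))


def diagnose(blob: bytes, passphrase: str) -> str:
    # Classifies the outcome the way an operator reading the log would: 'ok' or 'bad-signature'.
    try:
        open_sealed(blob, passphrase)
        return "ok"
    except BadSignature:
        return "bad-signature"


if __name__ == "__main__":
    # Constructed sample: a stand-in for a stored private key, sealed under an instance secret.
    key_material = b"-----BEGIN PRIVATE KEY----- (constructed sample) -----END PRIVATE KEY-----"
    blob = seal(key_material, "instance-secret")
    print(diagnose(blob, "instance-secret"))   # ok
    print(diagnose(blob, "some-other-secret")) # bad-signature
```

The diagnostic value is that "Bad Signature" on a key blob has only two explanations in this model: the blob's bytes differ from what was sealed, or the passphrase used to derive the MAC key differs from the one used at sealing time. Either way the check fires before decryption, which matches the trace above, where `checkSignature` throws inside `decryptPrivateKey` rather than a later step failing on garbage output.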

@rcvd
Author

rcvd commented Sep 18, 2017

Is there anything I can do to shed some more light onto this issue?

@schiessle
Member

@rcvd is it a fresh Nextcloud 12 installation or did you upgrade from Nextcloud 11?

@rcvd
Author

rcvd commented Sep 18, 2017

@schiessle It's an upgraded installation... started a while ago with ownCloud.

@schiessle
Member

OK, I just tried the upgrade path: set up Nextcloud 11, enable encryption, create a public link and upgrade, but the link still works here. Does it happen for all public links? Only a few? What happens if you create a new public link?

@rcvd
Author

rcvd commented Sep 18, 2017

It happens for all public links. For old and new ones. Even on different or newly created accounts. If I decrypt the files using occ the link starts working.

@powerriegel

Same problem in 11.6 with pdf file.

@nextcloud-bot nextcloud-bot added the stale Ticket or PR with no recent activity label Jun 20, 2018
@MorrisJobke
Member

We can't reproduce this anymore. Could you please test again with a more recent version? I will close this ticket for now, but we can easily reopen the ticket if this is still reproducible somehow. Then please also share exact steps on how to do it.

@nextcloud-bot nextcloud-bot removed the stale Ticket or PR with no recent activity label Nov 29, 2018