search

Setasign / fpdi-protection

A FPDI compatible and enhanced version of the FPDF_Protection script.
MIT License
30 stars 13 forks source link

RC4 issue #17

Open buglinjo opened 1 year ago

buglinjo commented 1 year ago

Our company decided to get rid of legacy encryption methods like RC4.

Is there a way to provide cipher during initialization of the FpdiProtection() class? Why is it required to use RC4 when PDF also supports AES256?

JanSlabon commented 1 year ago

This add-on simply only offers revision 2 or 3 with RC4. It's not only a cipher that needs to be changed to support AES256.

IIRC: Simply using another cipher in revision 2/3 for encryption will still need RC4 for the encryption-key-calculation.

You may check out our SetaPDF-Core component which offers also offers AES256 encryption: https://www.setasign.com/products/setapdf-core/demos/standard-security/

buglinjo commented 1 year ago

Oh, so do you mean RC4 is globally required for any "encryption-key-calculation" process you mentioned? Even if you use AES256 you still need RC4 for something else?

Thanks for the fast reply!

JanSlabon commented 1 year ago

No, for AES256 RC4 is not needed. but it is also possible to use e.g. AES128 with revision 2 or 3 - the algorithm for calculation of the encryption key relies on RC4.

buglinjo commented 1 year ago

Got it, thank you!

medilies commented 2 months ago

Is it possible to use this package without editing the Open SSL config and not run into this exception?

OpenSSL with RC4 supported is required. In case you use OpenSSL 3 make sure that legacy providers are loaded (see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers).

MaximilianKresse commented 2 months ago

You can set the flag "$useArcfourFallback" to true in the constructor - but this will heavily impact your performance and should be avoided if possible.

medilies commented 2 months ago

@MaximilianKresse the code with useArcfourFallback is not released yet.

Still, is it not possible to use aes-256-cbc when calling openssl_encrypt. I tried to extend FpdiProtection by mixing code from TCPDF but I think that I'm doing something wrong since my password did not decrypt the PDF I created:

        $pdf = new class extends FpdiProtection
        {
            public function __construct($orientation = 'P', $unit = 'mm', $size = 'A4')
            {
                Fpdi::__construct($orientation, $unit, $size);

                $randomBytes = function_exists('random_bytes') ? \random_bytes(32) : \mt_rand();
                $this->fileIdentifier = md5(__FILE__.PHP_SAPI.PHP_VERSION.$randomBytes, true);

                if (! function_exists('openssl_encrypt') || ! in_array('aes-256-cbc', openssl_get_cipher_methods(), true)) {
                    throw new \RuntimeException(
                        'OpenSSL with aes-256-cbc supported is required. In case you use OpenSSL 3 make sure that '.
                        'legacy providers are loaded (see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers).'
                    );
                }
            }

            protected function arcfour($key, $data)
            {
                $algo = 'aes-256-cbc';
                if (strlen($key) === 16) {
                    $algo = 'aes-128-cbc';
                }
                $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($algo));

                return openssl_encrypt($data, $algo, $key, OPENSSL_RAW_DATA, $iv);
            }
        };
JanSlabon commented 2 months ago

As written here: This add-on simply only offers revision 2 or 3 with RC4. It's not only a cipher that needs to be changed to support AES256.

You may check out our SetaPDF-Core component which offers also AES256 encryption: https://www.setasign.com/products/setapdf-core/demos/standard-security/

Release regarding useArcfourFallback will follow shortly. After that we can close this issue.