RC4 issue

[buglinjo]

Our company decided to get rid of legacy encryption methods like RC4.

Is there a way to provide cipher during initialization of the FpdiProtection() class? Why is it required to use RC4 when PDF also supports AES256?

[JanSlabon]

This add-on simply only offers revision 2 or 3 with RC4. It's not only a cipher that needs to be changed to support AES256.

IIRC: Simply using another cipher in revision 2/3 for encryption will still need RC4 for the encryption-key-calculation.

You may check out our SetaPDF-Core component which offers also offers AES256 encryption: https://www.setasign.com/products/setapdf-core/demos/standard-security/

[buglinjo]

Oh, so do you mean RC4 is globally required for any "encryption-key-calculation" process you mentioned? Even if you use AES256 you still need RC4 for something else?

Thanks for the fast reply!

[JanSlabon]

No, for AES256 RC4 is not needed. but it is also possible to use e.g. AES128 with revision 2 or 3 - the algorithm for calculation of the encryption key relies on RC4.

[buglinjo]

Got it, thank you!

[medilies]

Is it possible to use this package without editing the Open SSL config and not run into this exception?

OpenSSL with RC4 supported is required. In case you use OpenSSL 3 make sure that legacy providers are loaded (see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers).

[MaximilianKresse]

You can set the flag "$useArcfourFallback" to true in the constructor - but this will heavily impact your performance and should be avoided if possible.

[medilies]

@MaximilianKresse the code with useArcfourFallback is not released yet.

Still, is it not possible to use aes-256-cbc when calling openssl_encrypt. I tried to extend FpdiProtection by mixing code from TCPDF but I think that I'm doing something wrong since my password did not decrypt the PDF I created:

        $pdf = new class extends FpdiProtection
        {
            public function __construct($orientation = 'P', $unit = 'mm', $size = 'A4')
            {
                Fpdi::__construct($orientation, $unit, $size);

                $randomBytes = function_exists('random_bytes') ? \random_bytes(32) : \mt_rand();
                $this->fileIdentifier = md5(__FILE__.PHP_SAPI.PHP_VERSION.$randomBytes, true);

                if (! function_exists('openssl_encrypt') || ! in_array('aes-256-cbc', openssl_get_cipher_methods(), true)) {
                    throw new \RuntimeException(
                        'OpenSSL with aes-256-cbc supported is required. In case you use OpenSSL 3 make sure that '.
                        'legacy providers are loaded (see https://wiki.openssl.org/index.php/OpenSSL_3.0#Providers).'
                    );
                }
            }

            protected function arcfour($key, $data)
            {
                $algo = 'aes-256-cbc';
                if (strlen($key) === 16) {
                    $algo = 'aes-128-cbc';
                }
                $iv = openssl_random_pseudo_bytes(openssl_cipher_iv_length($algo));

                return openssl_encrypt($data, $algo, $key, OPENSSL_RAW_DATA, $iv);
            }
        };

[JanSlabon]

As written here: This add-on simply only offers revision 2 or 3 with RC4. It's not only a cipher that needs to be changed to support AES256.

You may check out our SetaPDF-Core component which offers also AES256 encryption: https://www.setasign.com/products/setapdf-core/demos/standard-security/

Release regarding useArcfourFallback will follow shortly. After that we can close this issue.