PdfKeyDerivation
PDF encryption key derivation — ISO 32000-2 §7.6.
Covers the Standard security handler (R=2/3/4 with RC4/AES-128 and R=6 with AES-256).
Table of Contents
Constants
- PADDING = "(\xbfN^Nu\x8aAd\x00NV\xff\xfa\x01\x08" . "..\x00\xb6\xd0h>\x80/\f\xa9\xfedSiz"
- Standard 32-byte padding string per PDF spec §7.6.3.3.
Methods
- authenticateOwnerPassword() : string|null
- Authenticate an owner password — returns the file encryption key if the password is valid, null otherwise.
- authenticateOwnerPasswordR6() : string|null
- Authenticate an owner password for R=6 — returns file encryption key or null.
- authenticateUserPassword() : string|null
- Authenticate a user password — returns the file encryption key if the password is valid, null otherwise.
- authenticateUserPasswordR6() : string|null
- Authenticate a user password for R=6 — returns file encryption key or null.
- computeFileEncryptionKey() : string
- Compute the file encryption key from the user password — §7.6.3.3.
- computeHashR6() : string
- R=6 iterative hash algorithm — ISO 32000-2 §7.6.4.3.4.
- computeOValueR6() : array{o: string, oe: string}
- Compute /O and /OE values for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step b).
- computeOwnerKey() : string
- Compute the owner key (/O) — §7.6.3.4 (R=2/3/4).
- computePermsR6() : string
- Compute /Perms value for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step c).
- computeUserKey() : string
- Compute the user key (/U) — §7.6.3.4.
- computeUValueR6() : array{u: string, ue: string}
- Compute /U and /UE values for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step a).
- deriveObjectKey() : string
- Derive an object encryption key per PDF spec §7.6.3.3.
- pad() : string
- Pad or truncate a password to 32 bytes using the standard padding.
- preparePasswordR6() : string
- Prepare a password for R=6: SASLprep + truncate to 127 bytes.
- saslPrep() : string
- Normalize a password via SASLprep (RFC 4013).
Constants
PADDING
Standard 32-byte padding string per PDF spec §7.6.3.3.
public mixed PADDING = "(\xbfN^Nu\x8aAd\x00NV\xff\xfa\x01\x08" . "..\x00\xb6\xd0h>\x80/\f\xa9\xfedSiz"
Methods
authenticateOwnerPassword()
Authenticate an owner password — returns the file encryption key if the password is valid, null otherwise.
public static authenticateOwnerPassword(string $ownerPassword, string $oValue, string $uValue, int $pValue, string $fileId[, int $keyLengthBits = 128 ][, int $revision = 3 ][, bool $encryptMetadata = true ]) : string|null
Parameters
- $ownerPassword : string
- $oValue : string
- $uValue : string
- $pValue : int
- $fileId : string
- $keyLengthBits : int = 128
- $revision : int = 3
- $encryptMetadata : bool = true
Return values
string|null
authenticateOwnerPasswordR6()
Authenticate an owner password for R=6 — returns file encryption key or null.
public static authenticateOwnerPasswordR6(string $password, string $oValue, string $oeValue, string $uValue) : string|null
Parameters
- $password : string
  UTF-8 password (already SASLprep'd, truncated to 127 bytes)
- $oValue : string
  48-byte /O value
- $oeValue : string
  32-byte /OE value
- $uValue : string
  48-byte /U value
Return values
string|null
authenticateUserPassword()
Authenticate a user password — returns the file encryption key if the password is valid, null otherwise.
public static authenticateUserPassword(string $password, string $oValue, string $uValue, int $pValue, string $fileId[, int $keyLengthBits = 128 ][, int $revision = 3 ][, bool $encryptMetadata = true ]) : string|null
Parameters
- $password : string
- $oValue : string
- $uValue : string
- $pValue : int
- $fileId : string
- $keyLengthBits : int = 128
- $revision : int = 3
- $encryptMetadata : bool = true
Return values
string|null
authenticateUserPasswordR6()
Authenticate a user password for R=6 — returns file encryption key or null.
public static authenticateUserPasswordR6(string $password, string $uValue, string $ueValue) : string|null
Parameters
- $password : string
  UTF-8 password (already SASLprep'd, truncated to 127 bytes)
- $uValue : string
  48-byte /U value
- $ueValue : string
  32-byte /UE value
Return values
string|null
computeFileEncryptionKey()
Compute the file encryption key from the user password — §7.6.3.3.
public static computeFileEncryptionKey(string $userPassword, string $oValue, int $pValue, string $fileId[, int $keyLengthBits = 128 ][, int $revision = 3 ][, bool $encryptMetadata = true ]) : string
Parameters
- $userPassword : string
  The user password
- $oValue : string
  The /O value from the encrypt dictionary (32 bytes)
- $pValue : int
  The /P permissions value (signed 32-bit)
- $fileId : string
  The first element of the /ID array
- $keyLengthBits : int = 128
  Key length in bits (40, 56, 64, 80, 96, 128)
- $revision : int = 3
  Revision (R=2..4)
- $encryptMetadata : bool = true
  Whether metadata is encrypted (R=4 only)
Return values
string
computeHashR6()
R=6 iterative hash algorithm — ISO 32000-2 §7.6.4.3.4.
public static computeHashR6(string $password, string $salt[, string $userKey = '' ]) : string
Parameters
- $password : string
  UTF-8 password (already SASLprep'd, truncated to 127 bytes)
- $salt : string
  8-byte salt
- $userKey : string = ''
  First 48 bytes of /U value (empty for user password validation)
Return values
string
computeOValueR6()
Compute /O and /OE values for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step b).
public static computeOValueR6(string $password, string $fileEncryptionKey, string $uValue) : array{o: string, oe: string}
Parameters
- $password : string
- $fileEncryptionKey : string
- $uValue : string
  First 48 bytes of the /U value
Return values
array{o: string, oe: string} — O is 48 bytes, OE is 32 bytes
computeOwnerKey()
Compute the owner key (/O) — §7.6.3.4 (R=2/3/4).
public static computeOwnerKey(string $ownerPassword, string $userPassword, int $keyLength) : string
Parameters
- $ownerPassword : string
- $userPassword : string
- $keyLength : int
Return values
string
computePermsR6()
Compute /Perms value for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step c).
public static computePermsR6(int $permissions, string $fileEncryptionKey[, bool $encryptMetadata = true ]) : string
Parameters
- $permissions : int
- $fileEncryptionKey : string
- $encryptMetadata : bool = true
Return values
string
computeUserKey()
Compute the user key (/U) — §7.6.3.4.
public static computeUserKey(string $encryptionKey, string $fileId[, int $revision = 3 ]) : string
Parameters
- $encryptionKey : string
  The file encryption key
- $fileId : string
  The first element of /ID
- $revision : int = 3
  Revision (R=2..4)
Return values
string
computeUValueR6()
Compute /U and /UE values for R=6 — ISO 32000-2 §7.6.4.3.3 (Algorithm 2.A step a).
public static computeUValueR6(string $password, string $fileEncryptionKey) : array{u: string, ue: string}
Parameters
- $password : string
- $fileEncryptionKey : string
Return values
array{u: string, ue: string} — U is 48 bytes, UE is 32 bytes
deriveObjectKey()
Derive an object encryption key per PDF spec §7.6.3.3.
public static deriveObjectKey(string $encryptionKey, int $objectNumber, int $generationNumber[, bool $aes = false ]) : string
Parameters
- $encryptionKey : string
- $objectNumber : int
- $generationNumber : int
- $aes : bool = false
Return values
string
pad()
Pad or truncate a password to 32 bytes using the standard padding.
public static pad(string $password) : string
Parameters
- $password : string
Return values
string
preparePasswordR6()
Prepare a password for R=6: SASLprep + truncate to 127 bytes.
public static preparePasswordR6(string $password) : string
Parameters
- $password : string
Return values
string
saslPrep()
Normalize a password via SASLprep (RFC 4013).
public static saslPrep(string $password) : string
Required for PDF 2.0 encryption (R=6, AES-256) per ISO 32000-2 §7.6.4.3.2.
Parameters
- $password : string
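Example
The R=2..4 chain that pad(), computeFileEncryptionKey() and deriveObjectKey() describe, written out as a stand-alone added example. It is not this package's code: the function names padPassword(), fileKey() and objectKey() are hypothetical, and the all-zero /O value, the /ID bytes and the /P value are constructed sample inputs.

```php
<?php
// Added illustration: stand-alone re-implementation, not the package's code.

// Same 32 bytes as the PADDING constant, written as hex escapes.
const PDF_PAD = "\x28\xBF\x4E\x5E\x4E\x75\x8A\x41\x64\x00\x4E\x56\xFF\xFA\x01\x08"
    . "\x2E\x2E\x00\xB6\xD0\x68\x3E\x80\x2F\x0C\xA9\xFE\x64\x53\x69\x7A";

function padPassword(string $password): string
{
    // Appending the padding and cutting at 32 bytes both pads and truncates.
    return substr($password . PDF_PAD, 0, 32);
}

function fileKey(string $userPw, string $o, int $p, string $id0,
    int $bits = 128, int $rev = 3, bool $encMeta = true): string
{
    $n = $rev === 2 ? 5 : intdiv($bits, 8);     // R=2 is fixed at 40 bits
    // MD5 input: padded password, /O, /P as 4 bytes little-endian, first /ID element.
    $data = padPassword($userPw) . $o . pack('V', $p & 0xFFFFFFFF) . $id0;
    if ($rev >= 4 && !$encMeta) {
        $data .= "\xFF\xFF\xFF\xFF";            // only when metadata is left unencrypted
    }
    $hash = md5($data, true);
    if ($rev >= 3) {
        for ($i = 0; $i < 50; $i++) {           // 50 extra MD5 rounds over the first n bytes
            $hash = md5(substr($hash, 0, $n), true);
        }
    }
    return substr($hash, 0, $n);
}

function objectKey(string $key, int $objNum, int $genNum, bool $aes = false): string
{
    // Low 3 bytes of the object number and low 2 bytes of the generation, little-endian.
    $data = $key . substr(pack('V', $objNum), 0, 3) . pack('v', $genNum);
    if ($aes) {
        $data .= 'sAlT';                        // fixed suffix used for AES object keys
    }
    return substr(md5($data, true), 0, min(strlen($key) + 5, 16));
}

// Constructed sample inputs (not taken from a real document).
$o   = str_repeat("\x00", 32);
$id0 = hex2bin('00112233445566778899aabbccddeeff');
$key = fileKey('', $o, -1340, $id0, 128, 4);
printf("file key (%d bytes): %s\n", strlen($key), bin2hex($key));
printf("obj 7 0 RC4 key: %s\n", bin2hex(objectKey($key, 7, 0)));
printf("obj 7 0 AES key: %s\n", bin2hex(objectKey($key, 7, 0, true)));
```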