phpdftk API Documentation

PublicKeyEncryption
in package

Final: Yes

Public-key (certificate-based) PDF encryption primitives — ISO 32000-2 §7.6.5.

Creates and opens the PKCS#7 CMS EnvelopedData objects that wrap the encryption seed and the per-recipient permissions, and derives the file encryption key as specified for the public-key security handler.

Uses the PHP 8.1+ openssl_cms_encrypt() and openssl_cms_decrypt() functions for the CMS envelope operations.

Table of Contents

Methods

createEnvelope()  : string
Create a PKCS#7 CMS EnvelopedData wrapping the seed + permissions for a single recipient. Returns raw DER-encoded bytes.
deriveFileKey()  : string
Derive the file encryption key per ISO 32000-2 §7.6.5.2.
openEnvelope()  : string|null
Open a PKCS#7 CMS EnvelopedData to extract the 20-byte seed.

Methods

createEnvelope()

Create a PKCS#7 CMS EnvelopedData wrapping the seed + permissions for a single recipient. Returns raw DER-encoded bytes.

public static createEnvelope(string $seed, int $permissions, string $certPem[, bool $encryptMetadata = true ]) : string

Per ISO 32000-2 §7.6.5.3, the enveloped (plaintext) content is: 20-byte seed || 4-byte permissions (little-endian) || 4 bytes of 0xFF, the last group being appended only when $encryptMetadata is false.

Parameters
$seed : string

20-byte random seed

$permissions : int

Permission bitfield for this recipient

$certPem : string

Recipient's X.509 certificate in PEM format

$encryptMetadata : bool = true

Whether document metadata is encrypted

Return values
string

deriveFileKey()

Derive the file encryption key per ISO 32000-2 §7.6.5.2.

public static deriveFileKey(string $seed, array<string|int, string> $recipientDerStrings, int $permissions, int $keyLengthBytes[, bool $encryptMetadata = true ]) : string

Uses SHA-1 for key lengths up to 20 bytes (16 bytes for AES-128) and SHA-256 for longer keys (32 bytes for AES-256).

Parameters
$seed : string

20-byte seed

$recipientDerStrings : array<string|int, string>

Raw DER bytes of each PKCS#7 recipient object, in the order in which they appear in the encryption dictionary's /Recipients array (the order is part of the hash input, so it must be the same on the encrypting and decrypting side)

$permissions : int

Combined permission bitfield (bitwise AND of all recipients' permissions)

$keyLengthBytes : int

Desired key length in bytes (16 for AES-128, 32 for AES-256)

$encryptMetadata : bool = true

Whether metadata is encrypted

Return values
string

openEnvelope()

Open a PKCS#7 CMS EnvelopedData to extract the 20-byte seed.

public static openEnvelope(string $pkcs7Der, string $certPem, string $privateKeyPem) : string|null

Parameters
$pkcs7Der : string

DER-encoded PKCS#7 EnvelopedData

$certPem : string

Recipient's X.509 certificate in PEM format

$privateKeyPem : string

Recipient's private key in PEM format

Return values
string|null

The 20-byte seed, or null if decryption fails
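End-to-end use of the three methods above, as an added example (not code from phpdftk or from this page). It assumes the class lives in the Phpdftk\Crypto namespace, which the page does not state, and that the methods behave exactly as documented. The recipient certificates are throwaway self-signed ones generated at run time so the script runs offline. Besides the create / derive / open round trip, it decrypts one envelope directly with openssl_cms_decrypt(), the PHP function the class wraps, to check the plaintext layout documented for createEnvelope(), and it exercises the null return of openEnvelope() by presenting the wrong private key.

```php
<?php
declare(strict_types=1);

// Namespace assumed: the page does not name the package. Adjust to the real one.
use Phpdftk\Crypto\PublicKeyEncryption;

function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

/** Throwaway RSA key pair and self-signed certificate (constructed test data, not a real recipient). */
function makeRecipient(string $commonName): array
{
    $key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
    $csr = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $cert = openssl_csr_sign($csr, null, $key, 365, ['digest_alg' => 'sha256']);
    openssl_x509_export($cert, $certPem);
    openssl_pkey_export($key, $keyPem);
    return [$certPem, $keyPem];
}

/**
 * Open the DER envelope with PHP's own openssl_cms_decrypt() and split the plaintext per the
 * documented layout: 20-byte seed || 4-byte permissions (little-endian) || optional 4 x 0xFF.
 */
function inspectEnvelope(string $der, string $certPem, string $keyPem): array
{
    $in = tempnam(sys_get_temp_dir(), 'cms');
    $out = tempnam(sys_get_temp_dir(), 'cms');
    file_put_contents($in, $der);
    $ok = openssl_cms_decrypt($in, $out, $certPem, $keyPem, OPENSSL_ENCODING_DER);
    $plain = $ok ? (string) file_get_contents($out) : '';
    unlink($in);
    unlink($out);
    if (!$ok) {
        throw new RuntimeException('CMS decrypt failed: ' . (openssl_error_string() ?: 'unknown error'));
    }
    return [
        'seed'              => substr($plain, 0, 20),
        'permissions'       => unpack('V', substr($plain, 20, 4))[1], // unsigned 32-bit, little-endian
        'metadataEncrypted' => strlen($plain) === 24,                 // 28 bytes means the 0xFFFFFFFF marker is present
    ];
}

// --- Author side: one seed, one envelope per recipient, one file key --------------------------
[$ownerCert, $ownerKey]   = makeRecipient('owner');
[$readerCert, $readerKey] = makeRecipient('reader');

$seed       = random_bytes(20);
$permOwner  = -1;    // 0xFFFFFFFF: every permission bit set
$permReader = -3900; // 0xFFFFF0C4: print only, plus the bits ISO 32000 requires to be 1

$envOwner  = PublicKeyEncryption::createEnvelope($seed, $permOwner, $ownerCert);
$envReader = PublicKeyEncryption::createEnvelope($seed, $permReader, $readerCert);

// The /Recipients order feeds the key-derivation hash: keep it identical on both sides.
$recipients = [$envOwner, $envReader];
$combined   = $permOwner & $permReader;
$fileKey    = PublicKeyEncryption::deriveFileKey($seed, $recipients, $combined, 32); // AES-256

// --- Reader side: open own envelope, re-derive the same key ----------------------------------
$recovered = PublicKeyEncryption::openEnvelope($envReader, $readerCert, $readerKey);
if ($recovered === null) {
    throw new RuntimeException('envelope could not be opened with this certificate/key');
}
$readerFileKey = PublicKeyEncryption::deriveFileKey($recovered, $recipients, $combined, 32);
check(hash_equals($fileKey, $readerFileKey), 'reader derives the same file key as the author');

// The reader's key must not open the owner's envelope; openEnvelope() reports that as null.
check(PublicKeyEncryption::openEnvelope($envOwner, $readerCert, $readerKey) === null,
      'wrong private key yields null rather than garbage');

// Check the on-the-wire layout documented for createEnvelope() (default $encryptMetadata = true).
$inner = inspectEnvelope($envReader, $readerCert, $readerKey);
check($inner['seed'] === $seed, 'first 20 bytes are the seed');
check($inner['permissions'] === ($permReader & 0xFFFFFFFF), 'next 4 bytes are the LE permissions');
check($inner['metadataEncrypted'], 'no 0xFFFFFFFF marker when metadata is encrypted');
echo "public-key envelope round trip OK\n";
```

Two points the script relies on that a caller must reproduce when opening a real document: the DER strings passed to deriveFileKey() must be exactly the entries of the /Recipients array, in file order, and the $permissions and $encryptMetadata values must match what the author used, because all of them are hashed into the file key. Always test openEnvelope()'s result with === null before using it; an empty-string or falsy check would misreport a valid seed whose bytes happen to look falsy.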
