From 47ef75562ffd10b917e59eb85397733b956cea97 Mon Sep 17 00:00:00 2001
From: tale-fau <lefaucheurtanguy@gmail.com>
Date: Thu, 9 Nov 2023 17:25:42 +0100
Subject: [PATCH] key and hash created in the javascript

---
 app.php                      | 12 +++++------
 lib/cryptography.class.php   |  7 +++----
 public/js/signature.js       | 40 +++++++++++++++++++++++++++++-------
 templates/signature.html.php |  5 +++--
 4 files changed, 44 insertions(+), 20 deletions(-)

diff --git a/app.php b/app.php
index 7498ef7..a3c83ef 100644
--- a/app.php
+++ b/app.php
@@ -195,7 +195,7 @@ require_once 'lib/cryptography.class.php';
 
 $f3->route('POST /share',
     function($f3) {
-        $hash = substr(hash('sha512', uniqid().rand()), 0, 20);
+        $hash = Web::instance()->slug($_POST['hash']);
         $sharingFolder = $f3->get('PDF_STORAGE_PATH').$hash;
         $f3->set('UPLOADS', $sharingFolder."/");
         if (!is_dir($f3->get('PDF_STORAGE_PATH'))) {
@@ -240,10 +240,9 @@ $f3->route('POST /share',
         if(!$f3->get('DEBUG')) {
             array_map('cryptographyClass::hardUnlink', glob($tmpfile."*.svg"));
         }
-        $symmetricKey = CryptographyClass::createSymmetricKey();
-        setcookie($hash, $symmetricKey, ['expires' => 0, 'samesite' => 'Strict', 'path' => "/"]);
 
-        $encryptor = new CryptographyClass($symmetricKey, $f3->get('PDF_STORAGE_PATH').$hash);
+        $symmetricKey = $_COOKIE[$hash];
+        $encryptor = new CryptographyClass($_COOKIE[$hash], $f3->get('PDF_STORAGE_PATH').$hash);
         $encryptor->encrypt();
 
 
@@ -258,11 +257,10 @@ $f3->route('GET /signature/@hash/pdf',
         $hash = Web::instance()->slug($f3->get('PARAMS.hash'));
         $sharingFolder = $f3->get('PDF_STORAGE_PATH').$hash;
 
-        if (CryptographyClass::isSymmetricKeyValid($_COOKIE[$hash]) == false) {
+        $cryptor = new CryptographyClass(CryptographyClass::protectSymmetricKey($_COOKIE[$hash]), $f3->get('PDF_STORAGE_PATH').$hash);
+        if ($cryptor->decrypt() == false) {
             $f3->error(403);
         }
-        $cryptor = new CryptographyClass($_COOKIE[$hash], $f3->get('PDF_STORAGE_PATH').$hash);
-        $cryptor->decrypt();
 
         $files = scandir($sharingFolder);
         $originalFile = $sharingFolder.'/original.pdf';
diff --git a/lib/cryptography.class.php b/lib/cryptography.class.php
index 395c5ee..5c873f6 100644
--- a/lib/cryptography.class.php
+++ b/lib/cryptography.class.php
@@ -42,7 +42,7 @@ class CryptographyClass
             $result = shell_exec($command);
             if ($result === false) {
                 echo "Decypher failure";
-                exit;
+                return $result;
             }
             $this->hardUnlink($file);
         }
@@ -53,14 +53,13 @@ class CryptographyClass
         if (!$element) {
             return;
         }
-        print_r(['hu', $element]);
         $eraser = str_repeat(0, strlen(file_get_contents($element)));
         file_put_contents($element, $eraser);
         unlink($element);
     }
 
-    public static function isSymmetricKeyValid($key) {
-        return (bool)preg_match('/^[0-9a-zA-Z]{15}$/', $key);
+    public static function protectSymmetricKey($key) {
+        return preg_replace('/[^0-9a-zA-Z]*/', '', $key);
     }
 
     public static function createSymmetricKey() {
diff --git a/public/js/signature.js b/public/js/signature.js
index 165bb5a..17c6e8d 100644
--- a/public/js/signature.js
+++ b/public/js/signature.js
@@ -818,6 +818,10 @@ var createEventsListener = function() {
             }
             document.getElementById('input_svg_share').files = dataTransfer.files;
             hasModifications = false;
+
+            document.getElementById('input_pdf_hash').value = generatePdfHash();
+            document.getElementById('input_symmetric_key').value = generateSymmetricKey();
+            storeSymmetricKeyCookie(document.getElementById('input_pdf_hash').value, document.getElementById('input_symmetric_key').value);
         });
     }
 
@@ -1111,7 +1115,6 @@ var pageSignature = async function(url) {
     let filename = url.replace('/pdf/', '');
 
     if(pdfHash) {
-        storeSymmetricKeyCookie();
         let response = await fetch(url);
         if(response.status != 200) {
             return;
@@ -1165,13 +1168,36 @@ var pageSignature = async function(url) {
     })
 })();
 
-function storeSymmetricKeyCookie() {
-    let symmetricKey = window.location.hash;
-    if (symmetricKey.length != 19) {
+function storeSymmetricKeyCookie(hash, symmetricKey) {
+    if (symmetricKey.length != 15) {
         console.error("Erreur taille cle symmetrique.");
         return;
-    } else if (symmetricKey.substr(0, 4) != "#sk:") {
-        console.error("Erreur format cle symmetrique");
     }
-    document.cookie = pdfHash + "=" + symmetricKey.substr(4, 15) + "; SameSite=Strict";
+    document.cookie = hash + "=" + symmetricKey + "; SameSite=Strict";
+}
+
+function generateSymmetricKey() {
+    const length = 15;
+    const keySpace = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
+    let key = '';
+
+    for (let i = 0; i < length; ++i) {
+        const randomIndex = Math.floor(Math.random() * keySpace.length);
+        key += keySpace.charAt(randomIndex);
+    }
+
+    return key;
+}
+
+function generatePdfHash() {
+    const length = 20;
+    const keySpace = '0123456789abcdefghijklmnopqrstuvwxyz';
+    let key = '';
+
+    for (let i = 0; i < length; ++i) {
+        const randomIndex = Math.floor(Math.random() * keySpace.length);
+        key += keySpace.charAt(randomIndex);
+    }
+
+    return key;
 }
diff --git a/templates/signature.html.php b/templates/signature.html.php
index a774d2b..db027ff 100644
--- a/templates/signature.html.php
+++ b/templates/signature.html.php
@@ -112,7 +112,7 @@
                   </div>
                   <form id="form_pdf" action="<?php echo $REVERSE_PROXY_URL; ?>/signature/<?php echo $hash ?>/save" method="post" enctype="multipart/form-data" class="d-none d-sm-none d-md-block">
                         <input id="input_svg" name="svg[]" type="file" class="d-none" />
-                        <!-- <input id="symmetric_key" name="key" type="hidden" value="test" /> -->
+
                         <button class="btn btn-primary w-100 mt-2" disabled="disabled" type="submit" id="save"><i class="bi bi-cloud-upload"></i> <?php echo _("Transmit my signature"); ?></button>
                   </form>
                   <?php endif; ?>
@@ -198,7 +198,8 @@
                     <form id="form_sharing" clas action="<?php echo $REVERSE_PROXY_URL; ?>/share" method="post" enctype="multipart/form-data">
                           <input id="input_pdf_share" name="pdf" type="file" class="d-none" />
                           <input id="input_svg_share" name="svg[]" type="file" class="d-none" />
-                          <!-- <input id="symmetric_key" name="key" type="hidden" value="test" /> -->
+                          <input id="input_pdf_hash" name="hash" type="hidden" value="" />
+                          <input id="input_symmetric_key" name="key" type="hidden" value="" />
                           <button  class="btn col-9 col-md-6 btn-primary" type="submit" id="save_share"><?php echo sprintf(_("%s Start sharing"), '<i class="bi bi-cloud-upload"></i>'); ?></button>
                     </form>
                 </div>