Password and hash are exclusive

As specified in https://docs.microsoft.com/en-us/openspecs/office_standards/ms-xlsx/85f5567f-2599-41ad-ae26-8cfab23ce754
password and hashValue are exlusive and thus should be treated
transparently with a single API in our model.

Author: PowerKiKi

docs/topics/recipes.md

@@ -919,29 +919,53 @@ disallow inserting rows on a specific sheet, disallow sorting, ...
 - Cell: offers the option to lock/unlock a cell as well as show/hide
 the internal formula.
 
+**Make sure you enable worksheet protection if you need any of the
+worksheet or cell protection features!** This can be done using the following
+code:
+
+``` php
+$spreadsheet->getActiveSheet()->getProtection()->setSheet(true);
+```
+
+### Document
+
 An example on setting document security:
 
 ``` php
-$spreadsheet->getSecurity()->setLockWindows(true);
-$spreadsheet->getSecurity()->setLockStructure(true);
-$spreadsheet->getSecurity()->setWorkbookPassword("PhpSpreadsheet");
+$security = $spreadsheet->getSecurity();
+$security->setLockWindows(true);
+$security->setLockStructure(true);
+$security->setWorkbookPassword("PhpSpreadsheet");
 ```
 
+### Worksheet
+
 An example on setting worksheet security:
 
 ``` php
-$spreadsheet->getActiveSheet()
-    ->getProtection()->setPassword('PhpSpreadsheet');
-$spreadsheet->getActiveSheet()
-    ->getProtection()->setSheet(true);
-$spreadsheet->getActiveSheet()
-    ->getProtection()->setSort(true);
-$spreadsheet->getActiveSheet()
-    ->getProtection()->setInsertRows(true);
-$spreadsheet->getActiveSheet()
-    ->getProtection()->setFormatCells(true);
+$protection = $spreadsheet->getActiveSheet()->getProtection();
+$protection->setPassword('PhpSpreadsheet');
+$protection->setSheet(true);
+$protection->setSort(true);
+$protection->setInsertRows(true);
+$protection->setFormatCells(true);
 ```
 
+If writing Xlsx files you can specify the algorithm used to hash the password
+before calling `setPassword()` like so:
+
+```php
+$protection = $spreadsheet->getActiveSheet()->getProtection();
+$protection->setAlgorithm(Protection::ALGORITHM_SHA_512);
+$protection->setSpinCount(20000);
+$protection->setPassword('PhpSpreadsheet');
+```
+
+The salt should **not** be set manually and will be automatically generated
+when setting a new password.
+
+### Cell
+
 An example on setting cell security:
 
 ``` php
@@ -950,14 +974,30 @@ $spreadsheet->getActiveSheet()->getStyle('B1')
     ->setLocked(\PhpOffice\PhpSpreadsheet\Style\Protection::PROTECTION_UNPROTECTED);
 ```
 
-**Make sure you enable worksheet protection if you need any of the
-worksheet protection features!** This can be done using the following
-code:
+## Reading protected spreadsheet
 
-``` php
-$spreadsheet->getActiveSheet()->getProtection()->setSheet(true);
+Spreadsheets that are protected the as described above can always be read by
+PhpSpreadsheet. There is no need to know the password or do anything special in
+order to read a protected file.
+
+However if you need to implement a password verification mechanism, you can use the
+following helper method:
+
+
+```php
+$protection = $spreadsheet->getActiveSheet()->getProtection();
+$allowed = $protection->verify('my password');
+
+if ($allowed) {
+    doSomething();
+} else {
+    throw new Exception('Incorrect password');
+}
 ```
 
+If you need to completely prevent reading a file by any tool, including PhpSpreadsheet,
+then you are looking for "encryption", not "protection".
+
 ## Setting data validation on a cell
 
 Data validation is a powerful feature of Xlsx. It allows to specify an

src/PhpSpreadsheet/Reader/Xlsx.php

@@ -763,17 +763,8 @@ public function load($pFilename)
                                 }
                             }
 
-                            if (!$this->readDataOnly && $xmlSheet && $xmlSheet->sheetProtection) {
-                                $docSheet->getProtection()->setPassword((string) $xmlSheet->sheetProtection['password'], true);
-                                $docSheet->getProtection()->setAlgorithmName((string) $xmlSheet->sheetProtection['algorithmName']);
-                                $docSheet->getProtection()->setHashValue((string) $xmlSheet->sheetProtection['hashValue']);
-                                $docSheet->getProtection()->setSaltValue((string) $xmlSheet->sheetProtection['saltValue']);
-                                $docSheet->getProtection()->setSpinCount((int) $xmlSheet->sheetProtection['spinCount']);
-                                if ($xmlSheet->protectedRanges->protectedRange) {
-                                    foreach ($xmlSheet->protectedRanges->protectedRange as $protectedRange) {
-                                        $docSheet->protectCells((string) $protectedRange['sqref'], (string) $protectedRange['password'], true);
-                                    }
-                                }
+                            if ($xmlSheet) {
+                                $this->readSheetProtection($docSheet, $xmlSheet);
                             }
 
                             if ($xmlSheet && $xmlSheet->autoFilter && !$this->readDataOnly) {
@@ -2035,4 +2026,29 @@ private function getWorkbookBaseName(ZipArchive $zip)
 
         return $workbookBasename;
     }
+
+    private function readSheetProtection(Worksheet $docSheet, SimpleXMLElement $xmlSheet): void
+    {
+        if ($this->readDataOnly || !$xmlSheet->sheetProtection) {
+            return;
+        }
+
+        $algorithmName = (string) $xmlSheet->sheetProtection['algorithmName'];
+        $protection = $docSheet->getProtection();
+        $protection->setAlgorithm($algorithmName);
+
+        if ($algorithmName) {
+            $protection->setPassword((string) $xmlSheet->sheetProtection['hashValue'], true);
+            $protection->setSalt((string) $xmlSheet->sheetProtection['saltValue']);
+            $protection->setSpinCount((int) $xmlSheet->sheetProtection['spinCount']);
+        } else {
+            $protection->setPassword((string) $xmlSheet->sheetProtection['password'], true);
+        }
+
+        if ($xmlSheet->protectedRanges->protectedRange) {
+            foreach ($xmlSheet->protectedRanges->protectedRange as $protectedRange) {
+                $docSheet->protectCells((string) $protectedRange['sqref'], (string) $protectedRange['password'], true);
+            }
+        }
+    }
 }

src/PhpSpreadsheet/Shared/PasswordHasher.php

@@ -2,51 +2,39 @@
 
 namespace PhpOffice\PhpSpreadsheet\Shared;
 
+use PhpOffice\PhpSpreadsheet\Exception;
+use PhpOffice\PhpSpreadsheet\Worksheet\Protection;
+
 class PasswordHasher
 {
-    const ALGORITHM_MD2 = 'MD2';
-    const ALGORITHM_MD4 = 'MD4';
-    const ALGORITHM_MD5 = 'MD5';
-    const ALGORITHM_SHA_1 = 'SHA-1';
-    const ALGORITHM_SHA_256 = 'SHA-256';
-    const ALGORITHM_SHA_384 = 'SHA-384';
-    const ALGORITHM_SHA_512 = 'SHA-512';
-    const ALGORITHM_RIPEMD_128 = 'RIPEMD-128';
-    const ALGORITHM_RIPEMD_160 = 'RIPEMD-160';
-    const ALGORITHM_WHIRLPOOL = 'WHIRLPOOL';
-
     /**
-     * Mapping between algorithm name in Excel and algorithm name in PHP.
-     *
-     * @var array
+     * Get algorithm name for PHP.
      */
-    private static $algorithmArray = [
-        self::ALGORITHM_MD2 => 'md2',
-        self::ALGORITHM_MD4 => 'md4',
-        self::ALGORITHM_MD5 => 'md5',
-        self::ALGORITHM_SHA_1 => 'sha1',
-        self::ALGORITHM_SHA_256 => 'sha256',
-        self::ALGORITHM_SHA_384 => 'sha384',
-        self::ALGORITHM_SHA_512 => 'sha512',
-        self::ALGORITHM_RIPEMD_128 => 'ripemd128',
-        self::ALGORITHM_RIPEMD_160 => 'ripemd160',
-        self::ALGORITHM_WHIRLPOOL => 'whirlpool',
-    ];
-
-    /**
-     * Get algorithm from self::$algorithmArray.
-     *
-     * @param string $pAlgorithmName
-     *
-     * @return string
-     */
-    private static function getAlgorithm($pAlgorithmName)
+    private static function getAlgorithm(string $algorithmName): string
     {
-        if (array_key_exists($pAlgorithmName, self::$algorithmArray)) {
-            return self::$algorithmArray[$pAlgorithmName];
+        if (!$algorithmName) {
+            return '';
+        }
+
+        // Mapping between algorithm name in Excel and algorithm name in PHP
+        $mapping = [
+            Protection::ALGORITHM_MD2 => 'md2',
+            Protection::ALGORITHM_MD4 => 'md4',
+            Protection::ALGORITHM_MD5 => 'md5',
+            Protection::ALGORITHM_SHA_1 => 'sha1',
+            Protection::ALGORITHM_SHA_256 => 'sha256',
+            Protection::ALGORITHM_SHA_384 => 'sha384',
+            Protection::ALGORITHM_SHA_512 => 'sha512',
+            Protection::ALGORITHM_RIPEMD_128 => 'ripemd128',
+            Protection::ALGORITHM_RIPEMD_160 => 'ripemd160',
+            Protection::ALGORITHM_WHIRLPOOL => 'whirlpool',
+        ];
+
+        if (array_key_exists($algorithmName, $mapping)) {
+            return $mapping[$algorithmName];
         }
 
-        return '';
+        throw new Exception('Unsupported password algorithm: ' . $algorithmName);
     }
 
     /**
@@ -57,10 +45,8 @@ private static function getAlgorithm($pAlgorithmName)
      * Spreadsheet_Excel_Writer by Xavier Noguer <[email protected]>.
      *
      * @param string $pPassword Password to hash
-     *
-     * @return string Hashed password
      */
-    public static function defaultHashPassword($pPassword)
+    private static function defaultHashPassword(string $pPassword): string
     {
         $password = 0x0000;
         $charPos = 1; // char position
@@ -87,40 +73,28 @@ public static function defaultHashPassword($pPassword)
      *
      * @see https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-offcrypto/1357ea58-646e-4483-92ef-95d718079d6f
      *
-     * @param string $pPassword Password to hash
-     * @param string $pAlgorithmName Hash algorithm used to compute the password hash value
-     * @param string $pSaltValue Pseudorandom string
-     * @param string $pSpinCount Number of times to iterate on a hash of a password
+     * @param string $password Password to hash
+     * @param string $algorithm Hash algorithm used to compute the password hash value
+     * @param string $salt Pseudorandom string
+     * @param int $spinCount Number of times to iterate on a hash of a password
      *
      * @return string Hashed password
      */
-    public static function hashPassword($pPassword, $pAlgorithmName = '', $pSaltValue = '', $pSpinCount = 10000)
+    public static function hashPassword(string $password, string $algorithm = '', string $salt = '', int $spinCount = 10000): string
     {
-        $algorithmName = self::getAlgorithm($pAlgorithmName);
-        if (!$pAlgorithmName) {
-            return self::defaultHashPassword($pPassword);
+        $phpAlgorithm = self::getAlgorithm($algorithm);
+        if (!$phpAlgorithm) {
+            return self::defaultHashPassword($password);
         }
 
-        $saltValue = base64_decode($pSaltValue);
-        $password = mb_convert_encoding($pPassword, 'UCS-2LE', 'UTF-8');
+        $saltValue = base64_decode($salt);
+        $encodedPassword = mb_convert_encoding($password, 'UCS-2LE', 'UTF-8');
 
-        $hashValue = hash($algorithmName, $saltValue . $password, true);
-        for ($i = 0; $i < $pSpinCount; ++$i) {
-            $hashValue = hash($algorithmName, $hashValue . pack('L', $i), true);
+        $hashValue = hash($phpAlgorithm, $saltValue . $encodedPassword, true);
+        for ($i = 0; $i < $spinCount; ++$i) {
+            $hashValue = hash($phpAlgorithm, $hashValue . pack('L', $i), true);
         }
 
         return base64_encode($hashValue);
     }
-
-    /**
-     * Create a pseudorandom string.
-     *
-     * @param int $pSize Length of the output string in bytes
-     *
-     * @return string Pseudorandom string
-     */
-    public static function generateSalt($pSize = 16)
-    {
-        return base64_encode(random_bytes($pSize));
-    }
 }