nextcloud / server

apps/files_trashbin/lib/Storage.php

Indentation +239 added lines, -239 removed lines

@@ -34,244 +34,244 @@
 
 class Storage extends Wrapper {
 
-	private $mountPoint;
-	// remember already deleted files to avoid infinite loops if the trash bin
-	// move files across storages
-	private $deletedFiles = array();
-
-	/**
-	 * Disable trash logic
-	 *
-	 * @var bool
-	 */
-	private static $disableTrash = false;
-
-	/**
-	 * remember which file/folder was moved out of s shared folder
-	 * in this case we want to add a copy to the owners trash bin
-	 *
-	 * @var array
-	 */
-	private static $moveOutOfSharedFolder = [];
-
-	/** @var  IUserManager */
-	private $userManager;
-
-	/** @var ILogger */
-	private $logger;
-
-	/**
-	 * Storage constructor.
-	 *
-	 * @param array $parameters
-	 * @param IUserManager|null $userManager
-	 */
-	public function __construct($parameters,
-								IUserManager $userManager = null,
-								ILogger $logger = null) {
-		$this->mountPoint = $parameters['mountPoint'];
-		$this->userManager = $userManager;
-		$this->logger = $logger;
-		parent::__construct($parameters);
-	}
-
-	/**
-	 * @internal
-	 */
-	public static function preRenameHook($params) {
-		// in cross-storage cases, a rename is a copy + unlink,
-		// that last unlink must not go to trash, only exception:
-		// if the file was moved from a shared storage to a local folder,
-		// in this case the owner should get a copy in his trash bin so that
-		// they can restore the files again
-
-		$oldPath = $params['oldpath'];
-		$newPath = dirname($params['newpath']);
-		$currentUser = \OC::$server->getUserSession()->getUser();
-
-		$fileMovedOutOfSharedFolder = false;
-
-		try {
-			if ($currentUser) {
-				$currentUserId = $currentUser->getUID();
-
-				$view = new View($currentUserId . '/files');
-				$fileInfo = $view->getFileInfo($oldPath);
-				if ($fileInfo) {
-					$sourceStorage = $fileInfo->getStorage();
-					$sourceOwner = $view->getOwner($oldPath);
-					$targetOwner = $view->getOwner($newPath);
-
-					if ($sourceOwner !== $targetOwner
-						&& $sourceStorage->instanceOfStorage('OCA\Files_Sharing\SharedStorage')
-					) {
-						$fileMovedOutOfSharedFolder = true;
-					}
-				}
-			}
-		} catch (\Exception $e) {
-			// do nothing, in this case we just disable the trashbin and continue
-			$logger = \OC::$server->getLogger();
-			$logger->debug('Trashbin storage could not check if a file was moved out of a shared folder: ' . $e->getMessage());
-		}
-
-		if($fileMovedOutOfSharedFolder) {
-			self::$moveOutOfSharedFolder['/' . $currentUserId . '/files' . $oldPath] = true;
-		} else {
-			self::$disableTrash = true;
-		}
-
-	}
-
-	/**
-	 * @internal
-	 */
-	public static function postRenameHook($params) {
-		self::$disableTrash = false;
-	}
-
-	/**
-	 * Rename path1 to path2 by calling the wrapped storage.
-	 *
-	 * @param string $path1 first path
-	 * @param string $path2 second path
-	 * @return bool
-	 */
-	public function rename($path1, $path2) {
-		$result = $this->storage->rename($path1, $path2);
-		if ($result === false) {
-			// when rename failed, the post_rename hook isn't triggered,
-			// but we still want to reenable the trash logic
-			self::$disableTrash = false;
-		}
-		return $result;
-	}
-
-	/**
-	 * Deletes the given file by moving it into the trashbin.
-	 *
-	 * @param string $path path of file or folder to delete
-	 *
-	 * @return bool true if the operation succeeded, false otherwise
-	 */
-	public function unlink($path) {
-		try {
-			if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
-				$result = $this->doDelete($path, 'unlink', true);
-				unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
-			} else {
-				$result = $this->doDelete($path, 'unlink');
-			}
-		} catch (GenericEncryptionException $e) {
-			// in case of a encryption exception we delete the file right away
-			$this->logger->info(
-				"Can't move file" .  $path .
-				"to the trash bin, therefore it was deleted right away");
-
-			$result = $this->storage->unlink($path);
-		}
-
-		return $result;
-	}
-
-	/**
-	 * Deletes the given folder by moving it into the trashbin.
-	 *
-	 * @param string $path path of folder to delete
-	 *
-	 * @return bool true if the operation succeeded, false otherwise
-	 */
-	public function rmdir($path) {
-		if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
-			$result = $this->doDelete($path, 'rmdir', true);
-			unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
-		} else {
-			$result = $this->doDelete($path, 'rmdir');
-		}
-
-		return $result;
-	}
-
-	/**
-	 * check if it is a file located in data/user/files only files in the
-	 * 'files' directory should be moved to the trash
-	 *
-	 * @param $path
-	 * @return bool
-	 */
-	protected function shouldMoveToTrash($path){
-		$normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path);
-		$parts = explode('/', $normalized);
-		if (count($parts) < 4) {
-			return false;
-		}
-
-		if ($this->userManager->userExists($parts[1]) && $parts[2] == 'files') {
-			return true;
-		}
-
-		return false;
-	}
-
-	/**
-	 * Run the delete operation with the given method
-	 *
-	 * @param string $path path of file or folder to delete
-	 * @param string $method either "unlink" or "rmdir"
-	 * @param bool $ownerOnly delete for owner only (if file gets moved out of a shared folder)
-	 *
-	 * @return bool true if the operation succeeded, false otherwise
-	 */
-	private function doDelete($path, $method, $ownerOnly = false) {
-		if (self::$disableTrash
-			|| !\OC_App::isEnabled('files_trashbin')
-			|| (pathinfo($path, PATHINFO_EXTENSION) === 'part')
-			|| $this->shouldMoveToTrash($path) === false
-		) {
-			return call_user_func_array([$this->storage, $method], [$path]);
-		}
-
-		// check permissions before we continue, this is especially important for
-		// shared files
-		if (!$this->isDeletable($path)) {
-			return false;
-		}
-
-		$normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path, true, false, true);
-		$result = true;
-		$view = Filesystem::getView();
-		if (!isset($this->deletedFiles[$normalized]) && $view instanceof View) {
-			$this->deletedFiles[$normalized] = $normalized;
-			if ($filesPath = $view->getRelativePath($normalized)) {
-				$filesPath = trim($filesPath, '/');
-				$result = \OCA\Files_Trashbin\Trashbin::move2trash($filesPath, $ownerOnly);
-				// in cross-storage cases the file will be copied
-				// but not deleted, so we delete it here
-				if ($result) {
-					call_user_func_array([$this->storage, $method], [$path]);
-				}
-			} else {
-				$result = call_user_func_array([$this->storage, $method], [$path]);
-			}
-			unset($this->deletedFiles[$normalized]);
-		} else if ($this->storage->file_exists($path)) {
-			$result = call_user_func_array([$this->storage, $method], [$path]);
-		}
-
-		return $result;
-	}
-
-	/**
-	 * Setup the storate wrapper callback
-	 */
-	public static function setupStorage() {
-		\OC\Files\Filesystem::addStorageWrapper('oc_trashbin', function ($mountPoint, $storage) {
-			return new \OCA\Files_Trashbin\Storage(
-				array('storage' => $storage, 'mountPoint' => $mountPoint),
-				\OC::$server->getUserManager(),
-				\OC::$server->getLogger()
-			);
-		}, 1);
-	}
+    private $mountPoint;
+    // remember already deleted files to avoid infinite loops if the trash bin
+    // move files across storages
+    private $deletedFiles = array();
+
+    /**
+     * Disable trash logic
+     *
+     * @var bool
+     */
+    private static $disableTrash = false;
+
+    /**
+     * remember which file/folder was moved out of s shared folder
+     * in this case we want to add a copy to the owners trash bin
+     *
+     * @var array
+     */
+    private static $moveOutOfSharedFolder = [];
+
+    /** @var  IUserManager */
+    private $userManager;
+
+    /** @var ILogger */
+    private $logger;
+
+    /**
+     * Storage constructor.
+     *
+     * @param array $parameters
+     * @param IUserManager|null $userManager
+     */
+    public function __construct($parameters,
+                                IUserManager $userManager = null,
+                                ILogger $logger = null) {
+        $this->mountPoint = $parameters['mountPoint'];
+        $this->userManager = $userManager;
+        $this->logger = $logger;
+        parent::__construct($parameters);
+    }
+
+    /**
+     * @internal
+     */
+    public static function preRenameHook($params) {
+        // in cross-storage cases, a rename is a copy + unlink,
+        // that last unlink must not go to trash, only exception:
+        // if the file was moved from a shared storage to a local folder,
+        // in this case the owner should get a copy in his trash bin so that
+        // they can restore the files again
+
+        $oldPath = $params['oldpath'];
+        $newPath = dirname($params['newpath']);
+        $currentUser = \OC::$server->getUserSession()->getUser();
+
+        $fileMovedOutOfSharedFolder = false;
+
+        try {
+            if ($currentUser) {
+                $currentUserId = $currentUser->getUID();
+
+                $view = new View($currentUserId . '/files');
+                $fileInfo = $view->getFileInfo($oldPath);
+                if ($fileInfo) {
+                    $sourceStorage = $fileInfo->getStorage();
+                    $sourceOwner = $view->getOwner($oldPath);
+                    $targetOwner = $view->getOwner($newPath);
+
+                    if ($sourceOwner !== $targetOwner
+                        && $sourceStorage->instanceOfStorage('OCA\Files_Sharing\SharedStorage')
+                    ) {
+                        $fileMovedOutOfSharedFolder = true;
+                    }
+                }
+            }
+        } catch (\Exception $e) {
+            // do nothing, in this case we just disable the trashbin and continue
+            $logger = \OC::$server->getLogger();
+            $logger->debug('Trashbin storage could not check if a file was moved out of a shared folder: ' . $e->getMessage());
+        }
+
+        if($fileMovedOutOfSharedFolder) {
+            self::$moveOutOfSharedFolder['/' . $currentUserId . '/files' . $oldPath] = true;
+        } else {
+            self::$disableTrash = true;
+        }
+
+    }
+
+    /**
+     * @internal
+     */
+    public static function postRenameHook($params) {
+        self::$disableTrash = false;
+    }
+
+    /**
+     * Rename path1 to path2 by calling the wrapped storage.
+     *
+     * @param string $path1 first path
+     * @param string $path2 second path
+     * @return bool
+     */
+    public function rename($path1, $path2) {
+        $result = $this->storage->rename($path1, $path2);
+        if ($result === false) {
+            // when rename failed, the post_rename hook isn't triggered,
+            // but we still want to reenable the trash logic
+            self::$disableTrash = false;
+        }
+        return $result;
+    }
+
+    /**
+     * Deletes the given file by moving it into the trashbin.
+     *
+     * @param string $path path of file or folder to delete
+     *
+     * @return bool true if the operation succeeded, false otherwise
+     */
+    public function unlink($path) {
+        try {
+            if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
+                $result = $this->doDelete($path, 'unlink', true);
+                unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
+            } else {
+                $result = $this->doDelete($path, 'unlink');
+            }
+        } catch (GenericEncryptionException $e) {
+            // in case of a encryption exception we delete the file right away
+            $this->logger->info(
+                "Can't move file" .  $path .
+                "to the trash bin, therefore it was deleted right away");
+
+            $result = $this->storage->unlink($path);
+        }
+
+        return $result;
+    }
+
+    /**
+     * Deletes the given folder by moving it into the trashbin.
+     *
+     * @param string $path path of folder to delete
+     *
+     * @return bool true if the operation succeeded, false otherwise
+     */
+    public function rmdir($path) {
+        if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
+            $result = $this->doDelete($path, 'rmdir', true);
+            unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
+        } else {
+            $result = $this->doDelete($path, 'rmdir');
+        }
+
+        return $result;
+    }
+
+    /**
+     * check if it is a file located in data/user/files only files in the
+     * 'files' directory should be moved to the trash
+     *
+     * @param $path
+     * @return bool
+     */
+    protected function shouldMoveToTrash($path){
+        $normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path);
+        $parts = explode('/', $normalized);
+        if (count($parts) < 4) {
+            return false;
+        }
+
+        if ($this->userManager->userExists($parts[1]) && $parts[2] == 'files') {
+            return true;
+        }
+
+        return false;
+    }
+
+    /**
+     * Run the delete operation with the given method
+     *
+     * @param string $path path of file or folder to delete
+     * @param string $method either "unlink" or "rmdir"
+     * @param bool $ownerOnly delete for owner only (if file gets moved out of a shared folder)
+     *
+     * @return bool true if the operation succeeded, false otherwise
+     */
+    private function doDelete($path, $method, $ownerOnly = false) {
+        if (self::$disableTrash
+            || !\OC_App::isEnabled('files_trashbin')
+            || (pathinfo($path, PATHINFO_EXTENSION) === 'part')
+            || $this->shouldMoveToTrash($path) === false
+        ) {
+            return call_user_func_array([$this->storage, $method], [$path]);
+        }
+
+        // check permissions before we continue, this is especially important for
+        // shared files
+        if (!$this->isDeletable($path)) {
+            return false;
+        }
+
+        $normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path, true, false, true);
+        $result = true;
+        $view = Filesystem::getView();
+        if (!isset($this->deletedFiles[$normalized]) && $view instanceof View) {
+            $this->deletedFiles[$normalized] = $normalized;
+            if ($filesPath = $view->getRelativePath($normalized)) {
+                $filesPath = trim($filesPath, '/');
+                $result = \OCA\Files_Trashbin\Trashbin::move2trash($filesPath, $ownerOnly);
+                // in cross-storage cases the file will be copied
+                // but not deleted, so we delete it here
+                if ($result) {
+                    call_user_func_array([$this->storage, $method], [$path]);
+                }
+            } else {
+                $result = call_user_func_array([$this->storage, $method], [$path]);
+            }
+            unset($this->deletedFiles[$normalized]);
+        } else if ($this->storage->file_exists($path)) {
+            $result = call_user_func_array([$this->storage, $method], [$path]);
+        }
+
+        return $result;
+    }
+
+    /**
+     * Setup the storate wrapper callback
+     */
+    public static function setupStorage() {
+        \OC\Files\Filesystem::addStorageWrapper('oc_trashbin', function ($mountPoint, $storage) {
+            return new \OCA\Files_Trashbin\Storage(
+                array('storage' => $storage, 'mountPoint' => $mountPoint),
+                \OC::$server->getUserManager(),
+                \OC::$server->getLogger()
+            );
+        }, 1);
+    }
 
 }

Spacing +13 added lines, -13 removed lines

@@ -95,7 +95,7 @@ 
 			if ($currentUser) {
 				$currentUserId = $currentUser->getUID();
 
-				$view = new View($currentUserId . '/files');
+				$view = new View($currentUserId.'/files');
 				$fileInfo = $view->getFileInfo($oldPath);
 				if ($fileInfo) {
 					$sourceStorage = $fileInfo->getStorage();
@@ -112,11 +112,11 @@ 
 		} catch (\Exception $e) {
 			// do nothing, in this case we just disable the trashbin and continue
 			$logger = \OC::$server->getLogger();
-			$logger->debug('Trashbin storage could not check if a file was moved out of a shared folder: ' . $e->getMessage());
+			$logger->debug('Trashbin storage could not check if a file was moved out of a shared folder: '.$e->getMessage());
 		}
 
-		if($fileMovedOutOfSharedFolder) {
-			self::$moveOutOfSharedFolder['/' . $currentUserId . '/files' . $oldPath] = true;
+		if ($fileMovedOutOfSharedFolder) {
+			self::$moveOutOfSharedFolder['/'.$currentUserId.'/files'.$oldPath] = true;
 		} else {
 			self::$disableTrash = true;
 		}
@@ -156,16 +156,16 @@ 
 	 */
 	public function unlink($path) {
 		try {
-			if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
+			if (isset(self::$moveOutOfSharedFolder[$this->mountPoint.$path])) {
 				$result = $this->doDelete($path, 'unlink', true);
-				unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
+				unset(self::$moveOutOfSharedFolder[$this->mountPoint.$path]);
 			} else {
 				$result = $this->doDelete($path, 'unlink');
 			}
 		} catch (GenericEncryptionException $e) {
 			// in case of a encryption exception we delete the file right away
 			$this->logger->info(
-				"Can't move file" .  $path .
+				"Can't move file".$path.
 				"to the trash bin, therefore it was deleted right away");
 
 			$result = $this->storage->unlink($path);
@@ -182,9 +182,9 @@ 
 	 * @return bool true if the operation succeeded, false otherwise
 	 */
 	public function rmdir($path) {
-		if (isset(self::$moveOutOfSharedFolder[$this->mountPoint . $path])) {
+		if (isset(self::$moveOutOfSharedFolder[$this->mountPoint.$path])) {
 			$result = $this->doDelete($path, 'rmdir', true);
-			unset(self::$moveOutOfSharedFolder[$this->mountPoint . $path]);
+			unset(self::$moveOutOfSharedFolder[$this->mountPoint.$path]);
 		} else {
 			$result = $this->doDelete($path, 'rmdir');
 		}
@@ -199,8 +199,8 @@ 
 	 * @param $path
 	 * @return bool
 	 */
-	protected function shouldMoveToTrash($path){
-		$normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path);
+	protected function shouldMoveToTrash($path) {
+		$normalized = Filesystem::normalizePath($this->mountPoint.'/'.$path);
 		$parts = explode('/', $normalized);
 		if (count($parts) < 4) {
 			return false;
@@ -237,7 +237,7 @@ 
 			return false;
 		}
 
-		$normalized = Filesystem::normalizePath($this->mountPoint . '/' . $path, true, false, true);
+		$normalized = Filesystem::normalizePath($this->mountPoint.'/'.$path, true, false, true);
 		$result = true;
 		$view = Filesystem::getView();
 		if (!isset($this->deletedFiles[$normalized]) && $view instanceof View) {
@@ -265,7 +265,7 @@ 
 	 * Setup the storate wrapper callback
 	 */
 	public static function setupStorage() {
-		\OC\Files\Filesystem::addStorageWrapper('oc_trashbin', function ($mountPoint, $storage) {
+		\OC\Files\Filesystem::addStorageWrapper('oc_trashbin', function($mountPoint, $storage) {
 			return new \OCA\Files_Trashbin\Storage(
 				array('storage' => $storage, 'mountPoint' => $mountPoint),
 				\OC::$server->getUserManager(),

apps/encryption/lib/Crypto/Crypt.php

Indentation +636 added lines, -636 removed lines

@@ -53,641 +53,641 @@
  */
 class Crypt {
 
-	const DEFAULT_CIPHER = 'AES-256-CTR';
-	// default cipher from old ownCloud versions
-	const LEGACY_CIPHER = 'AES-128-CFB';
-
-	// default key format, old ownCloud version encrypted the private key directly
-	// with the user password
-	const LEGACY_KEY_FORMAT = 'password';
-
-	const HEADER_START = 'HBEGIN';
-	const HEADER_END = 'HEND';
-
-	/** @var ILogger */
-	private $logger;
-
-	/** @var string */
-	private $user;
-
-	/** @var IConfig */
-	private $config;
-
-	/** @var array */
-	private $supportedKeyFormats;
-
-	/** @var IL10N */
-	private $l;
-
-	/** @var array */
-	private $supportedCiphersAndKeySize = [
-		'AES-256-CTR' => 32,
-		'AES-128-CTR' => 16,
-		'AES-256-CFB' => 32,
-		'AES-128-CFB' => 16,
-	];
-
-	/**
-	 * @param ILogger $logger
-	 * @param IUserSession $userSession
-	 * @param IConfig $config
-	 * @param IL10N $l
-	 */
-	public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) {
-		$this->logger = $logger;
-		$this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
-		$this->config = $config;
-		$this->l = $l;
-		$this->supportedKeyFormats = ['hash', 'password'];
-	}
-
-	/**
-	 * create new private/public key-pair for user
-	 *
-	 * @return array|bool
-	 */
-	public function createKeyPair() {
-
-		$log = $this->logger;
-		$res = $this->getOpenSSLPKey();
-
-		if (!$res) {
-			$log->error("Encryption Library couldn't generate users key-pair for {$this->user}",
-				['app' => 'encryption']);
-
-			if (openssl_error_string()) {
-				$log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
-					['app' => 'encryption']);
-			}
-		} elseif (openssl_pkey_export($res,
-			$privateKey,
-			null,
-			$this->getOpenSSLConfig())) {
-			$keyDetails = openssl_pkey_get_details($res);
-			$publicKey = $keyDetails['key'];
-
-			return [
-				'publicKey' => $publicKey,
-				'privateKey' => $privateKey
-			];
-		}
-		$log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
-			['app' => 'encryption']);
-		if (openssl_error_string()) {
-			$log->error('Encryption Library:' . openssl_error_string(),
-				['app' => 'encryption']);
-		}
-
-		return false;
-	}
-
-	/**
-	 * Generates a new private key
-	 *
-	 * @return resource
-	 */
-	public function getOpenSSLPKey() {
-		$config = $this->getOpenSSLConfig();
-		return openssl_pkey_new($config);
-	}
-
-	/**
-	 * get openSSL Config
-	 *
-	 * @return array
-	 */
-	private function getOpenSSLConfig() {
-		$config = ['private_key_bits' => 4096];
-		$config = array_merge(
-			$config,
-			$this->config->getSystemValue('openssl', [])
-		);
-		return $config;
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param string $passPhrase
-	 * @param int $version
-	 * @param int $position
-	 * @return false|string
-	 * @throws EncryptionFailedException
-	 */
-	public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) {
-
-		if (!$plainContent) {
-			$this->logger->error('Encryption Library, symmetrical encryption failed no content given',
-				['app' => 'encryption']);
-			return false;
-		}
-
-		$iv = $this->generateIv();
-
-		$encryptedContent = $this->encrypt($plainContent,
-			$iv,
-			$passPhrase,
-			$this->getCipher());
-
-		// Create a signature based on the key as well as the current version
-		$sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position);
-
-		// combine content to encrypt the IV identifier and actual IV
-		$catFile = $this->concatIV($encryptedContent, $iv);
-		$catFile = $this->concatSig($catFile, $sig);
-		$padded = $this->addPadding($catFile);
-
-		return $padded;
-	}
-
-	/**
-	 * generate header for encrypted file
-	 *
-	 * @param string $keyFormat (can be 'hash' or 'password')
-	 * @return string
-	 * @throws \InvalidArgumentException
-	 */
-	public function generateHeader($keyFormat = 'hash') {
-
-		if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
-			throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
-		}
-
-		$cipher = $this->getCipher();
-
-		$header = self::HEADER_START
-			. ':cipher:' . $cipher
-			. ':keyFormat:' . $keyFormat
-			. ':' . self::HEADER_END;
-
-		return $header;
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param string $iv
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @return string
-	 * @throws EncryptionFailedException
-	 */
-	private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
-		$encryptedContent = openssl_encrypt($plainContent,
-			$cipher,
-			$passPhrase,
-			false,
-			$iv);
-
-		if (!$encryptedContent) {
-			$error = 'Encryption (symmetric) of content failed';
-			$this->logger->error($error . openssl_error_string(),
-				['app' => 'encryption']);
-			throw new EncryptionFailedException($error);
-		}
-
-		return $encryptedContent;
-	}
-
-	/**
-	 * return Cipher either from config.php or the default cipher defined in
-	 * this class
-	 *
-	 * @return string
-	 */
-	public function getCipher() {
-		$cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER);
-		if (!isset($this->supportedCiphersAndKeySize[$cipher])) {
-			$this->logger->warning(
-					sprintf(
-							'Unsupported cipher (%s) defined in config.php supported. Falling back to %s',
-							$cipher,
-							self::DEFAULT_CIPHER
-					),
-				['app' => 'encryption']);
-			$cipher = self::DEFAULT_CIPHER;
-		}
-
-		// Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
-		if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
-			if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
-				$cipher = self::LEGACY_CIPHER;
-			}
-		}
-
-		return $cipher;
-	}
-
-	/**
-	 * get key size depending on the cipher
-	 *
-	 * @param string $cipher
-	 * @return int
-	 * @throws \InvalidArgumentException
-	 */
-	protected function getKeySize($cipher) {
-		if(isset($this->supportedCiphersAndKeySize[$cipher])) {
-			return $this->supportedCiphersAndKeySize[$cipher];
-		}
-
-		throw new \InvalidArgumentException(
-			sprintf(
-					'Unsupported cipher (%s) defined.',
-					$cipher
-			)
-		);
-	}
-
-	/**
-	 * get legacy cipher
-	 *
-	 * @return string
-	 */
-	public function getLegacyCipher() {
-		return self::LEGACY_CIPHER;
-	}
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $iv
-	 * @return string
-	 */
-	private function concatIV($encryptedContent, $iv) {
-		return $encryptedContent . '00iv00' . $iv;
-	}
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $signature
-	 * @return string
-	 */
-	private function concatSig($encryptedContent, $signature) {
-		return $encryptedContent . '00sig00' . $signature;
-	}
-
-	/**
-	 * Note: This is _NOT_ a padding used for encryption purposes. It is solely
-	 * used to achieve the PHP stream size. It has _NOTHING_ to do with the
-	 * encrypted content and is not used in any crypto primitive.
-	 *
-	 * @param string $data
-	 * @return string
-	 */
-	private function addPadding($data) {
-		return $data . 'xxx';
-	}
-
-	/**
-	 * generate password hash used to encrypt the users private key
-	 *
-	 * @param string $password
-	 * @param string $cipher
-	 * @param string $uid only used for user keys
-	 * @return string
-	 */
-	protected function generatePasswordHash($password, $cipher, $uid = '') {
-		$instanceId = $this->config->getSystemValue('instanceid');
-		$instanceSecret = $this->config->getSystemValue('secret');
-		$salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
-		$keySize = $this->getKeySize($cipher);
-
-		$hash = hash_pbkdf2(
-			'sha256',
-			$password,
-			$salt,
-			100000,
-			$keySize,
-			true
-		);
-
-		return $hash;
-	}
-
-	/**
-	 * encrypt private key
-	 *
-	 * @param string $privateKey
-	 * @param string $password
-	 * @param string $uid for regular users, empty for system keys
-	 * @return false|string
-	 */
-	public function encryptPrivateKey($privateKey, $password, $uid = '') {
-		$cipher = $this->getCipher();
-		$hash = $this->generatePasswordHash($password, $cipher, $uid);
-		$encryptedKey = $this->symmetricEncryptFileContent(
-			$privateKey,
-			$hash,
-			0,
-			0
-		);
-
-		return $encryptedKey;
-	}
-
-	/**
-	 * @param string $privateKey
-	 * @param string $password
-	 * @param string $uid for regular users, empty for system keys
-	 * @return false|string
-	 */
-	public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
-
-		$header = $this->parseHeader($privateKey);
-
-		if (isset($header['cipher'])) {
-			$cipher = $header['cipher'];
-		} else {
-			$cipher = self::LEGACY_CIPHER;
-		}
-
-		if (isset($header['keyFormat'])) {
-			$keyFormat = $header['keyFormat'];
-		} else {
-			$keyFormat = self::LEGACY_KEY_FORMAT;
-		}
-
-		if ($keyFormat === 'hash') {
-			$password = $this->generatePasswordHash($password, $cipher, $uid);
-		}
-
-		// If we found a header we need to remove it from the key we want to decrypt
-		if (!empty($header)) {
-			$privateKey = substr($privateKey,
-				strpos($privateKey,
-					self::HEADER_END) + strlen(self::HEADER_END));
-		}
-
-		$plainKey = $this->symmetricDecryptFileContent(
-			$privateKey,
-			$password,
-			$cipher,
-			0
-		);
-
-		if ($this->isValidPrivateKey($plainKey) === false) {
-			return false;
-		}
-
-		return $plainKey;
-	}
-
-	/**
-	 * check if it is a valid private key
-	 *
-	 * @param string $plainKey
-	 * @return bool
-	 */
-	protected function isValidPrivateKey($plainKey) {
-		$res = openssl_get_privatekey($plainKey);
-		if (is_resource($res)) {
-			$sslInfo = openssl_pkey_get_details($res);
-			if (isset($sslInfo['key'])) {
-				return true;
-			}
-		}
-
-		return false;
-	}
-
-	/**
-	 * @param string $keyFileContents
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @param int $version
-	 * @param int $position
-	 * @return string
-	 * @throws DecryptionFailedException
-	 */
-	public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
-		$catFile = $this->splitMetaData($keyFileContents, $cipher);
-
-		if ($catFile['signature'] !== false) {
-			$this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']);
-		}
-
-		return $this->decrypt($catFile['encrypted'],
-			$catFile['iv'],
-			$passPhrase,
-			$cipher);
-	}
-
-	/**
-	 * check for valid signature
-	 *
-	 * @param string $data
-	 * @param string $passPhrase
-	 * @param string $expectedSignature
-	 * @throws GenericEncryptionException
-	 */
-	private function checkSignature($data, $passPhrase, $expectedSignature) {
-		$signature = $this->createSignature($data, $passPhrase);
-		if (!hash_equals($expectedSignature, $signature)) {
-			throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
-		}
-	}
-
-	/**
-	 * create signature
-	 *
-	 * @param string $data
-	 * @param string $passPhrase
-	 * @return string
-	 */
-	private function createSignature($data, $passPhrase) {
-		$passPhrase = hash('sha512', $passPhrase . 'a', true);
-		$signature = hash_hmac('sha256', $data, $passPhrase);
-		return $signature;
-	}
-
-
-	/**
-	 * remove padding
-	 *
-	 * @param string $padded
-	 * @param bool $hasSignature did the block contain a signature, in this case we use a different padding
-	 * @return string|false
-	 */
-	private function removePadding($padded, $hasSignature = false) {
-		if ($hasSignature === false && substr($padded, -2) === 'xx') {
-			return substr($padded, 0, -2);
-		} elseif ($hasSignature === true && substr($padded, -3) === 'xxx') {
-			return substr($padded, 0, -3);
-		}
-		return false;
-	}
-
-	/**
-	 * split meta data from encrypted file
-	 * Note: for now, we assume that the meta data always start with the iv
-	 *       followed by the signature, if available
-	 *
-	 * @param string $catFile
-	 * @param string $cipher
-	 * @return array
-	 */
-	private function splitMetaData($catFile, $cipher) {
-		if ($this->hasSignature($catFile, $cipher)) {
-			$catFile = $this->removePadding($catFile, true);
-			$meta = substr($catFile, -93);
-			$iv = substr($meta, strlen('00iv00'), 16);
-			$sig = substr($meta, 22 + strlen('00sig00'));
-			$encrypted = substr($catFile, 0, -93);
-		} else {
-			$catFile = $this->removePadding($catFile);
-			$meta = substr($catFile, -22);
-			$iv = substr($meta, -16);
-			$sig = false;
-			$encrypted = substr($catFile, 0, -22);
-		}
-
-		return [
-			'encrypted' => $encrypted,
-			'iv' => $iv,
-			'signature' => $sig
-		];
-	}
-
-	/**
-	 * check if encrypted block is signed
-	 *
-	 * @param string $catFile
-	 * @param string $cipher
-	 * @return bool
-	 * @throws GenericEncryptionException
-	 */
-	private function hasSignature($catFile, $cipher) {
-		$meta = substr($catFile, -93);
-		$signaturePosition = strpos($meta, '00sig00');
-
-		// enforce signature for the new 'CTR' ciphers
-		if ($signaturePosition === false && strpos(strtolower($cipher), 'ctr') !== false) {
-			throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
-		}
-
-		return ($signaturePosition !== false);
-	}
-
-
-	/**
-	 * @param string $encryptedContent
-	 * @param string $iv
-	 * @param string $passPhrase
-	 * @param string $cipher
-	 * @return string
-	 * @throws DecryptionFailedException
-	 */
-	private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
-		$plainContent = openssl_decrypt($encryptedContent,
-			$cipher,
-			$passPhrase,
-			false,
-			$iv);
-
-		if ($plainContent) {
-			return $plainContent;
-		} else {
-			throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
-		}
-	}
-
-	/**
-	 * @param string $data
-	 * @return array
-	 */
-	protected function parseHeader($data) {
-		$result = [];
-
-		if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) {
-			$endAt = strpos($data, self::HEADER_END);
-			$header = substr($data, 0, $endAt + strlen(self::HEADER_END));
-
-			// +1 not to start with an ':' which would result in empty element at the beginning
-			$exploded = explode(':',
-				substr($header, strlen(self::HEADER_START) + 1));
-
-			$element = array_shift($exploded);
-
-			while ($element != self::HEADER_END) {
-				$result[$element] = array_shift($exploded);
-				$element = array_shift($exploded);
-			}
-		}
-
-		return $result;
-	}
-
-	/**
-	 * generate initialization vector
-	 *
-	 * @return string
-	 * @throws GenericEncryptionException
-	 */
-	private function generateIv() {
-		return random_bytes(16);
-	}
-
-	/**
-	 * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used
-	 * as file key
-	 *
-	 * @return string
-	 * @throws \Exception
-	 */
-	public function generateFileKey() {
-		return random_bytes(32);
-	}
-
-	/**
-	 * @param $encKeyFile
-	 * @param $shareKey
-	 * @param $privateKey
-	 * @return string
-	 * @throws MultiKeyDecryptException
-	 */
-	public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
-		if (!$encKeyFile) {
-			throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
-		}
-
-		if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
-			return $plainContent;
-		} else {
-			throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
-		}
-	}
-
-	/**
-	 * @param string $plainContent
-	 * @param array $keyFiles
-	 * @return array
-	 * @throws MultiKeyEncryptException
-	 */
-	public function multiKeyEncrypt($plainContent, array $keyFiles) {
-		// openssl_seal returns false without errors if plaincontent is empty
-		// so trigger our own error
-		if (empty($plainContent)) {
-			throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content');
-		}
-
-		// Set empty vars to be set by openssl by reference
-		$sealed = '';
-		$shareKeys = [];
-		$mappedShareKeys = [];
-
-		if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) {
-			$i = 0;
-
-			// Ensure each shareKey is labelled with its corresponding key id
-			foreach ($keyFiles as $userId => $publicKey) {
-				$mappedShareKeys[$userId] = $shareKeys[$i];
-				$i++;
-			}
-
-			return [
-				'keys' => $mappedShareKeys,
-				'data' => $sealed
-			];
-		} else {
-			throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
-		}
-	}
+    const DEFAULT_CIPHER = 'AES-256-CTR';
+    // default cipher from old ownCloud versions
+    const LEGACY_CIPHER = 'AES-128-CFB';
+
+    // default key format, old ownCloud version encrypted the private key directly
+    // with the user password
+    const LEGACY_KEY_FORMAT = 'password';
+
+    const HEADER_START = 'HBEGIN';
+    const HEADER_END = 'HEND';
+
+    /** @var ILogger */
+    private $logger;
+
+    /** @var string */
+    private $user;
+
+    /** @var IConfig */
+    private $config;
+
+    /** @var array */
+    private $supportedKeyFormats;
+
+    /** @var IL10N */
+    private $l;
+
+    /** @var array */
+    private $supportedCiphersAndKeySize = [
+        'AES-256-CTR' => 32,
+        'AES-128-CTR' => 16,
+        'AES-256-CFB' => 32,
+        'AES-128-CFB' => 16,
+    ];
+
+    /**
+     * @param ILogger $logger
+     * @param IUserSession $userSession
+     * @param IConfig $config
+     * @param IL10N $l
+     */
+    public function __construct(ILogger $logger, IUserSession $userSession, IConfig $config, IL10N $l) {
+        $this->logger = $logger;
+        $this->user = $userSession && $userSession->isLoggedIn() ? $userSession->getUser()->getUID() : '"no user given"';
+        $this->config = $config;
+        $this->l = $l;
+        $this->supportedKeyFormats = ['hash', 'password'];
+    }
+
+    /**
+     * create new private/public key-pair for user
+     *
+     * @return array|bool
+     */
+    public function createKeyPair() {
+
+        $log = $this->logger;
+        $res = $this->getOpenSSLPKey();
+
+        if (!$res) {
+            $log->error("Encryption Library couldn't generate users key-pair for {$this->user}",
+                ['app' => 'encryption']);
+
+            if (openssl_error_string()) {
+                $log->error('Encryption library openssl_pkey_new() fails: ' . openssl_error_string(),
+                    ['app' => 'encryption']);
+            }
+        } elseif (openssl_pkey_export($res,
+            $privateKey,
+            null,
+            $this->getOpenSSLConfig())) {
+            $keyDetails = openssl_pkey_get_details($res);
+            $publicKey = $keyDetails['key'];
+
+            return [
+                'publicKey' => $publicKey,
+                'privateKey' => $privateKey
+            ];
+        }
+        $log->error('Encryption library couldn\'t export users private key, please check your servers OpenSSL configuration.' . $this->user,
+            ['app' => 'encryption']);
+        if (openssl_error_string()) {
+            $log->error('Encryption Library:' . openssl_error_string(),
+                ['app' => 'encryption']);
+        }
+
+        return false;
+    }
+
+    /**
+     * Generates a new private key
+     *
+     * @return resource
+     */
+    public function getOpenSSLPKey() {
+        $config = $this->getOpenSSLConfig();
+        return openssl_pkey_new($config);
+    }
+
+    /**
+     * get openSSL Config
+     *
+     * @return array
+     */
+    private function getOpenSSLConfig() {
+        $config = ['private_key_bits' => 4096];
+        $config = array_merge(
+            $config,
+            $this->config->getSystemValue('openssl', [])
+        );
+        return $config;
+    }
+
+    /**
+     * @param string $plainContent
+     * @param string $passPhrase
+     * @param int $version
+     * @param int $position
+     * @return false|string
+     * @throws EncryptionFailedException
+     */
+    public function symmetricEncryptFileContent($plainContent, $passPhrase, $version, $position) {
+
+        if (!$plainContent) {
+            $this->logger->error('Encryption Library, symmetrical encryption failed no content given',
+                ['app' => 'encryption']);
+            return false;
+        }
+
+        $iv = $this->generateIv();
+
+        $encryptedContent = $this->encrypt($plainContent,
+            $iv,
+            $passPhrase,
+            $this->getCipher());
+
+        // Create a signature based on the key as well as the current version
+        $sig = $this->createSignature($encryptedContent, $passPhrase.$version.$position);
+
+        // combine content to encrypt the IV identifier and actual IV
+        $catFile = $this->concatIV($encryptedContent, $iv);
+        $catFile = $this->concatSig($catFile, $sig);
+        $padded = $this->addPadding($catFile);
+
+        return $padded;
+    }
+
+    /**
+     * generate header for encrypted file
+     *
+     * @param string $keyFormat (can be 'hash' or 'password')
+     * @return string
+     * @throws \InvalidArgumentException
+     */
+    public function generateHeader($keyFormat = 'hash') {
+
+        if (in_array($keyFormat, $this->supportedKeyFormats, true) === false) {
+            throw new \InvalidArgumentException('key format "' . $keyFormat . '" is not supported');
+        }
+
+        $cipher = $this->getCipher();
+
+        $header = self::HEADER_START
+            . ':cipher:' . $cipher
+            . ':keyFormat:' . $keyFormat
+            . ':' . self::HEADER_END;
+
+        return $header;
+    }
+
+    /**
+     * @param string $plainContent
+     * @param string $iv
+     * @param string $passPhrase
+     * @param string $cipher
+     * @return string
+     * @throws EncryptionFailedException
+     */
+    private function encrypt($plainContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+        $encryptedContent = openssl_encrypt($plainContent,
+            $cipher,
+            $passPhrase,
+            false,
+            $iv);
+
+        if (!$encryptedContent) {
+            $error = 'Encryption (symmetric) of content failed';
+            $this->logger->error($error . openssl_error_string(),
+                ['app' => 'encryption']);
+            throw new EncryptionFailedException($error);
+        }
+
+        return $encryptedContent;
+    }
+
+    /**
+     * return Cipher either from config.php or the default cipher defined in
+     * this class
+     *
+     * @return string
+     */
+    public function getCipher() {
+        $cipher = $this->config->getSystemValue('cipher', self::DEFAULT_CIPHER);
+        if (!isset($this->supportedCiphersAndKeySize[$cipher])) {
+            $this->logger->warning(
+                    sprintf(
+                            'Unsupported cipher (%s) defined in config.php supported. Falling back to %s',
+                            $cipher,
+                            self::DEFAULT_CIPHER
+                    ),
+                ['app' => 'encryption']);
+            $cipher = self::DEFAULT_CIPHER;
+        }
+
+        // Workaround for OpenSSL 0.9.8. Fallback to an old cipher that should work.
+        if(OPENSSL_VERSION_NUMBER < 0x1000101f) {
+            if($cipher === 'AES-256-CTR' || $cipher === 'AES-128-CTR') {
+                $cipher = self::LEGACY_CIPHER;
+            }
+        }
+
+        return $cipher;
+    }
+
+    /**
+     * get key size depending on the cipher
+     *
+     * @param string $cipher
+     * @return int
+     * @throws \InvalidArgumentException
+     */
+    protected function getKeySize($cipher) {
+        if(isset($this->supportedCiphersAndKeySize[$cipher])) {
+            return $this->supportedCiphersAndKeySize[$cipher];
+        }
+
+        throw new \InvalidArgumentException(
+            sprintf(
+                    'Unsupported cipher (%s) defined.',
+                    $cipher
+            )
+        );
+    }
+
+    /**
+     * get legacy cipher
+     *
+     * @return string
+     */
+    public function getLegacyCipher() {
+        return self::LEGACY_CIPHER;
+    }
+
+    /**
+     * @param string $encryptedContent
+     * @param string $iv
+     * @return string
+     */
+    private function concatIV($encryptedContent, $iv) {
+        return $encryptedContent . '00iv00' . $iv;
+    }
+
+    /**
+     * @param string $encryptedContent
+     * @param string $signature
+     * @return string
+     */
+    private function concatSig($encryptedContent, $signature) {
+        return $encryptedContent . '00sig00' . $signature;
+    }
+
+    /**
+     * Note: This is _NOT_ a padding used for encryption purposes. It is solely
+     * used to achieve the PHP stream size. It has _NOTHING_ to do with the
+     * encrypted content and is not used in any crypto primitive.
+     *
+     * @param string $data
+     * @return string
+     */
+    private function addPadding($data) {
+        return $data . 'xxx';
+    }
+
+    /**
+     * generate password hash used to encrypt the users private key
+     *
+     * @param string $password
+     * @param string $cipher
+     * @param string $uid only used for user keys
+     * @return string
+     */
+    protected function generatePasswordHash($password, $cipher, $uid = '') {
+        $instanceId = $this->config->getSystemValue('instanceid');
+        $instanceSecret = $this->config->getSystemValue('secret');
+        $salt = hash('sha256', $uid . $instanceId . $instanceSecret, true);
+        $keySize = $this->getKeySize($cipher);
+
+        $hash = hash_pbkdf2(
+            'sha256',
+            $password,
+            $salt,
+            100000,
+            $keySize,
+            true
+        );
+
+        return $hash;
+    }
+
+    /**
+     * encrypt private key
+     *
+     * @param string $privateKey
+     * @param string $password
+     * @param string $uid for regular users, empty for system keys
+     * @return false|string
+     */
+    public function encryptPrivateKey($privateKey, $password, $uid = '') {
+        $cipher = $this->getCipher();
+        $hash = $this->generatePasswordHash($password, $cipher, $uid);
+        $encryptedKey = $this->symmetricEncryptFileContent(
+            $privateKey,
+            $hash,
+            0,
+            0
+        );
+
+        return $encryptedKey;
+    }
+
+    /**
+     * @param string $privateKey
+     * @param string $password
+     * @param string $uid for regular users, empty for system keys
+     * @return false|string
+     */
+    public function decryptPrivateKey($privateKey, $password = '', $uid = '') {
+
+        $header = $this->parseHeader($privateKey);
+
+        if (isset($header['cipher'])) {
+            $cipher = $header['cipher'];
+        } else {
+            $cipher = self::LEGACY_CIPHER;
+        }
+
+        if (isset($header['keyFormat'])) {
+            $keyFormat = $header['keyFormat'];
+        } else {
+            $keyFormat = self::LEGACY_KEY_FORMAT;
+        }
+
+        if ($keyFormat === 'hash') {
+            $password = $this->generatePasswordHash($password, $cipher, $uid);
+        }
+
+        // If we found a header we need to remove it from the key we want to decrypt
+        if (!empty($header)) {
+            $privateKey = substr($privateKey,
+                strpos($privateKey,
+                    self::HEADER_END) + strlen(self::HEADER_END));
+        }
+
+        $plainKey = $this->symmetricDecryptFileContent(
+            $privateKey,
+            $password,
+            $cipher,
+            0
+        );
+
+        if ($this->isValidPrivateKey($plainKey) === false) {
+            return false;
+        }
+
+        return $plainKey;
+    }
+
+    /**
+     * check if it is a valid private key
+     *
+     * @param string $plainKey
+     * @return bool
+     */
+    protected function isValidPrivateKey($plainKey) {
+        $res = openssl_get_privatekey($plainKey);
+        if (is_resource($res)) {
+            $sslInfo = openssl_pkey_get_details($res);
+            if (isset($sslInfo['key'])) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    /**
+     * @param string $keyFileContents
+     * @param string $passPhrase
+     * @param string $cipher
+     * @param int $version
+     * @param int $position
+     * @return string
+     * @throws DecryptionFailedException
+     */
+    public function symmetricDecryptFileContent($keyFileContents, $passPhrase, $cipher = self::DEFAULT_CIPHER, $version = 0, $position = 0) {
+        $catFile = $this->splitMetaData($keyFileContents, $cipher);
+
+        if ($catFile['signature'] !== false) {
+            $this->checkSignature($catFile['encrypted'], $passPhrase.$version.$position, $catFile['signature']);
+        }
+
+        return $this->decrypt($catFile['encrypted'],
+            $catFile['iv'],
+            $passPhrase,
+            $cipher);
+    }
+
+    /**
+     * check for valid signature
+     *
+     * @param string $data
+     * @param string $passPhrase
+     * @param string $expectedSignature
+     * @throws GenericEncryptionException
+     */
+    private function checkSignature($data, $passPhrase, $expectedSignature) {
+        $signature = $this->createSignature($data, $passPhrase);
+        if (!hash_equals($expectedSignature, $signature)) {
+            throw new GenericEncryptionException('Bad Signature', $this->l->t('Bad Signature'));
+        }
+    }
+
+    /**
+     * create signature
+     *
+     * @param string $data
+     * @param string $passPhrase
+     * @return string
+     */
+    private function createSignature($data, $passPhrase) {
+        $passPhrase = hash('sha512', $passPhrase . 'a', true);
+        $signature = hash_hmac('sha256', $data, $passPhrase);
+        return $signature;
+    }
+
+
+    /**
+     * remove padding
+     *
+     * @param string $padded
+     * @param bool $hasSignature did the block contain a signature, in this case we use a different padding
+     * @return string|false
+     */
+    private function removePadding($padded, $hasSignature = false) {
+        if ($hasSignature === false && substr($padded, -2) === 'xx') {
+            return substr($padded, 0, -2);
+        } elseif ($hasSignature === true && substr($padded, -3) === 'xxx') {
+            return substr($padded, 0, -3);
+        }
+        return false;
+    }
+
+    /**
+     * split meta data from encrypted file
+     * Note: for now, we assume that the meta data always start with the iv
+     *       followed by the signature, if available
+     *
+     * @param string $catFile
+     * @param string $cipher
+     * @return array
+     */
+    private function splitMetaData($catFile, $cipher) {
+        if ($this->hasSignature($catFile, $cipher)) {
+            $catFile = $this->removePadding($catFile, true);
+            $meta = substr($catFile, -93);
+            $iv = substr($meta, strlen('00iv00'), 16);
+            $sig = substr($meta, 22 + strlen('00sig00'));
+            $encrypted = substr($catFile, 0, -93);
+        } else {
+            $catFile = $this->removePadding($catFile);
+            $meta = substr($catFile, -22);
+            $iv = substr($meta, -16);
+            $sig = false;
+            $encrypted = substr($catFile, 0, -22);
+        }
+
+        return [
+            'encrypted' => $encrypted,
+            'iv' => $iv,
+            'signature' => $sig
+        ];
+    }
+
+    /**
+     * check if encrypted block is signed
+     *
+     * @param string $catFile
+     * @param string $cipher
+     * @return bool
+     * @throws GenericEncryptionException
+     */
+    private function hasSignature($catFile, $cipher) {
+        $meta = substr($catFile, -93);
+        $signaturePosition = strpos($meta, '00sig00');
+
+        // enforce signature for the new 'CTR' ciphers
+        if ($signaturePosition === false && strpos(strtolower($cipher), 'ctr') !== false) {
+            throw new GenericEncryptionException('Missing Signature', $this->l->t('Missing Signature'));
+        }
+
+        return ($signaturePosition !== false);
+    }
+
+
+    /**
+     * @param string $encryptedContent
+     * @param string $iv
+     * @param string $passPhrase
+     * @param string $cipher
+     * @return string
+     * @throws DecryptionFailedException
+     */
+    private function decrypt($encryptedContent, $iv, $passPhrase = '', $cipher = self::DEFAULT_CIPHER) {
+        $plainContent = openssl_decrypt($encryptedContent,
+            $cipher,
+            $passPhrase,
+            false,
+            $iv);
+
+        if ($plainContent) {
+            return $plainContent;
+        } else {
+            throw new DecryptionFailedException('Encryption library: Decryption (symmetric) of content failed: ' . openssl_error_string());
+        }
+    }
+
+    /**
+     * @param string $data
+     * @return array
+     */
+    protected function parseHeader($data) {
+        $result = [];
+
+        if (substr($data, 0, strlen(self::HEADER_START)) === self::HEADER_START) {
+            $endAt = strpos($data, self::HEADER_END);
+            $header = substr($data, 0, $endAt + strlen(self::HEADER_END));
+
+            // +1 not to start with an ':' which would result in empty element at the beginning
+            $exploded = explode(':',
+                substr($header, strlen(self::HEADER_START) + 1));
+
+            $element = array_shift($exploded);
+
+            while ($element != self::HEADER_END) {
+                $result[$element] = array_shift($exploded);
+                $element = array_shift($exploded);
+            }
+        }
+
+        return $result;
+    }
+
+    /**
+     * generate initialization vector
+     *
+     * @return string
+     * @throws GenericEncryptionException
+     */
+    private function generateIv() {
+        return random_bytes(16);
+    }
+
+    /**
+     * Generate a cryptographically secure pseudo-random 256-bit ASCII key, used
+     * as file key
+     *
+     * @return string
+     * @throws \Exception
+     */
+    public function generateFileKey() {
+        return random_bytes(32);
+    }
+
+    /**
+     * @param $encKeyFile
+     * @param $shareKey
+     * @param $privateKey
+     * @return string
+     * @throws MultiKeyDecryptException
+     */
+    public function multiKeyDecrypt($encKeyFile, $shareKey, $privateKey) {
+        if (!$encKeyFile) {
+            throw new MultiKeyDecryptException('Cannot multikey decrypt empty plain content');
+        }
+
+        if (openssl_open($encKeyFile, $plainContent, $shareKey, $privateKey)) {
+            return $plainContent;
+        } else {
+            throw new MultiKeyDecryptException('multikeydecrypt with share key failed:' . openssl_error_string());
+        }
+    }
+
+    /**
+     * @param string $plainContent
+     * @param array $keyFiles
+     * @return array
+     * @throws MultiKeyEncryptException
+     */
+    public function multiKeyEncrypt($plainContent, array $keyFiles) {
+        // openssl_seal returns false without errors if plaincontent is empty
+        // so trigger our own error
+        if (empty($plainContent)) {
+            throw new MultiKeyEncryptException('Cannot multikeyencrypt empty plain content');
+        }
+
+        // Set empty vars to be set by openssl by reference
+        $sealed = '';
+        $shareKeys = [];
+        $mappedShareKeys = [];
+
+        if (openssl_seal($plainContent, $sealed, $shareKeys, $keyFiles)) {
+            $i = 0;
+
+            // Ensure each shareKey is labelled with its corresponding key id
+            foreach ($keyFiles as $userId => $publicKey) {
+                $mappedShareKeys[$userId] = $shareKeys[$i];
+                $i++;
+            }
+
+            return [
+                'keys' => $mappedShareKeys,
+                'data' => $sealed
+            ];
+        } else {
+            throw new MultiKeyEncryptException('multikeyencryption failed ' . openssl_error_string());
+        }
+    }
 }