Cap RSA at 3072 bits, add zstd compression for QR codes

- RSA key size capped at 3072 bits (4096 too large for QR codes) - Added zstd compression for QR code RSA keys (better ratio than zlib) - New prefix STEGASOO-ZS: for zstd, backward compatible with STEGASOO-Z: (zlib) - Added zstandard dependency to web/api/compression extras - Updated all docs, CLI options, and web UI to reflect 3072 max - Version bump to 4.2.0 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-09 23:30:31 -05:00
parent 175362ce4c
commit 3fd3204552
13 changed files with 118 additions and 39 deletions
--- a/frontends/cli/main.py
+++ b/frontends/cli/main.py
@@ -236,7 +236,7 @@ def format_channel_status_line(quiet: bool = False) -> str | None:
    help=f"PIN length (6-9, default: {DEFAULT_PIN_LENGTH})",
 )
@click.option(
-    "--rsa-bits", type=click.Choice(["2048", "3072", "4096"]), default="2048", help="RSA key size"
+    "--rsa-bits", type=click.Choice(["2048", "3072"]), default="2048", help="RSA key size"
 )
@click.option(
    "--words",
@@ -261,7 +261,7 @@ def generate(pin, rsa, pin_length, rsa_bits, words, output, password, as_json):
    Examples:
        stegasoo generate
        stegasoo generate --words 5
-        stegasoo generate --rsa --rsa-bits 4096
+        stegasoo generate --rsa --rsa-bits 3072
        stegasoo generate --rsa -o mykey.pem -p "secretpassword"
        stegasoo generate --no-pin --rsa
    """
--- a/frontends/web/app.py
+++ b/frontends/web/app.py
@@ -253,6 +253,7 @@ from stegasoo.qr_utils import (
    detect_and_crop_qr,
    extract_key_from_qr,
    generate_qr_code,
+    is_compressed,
 )

 # Initialize subprocess wrapper (worker script must be in same directory)
@@ -1209,8 +1210,8 @@ def encode_page():
            rsa_key_from_qr = False

            if rsa_key_pem:
-                # Webcam-scanned PEM key (v4.1.5) - may be compressed
-                if rsa_key_pem.startswith("STEGASOO-Z:"):
+                # Webcam-scanned PEM key (v4.1.5+) - may be compressed (zlib or zstd)
+                if is_compressed(rsa_key_pem):
                    rsa_key_pem = decompress_data(rsa_key_pem)
                rsa_key_data = rsa_key_pem.encode("utf-8")
                rsa_key_from_qr = True
@@ -1648,8 +1649,8 @@ def decode_page():
            rsa_key_from_qr = False

            if rsa_key_pem:
-                # Webcam-scanned PEM key (v4.1.5) - may be compressed
-                if rsa_key_pem.startswith("STEGASOO-Z:"):
+                # Webcam-scanned PEM key (v4.1.5+) - may be compressed (zlib or zstd)
+                if is_compressed(rsa_key_pem):
                    rsa_key_pem = decompress_data(rsa_key_pem)
                rsa_key_data = rsa_key_pem.encode("utf-8")
                rsa_key_from_qr = True
--- a/frontends/web/templates/about.html
+++ b/frontends/web/templates/about.html
@@ -573,7 +573,7 @@
                                        </tr>
                                        <tr>
                                            <td><i class="bi bi-shield me-2"></i>RSA keys</td>
-                                            <td><strong>2048, 3072, 4096 bit</strong></td>
+                                            <td><strong>2048, 3072 bit</strong></td>
                                        </tr>
                                        <tr>
                                            <td><i class="bi bi-chat-quote me-2"></i>Passphrase</td>
--- a/frontends/web/templates/generate.html
+++ b/frontends/web/templates/generate.html
@@ -65,11 +65,7 @@
                                <select name="rsa_bits" class="form-select form-select-sm" id="rsaBitsSelect">
                                    <option value="2048" selected>2048 bits (~128 bits entropy)</option>
                                    <option value="3072">3072 bits (~128 bits entropy)</option>
-                                    <option value="4096">4096 bits (~128 bits entropy)</option>
                                </select>
-                                <div class="form-text text-warning d-none" id="rsaQrWarning">
-                                    <i class="bi bi-exclamation-triangle me-1"></i>QR code unavailable for keys &gt;3072 bits
-                                </div>
                            </div>
                        </div>
                    </div>
@@ -286,12 +282,6 @@
                                    <i class="bi bi-shield-exclamation me-1"></i>
                                    <strong>Security note:</strong> The QR code contains your unencrypted private key.
                                    Only scan in a secure environment. Consider using the password-protected download instead.
-                                    {% if rsa_bits >= 4096 %}
-                                    <br><br>
-                                    <i class="bi bi-exclamation-triangle me-1"></i>
-                                    <strong>4096-bit keys</strong> produce very dense QR codes. If scanning fails, 
-                                    use the PEM text or download options instead.
-                                    {% endif %}
                                </div>
                            </div>
                        </div>