Package org.apache.pdfbox.pdmodel.encryption

Class SecurityHandler

java.lang.Object
org.apache.pdfbox.pdmodel.encryption.SecurityHandler
Direct Known Subclasses:
PublicKeySecurityHandler, StandardSecurityHandler
public abstract class SecurityHandler extends Object
A security handler as described in the PDF specifications. A security handler is responsible of documents protection.

  • Field Details

    • LOG

      private static final org.apache.commons.logging.Log LOG

    • DEFAULT_KEY_LENGTH

      private static final short DEFAULT_KEY_LENGTH
      See Also:

    • AES_SALT

      private static final byte[] AES_SALT

    • keyLength

      protected short keyLength
      The length in bits of the secret key used to encrypt the document. Will become private in 3.0.

    • encryptionKey

      protected byte[] encryptionKey
      The encryption key that will be used to encrypt / decrypt. Will become private in 3.0.

    • rc4

      private final RC4Cipher rc4
      The RC4 implementation used for cryptographic functions.

    • decryptMetadata

      private boolean decryptMetadata
      Indicates if the Metadata have to be decrypted of not.

    • customSecureRandom

      private SecureRandom customSecureRandom
      Can be used to allow stateless AES encryption

    • objects

      private final Set<COSBase> objects

    • useAES

      private boolean useAES

    • protectionPolicy

      private ProtectionPolicy protectionPolicy

    • currentAccessPermission

      private AccessPermission currentAccessPermission
      The access permission granted to the current user for the document. These permissions are computed during decryption and are in read only mode.

    • streamFilterName

      private COSName streamFilterName
      The stream filter name.

    • stringFilterName

      private COSName stringFilterName
      The string filter name.

  • Constructor Details

    • SecurityHandler

      public SecurityHandler()

  • Method Details

    • setDecryptMetadata

      protected void setDecryptMetadata(boolean decryptMetadata)
      Set whether to decrypt meta data.
      Parameters:
      decryptMetadata - true if meta data has to be decrypted.

    • isDecryptMetadata

      public boolean isDecryptMetadata()
      Returns true if meta data is to be decrypted.
      Returns:
      True if meta data has to be decrypted.

    • setStringFilterName

      protected void setStringFilterName(COSName stringFilterName)
      Set the string filter name.
      Parameters:
      stringFilterName - the string filter name.

    • setStreamFilterName

      protected void setStreamFilterName(COSName streamFilterName)
      Set the stream filter name.
      Parameters:
      streamFilterName - the stream filter name.

    • setCustomSecureRandom

      public void setCustomSecureRandom(SecureRandom customSecureRandom)
      Set the custom SecureRandom.
      Parameters:
      customSecureRandom - the custom SecureRandom for AES encryption

    • prepareDocumentForEncryption

      public abstract void prepareDocumentForEncryption(PDDocument doc) throws IOException
      Prepare the document for encryption.
      Parameters:
      doc - The document that will be encrypted.
      Throws:
      IOException - If there is an error with the document.

    • prepareForDecryption

      public abstract void prepareForDecryption(PDEncryption encryption, COSArray documentIDArray, DecryptionMaterial decryptionMaterial) throws IOException
      Prepares everything to decrypt the document.
      Parameters:
      encryption - encryption dictionary, can be retrieved via PDDocument.getEncryption()
      documentIDArray - document id which is returned via COSDocument.getDocumentID()
      decryptionMaterial - Information used to decrypt the document.
      Throws:
      InvalidPasswordException - If the password is incorrect.
      IOException - If there is an error accessing data.

    • encryptData

      private void encryptData(long objectNumber, long genNumber, InputStream data, OutputStream output, boolean decrypt) throws IOException
      Encrypt or decrypt a set of data.
      Parameters:
      objectNumber - The data object number.
      genNumber - The data generation number.
      data - The data to encrypt.
      output - The output to write the encrypted data to.
      decrypt - true to decrypt the data, false to encrypt it.
      Throws:
      IOException - If there is an error reading the data.

    • calcFinalKey

      private byte[] calcFinalKey(long objectNumber, long genNumber)
      Calculate the key to be used for RC4 and AES-128.
      Parameters:
      objectNumber - The data object number.
      genNumber - The data generation number.
      Returns:
      the calculated key.

    • encryptDataRC4

      protected void encryptDataRC4(byte[] finalKey, InputStream input, OutputStream output) throws IOException
      Encrypt or decrypt data with RC4.
      Parameters:
      finalKey - The final key obtained with via calcFinalKey(long, long).
      input - The data to encrypt.
      output - The output to write the encrypted data to.
      Throws:
      IOException - If there is an error reading the data.

    • encryptDataRC4

      protected void encryptDataRC4(byte[] finalKey, byte[] input, OutputStream output) throws IOException
      Encrypt or decrypt data with RC4.
      Parameters:
      finalKey - The final key obtained with via calcFinalKey(long, long).
      input - The data to encrypt.
      output - The output to write the encrypted data to.
      Throws:
      IOException - If there is an error reading the data.

    • encryptDataAESother

      private void encryptDataAESother(byte[] finalKey, InputStream data, OutputStream output, boolean decrypt) throws IOException
      Encrypt or decrypt data with AES with key length other than 256 bits.
      Parameters:
      finalKey - The final key obtained with via calcFinalKey(long, long).
      data - The data to encrypt.
      output - The output to write the encrypted data to.
      decrypt - true to decrypt the data, false to encrypt it.
      Throws:
      IOException - If there is an error reading the data.

    • encryptDataAES256

      private void encryptDataAES256(InputStream data, OutputStream output, boolean decrypt) throws IOException
      Encrypt or decrypt data with AES256.
      Parameters:
      data - The data to encrypt.
      output - The output to write the encrypted data to.
      decrypt - true to decrypt the data, false to encrypt it.
      Throws:
      IOException - If there is an error reading the data.

    • createCipher

      private Cipher createCipher(byte[] key, byte[] iv, boolean decrypt) throws GeneralSecurityException
      Throws:
      GeneralSecurityException

    • prepareAESInitializationVector

      private boolean prepareAESInitializationVector(boolean decrypt, byte[] iv, InputStream data, OutputStream output) throws IOException
      Throws:
      IOException

    • getSecureRandom

      private SecureRandom getSecureRandom()
      Returns a SecureRandom If customSecureRandom is not defined, instantiate a new SecureRandom
      Returns:
      SecureRandom

    • decrypt

      public void decrypt(COSBase obj, long objNum, long genNum) throws IOException
      This will dispatch to the correct method.
      Parameters:
      obj - The object to decrypt.
      objNum - The object number.
      genNum - The object generation Number.
      Throws:
      IOException - If there is an error getting the stream data.

    • decryptStream

      public void decryptStream(COSStream stream, long objNum, long genNum) throws IOException
      This will decrypt a stream.
      Parameters:
      stream - The stream to decrypt.
      objNum - The object number.
      genNum - The object generation number.
      Throws:
      IOException - If there is an error getting the stream data.

    • encryptStream

      public void encryptStream(COSStream stream, long objNum, int genNum) throws IOException
      This will encrypt a stream, but not the dictionary as the dictionary is encrypted by visitFromString() in COSWriter and we don't want to encrypt it twice.
      Parameters:
      stream - The stream to decrypt.
      objNum - The object number.
      genNum - The object generation number.
      Throws:
      IOException - If there is an error getting the stream data.

    • decryptDictionary

      private void decryptDictionary(COSDictionary dictionary, long objNum, long genNum) throws IOException
      This will decrypt a dictionary.
      Parameters:
      dictionary - The dictionary to decrypt.
      objNum - The object number.
      genNum - The object generation number.
      Throws:
      IOException - If there is an error creating a new string.

    • decryptString

      private void decryptString(COSString string, long objNum, long genNum)
      This will decrypt a string.
      Parameters:
      string - the string to decrypt.
      objNum - The object number.
      genNum - The object generation number.

    • encryptString

      public void encryptString(COSString string, long objNum, int genNum) throws IOException
      This will encrypt a string.
      Parameters:
      string - the string to encrypt.
      objNum - The object number.
      genNum - The object generation number.
      Throws:
      IOException - If an error occurs writing the new string.

    • decryptArray

      private void decryptArray(COSArray array, long objNum, long genNum) throws IOException
      This will decrypt an array.
      Parameters:
      array - The array to decrypt.
      objNum - The object number.
      genNum - The object generation number.
      Throws:
      IOException - If there is an error accessing the data.

    • getKeyLength

      public int getKeyLength()
      Getter of the property keyLength.
      Returns:
      Returns the key length in bits.

    • setKeyLength

      public void setKeyLength(int keyLen)
      Setter of the property keyLength.
      Parameters:
      keyLen - The key length to set in bits.

    • setCurrentAccessPermission

      public void setCurrentAccessPermission(AccessPermission currentAccessPermission)
      Sets the access permissions.
      Parameters:
      currentAccessPermission - The access permissions to be set.

    • getCurrentAccessPermission

      public AccessPermission getCurrentAccessPermission()
      Returns the access permissions that were computed during document decryption. The returned object is in read only mode.
      Returns:
      the access permissions or null if the document was not decrypted.

    • isAES

      public boolean isAES()
      True if AES is used for encryption and decryption.
      Returns:
      true if AEs is used

    • setAES

      public void setAES(boolean aesValue)
      Set to true if AES for encryption and decryption should be used.
      Parameters:
      aesValue - if true AES will be used

    • hasProtectionPolicy

      public boolean hasProtectionPolicy()
      Returns whether a protection policy has been set.
      Returns:
      true if a protection policy has been set.

    • getProtectionPolicy

      protected ProtectionPolicy getProtectionPolicy()
      Returns the set ProtectionPolicy or null.
      Returns:
      The set ProtectionPolicy.

    • setProtectionPolicy

      protected void setProtectionPolicy(ProtectionPolicy protectionPolicy)
      Sets the ProtectionPolicy to the given value.
      Parameters:
      protectionPolicy - The ProtectionPolicy, that shall be set.

    • getEncryptionKey

      public byte[] getEncryptionKey()
      Returns the current encryption key data.
      Returns:
      The current encryption key data.

    • setEncryptionKey

      public void setEncryptionKey(byte[] encryptionKey)
      Sets the current encryption key data.
      Parameters:
      encryptionKey - The encryption key data to set.

    • computeVersionNumber

      protected int computeVersionNumber()
      Computes the version number of the SecurityHandler based on the encryption key length. See PDF Spec 1.6 p 93 and PDF 1.7 Supplement ExtensionLevel: 3 and PDF Spec 2.0.
      Returns:
      The computed version number.