Class PdfEncryption

java.lang.Object

com.itextpdf.kernel.pdf.PdfObjectWrapper<PdfDictionary>

com.itextpdf.kernel.pdf.PdfEncryption

public class PdfEncryption
extends PdfObjectWrapper<PdfDictionary>

Field Summary

Fields

Modifier and Type	Field	Description
private static final int	AES_128
private static final int	AES_256
private static final int	AES_GCM
private int	cryptoMode
private static final int	DEFAULT_KEY_LENGTH
private byte[]	documentId
private boolean	embeddedFilesOnly
private boolean	encryptMetadata
private static final int	MAC_DISABLED
private static final int	MAC_ENABLED
private AbstractMacIntegrityProtector	macContainer
private Integer	permissions
private SecurityHandler	securityHandler
private static long	seq
private static final int	STANDARD_ENCRYPTION_128
private static final int	STANDARD_ENCRYPTION_40

Constructor Summary

Constructors

Constructor	Description
PdfEncryption(byte[] userPassword, byte[] ownerPassword, int permissions, int encryptionType, byte[] documentId, PdfVersion version, AbstractMacIntegrityProtector macContainer)	Creates the encryption.
PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId)	Creates PdfEncryption instance based on already existing standard encryption dictionary.
PdfEncryption(PdfDictionary pdfDict, Key certificateKey, Certificate certificate, String certificateKeyProvider, IExternalDecryptionProcess externalDecryptionProcess)	Creates PdfEncryption instance based on already existing public encryption dictionary.
PdfEncryption(Certificate[] certs, int[] permissions, int encryptionType, PdfVersion version, AbstractMacIntegrityProtector macContainer)	Creates the certificate encryption.

Method Summary

Modifier and Type	Method	Description
(package private) void	checkEncryptionRequirements(PdfDocument document)
byte[]	computeUserPassword(byte[] ownerPassword)	Computes user password if standard encryption handler is used with Standard40, Standard128 or AES128 algorithm.
private int	configureAccessibilityPermissionsForMac(int permissions)
(package private) void	configureEncryptionParametersFromReader(PdfDocument document, PdfDictionary trailer)
(package private) void	configureEncryptionParametersFromWriter(PdfDocument document)
static PdfObject	createInfoId(byte[] id, boolean modified)	Creates a PdfLiteral that contains an array of two id entries.
static PdfObject	createInfoId(byte[] firstId, byte[] secondId, boolean preserveEncryption)	Creates a PdfLiteral that contains an array of two id entries.
byte[]	decryptByteArray(byte[] b)
byte[]	encryptByteArray(byte[] b)
private static int	fixAccessibilityPermissionPdf20(int permissions)
void	flush()	To manually flush a PdfObject behind this wrapper, you have to ensure that this object is added to the document, i.e.
static byte[]	generateNewDocumentId()
int	getCryptoMode()	Gets encryption algorithm and access permissions.
byte[]	getDocumentId()
int	getEncryptionAlgorithm()	Gets encryption algorithm.
OutputStreamEncryption	getEncryptionStream(OutputStream os)
(package private) AbstractMacIntegrityProtector	getMacContainer()
Integer	getPermissions()	Gets the encryption permissions.
boolean	isEmbeddedFilesOnly()
boolean	isMetadataEncrypted()
boolean	isOpenedWithFullPermission()
protected boolean	isWrappedObjectMustBeIndirect()	Defines if the object behind this wrapper must be an indirect object in the resultant document.
private static byte[]	padByteArrayTo16(byte[] documentId)
private int	readAndSetCryptoModeForPubSecHandler(PdfDictionary encDict)
private int	readAndSetCryptoModeForStdHandler(PdfDictionary encDict)
(package private) static boolean	readEmbeddedFilesOnlyFromEncryptDictionary(PdfDictionary encDict)
private int	setCryptoMode(int mode)
private int	setCryptoMode(int mode, int length)
void	setHashKeyForNextObject(int objNumber, int objGeneration)
private void	setKeyLength(int keyLength)
private void	updateMacPermission()

Methods inherited from class PdfObjectWrapper

ensureObjectIsAddedToDocument, ensureUnderlyingObjectHasIndirectReference, getPdfObject, isFlushed, makeIndirect, makeIndirect, markObjectAsIndirect, setForbidRelease, setModified, setPdfObject, unsetForbidRelease

Methods inherited from class Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

STANDARD_ENCRYPTION_40

private static final int STANDARD_ENCRYPTION_40

See Also:

• Constant Field Values

STANDARD_ENCRYPTION_128

private static final int STANDARD_ENCRYPTION_128

See Also:

• Constant Field Values

AES_128

private static final int AES_128

See Also:

• Constant Field Values

AES_256

private static final int AES_256

See Also:

• Constant Field Values

AES_GCM

private static final int AES_GCM

See Also:

• Constant Field Values

DEFAULT_KEY_LENGTH

private static final int DEFAULT_KEY_LENGTH

See Also:

• Constant Field Values

MAC_ENABLED

private static final int MAC_ENABLED

See Also:

• Constant Field Values

MAC_DISABLED

private static final int MAC_DISABLED

See Also:

• Constant Field Values

seq

private static long seq

cryptoMode

private int cryptoMode

permissions

private Integer permissions

encryptMetadata

private boolean encryptMetadata

embeddedFilesOnly

private boolean embeddedFilesOnly

documentId

private byte[] documentId

securityHandler

private SecurityHandler securityHandler

macContainer

private AbstractMacIntegrityProtector macContainer

Constructor Details

PdfEncryption

public PdfEncryption(byte[] userPassword,
 byte[] ownerPassword,
 int permissions,
 int encryptionType,
 byte[] documentId,
 PdfVersion version,
 AbstractMacIntegrityProtector macContainer)

Creates the encryption.

Parameters:

userPassword - the user password. Can be null or of zero length, which is equal to omitting the user password

ownerPassword - the owner password. If it's null or empty, iText will generate a random string to be used as the owner password

permissions - the user permissions The open permissions for the document can be EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ALLOW_MODIFY_CONTENTS, EncryptionConstants.ALLOW_COPY, EncryptionConstants.ALLOW_MODIFY_ANNOTATIONS, EncryptionConstants.ALLOW_FILL_IN, EncryptionConstants.ALLOW_SCREENREADERS, EncryptionConstants.ALLOW_ASSEMBLY and EncryptionConstants.ALLOW_DEGRADED_PRINTING. The permissions can be combined by ORing them

encryptionType - the type of encryption. It can be one of EncryptionConstants.STANDARD_ENCRYPTION_40, EncryptionConstants.STANDARD_ENCRYPTION_128, EncryptionConstants.ENCRYPTION_AES_128 or EncryptionConstants.ENCRYPTION_AES_256. Optionally EncryptionConstants.DO_NOT_ENCRYPT_METADATA can be ORed to output the metadata in cleartext. EncryptionConstants.EMBEDDED_FILES_ONLY can be ORed as well. Please be aware that the passed encryption types may override permissions: EncryptionConstants.STANDARD_ENCRYPTION_40 implicitly sets EncryptionConstants.DO_NOT_ENCRYPT_METADATA and EncryptionConstants.EMBEDDED_FILES_ONLY as false; EncryptionConstants.STANDARD_ENCRYPTION_128 implicitly sets EncryptionConstants.EMBEDDED_FILES_ONLY as false;

documentId - document id which will be used for encryption

version - the PdfVersion of the target document for encryption

macContainer - AbstractMacIntegrityProtector class for MAC integrity protection

PdfEncryption

public PdfEncryption(Certificate[] certs,
 int[] permissions,
 int encryptionType,
 PdfVersion version,
 AbstractMacIntegrityProtector macContainer)

Creates the certificate encryption.

An array of one or more public certificates must be provided together with an array of the same size for the permissions for each certificate.

Parameters:

certs - the public certificates to be used for the encryption

permissions - the user permissions for each of the certificates The open permissions for the document can be EncryptionConstants.ALLOW_PRINTING, EncryptionConstants.ALLOW_MODIFY_CONTENTS, EncryptionConstants.ALLOW_COPY, EncryptionConstants.ALLOW_MODIFY_ANNOTATIONS, EncryptionConstants.ALLOW_FILL_IN, EncryptionConstants.ALLOW_SCREENREADERS, EncryptionConstants.ALLOW_ASSEMBLY and EncryptionConstants.ALLOW_DEGRADED_PRINTING. The permissions can be combined by ORing them

encryptionType - the type of encryption. It can be one of EncryptionConstants.STANDARD_ENCRYPTION_40, EncryptionConstants.STANDARD_ENCRYPTION_128, EncryptionConstants.ENCRYPTION_AES_128 or EncryptionConstants.ENCRYPTION_AES_256. Optionally EncryptionConstants.DO_NOT_ENCRYPT_METADATA can be ORed to output the metadata in cleartext. EncryptionConstants.EMBEDDED_FILES_ONLY can be ORed as well. Please be aware that the passed encryption types may override permissions: EncryptionConstants.STANDARD_ENCRYPTION_40 implicitly sets EncryptionConstants.DO_NOT_ENCRYPT_METADATA and EncryptionConstants.EMBEDDED_FILES_ONLY as false; EncryptionConstants.STANDARD_ENCRYPTION_128 implicitly sets EncryptionConstants.EMBEDDED_FILES_ONLY as false;

version - the PdfVersion of the target document for encryption

macContainer - AbstractMacIntegrityProtector class for MAC integrity protection

PdfEncryption

public PdfEncryption(PdfDictionary pdfDict,
 byte[] password,
 byte[] documentId)

Creates PdfEncryption instance based on already existing standard encryption dictionary.

Parameters:

pdfDict - PdfDictionary, which represents encryption dictionary

password - byte[], which represents encryption password

documentId - original file ID, the first element in PdfName.ID key of trailer

PdfEncryption

public PdfEncryption(PdfDictionary pdfDict,
 Key certificateKey,
 Certificate certificate,
 String certificateKeyProvider,
 IExternalDecryptionProcess externalDecryptionProcess)

Creates PdfEncryption instance based on already existing public encryption dictionary.

Parameters:

pdfDict - PdfDictionary, which represents encryption dictionary

certificateKey - the recipient private Key to the certificate

certificate - the recipient Certificate, which serves as recipient identifier

certificateKeyProvider - the certificate key provider id for Security.getProvider(String)

externalDecryptionProcess - IExternalDecryptionProcess the external decryption process to be used

Method Details

generateNewDocumentId

public static byte[] generateNewDocumentId()

createInfoId

public static PdfObject createInfoId(byte[] id,
 boolean modified)

Creates a PdfLiteral that contains an array of two id entries. These entries are both hexadecimal strings containing 16 hex characters. The first entry is the original id, the second entry should be different from the first one if the document has changed.

Parameters:

id - the first id

modified - whether the document has been changed or not

Returns:

PdfObject containing the two entries

createInfoId

public static PdfObject createInfoId(byte[] firstId,
 byte[] secondId,
 boolean preserveEncryption)

Creates a PdfLiteral that contains an array of two id entries. These entries are both hexadecimal strings containing up to 16 hex characters. The first entry is the original id, the second entry should be different from the first one if the document has changed.

Parameters:

firstId - the first id

secondId - the second id

preserveEncryption - the encryption preserve

Returns:

PdfObject containing the two entries.

padByteArrayTo16

private static byte[] padByteArrayTo16(byte[] documentId)

getPermissions

public Integer getPermissions()

Gets the encryption permissions. It can be used directly in WriterProperties.setStandardEncryption(byte[], byte[], int, int). See ISO 32000-1, Table 22 for more details.

Returns:

the encryption permissions, an unsigned 32-bit quantity.

getCryptoMode

public int getCryptoMode()

Gets encryption algorithm and access permissions.

Returns:

the crypto mode value

See Also:

• EncryptionConstants

getEncryptionAlgorithm

public int getEncryptionAlgorithm()

Gets encryption algorithm.

Returns:

the encryption algorithm

See Also:

• EncryptionConstants

isMetadataEncrypted

public boolean isMetadataEncrypted()

isEmbeddedFilesOnly

public boolean isEmbeddedFilesOnly()

getDocumentId

public byte[] getDocumentId()

Returns:

document id which was used for encryption. Could be null, if encryption doesn't rely on document id.

setHashKeyForNextObject

public void setHashKeyForNextObject(int objNumber,
 int objGeneration)

getEncryptionStream

public OutputStreamEncryption getEncryptionStream(OutputStream os)

encryptByteArray

public byte[] encryptByteArray(byte[] b)

decryptByteArray

public byte[] decryptByteArray(byte[] b)

isOpenedWithFullPermission

public boolean isOpenedWithFullPermission()

computeUserPassword

public byte[] computeUserPassword(byte[] ownerPassword)

Computes user password if standard encryption handler is used with Standard40, Standard128 or AES128 algorithm.

Parameters:

ownerPassword - owner password of the encrypted document.

Returns:

user password, or null if not a standard encryption handler was used.

flush

public void flush()

To manually flush a PdfObject behind this wrapper, you have to ensure that this object is added to the document, i.e. it has an indirect reference. Basically this means that before flushing you need to explicitly call PdfObjectWrapper.makeIndirect(PdfDocument). For example: wrapperInstance.makeIndirect(document).flush(); Note that not every wrapper require this, only those that have such warning in documentation.

Overrides:

flush in class PdfObjectWrapper<PdfDictionary>

isWrappedObjectMustBeIndirect

protected boolean isWrappedObjectMustBeIndirect()

Description copied from class: PdfObjectWrapper

Defines if the object behind this wrapper must be an indirect object in the resultant document.

If this method returns true it doesn't necessarily mean that object must be in the indirect state at any moment, but rather defines that when the object will be written to the document it will be transformed into indirect object if it's not indirect yet.

Return value of this method shouldn't depend on any logic, it should return always true or false.

Specified by:

isWrappedObjectMustBeIndirect in class PdfObjectWrapper<PdfDictionary>

Returns:

true if in the resultant document the object behind the wrapper must be indirect, otherwise false.

setKeyLength

private void setKeyLength(int keyLength)

setCryptoMode

private int setCryptoMode(int mode)

setCryptoMode

private int setCryptoMode(int mode,
 int length)

readAndSetCryptoModeForStdHandler

private int readAndSetCryptoModeForStdHandler(PdfDictionary encDict)

readAndSetCryptoModeForPubSecHandler

private int readAndSetCryptoModeForPubSecHandler(PdfDictionary encDict)

configureAccessibilityPermissionsForMac

private int configureAccessibilityPermissionsForMac(int permissions)

readEmbeddedFilesOnlyFromEncryptDictionary

static boolean readEmbeddedFilesOnlyFromEncryptDictionary(PdfDictionary encDict)

fixAccessibilityPermissionPdf20

private static int fixAccessibilityPermissionPdf20(int permissions)

checkEncryptionRequirements

void checkEncryptionRequirements(PdfDocument document)

configureEncryptionParametersFromWriter

void configureEncryptionParametersFromWriter(PdfDocument document)

getMacContainer

AbstractMacIntegrityProtector getMacContainer()

configureEncryptionParametersFromReader

void configureEncryptionParametersFromReader(PdfDocument document,
 PdfDictionary trailer)

updateMacPermission

private void updateMacPermission()