org.apache.pdfbox.pdmodel.encryption: public class: PublicKeySecurityHandler

org.apache.pdfbox.pdmodel.encryption
public class: PublicKeySecurityHandler [javadoc | source]

java.lang.Object
   org.apache.pdfbox.pdmodel.encryption.SecurityHandler
      org.apache.pdfbox.pdmodel.encryption.PublicKeySecurityHandler

This class implements the public key security handler described in the PDF specification.

Also see:

PDF Spec 1.6 p104

PublicKeyProtectionPolicy to see how to protect document with this security handler.

author: Benoit - Guillon (benoit.guillon@snv.jussieu.fr)

version: $ - Revision: 1.3 $

Field Summary
public static final String	FILTER	The filter name.

Fields inherited from org.apache.pdfbox.pdmodel.encryption.SecurityHandler:
version, keyLength, encryptionKey, document, rc4, currentAccessPermission

Constructor:

Constructor:
public PublicKeySecurityHandler() { } Constructor.
public PublicKeySecurityHandler(PublicKeyProtectionPolicy p) { policy = p; this.keyLength = policy.getEncryptionKeyLength(); } Constructor used for encryption. Parameters: `p` - The protection policy.

 public PublicKeySecurityHandler() {

}

Constructor.

 public PublicKeySecurityHandler(PublicKeyProtectionPolicy p) {
        policy = p;
        this.keyLength = policy.getEncryptionKeyLength();
}

Constructor used for encryption.

Parameters:

p - The protection policy.

Method from org.apache.pdfbox.pdmodel.encryption.PublicKeySecurityHandler Summary:
decryptDocument, prepareDocumentForEncryption

Methods from org.apache.pdfbox.pdmodel.encryption.SecurityHandler:
decryptDocument, decryptStream, decryptString, encryptData, getCurrentAccessPermission, getKeyLength, prepareDocumentForEncryption, proceedDecryption, setKeyLength

Methods from java.lang.Object:
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method from org.apache.pdfbox.pdmodel.encryption.PublicKeySecurityHandler Detail:
public void decryptDocument(PDDocument doc, DecryptionMaterial decryptionMaterial) throws CryptographyException, IOException { this.document = doc; PDEncryptionDictionary dictionary = doc.getEncryptionDictionary(); if(dictionary.getLength() != 0) { this.keyLength = dictionary.getLength(); } if(!(decryptionMaterial instanceof PublicKeyDecryptionMaterial)) { throw new CryptographyException( "Provided decryption material is not compatible with the document"); } PublicKeyDecryptionMaterial material = (PublicKeyDecryptionMaterial)decryptionMaterial; try { boolean foundRecipient = false; // the decrypted content of the enveloped data that match // the certificate in the decryption material provided byte[] envelopedData = null; // the bytes of each recipient in the recipients array byte[][] recipientFieldsBytes = new byte[dictionary.getRecipientsLength()][]; int recipientFieldsLength = 0; for(int i=0; i< dictionary.getRecipientsLength(); i++) { COSString recipientFieldString = dictionary.getRecipientStringAt(i); byte[] recipientBytes = recipientFieldString.getBytes(); CMSEnvelopedData data = new CMSEnvelopedData(recipientBytes); Iterator recipCertificatesIt = data.getRecipientInfos().getRecipients().iterator(); while(recipCertificatesIt.hasNext()) { RecipientInformation ri = (RecipientInformation)recipCertificatesIt.next(); // Impl: if a matching certificate was previously found it is an error, // here we just don't care about it if(ri.getRID().match(material.getCertificate()) && !foundRecipient) { foundRecipient = true; envelopedData = ri.getContent(material.getPrivateKey(), "BC"); } } recipientFieldsBytes[i] = recipientBytes; recipientFieldsLength += recipientBytes.length; } if(!foundRecipient \|\| envelopedData == null) { throw new CryptographyException("The certificate matches no recipient entry"); } if(envelopedData.length != 24) { throw new CryptographyException("The enveloped data does not contain 24 bytes"); } // now envelopedData contains: // - the 20 bytes seed // - the 4 bytes of permission for the current user byte[] accessBytes = new byte[4]; System.arraycopy(envelopedData, 20, accessBytes, 0, 4); currentAccessPermission = new AccessPermission(accessBytes); currentAccessPermission.setReadOnly(); // what we will put in the SHA1 = the seed + each byte contained in the recipients array byte[] sha1Input = new byte[recipientFieldsLength + 20]; // put the seed in the sha1 input System.arraycopy(envelopedData, 0, sha1Input, 0, 20); // put each bytes of the recipients array in the sha1 input int sha1InputOffset = 20; for(int i=0; i< recipientFieldsBytes.length; i++) { System.arraycopy( recipientFieldsBytes[i], 0, sha1Input, sha1InputOffset, recipientFieldsBytes[i].length); sha1InputOffset += recipientFieldsBytes[i].length; } MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] mdResult = md.digest(sha1Input); // we have the encryption key ... encryptionKey = new byte[this.keyLength/8]; System.arraycopy(mdResult, 0, encryptionKey, 0, this.keyLength/8); proceedDecryption(); } catch(CMSException e) { throw new CryptographyException(e); } catch(KeyStoreException e) { throw new CryptographyException(e); } catch(NoSuchProviderException e) { throw new CryptographyException(e); } catch(NoSuchAlgorithmException e) { throw new CryptographyException(e); } } Decrypt the document.
public void prepareDocumentForEncryption(PDDocument doc) throws CryptographyException { try { Security.addProvider(new BouncyCastleProvider()); PDEncryptionDictionary dictionary = doc.getEncryptionDictionary(); if (dictionary == null) { dictionary = new PDEncryptionDictionary(); } dictionary.setFilter(FILTER); dictionary.setLength(this.keyLength); dictionary.setVersion(2); dictionary.setSubFilter(SUBFILTER); byte[][] recipientsField = new byte[policy.getRecipientsNumber()][]; // create the 20 bytes seed byte[] seed = new byte[20]; KeyGenerator key = KeyGenerator.getInstance("AES"); key.init(192, new SecureRandom()); SecretKey sk = key.generateKey(); System.arraycopy(sk.getEncoded(), 0, seed, 0, 20); // create the 20 bytes seed Iterator it = policy.getRecipientsIterator(); int i = 0; while(it.hasNext()) { PublicKeyRecipient recipient = (PublicKeyRecipient)it.next(); X509Certificate certificate = recipient.getX509(); int permission = recipient.getPermission().getPermissionBytesForPublicKey(); byte[] pkcs7input = new byte[24]; byte one = (byte)(permission); byte two = (byte)(permission > > > 8); byte three = (byte)(permission > > > 16); byte four = (byte)(permission > > > 24); System.arraycopy(seed, 0, pkcs7input, 0, 20); // put this seed in the pkcs7 input pkcs7input[20] = four; pkcs7input[21] = three; pkcs7input[22] = two; pkcs7input[23] = one; DERObject obj = createDERForRecipient(pkcs7input, certificate); ByteArrayOutputStream baos = new ByteArrayOutputStream(); DEROutputStream k = new DEROutputStream(baos); k.writeObject(obj); recipientsField[i] = baos.toByteArray(); i++; } dictionary.setRecipients(recipientsField); int sha1InputLength = seed.length; for(int j=0; j< dictionary.getRecipientsLength(); j++) { COSString string = dictionary.getRecipientStringAt(j); sha1InputLength += string.getBytes().length; } byte[] sha1Input = new byte[sha1InputLength]; System.arraycopy(seed, 0, sha1Input, 0, 20); int sha1InputOffset = 20; for(int j=0; j< dictionary.getRecipientsLength(); j++) { COSString string = dictionary.getRecipientStringAt(j); System.arraycopy( string.getBytes(), 0, sha1Input, sha1InputOffset, string.getBytes().length); sha1InputOffset += string.getBytes().length; } MessageDigest md = MessageDigest.getInstance("SHA-1"); byte[] mdResult = md.digest(sha1Input); this.encryptionKey = new byte[this.keyLength/8]; System.arraycopy(mdResult, 0, this.encryptionKey, 0, this.keyLength/8); doc.setEncryptionDictionary(dictionary); doc.getDocument().setEncryptionDictionary(dictionary.encryptionDictionary); } catch(NoSuchAlgorithmException ex) { throw new CryptographyException(ex); } catch(NoSuchProviderException ex) { throw new CryptographyException(ex); } catch(Exception e) { e.printStackTrace(); throw new CryptographyException(e); } } Prepare the document for encryption.

Method from org.apache.pdfbox.pdmodel.encryption.PublicKeySecurityHandler Detail:

 public  void decryptDocument(PDDocument doc,
    DecryptionMaterial decryptionMaterial) throws CryptographyException, IOException {
        this.document = doc;
        PDEncryptionDictionary dictionary = doc.getEncryptionDictionary();
        if(dictionary.getLength() != 0)
        {
            this.keyLength = dictionary.getLength();
        }
        if(!(decryptionMaterial instanceof PublicKeyDecryptionMaterial))
        {
            throw new CryptographyException(
                "Provided decryption material is not compatible with the document");
        }
        PublicKeyDecryptionMaterial material = (PublicKeyDecryptionMaterial)decryptionMaterial;
        try
        {
            boolean foundRecipient = false;
            // the decrypted content of the enveloped data that match
            // the certificate in the decryption material provided
            byte[] envelopedData = null;
            // the bytes of each recipient in the recipients array
            byte[][] recipientFieldsBytes = new byte[dictionary.getRecipientsLength()][];
            int recipientFieldsLength = 0;
            for(int i=0; i< dictionary.getRecipientsLength(); i++)
            {
                COSString recipientFieldString = dictionary.getRecipientStringAt(i);
                byte[] recipientBytes = recipientFieldString.getBytes();
                CMSEnvelopedData data = new CMSEnvelopedData(recipientBytes);
                Iterator recipCertificatesIt = data.getRecipientInfos().getRecipients().iterator();
                while(recipCertificatesIt.hasNext())
                {
                    RecipientInformation ri =
                        (RecipientInformation)recipCertificatesIt.next();
                    // Impl: if a matching certificate was previously found it is an error,
                    // here we just don't care about it
                    if(ri.getRID().match(material.getCertificate()) && !foundRecipient)
                    {
                        foundRecipient = true;
                        envelopedData = ri.getContent(material.getPrivateKey(), "BC");
                    }
                }
                recipientFieldsBytes[i] = recipientBytes;
                recipientFieldsLength += recipientBytes.length;
            }
            if(!foundRecipient || envelopedData == null)
            {
                throw new CryptographyException("The certificate matches no recipient entry");
            }
            if(envelopedData.length != 24)
            {
                throw new CryptographyException("The enveloped data does not contain 24 bytes");
            }
            // now envelopedData contains:
            // - the 20 bytes seed
            // - the 4 bytes of permission for the current user
            byte[] accessBytes = new byte[4];
            System.arraycopy(envelopedData, 20, accessBytes, 0, 4);
            currentAccessPermission = new AccessPermission(accessBytes);
            currentAccessPermission.setReadOnly();
             // what we will put in the SHA1 = the seed + each byte contained in the recipients array
            byte[] sha1Input = new byte[recipientFieldsLength + 20];
            // put the seed in the sha1 input
            System.arraycopy(envelopedData, 0, sha1Input, 0, 20);
            // put each bytes of the recipients array in the sha1 input
            int sha1InputOffset = 20;
            for(int i=0; i< recipientFieldsBytes.length; i++)
            {
                System.arraycopy(
                    recipientFieldsBytes[i], 0,
                    sha1Input, sha1InputOffset, recipientFieldsBytes[i].length);
                sha1InputOffset += recipientFieldsBytes[i].length;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] mdResult = md.digest(sha1Input);
            // we have the encryption key ...
            encryptionKey = new byte[this.keyLength/8];
            System.arraycopy(mdResult, 0, encryptionKey, 0, this.keyLength/8);
            proceedDecryption();
        }
        catch(CMSException e)
        {
            throw new CryptographyException(e);
        }
        catch(KeyStoreException e)
        {
            throw new CryptographyException(e);
        }
        catch(NoSuchProviderException e)
        {
            throw new CryptographyException(e);
        }
        catch(NoSuchAlgorithmException e)
        {
            throw new CryptographyException(e);
        }
}

Decrypt the document.

 public  void prepareDocumentForEncryption(PDDocument doc) throws CryptographyException {
        try
        {
            Security.addProvider(new BouncyCastleProvider());
            PDEncryptionDictionary dictionary = doc.getEncryptionDictionary();
            if (dictionary == null) 
            {
                dictionary = new PDEncryptionDictionary();
            }
            dictionary.setFilter(FILTER);
            dictionary.setLength(this.keyLength);
            dictionary.setVersion(2);
            dictionary.setSubFilter(SUBFILTER);
            byte[][] recipientsField = new byte[policy.getRecipientsNumber()][];
            // create the 20 bytes seed
            byte[] seed = new byte[20];
            KeyGenerator key = KeyGenerator.getInstance("AES");
            key.init(192, new SecureRandom());
            SecretKey sk = key.generateKey();
            System.arraycopy(sk.getEncoded(), 0, seed, 0, 20); // create the 20 bytes seed
            Iterator it = policy.getRecipientsIterator();
            int i = 0;
            while(it.hasNext())
            {
                PublicKeyRecipient recipient = (PublicKeyRecipient)it.next();
                X509Certificate certificate = recipient.getX509();
                int permission = recipient.getPermission().getPermissionBytesForPublicKey();
                byte[] pkcs7input = new byte[24];
                byte one = (byte)(permission);
                byte two = (byte)(permission  > > > 8);
                byte three = (byte)(permission  > > > 16);
                byte four = (byte)(permission  > > > 24);
                System.arraycopy(seed, 0, pkcs7input, 0, 20); // put this seed in the pkcs7 input
                pkcs7input[20] = four;
                pkcs7input[21] = three;
                pkcs7input[22] = two;
                pkcs7input[23] = one;
                DERObject obj = createDERForRecipient(pkcs7input, certificate);
                ByteArrayOutputStream baos = new ByteArrayOutputStream();
                DEROutputStream k = new DEROutputStream(baos);
                k.writeObject(obj);
                recipientsField[i] = baos.toByteArray();
                i++;
            }
            dictionary.setRecipients(recipientsField);
            int sha1InputLength = seed.length;
            for(int j=0; j< dictionary.getRecipientsLength(); j++)
            {
                COSString string = dictionary.getRecipientStringAt(j);
                sha1InputLength += string.getBytes().length;
            }
            byte[] sha1Input = new byte[sha1InputLength];
            System.arraycopy(seed, 0, sha1Input, 0, 20);
            int sha1InputOffset = 20;
            for(int j=0; j< dictionary.getRecipientsLength(); j++)
            {
                COSString string = dictionary.getRecipientStringAt(j);
                System.arraycopy(
                    string.getBytes(), 0,
                    sha1Input, sha1InputOffset, string.getBytes().length);
                sha1InputOffset += string.getBytes().length;
            }
            MessageDigest md = MessageDigest.getInstance("SHA-1");
            byte[] mdResult = md.digest(sha1Input);
            this.encryptionKey = new byte[this.keyLength/8];
            System.arraycopy(mdResult, 0, this.encryptionKey, 0, this.keyLength/8);
            doc.setEncryptionDictionary(dictionary);
            doc.getDocument().setEncryptionDictionary(dictionary.encryptionDictionary);
        }
        catch(NoSuchAlgorithmException ex)
        {
            throw new CryptographyException(ex);
        }
        catch(NoSuchProviderException ex)
        {
            throw new CryptographyException(ex);
        }
        catch(Exception e)
        {
            e.printStackTrace();
            throw new CryptographyException(e);
        }
}

Prepare the document for encryption.