123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560 |
- /*
- * Licensed to the Apache Software Foundation (ASF) under one or more
- * contributor license agreements. See the NOTICE file distributed with
- * this work for additional information regarding copyright ownership.
- * The ASF licenses this file to You under the Apache License, Version 2.0
- * (the "License"); you may not use this file except in compliance with
- * the License. You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
- /* $Id$ */
-
- package org.apache.fop.pdf;
-
- import java.io.IOException;
- import java.io.OutputStream;
- import java.security.InvalidKeyException;
- import java.security.MessageDigest;
- import java.security.NoSuchAlgorithmException;
- import java.util.Arrays;
-
- import javax.crypto.BadPaddingException;
- import javax.crypto.Cipher;
- import javax.crypto.CipherOutputStream;
- import javax.crypto.IllegalBlockSizeException;
- import javax.crypto.NoSuchPaddingException;
- import javax.crypto.spec.SecretKeySpec;
-
- /**
- * An implementation of the Standard Security Handler.
- */
- public final class PDFEncryptionJCE extends PDFObject implements PDFEncryption {
-
- private final MessageDigest digest;
-
- private byte[] encryptionKey;
-
- private String encryptionDictionary;
-
- private class EncryptionInitializer {
-
- private final PDFEncryptionParams encryptionParams;
-
- private int encryptionLength;
-
- private int version;
-
- private int revision;
-
- EncryptionInitializer(PDFEncryptionParams params) {
- this.encryptionParams = new PDFEncryptionParams(params);
- }
-
- void init() {
- encryptionLength = encryptionParams.getEncryptionLengthInBits();
- determineEncryptionAlgorithm();
- int permissions = Permission.computePermissions(encryptionParams);
- EncryptionSettings encryptionSettings = new EncryptionSettings(
- encryptionLength, permissions,
- encryptionParams.getUserPassword(), encryptionParams.getOwnerPassword());
- InitializationEngine initializationEngine = (revision == 2)
- ? new Rev2Engine(encryptionSettings)
- : new Rev3Engine(encryptionSettings);
- initializationEngine.run();
- encryptionDictionary = createEncryptionDictionary(getObjectID(), permissions,
- initializationEngine.oValue, initializationEngine.uValue);
- }
-
- private void determineEncryptionAlgorithm() {
- if (isVersion1Revision2Algorithm()) {
- version = 1;
- revision = 2;
- } else {
- version = 2;
- revision = 3;
- }
- }
-
- private boolean isVersion1Revision2Algorithm() {
- return encryptionLength == 40
- && encryptionParams.isAllowFillInForms()
- && encryptionParams.isAllowAccessContent()
- && encryptionParams.isAllowAssembleDocument()
- && encryptionParams.isAllowPrintHq();
- }
-
- private String createEncryptionDictionary(final String objectId, final int permissions,
- final byte[] oValue, final byte[] uValue) {
- return objectId
- + "<< /Filter /Standard\n"
- + "/V " + version + "\n"
- + "/R " + revision + "\n"
- + "/Length " + encryptionLength + "\n"
- + "/P " + permissions + "\n"
- + "/O " + PDFText.toHex(oValue) + "\n"
- + "/U " + PDFText.toHex(uValue) + "\n"
- + ">>\n"
- + "endobj\n";
- }
-
- }
-
- private static enum Permission {
-
- PRINT(3),
- EDIT_CONTENT(4),
- COPY_CONTENT(5),
- EDIT_ANNOTATIONS(6),
- FILL_IN_FORMS(9),
- ACCESS_CONTENT(10),
- ASSEMBLE_DOCUMENT(11),
- PRINT_HQ(12);
-
- private final int mask;
-
- /**
- * Creates a new permission.
- *
- * @param bit bit position for this permission, 1-based to match the PDF Reference
- */
- private Permission(int bit) {
- mask = 1 << (bit - 1);
- }
-
- private int removeFrom(int permissions) {
- return permissions - mask;
- }
-
- static int computePermissions(PDFEncryptionParams encryptionParams) {
- int permissions = -4;
-
- if (!encryptionParams.isAllowPrint()) {
- permissions = PRINT.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowCopyContent()) {
- permissions = COPY_CONTENT.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowEditContent()) {
- permissions = EDIT_CONTENT.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowEditAnnotations()) {
- permissions = EDIT_ANNOTATIONS.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowFillInForms()) {
- permissions = FILL_IN_FORMS.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowAccessContent()) {
- permissions = ACCESS_CONTENT.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowAssembleDocument()) {
- permissions = ASSEMBLE_DOCUMENT.removeFrom(permissions);
- }
- if (!encryptionParams.isAllowPrintHq()) {
- permissions = PRINT_HQ.removeFrom(permissions);
- }
- return permissions;
- }
- }
-
- private static final class EncryptionSettings {
-
- final int encryptionLength; // CSOK: VisibilityModifier
-
- final int permissions; // CSOK: VisibilityModifier
-
- final String userPassword; // CSOK: VisibilityModifier
-
- final String ownerPassword; // CSOK: VisibilityModifier
-
- EncryptionSettings(int encryptionLength, int permissions,
- String userPassword, String ownerPassword) {
- this.encryptionLength = encryptionLength;
- this.permissions = permissions;
- this.userPassword = userPassword;
- this.ownerPassword = ownerPassword;
- }
-
- }
-
- private abstract class InitializationEngine {
-
- /** Padding for passwords. */
- protected final byte[] padding = new byte[] {
- (byte) 0x28, (byte) 0xBF, (byte) 0x4E, (byte) 0x5E,
- (byte) 0x4E, (byte) 0x75, (byte) 0x8A, (byte) 0x41,
- (byte) 0x64, (byte) 0x00, (byte) 0x4E, (byte) 0x56,
- (byte) 0xFF, (byte) 0xFA, (byte) 0x01, (byte) 0x08,
- (byte) 0x2E, (byte) 0x2E, (byte) 0x00, (byte) 0xB6,
- (byte) 0xD0, (byte) 0x68, (byte) 0x3E, (byte) 0x80,
- (byte) 0x2F, (byte) 0x0C, (byte) 0xA9, (byte) 0xFE,
- (byte) 0x64, (byte) 0x53, (byte) 0x69, (byte) 0x7A};
-
- protected final int encryptionLengthInBytes;
-
- private final int permissions;
-
- private byte[] oValue;
-
- private byte[] uValue;
-
- private final byte[] preparedUserPassword;
-
- protected final String ownerPassword;
-
- InitializationEngine(EncryptionSettings encryptionSettings) {
- this.encryptionLengthInBytes = encryptionSettings.encryptionLength / 8;
- this.permissions = encryptionSettings.permissions;
- this.preparedUserPassword = preparePassword(encryptionSettings.userPassword);
- this.ownerPassword = encryptionSettings.ownerPassword;
- }
-
- void run() {
- oValue = computeOValue();
- createEncryptionKey();
- uValue = computeUValue();
- }
-
- /**
- * Applies Algorithm 3.3 Page 79 of the PDF 1.4 Reference.
- *
- * @return the O value
- */
- private byte[] computeOValue() {
- // Step 1
- byte[] md5Input = prepareMD5Input();
- // Step 2
- digest.reset();
- byte[] hash = digest.digest(md5Input);
- // Step 3
- hash = computeOValueStep3(hash);
- // Step 4
- byte[] key = new byte[encryptionLengthInBytes];
- System.arraycopy(hash, 0, key, 0, encryptionLengthInBytes);
- // Steps 5, 6
- byte[] encryptionResult = encryptWithKey(key, preparedUserPassword);
- // Step 7
- encryptionResult = computeOValueStep7(key, encryptionResult);
- // Step 8
- return encryptionResult;
- }
-
- /**
- * Applies Algorithm 3.2 Page 78 of the PDF 1.4 Reference.
- */
- private void createEncryptionKey() {
- // Steps 1, 2
- digest.reset();
- digest.update(preparedUserPassword);
- // Step 3
- digest.update(oValue);
- // Step 4
- digest.update((byte) (permissions >>> 0));
- digest.update((byte) (permissions >>> 8));
- digest.update((byte) (permissions >>> 16));
- digest.update((byte) (permissions >>> 24));
- // Step 5
- digest.update(getDocumentSafely().getFileIDGenerator().getOriginalFileID());
- byte[] hash = digest.digest();
- // Step 6
- hash = createEncryptionKeyStep6(hash);
- // Step 7
- encryptionKey = new byte[encryptionLengthInBytes];
- System.arraycopy(hash, 0, encryptionKey, 0, encryptionLengthInBytes);
- }
-
- protected abstract byte[] computeUValue();
-
- /**
- * Adds padding to the password as directed in page 78 of the PDF 1.4 Reference.
- *
- * @param password the password
- * @return the password with additional padding if necessary
- */
- private byte[] preparePassword(String password) {
- int finalLength = 32;
- byte[] preparedPassword = new byte[finalLength];
- byte[] passwordBytes = password.getBytes();
- System.arraycopy(passwordBytes, 0, preparedPassword, 0, passwordBytes.length);
- System.arraycopy(padding, 0, preparedPassword, passwordBytes.length,
- finalLength - passwordBytes.length);
- return preparedPassword;
- }
-
- private byte[] prepareMD5Input() {
- if (ownerPassword.length() != 0) {
- return preparePassword(ownerPassword);
- } else {
- return preparedUserPassword;
- }
- }
-
- protected abstract byte[] computeOValueStep3(byte[] hash);
-
- protected abstract byte[] computeOValueStep7(byte[] key, byte[] encryptionResult);
-
- protected abstract byte[] createEncryptionKeyStep6(byte[] hash);
-
- }
-
- private class Rev2Engine extends InitializationEngine {
-
- Rev2Engine(EncryptionSettings encryptionSettings) {
- super(encryptionSettings);
- }
-
- @Override
- protected byte[] computeOValueStep3(byte[] hash) {
- return hash;
- }
-
- @Override
- protected byte[] computeOValueStep7(byte[] key, byte[] encryptionResult) {
- return encryptionResult;
- }
-
- @Override
- protected byte[] createEncryptionKeyStep6(byte[] hash) {
- return hash;
- }
-
- @Override
- protected byte[] computeUValue() {
- return encryptWithKey(encryptionKey, padding);
- }
-
- }
-
- private class Rev3Engine extends InitializationEngine {
-
- Rev3Engine(EncryptionSettings encryptionSettings) {
- super(encryptionSettings);
- }
-
- @Override
- protected byte[] computeOValueStep3(byte[] hash) {
- for (int i = 0; i < 50; i++) {
- hash = digest.digest(hash);
- }
- return hash;
- }
-
- @Override
- protected byte[] computeOValueStep7(byte[] key, byte[] encryptionResult) {
- return xorKeyAndEncrypt19Times(key, encryptionResult);
- }
-
- @Override
- protected byte[] createEncryptionKeyStep6(byte[] hash) {
- for (int i = 0; i < 50; i++) {
- digest.update(hash, 0, encryptionLengthInBytes);
- hash = digest.digest();
- }
- return hash;
- }
-
- @Override
- protected byte[] computeUValue() {
- // Step 1 is encryptionKey
- // Step 2
- digest.reset();
- digest.update(padding);
- // Step 3
- digest.update(getDocumentSafely().getFileIDGenerator().getOriginalFileID());
- // Step 4
- byte[] encryptionResult = encryptWithKey(encryptionKey, digest.digest());
- // Step 5
- encryptionResult = xorKeyAndEncrypt19Times(encryptionKey, encryptionResult);
- // Step 6
- byte[] uValue = new byte[32];
- System.arraycopy(encryptionResult, 0, uValue, 0, 16);
- // Add the arbitrary padding
- Arrays.fill(uValue, 16, 32, (byte) 0);
- return uValue;
- }
-
- private byte[] xorKeyAndEncrypt19Times(byte[] key, byte[] input) {
- byte[] result = input;
- byte[] encryptionKey = new byte[key.length];
- for (int i = 1; i <= 19; i++) {
- for (int j = 0; j < key.length; j++) {
- encryptionKey[j] = (byte) (key[j] ^ i);
- }
- result = encryptWithKey(encryptionKey, result);
- }
- return result;
- }
-
- }
-
- private class EncryptionFilter extends PDFFilter {
-
- private int streamNumber;
-
- private int streamGeneration;
-
- EncryptionFilter(int streamNumber, int streamGeneration) {
- this.streamNumber = streamNumber;
- this.streamGeneration = streamGeneration;
- }
-
- /**
- * Returns a PDF string representation of this filter.
- *
- * @return the empty string
- */
- public String getName() {
- return "";
- }
-
- /**
- * Returns a parameter dictionary for this filter.
- *
- * @return null, this filter has no parameters
- */
- public PDFObject getDecodeParms() {
- return null;
- }
-
- /** {@inheritDoc} */
- public OutputStream applyFilter(OutputStream out) throws IOException {
- byte[] key = createEncryptionKey(streamNumber, streamGeneration);
- Cipher cipher = initCipher(key);
- return new CipherOutputStream(out, cipher);
- }
-
- }
-
- private PDFEncryptionJCE(int objectNumber, PDFEncryptionParams params, PDFDocument pdf) {
- setObjectNumber(objectNumber);
- try {
- digest = MessageDigest.getInstance("MD5");
- } catch (NoSuchAlgorithmException e) {
- throw new UnsupportedOperationException(e.getMessage());
- }
- setDocument(pdf);
- EncryptionInitializer encryptionInitializer = new EncryptionInitializer(params);
- encryptionInitializer.init();
- }
-
- /**
- * Creates and returns an encryption object.
- *
- * @param objectNumber the object number for the encryption dictionary
- * @param params the encryption parameters
- * @param pdf the PDF document to be encrypted
- * @return the newly created encryption object
- */
- public static PDFEncryption make(
- int objectNumber, PDFEncryptionParams params, PDFDocument pdf) {
- return new PDFEncryptionJCE(objectNumber, params, pdf);
- }
-
- /** {@inheritDoc} */
- public byte[] encrypt(byte[] data, PDFObject refObj) {
- PDFObject o = refObj;
- while (o != null && !o.hasObjectNumber()) {
- o = o.getParent();
- }
- if (o == null) {
- throw new IllegalStateException("No object number could be obtained for a PDF object");
- }
- byte[] key = createEncryptionKey(o.getObjectNumber(), o.getGeneration());
- return encryptWithKey(key, data);
- }
-
- /** {@inheritDoc} */
- public void applyFilter(AbstractPDFStream stream) {
- stream.getFilterList().addFilter(
- new EncryptionFilter(stream.getObjectNumber(), stream.getGeneration()));
- }
-
- /**
- * Prepares the encryption dictionary for output to a PDF file.
- *
- * @return the encryption dictionary as a byte array
- */
- public byte[] toPDF() {
- assert encryptionDictionary != null;
- return encode(this.encryptionDictionary);
- }
-
- /** {@inheritDoc} */
- public String getTrailerEntry() {
- PDFDocument doc = getDocumentSafely();
- FileIDGenerator gen = doc.getFileIDGenerator();
- return "/Encrypt " + getObjectNumber() + " "
- + getGeneration() + " R\n"
- + "/ID["
- + PDFText.toHex(gen.getOriginalFileID())
- + PDFText.toHex(gen.getUpdatedFileID())
- + "]\n";
- }
-
- private static byte[] encryptWithKey(byte[] key, byte[] data) {
- try {
- final Cipher c = initCipher(key);
- return c.doFinal(data);
- } catch (IllegalBlockSizeException e) {
- throw new IllegalStateException(e.getMessage());
- } catch (BadPaddingException e) {
- throw new IllegalStateException(e.getMessage());
- }
- }
-
- private static Cipher initCipher(byte[] key) {
- try {
- Cipher c = Cipher.getInstance("RC4");
- SecretKeySpec keyspec = new SecretKeySpec(key, "RC4");
- c.init(Cipher.ENCRYPT_MODE, keyspec);
- return c;
- } catch (InvalidKeyException e) {
- throw new IllegalStateException(e);
- } catch (NoSuchAlgorithmException e) {
- throw new UnsupportedOperationException(e);
- } catch (NoSuchPaddingException e) {
- throw new UnsupportedOperationException(e);
- }
- }
-
- /**
- * Applies Algorithm 3.1 from the PDF 1.4 Reference.
- *
- * @param objectNumber the object number
- * @param generationNumber the generation number
- * @return the key to use for encryption
- */
- private byte[] createEncryptionKey(int objectNumber, int generationNumber) {
- // Step 1 passed in
- // Step 2
- byte[] md5Input = prepareMD5Input(objectNumber, generationNumber);
- // Step 3
- digest.reset();
- byte[] hash = digest.digest(md5Input);
- // Step 4
- int keyLength = Math.min(16, md5Input.length);
- byte[] key = new byte[keyLength];
- System.arraycopy(hash, 0, key, 0, keyLength);
- return key;
- }
-
- private byte[] prepareMD5Input(int objectNumber, int generationNumber) {
- byte[] md5Input = new byte[encryptionKey.length + 5];
- System.arraycopy(encryptionKey, 0, md5Input, 0, encryptionKey.length);
- int i = encryptionKey.length;
- md5Input[i++] = (byte) (objectNumber >>> 0);
- md5Input[i++] = (byte) (objectNumber >>> 8);
- md5Input[i++] = (byte) (objectNumber >>> 16);
- md5Input[i++] = (byte) (generationNumber >>> 0);
- md5Input[i++] = (byte) (generationNumber >>> 8);
- return md5Input;
- }
-
- }
|