Class PublicKeyEncryptionHandler

  • All Implemented Interfaces:
    Cloneable
    Direct Known Subclasses:
    PublicKeyPromptEncryptionHandler

    public class PublicKeyEncryptionHandler
    extends EncryptionHandler

    The PublicKeyEncryptionHandler can be used to encrypt and decrypt documents using public/private key encryption, so documents can only be opened by someone in possession of the private key. This form of encryption requires key management, so it is not as widely supported as password encryption; however, dedicated PDF viewers (including Acrobat and Foxit) should support it.

    To encrypt a document you need the X.509 certificates of the recipients - multiple recipients are allowed. RSA and (since 2.28.5) Elliptic Curve keys are supported.

    Typically you'd get the certificate from a KeyStore, as in this example:

     KeyStore keystore = KeyStore.getInstance("PKCS12");
     // Close the keystore file once it has been read
     try (InputStream in = new FileInputStream("keystore.p12")) {
         keystore.load(in, "password".toCharArray());
     }
     X509Certificate cert = (X509Certificate)keystore.getCertificate("john");
    
     PublicKeyEncryptionHandler handler = new PublicKeyEncryptionHandler(PublicKeyEncryptionHandler.METHOD_AES256);
     handler.addRecipient(cert, StandardEncryptionHandler.PRINT_HIGHRES,
                                StandardEncryptionHandler.CHANGE_ALL,
                                StandardEncryptionHandler.EXTRACT_ALL);
    
     pdf.setEncryptionHandler(handler);
     

    Other ways to get a certificate include using the FormSignature.loadPKCS7KeyStore(java.io.InputStream) method to load your X.509 certificates from a PKCS#7 object, or the CertificateFactory class to load the certificate from .cer files exported by Acrobat:

     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     X509Certificate cert;
     // Close the certificate file once it has been parsed
     try (InputStream fis = new FileInputStream("certificate.cer")) {
         cert = (X509Certificate)cf.generateCertificate(fis);
     }
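
The two steps above combined for several recipients, with each certificate checked before it is added. This is an added example, not code from the library or its documentation; the class and method names are hypothetical, and the `org.faceless.pdf2` package name is an assumption because this page does not state it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.List;
import org.faceless.pdf2.*;   // assumed package of the classes documented on this page

public class RecipientEncryption {            // hypothetical class name

    private static boolean bit(boolean[] usage, int i) {
        return i < usage.length && usage[i];
    }

    // Load one certificate from a .cer file and reject it if it is outside its
    // validity period or its keyUsage extension does not permit encrypting to it.
    // Only dates and key usage are checked here; chain trust is not verified.
    static X509Certificate loadRecipient(String path) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(path)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                       .generateCertificate(in);
        }
        cert.checkValidity();                 // throws if expired or not yet valid
        boolean[] usage = cert.getKeyUsage(); // null when the extension is absent
        // Bit 2 = keyEncipherment (RSA), bit 4 = keyAgreement (Elliptic Curve)
        if (usage != null && !bit(usage, 2) && !bit(usage, 4)) {
            throw new CertificateException(
                "Not usable for encryption: " + cert.getSubjectX500Principal());
        }
        return cert;
    }

    // Build one AES-256 handler for all recipients; a single bad certificate
    // aborts the whole operation rather than silently dropping that recipient.
    static PublicKeyEncryptionHandler handlerFor(List<String> certPaths) throws Exception {
        if (certPaths.isEmpty()) throw new IllegalArgumentException("no recipients");
        PublicKeyEncryptionHandler handler =
            new PublicKeyEncryptionHandler(PublicKeyEncryptionHandler.METHOD_AES256);
        for (String path : certPaths) {
            handler.addRecipient(loadRecipient(path),
                                 StandardEncryptionHandler.PRINT_HIGHRES,
                                 StandardEncryptionHandler.CHANGE_ALL,
                                 StandardEncryptionHandler.EXTRACT_ALL);
        }
        return handler;
    }
}
```

The returned handler is passed to `pdf.setEncryptionHandler(...)` exactly as in the KeyStore example; the file names given to `handlerFor` are whatever `.cer` files the recipients supplied.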
     

    To decrypt a document, you will need a KeyStore containing a private key that matches a public key used to encrypt the document.

     KeyStore keystore = KeyStore.getInstance("PKCS12");
     // Close the keystore file once it has been read
     try (InputStream in = new FileInputStream("keystore.p12")) {
         keystore.load(in, "storepassword".toCharArray());
     }
     EncryptionHandler handler = new PublicKeyEncryptionHandler(keystore,
                                                                null,
                                                                "keypassword".toCharArray());
     PDF pdf = new PDF(new PDFReader(new File("encrypted.pdf"), handler));
     
    Since:
    2.2.5
    See Also:
    PDFReader(InputStream,EncryptionHandler), StandardEncryptionHandler
    • Field Detail

      • METHOD_RC4_3DES128_OLD

        public static final int METHOD_RC4_3DES128_OLD
        A constant that can be passed to the constructor to encrypt using the 128-bit RC4/3DES ciphers and the original method defined in PDF 1.4 and supported in Acrobat 5.
        Since:
        2.2.5, with the constant added in 2.28.5
        See Also:
        Constant Field Values
      • METHOD_RC4_3DES128

        public static final int METHOD_RC4_3DES128
        A constant that can be passed to the constructor to encrypt using the 128-bit RC4/3DES ciphers defined in PDF 1.5 and supported in Acrobat 6. First added to the API in 2.2.5.
        Since:
        2.2.5, with the constant added in 2.28.5
        See Also:
        Constant Field Values
      • METHOD_AES128

        public static final int METHOD_AES128
        A constant that can be passed to the constructor to encrypt using the 128-bit AES ciphers defined in PDF 1.6 and supported in Acrobat 7. First added to the API in 2.8.2.
        Since:
        2.8.2, with the constant added in 2.28.5
        See Also:
        Constant Field Values
      • METHOD_AES256

        public static final int METHOD_AES256
        A constant that can be passed to the constructor to encrypt using the 256-bit AES ciphers defined in PDF 2.0 (ISO 32000-2).
        Since:
        2.28.5
        See Also:
        Constant Field Values
      • METHOD_AES256_GCM

        public static final int METHOD_AES256_GCM
        A constant that can be passed to the constructor to encrypt using the 256-bit AES ciphers in Galois Counter Mode, defined in ISO 32003.
        Since:
        2.28.5
        See Also:
        Constant Field Values
    • Constructor Detail

      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler()
        Create a new PublicKeyEncryptionHandler for decrypting a document encrypted with the Adobe.PubSec public key encryption handler. This constructor must be followed by a call to setDecryptionKey().
        Since:
        2.8.2
      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler(KeyStore keystore,
                                          String alias,
                                          char[] password)
                                   throws GeneralSecurityException
        Create a new PublicKeyEncryptionHandler for decrypting a document encrypted with the Adobe.PubSec public key encryption handler.
        Parameters:
        keystore - the KeyStore containing the private key to decrypt the document with
        alias - the alias of the key to use, or null to use the first key that fits
        password - the password to decrypt the private key, or null if no password is required
        Throws:
        GeneralSecurityException
        Since:
        2.2.5
      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler(int method)
        Create a new PublicKeyEncryptionHandler for encrypting a document. Recipients can be added using the addRecipient() method. The parameter should be one of the METHOD constants defined in this class (prior to release 2.28.5 the supplied value was an "acrobat version number", but it has been redefined using these constants).
        Parameters:
        method - one of METHOD_RC4_3DES128_OLD, METHOD_RC4_3DES128, METHOD_AES128, METHOD_AES256 or METHOD_AES256_GCM
        Since:
        2.2.5