Class PublicKeyEncryptionHandler

  • All Implemented Interfaces:
    Direct Known Subclasses:

    public class PublicKeyEncryptionHandler
    extends EncryptionHandler

    The PublicKeyEncryptionHandler can be used to encrypt and decrypt documents using public/private key Encryption, so documents can only be opened by certain individuals. It requires Java 1.4 or later, as it uses the javax.crypto package. The resulting documents can be opened in Acrobat 5 or later with the appropriate private key.

    We're going to assume you're familiar with public key cryptography if you're using this class, and instead jump straight in and give a couple of examples showing how to decrypt and encrypt a document. First, some important notes:

    1. This handler only works with Java 1.4 or above
    2. You must download and install the unrestricted policy files for the Sun JCE. You can download these from the same place you download Java - for Suns current 1.4.2 release, they are available at If they're not installed, you'll see an exception like: java.lang.SecurityException: Unsupported keysize or algorithm parameters
    3. You will need a JCE provider that implements the ciphers you need. Any JCE provider should work, including the default Sun JCE provider and the Bouncy Castle provider (available at

    Once these steps are done, to encrypt a document you need the X.509 certificate of the person you're sending it to. Typically you'd get this from a KeyStore, as in this example:

     KeyStore keystore = KeyStore.getInstance("PKCS12");
     keystore.load(new FileInputStream("keystore.p12"), "password".toCharArray());
     X509Certificate cert = (X509Certificate)keystore.getCertificate("john");
     PublicKeyEncryptionHandler handler = new PublicKeyEncryptionHandler(5);
     handler.addRecipient(cert, StandardEncryptionHandler.PRINT_HIGHRES,

    Other ways to get a certificate include using the FormSignature.loadPKCS7KeyStore( method to load your X.509 certificates from a PKCS#7 object, or the CertificateFactory class to load the certificate from .cer files exported by Acrobat:

     FileInputStream fis = new FileInputStream("certificate.cer");
     CertificateFactory cf = CertificateFactory.getInstance("X.509");
     X509Certificate cert = (X509Certificate)cf.generateCertificate(fis);

    To decrypt a document, you will need a KeyStore containing a private key that matches the public key used to encrypt the document. Typically this will be done like so:

     KeyStore keystore = KeyStore.getInstance("PKCS12");
     keystore.load(new FileInputStream("keystore.p12"), "storepassword".toCharArray());
     EncryptionHandler handler = new PublicKeyEncryptionHandler(keystore,
     PDF pdf = new PDF(new PDFReader(new File("encrypted.pdf"), handler));
    See Also:
    FormSignature, PDFReader(InputStream,EncryptionHandler), StandardEncryptionHandler
    • Constructor Detail

      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler()
        Create a new PublicKeyEncryptionHandler for decrypting a document encrypted with the Adobe.PubSec public key encryption handler. This constructor must be followed by a call to setDecryptionKey().
      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler​(KeyStore keystore,
                                          String alias,
                                          char[] password)
                                   throws GeneralSecurityException
        Create a new PublicKeyEncryptionHandler for decrypting a document encrypted with the Adobe.PubSec public key encryption handler.
        keystore - the KeyStore containing the private key to decrypt the document with
        alias - the alias of the key to use, or null to use the first key that fits
        password - the password to decrypt the private key, or null if no password is required
      • PublicKeyEncryptionHandler

        public PublicKeyEncryptionHandler​(int acrobatversion)
        Create a new PublicKeyEncryptionHandler for encrypting a document. Recipients can be added using the addRecipient() method. The version number specifies the minimum release of Acrobat required to open the document - valid values are from 5 to 8, to target Acrobat 5.0 to 8.0 respectively. Targetting Acrobat 7.0 or above will result in the AES cipher being used if it's available. Targetting earlier version will use the RC4 cipher.
        acrobatversion - the version of Acrobat that is being targeted. Must be between 5 and 8.