Class StandardEncryptionHandler
- java.lang.Object
-
- org.faceless.pdf2.EncryptionHandler
-
- org.faceless.pdf2.StandardEncryptionHandler
-
- All Implemented Interfaces:
java.lang.Cloneable
public class StandardEncryptionHandler extends EncryptionHandler
Represents the standard Acrobat encryption algorithm, both 40-bit and 128-bit variants. The only methods the end-user need worry about are
setUserPassword(java.lang.String)
,setOwnerPassword(java.lang.String)
, and choosing an appropriate encryption level by calling one ofsetAcrobat3Level
for 40-bit RC4setAcrobat5Level
for 128-bit RC4 (old style)setAcrobat6Level
for 128-bit RC4, first specified in PDF 1.5setAcrobat7Level
for 128-bit AES, first specified in PDF 1.6setAcrobatXLevel
for 256-bit AES, first specified in PDF 1.7ext8 and first supported in Acrobat XsetAES256_GCM
for 256-bit AES/GCM, first specified in ISO 32003
Unless you are generating a PDF for a specific workflow that requires an older encryption standard we strongly 256-bit AES, which was first specified in 2011 and is very widely supported. But note that the AES/GCM-256 mode was first specified in 2023, added to this API around April 2024: this encryption mode was not supported by any other product at that point.
A typical use would be to create a PDF document that cannot be printed. This is done like so:
StandardEncryptionHandler encrypt = new StandardEncryptionHandler(); encrypt.setAcrobatXLevel(encrypt.PRINT_NONE, encrypt.EXTRACT_ALL, encrypt.CHANGE_ALL, true); pdf.setEncryptionHandler(encrypt);
For reading a document with a password, the
PDFReader
class has a convenience method whereby a password can be passed in as aString
to decrypt. However, if you wanted to pass in anEncryptionHandler
that would have the same result, you could do this:StandardEncryptionHandler encrypt = new StandardEncryptionHandler(); encrypt.setUserPassword("secret"); PDFReader reader = new PDFReader(inputstream, encrypt); inputstream.close(); PDF pdf = new PDF(reader);
-
-
Field Summary
Fields Modifier and Type Field Description static int
CHANGE_ALL
Parameter tosetAcrobat5Level(int, int, int)
to allow the document to be modified in any waystatic int
CHANGE_ANNOTATIONS
Parameter tosetAcrobat5Level(int, int, int)
to allow form fields and annotations to be added or modifiedstatic int
CHANGE_FORMS
Parameter tosetAcrobat5Level(int, int, int)
to allow only form fields to be completedstatic int
CHANGE_LAYOUT
Parameter tosetAcrobat5Level(int, int, int)
to allow only pages to be inserted, deleted, rotated and reorderedstatic int
CHANGE_NONE
Parameter tosetAcrobat5Level(int, int, int)
to disallow all changes to the documentstatic int
EXTRACT_ACCESSIBILITY
Parameter tosetAcrobat5Level(int, int, int)
to allow the limited copying of images and text for the purposes of accessibility for disabled usersstatic int
EXTRACT_ALL
Parameter tosetAcrobat5Level(int, int, int)
to allow copying of images and text from the document.static int
EXTRACT_NONE
Parameter tosetAcrobat5Level(int, int, int)
to prevent any copying of images of textstatic int
PRINT_HIGHRES
Parameter tosetAcrobat5Level(int, int, int)
to allow full print accessstatic int
PRINT_LOWRES
Parameter tosetAcrobat5Level(int, int, int)
to limit printing to lo-res (theoretically about 150dpi)static int
PRINT_NONE
Parameter tosetAcrobat5Level(int, int, int)
to prevent printing altogether
-
Constructor Summary
Constructors Constructor Description StandardEncryptionHandler()
Create a new StandardEncryptionHandler for encryption or decryption of documents.StandardEncryptionHandler(java.lang.String password)
Create a new StandardEncryptionHandler with the password specified.
-
Method Summary
All Methods Instance Methods Concrete Methods Deprecated Methods Modifier and Type Method Description java.lang.Object
clone()
boolean
equals(java.lang.Object o)
void
finishedDecrypt()
This method is called after the PDF has been read.void
finishedEncrypt()
This method is called after the PDF has been written.int
getChange()
Return the value of the "Change" flagsint
getDecryptedStreamLength(int len)
Return the length that an encrypted stream o the specified length would be after decryption.java.io.InputStream
getDecryptionStream(java.io.InputStream in, int num, int gen)
Return aFilterInputStream
that will decrypt anything read from it.java.lang.String
getDescription()
Return a textual description of the algorithm usedint
getEncryptedStreamLength(int len)
Return the length that a stream of the specified length would be after encryption.java.io.OutputStream
getEncryptionStream(java.io.OutputStream out, int num, int gen)
Return aFilterOutputStream
that will encrypt anything written to it.int
getExtract()
Return the value of the "Extract" flagsjava.lang.String
getFilterName()
Return the name of the "Filter" field in the Encryption dictionary.int
getPrint()
Return the value of the "Print" flagsjava.lang.String
getSubFilterName()
Return the name of the "Subfilter" field in the Encryption dictionary.int
getVersion()
Return the version of the encryption algorithm used.int
hashCode()
boolean
hasRight(java.lang.String right)
Returns true if the EncryptionHandler wil grant the specified right to the PDF library.boolean
isEmbeddedFileEncrypted()
This method returns true if Embedded Files in the document should be stored encrypted.boolean
isMetadataEncrypted()
This method returns true if XMP MetaData should be stored encrypted, or false otherwise.boolean
isOwnerPasswordKnown()
Return true if the Owner password was used to open this PDF, false if the User password was used.boolean
isRequired()
This method should returntrue
if the document needs to be encrypted.boolean
isStreamEncrypted()
This method returns true if Streams in the document should be stored encrypted.boolean
isStringEncrypted()
This method returns true if Strings in the document should be stored encrypted.void
prepareToDecrypt()
This method is called just before the PDF is read in.void
prepareToEncrypt()
This method is called when the PDF is about to be written out.void
setAcrobat3Level(boolean print, boolean annotations, boolean extraction, boolean change)
Set the access levels for Acrobat 3 and greater.void
setAcrobat5Level(int print, int extraction, int change)
Set the access levels for Acrobat 5 and greater.void
setAcrobat6Level(int print, int extraction, int change, boolean encryptmetadata)
Set the access levels for Acrobat 6 and greater.void
setAcrobat7Level(int print, int extraction, int change, boolean encryptmetadata)
Set the access levels for Acrobat 7 and greater.void
setAcrobat9Level(int print, int extraction, int change, boolean encryptmetadata)
Deprecated.the encryption algorithm used by Acrobat 9 has ben found to be less secure than the algorithm used by Acrobat 7, so as of 2.11.19 a request for Acrobat 9 encryption will fall back to Acrobat 7 encryption.void
setAcrobatXLevel(int print, int extraction, int change, boolean encryptmetadata)
Set the access levels for Acrobat X and greater.void
setAES256_GCM(int print, int extraction, int change, boolean encryptmetadata)
Set the access levels and use AES256/GCM encryption, which was added in ISO 32003.void
setOwnerPassword(java.lang.String password)
Set the "security" password for the PDF document - the password required to change the security settings of the document (the access level and the open password).void
setUserPassword(java.lang.String password)
Set the password required to open the document (also called the "User" password).-
Methods inherited from class org.faceless.pdf2.EncryptionHandler
containsKey, getArrayValueSize, getBooleanValue, getDictionaryValueKeys, getFileId, getIntegerValue, getNameValue, getNumericValue, getStringValue, getTextStringValue, isChanged, markChanged, putArrayValue, putBooleanValue, putDictionaryValue, putNameValue, putNumericValue, putStringValue, putTextStringValue, setFileId
-
-
-
-
Field Detail
-
PRINT_NONE
public static final int PRINT_NONE
Parameter tosetAcrobat5Level(int, int, int)
to prevent printing altogether- See Also:
- Constant Field Values
-
PRINT_LOWRES
public static final int PRINT_LOWRES
Parameter tosetAcrobat5Level(int, int, int)
to limit printing to lo-res (theoretically about 150dpi)- See Also:
- Constant Field Values
-
PRINT_HIGHRES
public static final int PRINT_HIGHRES
Parameter tosetAcrobat5Level(int, int, int)
to allow full print access- See Also:
- Constant Field Values
-
EXTRACT_NONE
public static final int EXTRACT_NONE
Parameter tosetAcrobat5Level(int, int, int)
to prevent any copying of images of text- See Also:
- Constant Field Values
-
EXTRACT_ACCESSIBILITY
public static final int EXTRACT_ACCESSIBILITY
Parameter tosetAcrobat5Level(int, int, int)
to allow the limited copying of images and text for the purposes of accessibility for disabled users- See Also:
- Constant Field Values
-
EXTRACT_ALL
public static final int EXTRACT_ALL
Parameter tosetAcrobat5Level(int, int, int)
to allow copying of images and text from the document.- See Also:
- Constant Field Values
-
CHANGE_NONE
public static final int CHANGE_NONE
Parameter tosetAcrobat5Level(int, int, int)
to disallow all changes to the document- See Also:
- Constant Field Values
-
CHANGE_LAYOUT
public static final int CHANGE_LAYOUT
Parameter tosetAcrobat5Level(int, int, int)
to allow only pages to be inserted, deleted, rotated and reordered- See Also:
- Constant Field Values
-
CHANGE_FORMS
public static final int CHANGE_FORMS
Parameter tosetAcrobat5Level(int, int, int)
to allow only form fields to be completed- See Also:
- Constant Field Values
-
CHANGE_ANNOTATIONS
public static final int CHANGE_ANNOTATIONS
Parameter tosetAcrobat5Level(int, int, int)
to allow form fields and annotations to be added or modified- See Also:
- Constant Field Values
-
CHANGE_ALL
public static final int CHANGE_ALL
Parameter tosetAcrobat5Level(int, int, int)
to allow the document to be modified in any way- See Also:
- Constant Field Values
-
-
Constructor Detail
-
StandardEncryptionHandler
public StandardEncryptionHandler()
Create a new StandardEncryptionHandler for encryption or decryption of documents. The default access level is 40-bit RC4 encryption with everything allowed (ie. the same as callingsetAcrobat3Level(true,true,true,true)
)- Since:
- 2.0
-
StandardEncryptionHandler
public StandardEncryptionHandler(java.lang.String password)
Create a new StandardEncryptionHandler with the password specified. Calls the no-argument constructor and thensetUserPassword(java.lang.String)
.- Parameters:
password
- the password- Since:
- 2.26
-
-
Method Detail
-
hashCode
public int hashCode()
- Overrides:
hashCode
in classjava.lang.Object
-
equals
public boolean equals(java.lang.Object o)
- Overrides:
equals
in classjava.lang.Object
-
clone
public java.lang.Object clone()
- Overrides:
clone
in classEncryptionHandler
-
setOwnerPassword
public void setOwnerPassword(java.lang.String password)
Set the "security" password for the PDF document - the password required to change the security settings of the document (the access level and the open password). If you don't anticipate changing the security settings at a later date, you can leave this blank.
- Since:
- 2.0
-
setUserPassword
public void setUserPassword(java.lang.String password)
Set the password required to open the document (also called the "User" password). It can be left blank, in which case anyone can open the document with out a password- Since:
- 2.0
-
setAcrobat3Level
public void setAcrobat3Level(boolean print, boolean annotations, boolean extraction, boolean change)
Set the access levels for Acrobat 3 and greater. The document will be encrypted using 40-bit RC4 encryption, so that any browser after Acrobat 3 can open the document.- Parameters:
print
- true if the document can be printedannotations
- true if form field and other annotations can be added or editedextraction
- true if text and images can be copied from the documentchange
- true if the document can have pages added, deleted, reordered or rotated- Since:
- 2.0
-
setAcrobat5Level
public void setAcrobat5Level(int print, int extraction, int change)
Set the access levels for Acrobat 5 and greater. The document will be encrypted using 128-bit RC4 encryption, so that only Acrobat 5.0 and later browsers can open the document.
The various parameter control the level of printing, the level of data extraction and the types of changes that can be made to the document.
- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
- Since:
- 2.0
-
setAcrobat6Level
public void setAcrobat6Level(int print, int extraction, int change, boolean encryptmetadata)
Set the access levels for Acrobat 6 and greater. Acrobat 6 encryption is identical to Acrobat 5 except that it optionally allows leaving XMP MetaData unencrypted. Because of this, if the
encryptmetadata
param is set to true, this method is identical to callingsetAcrobat5Level(int, int, int)
.- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
encryptmetadata
- whether to encrypt the XMP metadata- Since:
- 2.0.1
-
setAcrobat7Level
public void setAcrobat7Level(int print, int extraction, int change, boolean encryptmetadata) throws java.security.NoSuchAlgorithmException
Set the access levels for Acrobat 7 and greater. Acrobat 7 encryption is identical to Acrobat 6 except that the Advanced Encryption Standard (AES) is used as the block cipher rather than RC4. Documents encrypted with AES can only be opened in Acrobat 7.0 or later. AES encryption requires the JCE to be installed - in practice this means Java 1.4 or later is required.
- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
encryptmetadata
- whether to encrypt the XMP metadata- Throws:
java.security.NoSuchAlgorithmException
- if the AES cipher isn't available- Since:
- 2.4.3
-
setAcrobat9Level
@Deprecated public void setAcrobat9Level(int print, int extraction, int change, boolean encryptmetadata) throws java.security.NoSuchAlgorithmException
Deprecated.the encryption algorithm used by Acrobat 9 has ben found to be less secure than the algorithm used by Acrobat 7, so as of 2.11.19 a request for Acrobat 9 encryption will fall back to Acrobat 7 encryption.Set the access levels for Acrobat 9 and greater. Acrobat 9 encryption is identical to Acrobat 7 except that the key length for the AES block cipher is 256 bit rather than 128. Documents encrypted this way can only be opened with Acrobat 9.0 or later.
Users of Sun JVMs will require the "unlimited strength" policy files to use AES256 encryption, and other JVMs may have similar requirements.
- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
encryptmetadata
- whether to encrypt the XMP metadata- Throws:
java.security.NoSuchAlgorithmException
- if the AES cipher isn't available- Since:
- 2.11
-
setAcrobatXLevel
public void setAcrobatXLevel(int print, int extraction, int change, boolean encryptmetadata) throws java.security.NoSuchAlgorithmException
Set the access levels for Acrobat X and greater. Acrobat X encryption is identical to Acrobat 7 except that the key length for the AES block cipher is 256 bit rather than 128. Documents encrypted this way can only be opened with Acrobat X or later.
Users of Sun JVMs will require the "unlimited strength" policy files to use AES256 encryption, and other JVMs may have similar requirements.
- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
encryptmetadata
- whether to encrypt the XMP metadata- Throws:
java.security.NoSuchAlgorithmException
- if the AES cipher isn't available- Since:
- 2.11.23
-
setAES256_GCM
public void setAES256_GCM(int print, int extraction, int change, boolean encryptmetadata) throws java.security.NoSuchAlgorithmException
Set the access levels and use AES256/GCM encryption, which was added in ISO 32003.
- Parameters:
print
- one ofPRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
extraction
- one ofEXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
change
- one ofCHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
CHANGE_ALL
encryptmetadata
- whether to encrypt the XMP metadata- Throws:
java.security.NoSuchAlgorithmException
- if the AES cipher isn't available- Since:
- 2.28.5
-
getVersion
public int getVersion()
Return the version of the encryption algorithm used.- Returns:
- 1 for 40-bit RC4 as used by Acrobat 3 and later, 2 for 128-bit RC4 as used by Acrobat 5 and later, or 4 for the variant in Acrobat 6 or later and 5 for the variant in Acrobat 9 or later.
- Since:
- 2.0
-
isOwnerPasswordKnown
public boolean isOwnerPasswordKnown()
Return true if the Owner password was used to open this PDF, false if the User password was used.- Since:
- 2.11.8
-
isMetadataEncrypted
public boolean isMetadataEncrypted()
Description copied from class:EncryptionHandler
This method returns true if XMP MetaData should be stored encrypted, or false otherwise. The default implementation returns true, subclasses should override as necessary.- Overrides:
isMetadataEncrypted
in classEncryptionHandler
-
isStreamEncrypted
public boolean isStreamEncrypted()
Description copied from class:EncryptionHandler
This method returns true if Streams in the document should be stored encrypted. By default this method returns true.- Overrides:
isStreamEncrypted
in classEncryptionHandler
-
isStringEncrypted
public boolean isStringEncrypted()
Description copied from class:EncryptionHandler
This method returns true if Strings in the document should be stored encrypted. By default this method returns true.- Overrides:
isStringEncrypted
in classEncryptionHandler
-
isEmbeddedFileEncrypted
public boolean isEmbeddedFileEncrypted()
Description copied from class:EncryptionHandler
This method returns true if Embedded Files in the document should be stored encrypted. By default this method returns true.- Overrides:
isEmbeddedFileEncrypted
in classEncryptionHandler
-
getChange
public int getChange()
Return the value of the "Change" flags- Returns:
- one of
CHANGE_NONE
CHANGE_LAYOUT
CHANGE_FORMS
CHANGE_ANNOTATIONS
orCHANGE_ALL
- Since:
- 2.2.6
-
getExtract
public int getExtract()
Return the value of the "Extract" flags- Returns:
- one of
EXTRACT_NONE
EXTRACT_ACCESSIBILITY
EXTRACT_ALL
- Since:
- 2.2.6
-
getPrint
public int getPrint()
Return the value of the "Print" flags- Returns:
- one of
PRINT_NONE
PRINT_LOWRES
PRINT_HIGHRES
- Since:
- 2.2.6
-
hasRight
public boolean hasRight(java.lang.String right)
Description copied from class:EncryptionHandler
Returns true if the EncryptionHandler wil grant the specified right to the PDF library. The default implementation of this method returns true, but subclasses will override this method based on the rights applied to the document. This method should always returnsuper.hasRight()
if it doesn't recognise the value of "right"- Overrides:
hasRight
in classEncryptionHandler
- Parameters:
right
- an interned() String defining the usage right the PDF library is querying.
-
getFilterName
public java.lang.String getFilterName()
Description copied from class:EncryptionHandler
Return the name of the "Filter" field in the Encryption dictionary. This is used to determine whether an appropriate filter has been supplied by the decryption process. For example, theStandardEncryptionHandler
class returns "Standard" from this method.- Specified by:
getFilterName
in classEncryptionHandler
-
getSubFilterName
public java.lang.String getSubFilterName()
Description copied from class:EncryptionHandler
Return the name of the "Subfilter" field in the Encryption dictionary. This is used to determine whether an appropriate filter has been supplied by the decryption process. As "Subfilter" is an optional field, this method may returnnull
.- Specified by:
getSubFilterName
in classEncryptionHandler
-
getDescription
public java.lang.String getDescription()
Return a textual description of the algorithm used- Since:
- 2.8.2
-
isRequired
public boolean isRequired()
Description copied from class:EncryptionHandler
This method should returntrue
if the document needs to be encrypted. For example, theStandardEncryptionHandler
returnsfalse
here if and only if no passwords are set and the document is set to allow full access.- Specified by:
isRequired
in classEncryptionHandler
-
getDecryptedStreamLength
public int getDecryptedStreamLength(int len)
Description copied from class:EncryptionHandler
Return the length that an encrypted stream o the specified length would be after decryption. Generally this will be the same as the input length, which is what this method returns unless overridden. However for some encryption algorithms like AES the size will be altered. If an exact number is known this method should return it, or if it's not possible to deduce the decrypted length from the input length this method should return -1.- Overrides:
getDecryptedStreamLength
in classEncryptionHandler
-
getEncryptedStreamLength
public int getEncryptedStreamLength(int len)
Description copied from class:EncryptionHandler
Return the length that a stream of the specified length would be after encryption. Generally this will be the same same as the input length (and that's what this method returns, unless overridden), but for some Encryption algorithms like AES, the size may be rounded up to the nearest block size.- Overrides:
getEncryptedStreamLength
in classEncryptionHandler
-
getEncryptionStream
public java.io.OutputStream getEncryptionStream(java.io.OutputStream out, int num, int gen)
Description copied from class:EncryptionHandler
Return aFilterOutputStream
that will encrypt anything written to it. The encryption parameters are set inEncryptionHandler.prepareToEncrypt()
, which is called once at the start of the render.- Specified by:
getEncryptionStream
in classEncryptionHandler
- Parameters:
out
- the OuptutStream that should be written tonum
- the object number of the top-level objectgen
- the generation number of the top-level object
-
getDecryptionStream
public java.io.InputStream getDecryptionStream(java.io.InputStream in, int num, int gen)
Description copied from class:EncryptionHandler
Return aFilterInputStream
that will decrypt anything read from it. The decryption parameters are set inEncryptionHandler.prepareToDecrypt()
, which is called once at the start of the PDF read.- Specified by:
getDecryptionStream
in classEncryptionHandler
- Parameters:
in
- the InputStream that should be read fromnum
- the object number of the top-level objectgen
- the generation number of the top-level object
-
prepareToDecrypt
public void prepareToDecrypt() throws java.io.IOException
Description copied from class:EncryptionHandler
This method is called just before the PDF is read in. It is expected that this method will read various parameters from theEncrypt
dictionary by way of the variousget...
methods, and use them and the value ofEncryptionHandler.getFileId()
to set its internal state so that it's ready to start decryption. It may throw anIOException
if these parameters are invalid, in which case the document cannot be read.- Specified by:
prepareToDecrypt
in classEncryptionHandler
- Throws:
java.io.IOException
-
prepareToEncrypt
public void prepareToEncrypt() throws java.io.IOException
Description copied from class:EncryptionHandler
This method is called when the PDF is about to be written out. It is expected that this method will write various parameters which have been set by the user to theEncrypt
dictionary (including the "Filter" field) by way of the variousput...
methods, and will use these and the value ofEncryptionHandler.getFileId()
to set its internal state so that it's ready to start encryption. It may throw anIOException
if these parameters are in any way invalid, in which case the document cannot be written.- Specified by:
prepareToEncrypt
in classEncryptionHandler
- Throws:
java.io.IOException
-
finishedEncrypt
public void finishedEncrypt()
Description copied from class:EncryptionHandler
This method is called after the PDF has been written. It may be used to clean up any internal state that needs to be cleaned.- Specified by:
finishedEncrypt
in classEncryptionHandler
-
finishedDecrypt
public void finishedDecrypt()
Description copied from class:EncryptionHandler
This method is called after the PDF has been read. It may be used to clean up any internal state that needs to be cleaned.- Specified by:
finishedDecrypt
in classEncryptionHandler
-
-