diff --git a/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest01.pdf b/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest01.pdf
index ba3567db40..5635669094 100644
Binary files a/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest01.pdf and b/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest01.pdf differ
diff --git a/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest02.pdf b/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest02.pdf
index 6da4cf233f..e554cbc19f 100644
Binary files a/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest02.pdf and b/itext.tests/itext.forms.tests/resources/itext/forms/PdfEncryptionTest/cmp_encryptAes256Pdf2PermissionsTest02.pdf differ
diff --git a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTest.cs
index d76586229d..3a37d3f5a4 100644
--- a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTest.cs
+++ b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTest.cs
@@ -310,6 +310,37 @@ public virtual void EncryptWithPasswordAes128EmbeddedFilesOnly() { , textContent, ERROR_IS_EXPECTED); } + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void EncryptWithPasswordAes256EmbeddedFilesOnly() { + String filename = "encryptWithPasswordAes256EmbeddedFilesOnly.pdf"; + int encryptionType = EncryptionConstants.ENCRYPTION_AES_256 | EncryptionConstants.EMBEDDED_FILES_ONLY; + String outFileName = destinationFolder + filename; + int permissions = EncryptionConstants.ALLOW_SCREENREADERS; + PdfWriter writer = CompareTool.CreateTestPdfWriter(outFileName, new WriterProperties().SetStandardEncryption + (PdfEncryptionTestUtils.USER, PdfEncryptionTestUtils.OWNER, permissions, encryptionType).AddXmpMetadata + ().SetPdfVersion(PdfVersion.PDF_2_0)); + PdfDocument document = new PdfDocument(writer); + document.GetDocumentInfo().SetMoreInfo(PdfEncryptionTestUtils.CUSTOM_INFO_ENTRY_KEY, PdfEncryptionTestUtils + .CUSTOM_INFO_ENTRY_VALUE); + PdfPage page = document.AddNewPage(); + String textContent = "Hello world!"; + PdfEncryptionTestUtils.WriteTextBytesOnPageContent(page, textContent); + String descripton = "encryptedFile"; + String path = sourceFolder + "pageWithContent.pdf"; + document.AddFileAttachment(descripton, PdfFileSpec.CreateEmbeddedFileSpec(document, path, descripton, path + , null, null)); + page.Flush(); + document.Close(); + //TODO DEVSIX-5355 Specific crypto filters for EFF StmF and StrF are not supported at the moment. + // However we can read embedded files only mode. 
+ bool ERROR_IS_EXPECTED = false; + encryptionUtil.CheckDecryptedWithPasswordContent(destinationFolder + filename, PdfEncryptionTestUtils.OWNER + , textContent, ERROR_IS_EXPECTED); + encryptionUtil.CheckDecryptedWithPasswordContent(destinationFolder + filename, PdfEncryptionTestUtils.USER + , textContent, ERROR_IS_EXPECTED); + } + [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void EncryptAes256Pdf2NotEncryptMetadata() { @@ -551,7 +582,7 @@ public virtual void CheckEncryptedWithPasswordDocumentAppending(String filename, newPage.Put(PdfName.Default, new PdfString("Hello world string")); PdfEncryptionTestUtils.WriteTextBytesOnPageContent(newPage, "Hello world page_2!"); document.Close(); - CompareTool compareTool = new CompareTool().EnableEncryptionCompare(); + CompareTool compareTool = new CompareTool().EnableEncryptionCompare(false); String compareResult = compareTool.CompareByContent(outFileName, sourceFolder + "cmp_appended_" + filename , destinationFolder, "diff_", PdfEncryptionTestUtils.USER, PdfEncryptionTestUtils.USER); if (compareResult != null) { diff --git a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTestUtils.cs b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTestUtils.cs index c977b6beaf..b683b704c1 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTestUtils.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/PdfEncryptionTestUtils.cs 
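Review bot: EncryptWithPasswordAes256EmbeddedFilesOnly only checks that the page text can be read back with the owner and user passwords, so it would still pass if `EMBEDDED_FILES_ONLY` were ignored and the whole document encrypted, or if the attachment were written in the clear. Assuming `CheckDecryptedWithPasswordContent` (not shown in the hunk) inspects page content only, add an assertion on the attachment stream itself so the test pins what the flag is meant to protect. The DEVSIX-5355 TODO would be clearer if it named the property the test deliberately leaves unchecked, e.g. `// TODO DEVSIX-5355: attachment encryption is not verified here; only reading the document back is`. Minor: the local `descripton` is misspelled.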
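Review bot: The bare `false` passed to `EnableEncryptionCompare` in CheckEncryptedWithPasswordDocumentAppending gives no hint of which part of the encryption comparison is switched off, and the same literal appears in the CompareEncryptedPdf and EncryptAes256AndCheck hunks and in several MacIntegrityProtectorCreationTest assertions. These are the tests that pin encryption output, so a reader has to be able to tell that the comparison was narrowed on purpose and by how much. Put a one-line comment above each call, `// false = <what is excluded from the encryption compare, and why it legitimately differs between runs>`, with the wording taken from the overload's own documentation, since the parameter's meaning is not visible in this diff. The enclosing method starts before the hunk and continues after it.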
@@ -52,7 +52,7 @@ public PdfEncryptionTestUtils(String destinationFolder, String sourceFolder) { public virtual void CompareEncryptedPdf(String filename) { CheckDecryptedWithPasswordContent(destinationFolder + filename, OWNER, PAGE_TEXT_CONTENT); CheckDecryptedWithPasswordContent(destinationFolder + filename, USER, PAGE_TEXT_CONTENT); - CompareTool compareTool = new CompareTool().EnableEncryptionCompare(); + CompareTool compareTool = new CompareTool().EnableEncryptionCompare(false); String compareResult = compareTool.CompareByContent(destinationFolder + filename, sourceFolder + "cmp_" + filename, destinationFolder, "diff_", USER, USER); if (compareResult != null) { diff --git a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest.cs index 297b472ad9..cb156c42f8 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest.cs @@ -185,7 +185,7 @@ private void EncryptAes256AndCheck(String filename, byte[] ownerPassword) { document.Close(); encryptionUtil.CheckDecryptedWithPasswordContent(destinationFolder + filename, ownerPassword, PdfEncryptionTestUtils .PAGE_TEXT_CONTENT); - CompareTool compareTool = new CompareTool().EnableEncryptionCompare(); + CompareTool compareTool = new CompareTool().EnableEncryptionCompare(false); String compareResult = compareTool.CompareByContent(destinationFolder + filename, sourceFolder + "cmp_" + filename, destinationFolder, "diff_", ownerPassword, ownerPassword); if (compareResult != null) { 
diff --git a/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest.cs
index 9b4f71e95a..d63b4c36df 100644
--- a/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest.cs
+++ b/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest.cs
@@ -22,12 +22,13 @@ You should have received a copy of the GNU Affero General Public License
 */
 using System;
 using System.Collections.Generic;
+using NUnit.Framework;
 using iText.Bouncycastleconnector;
-using iText.Bouncycastlefips;
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Cert;
 using iText.Commons.Bouncycastle.Crypto;
 using iText.Commons.Utils;
+using iText.Kernel.Crypto;
 using iText.Kernel.Exceptions;
 using iText.Kernel.Logs;
 using iText.Kernel.Pdf;
@@ -56,46 +57,48 @@ public static void SetUp() { [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] [NUnit.Framework.Test] public virtual void TestSimpleEncryptDecryptTest() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } + NUnit.Framework.Assume.That(!BouncyCastleFactoryCreator.GetFactory().IsInApprovedOnlyMode()); String fileName = "simpleEncryptDecrypt.pdf"; String srcFile = SOURCE_FOLDER + fileName; String outFile = DESTINATION_FOLDER + fileName; - if ("BCFIPS".Equals(FACTORY.GetProviderName())) { - Exception e = NUnit.Framework.Assert.Catch(typeof(UnsupportedEncryptionFeatureException), () => - DoEncrypt(srcFile, outFile, true)); - NUnit.Framework.Assert.AreEqual(UnsupportedEncryptionFeatureException.ENCRYPTION_WITH_CERTIFICATE_ISNT_SUPPORTED_IN_FIPS, e.Message); - } else { - DoEncrypt(srcFile, outFile, true); - DecryptWithCertificate(fileName, DESTINATION_FOLDER, "test.cer", "test.pem"); - } + DoEncrypt(srcFile, outFile, true); + DecryptWithCertificate(fileName, DESTINATION_FOLDER, "test.cer", "test.pem"); } [LogMessage(VersionConforming.NOT_SUPPORTED_AES_GCM, Ignore = true)] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] [NUnit.Framework.Test] - public virtual void TestSimpleEncryptDecryptPdf15Test() { - String fileName = "simpleEncryptDecrypt.pdf"; + public virtual void TestSimpleEncryptDecryptPdf17Test() { + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } + NUnit.Framework.Assume.That(!BouncyCastleFactoryCreator.GetFactory().IsInApprovedOnlyMode()); + String fileName = "simpleEncryptDecrypt_1_7.pdf"; String srcFile = SOURCE_FOLDER + fileName; String outFile = DESTINATION_FOLDER + fileName; - if ("BCFIPS".Equals(FACTORY.GetProviderName())) { - Exception e = 
NUnit.Framework.Assert.Catch(typeof(UnsupportedEncryptionFeatureException), () => - DoEncrypt(srcFile, outFile, false)); - NUnit.Framework.Assert.AreEqual(UnsupportedEncryptionFeatureException.ENCRYPTION_WITH_CERTIFICATE_ISNT_SUPPORTED_IN_FIPS, e.Message); - } else { - DoEncrypt(srcFile, outFile, false); - DecryptWithCertificate(fileName, DESTINATION_FOLDER, "test.cer", "test.pem"); - } + DoEncrypt(srcFile, outFile, false); + DecryptWithCertificate(fileName, DESTINATION_FOLDER, "test.cer", "test.pem"); } [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] [NUnit.Framework.Test] public virtual void DecryptExternalFileTest() { - if ("BCFIPS".Equals(FACTORY.GetProviderName())) { - Exception e = NUnit.Framework.Assert.Catch(typeof(UnsupportedEncryptionFeatureException), () => - DecryptWithCertificate("externalFile.pdf", SOURCE_FOLDER, "decrypter.cert.pem", "signerkey.pem")); - NUnit.Framework.Assert.AreEqual(UnsupportedEncryptionFeatureException.ENCRYPTION_WITH_CERTIFICATE_ISNT_SUPPORTED_IN_FIPS, e.Message); - } else { - DecryptWithCertificate("externalFile.pdf", SOURCE_FOLDER, "decrypter.cert.pem", "signerkey.pem"); + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); } + DecryptWithCertificate("externalFile.pdf", SOURCE_FOLDER, "decrypter.cert.pem", "signerkey.pem"); } [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] diff --git a/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest.cs index 9ca2836823..53c1099c7e 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest.cs 
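Review bot: The `catch (Exception)` in the new guard at the top of TestSimpleEncryptDecryptTest, TestSimpleEncryptDecryptPdf17Test and DecryptExternalFileTest turns any failure of `IsEncryptionFeatureSupported` into a silently skipped test, not only the "feature unsupported" case. The removed branches asserted that a FIPS provider rejects certificate encryption with `UnsupportedEncryptionFeatureException` and a specific message; after this change nothing visible here checks that refusal, so a provider that stopped refusing would go unnoticed. Narrow the handler and give the skip a reason, for example `catch (UnsupportedEncryptionFeatureException) { NUnit.Framework.Assume.That(false, "certificate encryption is not supported by this provider"); }` (assuming that is the type the factory throws), and keep one test that asserts the exception when the feature is unsupported. The same guard is repeated in AddMacOnPreservePublicKeyEncryptionTest in MacIntegrityProtectorCreationTest.cs; a shared helper would keep the copies from drifting.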
@@ -28,6 +28,7 @@ You should have received a copy of the GNU Affero General Public License using iText.Kernel.Logs; using iText.Kernel.Pdf; using iText.Kernel.Utils; +using iText.Kernel.Utils.Objectpathitems; using iText.Test; using iText.Test.Attributes; @@ -54,7 +55,6 @@ public static void SetUp() { [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SimpleEncryptDecryptTest() { String srcFile = SRC + "simpleDocument.pdf"; - String decryptedCmpFile = SRC + "cmp_simpleEncryptDecrypt.pdf"; String encryptedCmpFile = SRC + "cmp_encryptedSimpleDocument.pdf"; String outFile = DEST + "simpleEncryptDecrypt.pdf"; // Set usage permissions. @@ -68,7 +68,7 @@ public virtual void SimpleEncryptDecryptTest() { docIn.CopyPagesTo(1, 1, docOut); } } - new CompareTool().CompareByContent(outFile, decryptedCmpFile, DEST, "diff", USER_PASSWORD, null); + new CToolNoDeveloperExtension().CompareByContent(outFile, srcFile, DEST, "diff", USER_PASSWORD, null); new CompareTool().CompareByContent(outFile, encryptedCmpFile, DEST, "diff", USER_PASSWORD, USER_PASSWORD); } 
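Review bot: The result of `new CToolNoDeveloperExtension().CompareByContent(outFile, srcFile, DEST, "diff", USER_PASSWORD, null)` is discarded in SimpleEncryptDecryptTest, as is the `CompareTool` call on the following context line, so a content difference is not reported unless `CompareByContent` itself throws. Other call sites in this commit treat a non-null return as a failure, so wrap the call: `NUnit.Framework.Assert.IsNull(new CToolNoDeveloperExtension().CompareByContent(outFile, srcFile, DEST, "diff", USER_PASSWORD, null));`. The changed line in SimpleEncryptDecryptPdf15Test in the next hunk has the same gap. The method starts before this hunk.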
@@ -77,14 +77,13 @@ public virtual void SimpleEncryptDecryptTest() { [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void SimpleEncryptDecryptPdf15Test() { String srcFile = SRC + "simpleDocument.pdf"; - String cmpFile = SRC + "cmp_simpleEncryptDecrypt.pdf"; String outFile = DEST + "notSupportedVersionDocument.pdf"; int perms = EncryptionConstants.ALLOW_PRINTING | EncryptionConstants.ALLOW_DEGRADED_PRINTING; WriterProperties wProps = new WriterProperties().SetStandardEncryption(USER_PASSWORD, OWNER_PASSWORD, perms , EncryptionConstants.ENCRYPTION_AES_GCM); PdfDocument ignored = new PdfDocument(new PdfReader(srcFile), new PdfWriter(outFile, wProps)); ignored.Close(); - new CompareTool().CompareByContent(outFile, cmpFile, DEST, "diff", USER_PASSWORD, null); + new CToolNoDeveloperExtension().CompareByContent(outFile, srcFile, DEST, "diff", USER_PASSWORD, null); } [NUnit.Framework.Test] @@ -260,4 +259,24 @@ private void AssertTampered(String outFile) { } } } + +//\cond DO_NOT_DOCUMENT + // Outside test class for porting + internal class CToolNoDeveloperExtension : CompareTool { + protected internal override bool CompareObjects(PdfObject outObj, PdfObject cmpObj, ObjectPath currentPath + , CompareTool.CompareResult compareResult) { + if (outObj != null && outObj.IsDictionary()) { + if (((PdfDictionary)outObj).Get(PdfName.ISO_) != null) { + return true; + } + } + if (cmpObj != null && cmpObj.IsDictionary()) { + if (((PdfDictionary)cmpObj).Get(PdfName.ISO_) != null) { + return true; + } + } + return base.CompareObjects(outObj, cmpObj, currentPath, compareResult); + } + } +//\endcond } diff --git a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs index e46e2cd428..9e3465d390 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs 
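Review bot: `CToolNoDeveloperExtension.CompareObjects` returns `true` for any dictionary that has a `PdfName.ISO_` entry on either side, which accepts the whole object without looking at its other entries or at what the other side holds. That is broader than the class name suggests: a difference elsewhere in that dictionary, or a `cmpObj` of another type, would pass the encrypt/decrypt round-trip check. Add a class comment stating the intent, for example `// Treats a dictionary carrying an ISO_ entry as equal so the decrypted output can be compared with the unencrypted source` (if that is the intent), and consider returning `true` only when the other object is a dictionary or absent. Whether the base comparison already reports the parent's extra key before this override is reached cannot be seen from the hunk.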
+++ b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorCreationTest.cs 
@@ -70,54 +70,66 @@ public virtual void StandaloneMacStandardEncryptionTest() { String fileName = "standaloneMacStandardEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; - MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256, MacProperties.MacAlgorithm - .HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD); WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption - (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, macProperties); - using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(outputFileName, writerProperties))) { + (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, new MacProperties(MacProperties.MacDigestAlgorithm + .SHA_256)); + using (PdfDocument pdfDoc = new PdfDocument(CompareTool.CreateTestPdfWriter(outputFileName, writerProperties + ))) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare(false).CompareByContent(outputFileName + , cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void NoMacProtectionTest() { + String fileName = "noMacProtectionTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption + (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, null); + using (PdfDocument pdfDoc = new PdfDocument(CompareTool.CreateTestPdfWriter(outputFileName, writerProperties + ))) { pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); } - 
NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER - , "diff", PASSWORD, PASSWORD)); + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, + cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); } [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] - public virtual void MacEncryptionWithAesGsmTest() { + public virtual void MacEncryptionWithAesGcmTest() { String fileName = "macEncryptionWithAesGsmTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; - MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256); WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption - (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_GCM, macProperties); + (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_GCM, new MacProperties(MacProperties.MacDigestAlgorithm + .SHA_256)); using (PdfDocument pdfDoc = new PdfDocument(CompareTool.CreateTestPdfWriter(outputFileName, writerProperties ))) { pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); } - NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER - , "diff", PASSWORD, PASSWORD)); + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare(false).CompareByContent(outputFileName + , cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); } [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + [LogMessage(iText.IO.Logs.IoLogMessageConstant.PDF_WRITER_CLOSING_FAILED)] public virtual void StandaloneMacUnwritableStreamTest() { - MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256, 
MacProperties.MacAlgorithm - .HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD); WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetStandardEncryption - (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, macProperties); - MemoryStream unwritableStream = new _MemoryStream_129(); - String exceptionMessage = NUnit.Framework.Assert.Catch(typeof(Exception), () => { - using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(unwritableStream, writerProperties))) { - pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); - } + (PASSWORD, PASSWORD, 0, EncryptionConstants.ENCRYPTION_AES_256, new MacProperties(MacProperties.MacDigestAlgorithm + .SHA_256)); + MemoryStream unwritableStream = new _MemoryStream_152(); + using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(unwritableStream, writerProperties))) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); } - ).Message; - NUnit.Framework.Assert.AreEqual("expected", exceptionMessage); unwritableStream.Dispose(); } - private sealed class _MemoryStream_129 : MemoryStream { - public _MemoryStream_129() { + private sealed class _MemoryStream_152 : MemoryStream { + public _MemoryStream_152() { } public override void Write(byte[] b, int off, int len) { @@ -141,8 +153,8 @@ public virtual void StandaloneMacWithAllHashAlgorithmsTest() { ))) { pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); } - NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER - , "diff", PASSWORD, PASSWORD)); + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare(false).CompareByContent(outputFileName + , cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); } } 
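Review bot: StandaloneMacUnwritableStreamTest no longer asserts anything itself: the `Assert.Catch` and the message check are removed, and the only expectation left is the `[LogMessage(iText.IO.Logs.IoLogMessageConstant.PDF_WRITER_CLOSING_FAILED)]` attribute. If the intended behaviour is that a failed write while closing a MAC-protected document is logged rather than thrown, say so in the test, e.g. `// Closing must not throw when the stream rejects writes; the failure is only logged`, so the silent path reads as a documented decision. `unwritableStream.Dispose()` is skipped if anything above it throws; `using (MemoryStream unwritableStream = new _MemoryStream_152())` avoids that. Separately, MacEncryptionWithAesGcmTest was renamed but still uses the file name "macEncryptionWithAesGsmTest.pdf".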
@@ -165,6 +177,70 @@ public virtual void StandaloneMacPdfVersionNotSetTest() { NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_FOR_PDF_2, exceptionMessage); } + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void AddMacOnPreserveEncryptionTest() { + String fileName = "addMacOnPreserveEncryptionTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noMacProtectionDocument.pdf", new + ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName, new WriterProperties + ().SetPdfVersion(PdfVersion.PDF_2_0)), new StampingProperties().PreserveEncryption())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare(false).CompareByContent(outputFileName + , cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void AddMacOnAppendModeTest() { + // MAC should not be added in append mode + String fileName = "addMacOnAppendModeTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noMacProtectionDocument.pdf", new + ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName, new WriterProperties + ().SetPdfVersion(PdfVersion.PDF_2_0)), new StampingProperties().UseAppendMode())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, 
+ cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void AddMacOnPreserveEncryptionWhileDowngradingTest() { + String fileName = "addMacOnPreserveEncryptionWhileDowngradingTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noMacProtectionDocument.pdf", new + ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName, new WriterProperties + ().SetPdfVersion(PdfVersion.PDF_1_7)), new StampingProperties().PreserveEncryption())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, + cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + + [NUnit.Framework.Test] + [LogMessage(VersionConforming.DEPRECATED_AES256_REVISION)] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void AddMacOnPreserveEncryptionFor17DocTest() { + // We can't embed MAC into encrypted documents during the conversion from earlier PDF version + // because their encryption does not support this. 
So WriterProperties should be used iso preserveEncryption + String fileName = "addMacOnPreserveEncryptionFor17DocTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noMacProtectionDocument_1_7.pdf" + , new ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName, new WriterProperties + ().SetPdfVersion(PdfVersion.PDF_2_0)), new StampingProperties().PreserveEncryption())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, + cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacOldEncryptionAlgorithmTest() { @@ -185,6 +261,7 @@ public virtual void StandaloneMacOldEncryptionAlgorithmTest() { } [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void StandaloneMacPublicKeyEncryptionTest() { try { BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); 
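Review bot: The four new stamping tests state their expected outcome only through the `cmp_` files: AddMacOnAppendModeTest says in a comment that no MAC should be added, AddMacOnPreserveEncryptionWhileDowngradingTest says nothing, and none of them asserts directly whether the output carries a MAC. A regenerated reference file would therefore flip the expectation without any test code changing; an explicit check on the written document for the presence or absence of the MAC entry would pin it. At minimum add the missing intent comment, e.g. `// Target version is PDF 1.7, so no MAC is expected in the output` (to be confirmed by the author), and spell out "iso" as "instead of" in the AddMacOnPreserveEncryptionFor17DocTest comment. DisableMacTest and DisableMacInAppendModeTest in MacIntegrityProtectorReadingAndRewritingTest.cs follow the same pattern.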
@@ -196,13 +273,11 @@ public virtual void StandaloneMacPublicKeyEncryptionTest() { String fileName = "standaloneMacPublicKeyEncryptionTest.pdf"; String outputFileName = DESTINATION_FOLDER + fileName; String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; - MacProperties macProperties = new MacProperties(MacProperties.MacDigestAlgorithm.SHA_256, MacProperties.MacAlgorithm - .HMAC_WITH_SHA_256, MacProperties.KeyWrappingAlgorithm.AES_256_NO_PADD); IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC + "SHA256withRSA.cer")); WriterProperties writerProperties = new WriterProperties().SetPdfVersion(PdfVersion.PDF_2_0).SetPublicKeyEncryption - (new IX509Certificate[] { certificate }, new int[] { -1 }, EncryptionConstants.ENCRYPTION_AES_256, macProperties - ); + (new IX509Certificate[] { certificate }, new int[] { -1 }, EncryptionConstants.ENCRYPTION_AES_256, new + MacProperties(MacProperties.MacDigestAlgorithm.SHA_256)); using (PdfDocument pdfDoc = new PdfDocument(CompareTool.CreateTestPdfWriter(outputFileName, writerProperties ))) { pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); 
@@ -215,6 +290,36 @@ public virtual void StandaloneMacPublicKeyEncryptionTest() { , "diff")); } + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void AddMacOnPreservePublicKeyEncryptionTest() { + // TODO DEVSIX-8635 - Verify MAC permission and embed MAC in stamping mode for public key encryption + try { + BouncyCastleFactoryCreator.GetFactory().IsEncryptionFeatureSupported(0, true); + } + catch (Exception) { + NUnit.Framework.Assume.That(false); + } + String fileName = "addMacOnPreservePublicKeyEncryptionTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + IX509Certificate certificate = CryptoUtil.ReadPublicCertificate(FileUtil.GetInputStreamForFile(CERTS_SRC + + "SHA256withRSA.cer")); + IPrivateKey privateKey = GetPrivateKey(CERTS_SRC + "SHA256withRSA.key"); + ReaderProperties readerProperties = new ReaderProperties(); + readerProperties.SetPublicKeySecurityParams(certificate, privateKey); + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noMacProtectionPublicKeyEncryptionDocument.pdf" + , readerProperties), CompareTool.CreateTestPdfWriter(outputFileName), new StampingProperties().PreserveEncryption + ())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + CompareTool compareTool = new CompareTool(); + compareTool.GetCmpReaderProperties().SetPublicKeySecurityParams(certificate, privateKey); + compareTool.GetOutReaderProperties().SetPublicKeySecurityParams(certificate, privateKey); + NUnit.Framework.Assert.IsNull(compareTool.CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER + , "diff")); + } + public static IPrivateKey GetPrivateKey(String keyName) { return PemFileHelper.ReadPrivateKeyFromPemFile(FileUtil.GetInputStreamForFile(keyName), "testpassphrase".ToCharArray ()); 
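Review bot: AddMacOnPreservePublicKeyEncryptionTest is named as if a MAC is added, but the TODO for DEVSIX-8635 says embedding in stamping mode is not done yet for public-key encryption, so the reference file presumably pins an output without integrity protection. State that in the test, e.g. `// Currently no MAC is embedded here; update the cmp file and assertions once DEVSIX-8635 is implemented`, so a passing test is not read as proof that the document is protected. The `CompareTool` is also used without `EnableEncryptionCompare`, unlike the password-based tests in this file, so differences in the encryption dictionary would go unnoticed if that call is what enables the check.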
diff --git a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs
index 1ce7cd8b9f..776a118178 100644
--- a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs
+++ b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest.cs
@@ -92,6 +92,37 @@ public virtual void PreserveEncryptionTest() { cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); } + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void DisableMacTest() { + String fileName = "disableMacTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocument.pdf", new + ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName), new StampingProperties + ().PreserveEncryption().DisableMac())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, + cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void DisableMacInAppendModeTest() { + // We do not disable MAC in append mode if it was there + String fileName = "disableMacInAppendModeTest.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectedDocument.pdf", new + ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName), new StampingProperties + ().UseAppendMode().DisableMac())) { + pdfDoc.AddNewPage().AddAnnotation(new PdfTextAnnotation(new Rectangle(100, 100, 100, 100))); + } + NUnit.Framework.Assert.IsNull(new CompareTool().EnableEncryptionCompare().CompareByContent(outputFileName, + cmpFileName, DESTINATION_FOLDER, "diff", PASSWORD, PASSWORD)); + } + [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, 
Ignore = true)] public virtual void WriterPropertiesTest() { 
@@ -258,5 +289,79 @@ public virtual void ReadMacProtectedPdf1_7() { } ); } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void NoSaltTest() { + String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => { + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "noSaltTest.pdf", new ReaderProperties + ().SetPassword(PASSWORD)))) { + } + } + ).Message; + NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_VALIDATION_NO_SALT, message); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void ReadTamperedMacProtectedDocumentTest() { + String message = NUnit.Framework.Assert.Catch(typeof(PdfException), () => { + using (PdfDocument ignored = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocumentTampered.pdf" + , new ReaderProperties().SetPassword(PASSWORD)))) { + } + } + ).Message; + NUnit.Framework.Assert.AreEqual(KernelExceptionMessageConstant.MAC_VALIDATION_FAILED, message); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void DoNotThrowOnValidationTest1() { + String fileName = "doNotThrowOnValidationTest1.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + StampingProperties stampingProperties = new StampingProperties(); + stampingProperties.RegisterDependency(typeof(IMacContainerLocator), new _StandaloneMacContainerLocator_360 + ()); + // do nothing + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "macProtectionStrippedTest.pdf", + new ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName), stampingProperties + )) { + } + new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER, "diff"); + } + + private 
sealed class _StandaloneMacContainerLocator_360 : StandaloneMacContainerLocator { + public _StandaloneMacContainerLocator_360() { + } + + public override void HandleMacValidationError(MacValidationException exception) { + } + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void DoNotThrowOnValidationTest2() { + String fileName = "doNotThrowOnValidationTest2.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + StampingProperties stampingProperties = new StampingProperties(); + stampingProperties.RegisterDependency(typeof(IMacContainerLocator), new _StandaloneMacContainerLocator_384 + ()); + // do nothing + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(SOURCE_FOLDER + "thirdPartyMacProtectedDocumentTampered.pdf" + , new ReaderProperties().SetPassword(PASSWORD)), CompareTool.CreateTestPdfWriter(outputFileName), stampingProperties + )) { + } + new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER, "diff"); + } + + private sealed class _StandaloneMacContainerLocator_384 : StandaloneMacContainerLocator { + public _StandaloneMacContainerLocator_384() { + } + + public override void HandleMacValidationError(MacValidationException exception) { + } + } } } diff --git a/itext.tests/itext.kernel.tests/itext/kernel/pdf/PdfDeveloperExtensionTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/pdf/PdfDeveloperExtensionTest.cs index 56e66caf9e..a3a9b865fd 100644 --- a/itext.tests/itext.kernel.tests/itext/kernel/pdf/PdfDeveloperExtensionTest.cs +++ b/itext.tests/itext.kernel.tests/itext/kernel/pdf/PdfDeveloperExtensionTest.cs 
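Review bot: `DoNotThrowOnValidationTest1` and `DoNotThrowOnValidationTest2` discard the result of `CompareByContent`, so they pass whatever the stamped output contains. Wrap the call as the other tests in this file do: `NUnit.Framework.Assert.IsNull(new CompareTool().CompareByContent(outputFileName, cmpFileName, DESTINATION_FOLDER, "diff"));`. Nothing shows that the empty `HandleMacValidationError` overrides are ever invoked, so a regression that skips MAC validation altogether would leave both tests green; setting a flag in the override and asserting it afterwards would pin that. The `// do nothing` comment belongs inside the override body rather than before the `using`, and it should say that swallowing a `MacValidationException` lets a tampered or MAC-stripped file be processed as if it were intact.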
@@ -105,6 +105,28 @@ public virtual void AddMultivaluedExtensionNoOverrideTest() { .GetExtensionLevel(), MULTI_EXTENSION_2.GetExtensionLevel())); } + [NUnit.Framework.Test] + public virtual void RemoveSingleValuedExtensionTest() { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(baos))) { + pdfDoc.GetCatalog().AddDeveloperExtension(SIMPLE_EXTENSION_L5); + pdfDoc.GetCatalog().RemoveDeveloperExtension(SIMPLE_EXTENSION_L5); + } + AssertNoExtensionWithPrefix(baos.ToArray(), SIMPLE_EXTENSION_L5.GetPrefix()); + } + + [NUnit.Framework.Test] + public virtual void RemoveMultivaluedExtensionTest() { + ByteArrayOutputStream baos = new ByteArrayOutputStream(); + using (PdfDocument pdfDoc = new PdfDocument(new PdfWriter(baos))) { + pdfDoc.GetCatalog().AddDeveloperExtension(MULTI_EXTENSION_1); + pdfDoc.GetCatalog().AddDeveloperExtension(MULTI_EXTENSION_2); + pdfDoc.GetCatalog().RemoveDeveloperExtension(MULTI_EXTENSION_2); + } + AssertMultiExtension(baos.ToArray(), MULTI_EXTENSION_1.GetPrefix(), JavaUtil.ArraysAsList(MULTI_EXTENSION_1 + .GetExtensionLevel())); + } + private void AssertSimpleExtension(byte[] docData, PdfName prefix, int expectedLevel) { using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(new MemoryStream(docData)))) { PdfDictionary extDict = pdfDoc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.Extensions).GetAsDictionary 
@@ -113,6 +135,14 @@ private void AssertSimpleExtension(byte[] docData, PdfName prefix, int expectedL } } + private void AssertNoExtensionWithPrefix(byte[] docData, PdfName prefix) { + using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(new MemoryStream(docData)))) { + PdfDictionary extDict = pdfDoc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.Extensions).GetAsDictionary + (prefix); + NUnit.Framework.Assert.IsNull(extDict); + } + } + private void AssertMultiExtension(byte[] docData, PdfName prefix, ICollection expectedLevels) { ICollection seen = new HashSet(); using (PdfDocument pdfDoc = new PdfDocument(new PdfReader(new MemoryStream(docData)))) { diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/PdfEncryptingTest/cmp_encryptWithPasswordAes256Pdf2.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/PdfEncryptingTest/cmp_encryptWithPasswordAes256Pdf2.pdf index 092fe20533..8f724a26d6 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/PdfEncryptingTest/cmp_encryptWithPasswordAes256Pdf2.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/PdfEncryptingTest/cmp_encryptWithPasswordAes256Pdf2.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptAes256FullCompression.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptAes256FullCompression.pdf index 533b80e956..d1a6fe05dd 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptAes256FullCompression.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptAes256FullCompression.pdf differ 
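Review bot: `AssertNoExtensionWithPrefix` dereferences the result of `GetAsDictionary(PdfName.Extensions)` without a null check. If removing the last extension also drops the `/Extensions` entry from the catalog (not visible here), `RemoveSingleValuedExtensionTest` would fail with a null dereference rather than pass. Guard the lookup with `PdfDictionary extensions = pdfDoc.GetCatalog().GetPdfObject().GetAsDictionary(PdfName.Extensions);` followed by `NUnit.Framework.Assert.IsTrue(extensions == null || extensions.GetAsDictionary(prefix) == null);`.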
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptWithPasswordAes256Pdf2.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptWithPasswordAes256Pdf2.pdf index 5b492a02f4..103cab5001 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptWithPasswordAes256Pdf2.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_appended_encryptWithPasswordAes256Pdf2.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256FullCompression.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256FullCompression.pdf index 36f8d33df7..67169d5a14 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256FullCompression.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256FullCompression.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256Pdf2Permissions.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256Pdf2Permissions.pdf index fc84e5a3c6..24f164693c 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256Pdf2Permissions.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptAes256Pdf2Permissions.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptWithPasswordAes256Pdf2.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptWithPasswordAes256Pdf2.pdf index ad124a4201..0342ff69f2 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptWithPasswordAes256Pdf2.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_encryptWithPasswordAes256Pdf2.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_stampAndUpdateVersionNewAes256.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_stampAndUpdateVersionNewAes256.pdf index 4e4e2c245b..81221803b7 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_stampAndUpdateVersionNewAes256.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/PdfEncryptionTest/cmp_stampAndUpdateVersionNewAes256.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic01.pdf index fdbf27e6ce..9bf3c10bef 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic01.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic02.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic02.pdf index 594d85820e..c5a942b289 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic02.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic02.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic03.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic03.pdf index 22a95ed46c..1fef9fd751 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic03.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic03.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic04.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic04.pdf index 84f2984d92..908976c468 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic04.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic04.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic05.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic05.pdf index 0072a341ea..9651572068 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic05.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_arabic05.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari01.pdf index 309fdcf2ef..c41d3c8123 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari02.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari02.pdf index 6481b11782..f23b6fbaa5 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari02.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_devanagari02.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_emoji01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_emoji01.pdf index 0c3803b0d1..bcb49fb02e 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_emoji01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_emoji01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_gurmukhi01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_gurmukhi01.pdf index c090428637..e88847346f 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_gurmukhi01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_gurmukhi01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_khmer01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_khmer01.pdf index 79672d615d..a4182c6804 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_khmer01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_khmer01.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization01.pdf index 994a3cf184..700818f509 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization02.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization02.pdf index d12efd75e3..5e53b3b77c 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization02.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization02.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization03.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization03.pdf index ac6400b63d..74608901bd 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization03.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization03.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization04.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization04.pdf index b26f7154ad..b4f60b0dd5 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization04.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization04.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization05.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization05.pdf index 20ad57efbc..41b2f7c667 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization05.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nfkcNormalization05.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nonAsciiSpace01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nonAsciiSpace01.pdf index 25866b1594..b3b13fe202 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nonAsciiSpace01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_nonAsciiSpace01.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example01.pdf index 0f5dcc5def..1bb32c6a41 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example02.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example02.pdf index 68fbdbdc47..54866c9766 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example02.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example02.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example03.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example03.pdf index d7d11aac6d..2de9ec3f40 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example03.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example03.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example04.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example04.pdf index c7fbaa9399..bd72132b51 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example04.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_rfc4013Example04.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_tamil01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_tamil01.pdf index 23e1032373..8a0132e81b 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_tamil01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_tamil01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_thai01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_thai01.pdf index ec9ba63c25..d9344d4983 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_thai01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_thai01.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_unicodeBom01.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_unicodeBom01.pdf index a87947fbad..b13c9602c0 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_unicodeBom01.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/pdfencryption/UnicodeBasedPasswordEncryptionTest/cmp_unicodePassword_unicodeBom01.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf index fcf26de22f..04af4ab69a 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt_1_7.pdf similarity index 54% rename from itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf rename to itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt_1_7.pdf index f13b5bc621..bfae56843b 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/cmp_simpleEncryptDecrypt_1_7.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/simpleEncryptDecrypt_1_7.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/simpleEncryptDecrypt_1_7.pdf new file mode 100644 index 0000000000..7f24d3a4fc Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcmTest/simpleEncryptDecrypt_1_7.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_encryptedSimpleDocument.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_encryptedSimpleDocument.pdf index d770a7aa3c..51981cdead 100644 Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_encryptedSimpleDocument.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/crypto/securityhandler/StandardHandlerUsingAesGcmTest/cmp_encryptedSimpleDocument.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnAppendModeTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnAppendModeTest.pdf new file mode 100644 index 0000000000..792884c274 Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnAppendModeTest.pdf differ 
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionFor17DocTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionFor17DocTest.pdf
new file mode 100644
index 0000000000..2a95592bc0
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionFor17DocTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionTest.pdf
new file mode 100644
index 0000000000..86eb20d0c6
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionWhileDowngradingTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionWhileDowngradingTest.pdf
new file mode 100644
index 0000000000..31820a46c0
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreserveEncryptionWhileDowngradingTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreservePublicKeyEncryptionTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreservePublicKeyEncryptionTest.pdf
new file mode 100644
index 0000000000..ea6b7c705d
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_addMacOnPreservePublicKeyEncryptionTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_noMacProtectionTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_noMacProtectionTest.pdf
new file mode 100644
index 0000000000..963d5074ab
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/cmp_noMacProtectionTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument.pdf
new file mode 100644
index 0000000000..318f529543
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument_1_7.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument_1_7.pdf
new file mode 100644
index 0000000000..db862c7069
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionDocument_1_7.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionPublicKeyEncryptionDocument.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionPublicKeyEncryptionDocument.pdf
new file mode 100644
index 0000000000..4b5a106e64
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorCreationTest/noMacProtectionPublicKeyEncryptionDocument.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacInAppendModeTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacInAppendModeTest.pdf
new file mode 100644
index 0000000000..acd6ea98f1
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacInAppendModeTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacTest.pdf
new file mode 100644
index 0000000000..833985f2e5
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_disableMacTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest1.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest1.pdf
new file mode 100644
index 0000000000..b1117bb947
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest1.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest2.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest2.pdf
new file mode 100644
index 0000000000..593d11e8fd
Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_doNotThrowOnValidationTest2.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_macShouldNotBePreservedWithEncryptionTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_macShouldNotBePreservedWithEncryptionTest.pdf
index 9b54a711e1..c74d7239e3 100644
Binary files a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_macShouldNotBePreservedWithEncryptionTest.pdf and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/cmp_macShouldNotBePreservedWithEncryptionTest.pdf differ
diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/noSaltTest.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/noSaltTest.pdf new file mode 100644 index 0000000000..dcf9bc7117 Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/noSaltTest.pdf differ diff --git a/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/thirdPartyMacProtectedDocumentTampered.pdf b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/thirdPartyMacProtectedDocumentTampered.pdf new file mode 100644 index 0000000000..026b98534e Binary files /dev/null and b/itext.tests/itext.kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorReadingAndRewritingTest/thirdPartyMacProtectedDocumentTampered.pdf differ diff --git a/itext.tests/itext.pdfa.tests/itext/pdfa/PdfA4CatalogCheckTest.cs b/itext.tests/itext.pdfa.tests/itext/pdfa/PdfA4CatalogCheckTest.cs index 3fb4f7826f..4432430ee7 100644 --- a/itext.tests/itext.pdfa.tests/itext/pdfa/PdfA4CatalogCheckTest.cs +++ b/itext.tests/itext.pdfa.tests/itext/pdfa/PdfA4CatalogCheckTest.cs @@ -123,7 +123,7 @@ public virtual void EncryptInTrailerTest() { [NUnit.Framework.Test] public virtual void EncryptedDocumentTest() { - String outPdf = destinationFolder + "pdfA4_catalogCheck03.pdf"; + String outPdf = destinationFolder + "pdfA4_encryptedDocument.pdf"; byte[] userPassword = "user".GetBytes(iText.Commons.Utils.EncodingUtil.ISO_8859_1); byte[] ownerPassword = "owner".GetBytes(iText.Commons.Utils.EncodingUtil.ISO_8859_1); int permissions = EncryptionConstants.ALLOW_SCREENREADERS | EncryptionConstants.ALLOW_DEGRADED_PRINTING; 
diff --git a/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs b/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs index 738f4daf05..7bd82f2984 100644 --- a/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs +++ b/itext.tests/itext.sign.tests/itext/signatures/mac/SignedDocumentWithMacTest.cs 
@@ -83,6 +83,73 @@ public virtual void SignMacProtectedDocTest() { , properties)); } + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void SignNotMacProtectedDocTest() { + String fileName = "signNotMacProtectedDocTest.pdf"; + String srcFileName = SOURCE_FOLDER + "noMacProtectionDocument.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String signCertFileName = CERTS_SRC + "signCertRsa01.pem"; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName); + IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD); + using (PdfReader reader = new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD + ))) { + using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) { + PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties()); + PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain); + } + } + ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD); + NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties + , properties)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void SignNotMacProtectedDoc17Test() { + String fileName = "signNotMacProtectedDoc17Test.pdf"; + String srcFileName = SOURCE_FOLDER + "noMacProtectionDocument_1_7.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String signCertFileName = CERTS_SRC + "signCertRsa01.pem"; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName); + IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD); + using (PdfReader reader = 
new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD + ))) { + using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) { + PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties()); + PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain); + } + } + ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD); + NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties + , properties)); + } + + [NUnit.Framework.Test] + [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] + public virtual void SignNotMacProtectedDocInAppendModeTest() { + // MAC should not be added in append mode + String fileName = "signNotMacProtectedDocInAppendModeTest.pdf"; + String srcFileName = SOURCE_FOLDER + "noMacProtectionDocument.pdf"; + String outputFileName = DESTINATION_FOLDER + fileName; + String signCertFileName = CERTS_SRC + "signCertRsa01.pem"; + String cmpFileName = SOURCE_FOLDER + "cmp_" + fileName; + IX509Certificate[] signRsaChain = PemFileHelper.ReadFirstChain(signCertFileName); + IPrivateKey signRsaPrivateKey = PemFileHelper.ReadFirstKey(signCertFileName, PRIVATE_KEY_PASSWORD); + using (PdfReader reader = new PdfReader(srcFileName, new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD + ))) { + using (Stream outputStream = FileUtil.GetFileOutputStream(outputFileName)) { + PdfSigner pdfSigner = new PdfSigner(reader, outputStream, new StampingProperties().UseAppendMode()); + PerformSignDetached(pdfSigner, signRsaPrivateKey, signRsaChain); + } + } + ReaderProperties properties = new ReaderProperties().SetPassword(ENCRYPTION_PASSWORD); + NUnit.Framework.Assert.IsNull(SignaturesCompareTool.CompareSignatures(outputFileName, cmpFileName, properties + , properties)); + } + [NUnit.Framework.Test] [LogMessage(KernelLogMessageConstant.MD5_IS_NOT_FIPS_COMPLIANT, Ignore = true)] public virtual void 
SignMacProtectedDocInAppendModeTest() { diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDoc17Test.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDoc17Test.pdf new file mode 100644 index 0000000000..eacc5b6be8 Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDoc17Test.pdf differ diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocInAppendModeTest.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocInAppendModeTest.pdf new file mode 100644 index 0000000000..049f5503e3 Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocInAppendModeTest.pdf differ diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocTest.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocTest.pdf new file mode 100644 index 0000000000..49b98db1e7 Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/cmp_signNotMacProtectedDocTest.pdf differ diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument.pdf new file mode 100644 index 0000000000..318f529543 Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument.pdf differ 
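Review bot: The comment `// MAC should not be added in append mode` in SignNotMacProtectedDocInAppendModeTest is not backed by an assertion of its own; the test passes whenever `SignaturesCompareTool.CompareSignatures` accepts the output against the cmp file, and whether that comparison looks at the MAC container at all cannot be told from this hunk. Reopening the output and asserting directly that the MAC entry is absent (append mode) or present (the two non-append tests) would pin the intended security property instead of leaving it to the stored reference PDF. The three added tests also differ only in the source file name and the `StampingProperties` passed to `PdfSigner`, so a private helper taking those two values would remove the repeated body.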
diff --git a/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument_1_7.pdf b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument_1_7.pdf new file mode 100644 index 0000000000..db862c7069 Binary files /dev/null and b/itext.tests/itext.sign.tests/resources/itext/signatures/mac/SignedDocumentWithMacTest/noMacProtectionDocument_1_7.pdf differ diff --git a/itext/itext.kernel/itext/kernel/crypto/securityhandler/PubKeySecurityHandler.cs b/itext/itext.kernel/itext/kernel/crypto/securityhandler/PubKeySecurityHandler.cs index 9344d8eabf..9f8f16cbcf 100644 --- a/itext/itext.kernel/itext/kernel/crypto/securityhandler/PubKeySecurityHandler.cs +++ b/itext/itext.kernel/itext/kernel/crypto/securityhandler/PubKeySecurityHandler.cs @@ -177,14 +177,11 @@ private byte[] GetEncodedRecipient(int index) { //constants permissions: PdfWriter.AllowCopy | PdfWriter.AllowPrinting | PdfWriter.AllowScreenReaders | // PdfWriter.AllowAssembly; int permission = recipient.GetPermission(); - // NOTE! Added while porting to itext - // Previous strange code was: - // int revision = 3; - // permission |= revision == 3 ? 0xfffff0c0 : 0xffffffc0; - // revision value never changed, so code have been replaced to this: - permission |= unchecked((int)(0xfffff0c0)); - permission &= unchecked((int)(0xfffffffc)); - permission += 1; + // Force set 1 to 1, 7, 8 bits and all bits above 13. + // Basically to all not used bits. + // Bit 13 we do not touch. It's handled separately in PdfEncryption. + // Not sure about bit 1. But we always set it to 1 so let's not change for now. + permission |= unchecked((int)(0xffffe0c1)); byte[] pkcs7input = new byte[24]; byte one = (byte)permission; byte two = (byte)(permission >> 8); 
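Review bot: The single OR with `0xffffe0c1` no longer clears bit 2, which the removed `permission &= unchecked((int)(0xfffffffc));` did, so a recipient permission value that arrives with bit 2 set is now written into the recipient data unchanged. If I read the public-key permission table of ISO 32000 correctly, bit 2 lets the recipient change the encryption and implies all other permissions, which would make this a widening compared with the old code that the new comment does not mention. If that is intended, say so in the comment; if not, keep the clear for that bit, e.g. `permission &= unchecked((int)(0xfffffffd));` after the OR. The first comment line would also read more clearly as `// Force bits 1, 7, 8 and all bits above 13 to 1 (the unused bits).` GetEncodedRecipient starts and ends outside the hunk.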
diff --git a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingAes256.cs b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingAes256.cs index 7e1264b6a3..504c045148 100644 --- a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingAes256.cs +++ b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingAes256.cs @@ -79,6 +79,13 @@ public override IDecryptor GetDecryptor() { return new AesDecryptor(nextObjectKey, 0, nextObjectKeySize); } + /// + public override void SetPermissions(int permissions, PdfDictionary encryptionDictionary) { + base.SetPermissions(permissions, encryptionDictionary); + byte[] aes256Perms = GetAes256Perms(permissions, IsEncryptMetadata()); + encryptionDictionary.Put(PdfName.Perms, new PdfLiteral(StreamUtil.CreateEscapedString(aes256Perms))); + } + //\cond DO_NOT_DOCUMENT internal virtual void SetAES256DicEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey, byte[] aes256Perms, bool encryptMetadata, bool embeddedFilesOnly) { 
@@ -175,21 +182,7 @@ private void InitKeyAndFillDictionary(PdfDictionary encryptionDictionary, byte[] ac = new AESCipherCBCnoPad(true, hash); oeKey = ac.ProcessBlock(nextObjectKey, 0, nextObjectKey.Length); // Algorithm 10 - byte[] permsp = IVGenerator.GetIV(16); - permsp[0] = (byte)permissions; - permsp[1] = (byte)(permissions >> 8); - permsp[2] = (byte)(permissions >> 16); - permsp[3] = (byte)(permissions >> 24); - permsp[4] = (byte)(255); - permsp[5] = (byte)(255); - permsp[6] = (byte)(255); - permsp[7] = (byte)(255); - permsp[8] = encryptMetadata ? (byte)'T' : (byte)'F'; - permsp[9] = (byte)'a'; - permsp[10] = (byte)'d'; - permsp[11] = (byte)'b'; - ac = new AESCipherCBCnoPad(true, nextObjectKey); - aes256Perms = ac.ProcessBlock(permsp, 0, permsp.Length); + aes256Perms = GetAes256Perms(permissions, encryptMetadata); this.permissions = permissions; this.encryptMetadata = encryptMetadata; SetStandardHandlerDicEntries(encryptionDictionary, userKey, ownerKey); @@ -200,6 +193,27 @@ private void InitKeyAndFillDictionary(PdfDictionary encryptionDictionary, byte[] } } + private byte[] GetAes256Perms(int permissions, bool encryptMetadata) { + byte[] aes256Perms; + AESCipherCBCnoPad ac; + byte[] permsp = IVGenerator.GetIV(16); + permsp[0] = (byte)permissions; + permsp[1] = (byte)(permissions >> 8); + permsp[2] = (byte)(permissions >> 16); + permsp[3] = (byte)(permissions >> 24); + permsp[4] = (byte)(255); + permsp[5] = (byte)(255); + permsp[6] = (byte)(255); + permsp[7] = (byte)(255); + permsp[8] = encryptMetadata ? (byte)'T' : (byte)'F'; + permsp[9] = (byte)'a'; + permsp[10] = (byte)'d'; + permsp[11] = (byte)'b'; + ac = new AESCipherCBCnoPad(true, nextObjectKey); + aes256Perms = ac.ProcessBlock(permsp, 0, permsp.Length); + return aes256Perms; + } + private void InitKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[] password) { try { if (password == null) { 
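Review bot: GetAes256Perms is now also reached from the new public `SetPermissions` override, yet it has no comment stating what it depends on: it encrypts with `nextObjectKey`, so the `Perms` value it returns is only meaningful once the handler holds the file encryption key. The `// Algorithm 10` marker stayed behind at the call site in InitKeyAndFillDictionary; I would move it onto the helper and add a summary such as `// Builds the 16-byte Perms block (P in bytes 0-3, 0xFF in 4-7, 'T'/'F', "adb", bytes 12-15 as returned by IVGenerator.GetIV) and encrypts it with nextObjectKey.` The locals `aes256Perms` and `ac` can be declared where they are assigned instead of at the top.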
@@ -219,7 +233,7 @@ private void InitKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[] byte[] ueValue = GetIsoBytes(encryptionDictionary.GetAsString(PdfName.UE)); byte[] perms = GetIsoBytes(encryptionDictionary.GetAsString(PdfName.Perms)); PdfNumber pValue = (PdfNumber)encryptionDictionary.Get(PdfName.P); - this.permissions = pValue.LongValue(); + this.permissions = pValue.IntValue(); byte[] hash; hash = ComputeHash(password, oValue, VALIDATION_SALT_OFFSET, SALT_LENGTH, uValue); usedOwnerPassword = EqualsArray(hash, oValue, 32); diff --git a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingStandard40.cs b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingStandard40.cs index 4aae761362..4380cc21a7 100644 --- a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingStandard40.cs +++ b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardHandlerUsingStandard40.cs @@ -163,7 +163,7 @@ private void InitKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[] byte[] uValue = GetIsoBytes(encryptionDictionary.GetAsString(PdfName.U)); byte[] oValue = GetIsoBytes(encryptionDictionary.GetAsString(PdfName.O)); PdfNumber pValue = (PdfNumber)encryptionDictionary.Get(PdfName.P); - this.permissions = pValue.LongValue(); + this.permissions = pValue.IntValue(); this.documentId = documentId; keyLength = GetKeyLength(encryptionDictionary); byte[] paddedPassword = PadPassword(password); diff --git a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardSecurityHandler.cs b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardSecurityHandler.cs index bbfe223d06..4b03dbf8a1 100644 --- a/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardSecurityHandler.cs +++ b/itext/itext.kernel/itext/kernel/crypto/securityhandler/StandardSecurityHandler.cs 
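Review bot: Switching to `pValue.IntValue()` here, and on the same line of StandardHandlerUsingStandard40.InitKeyAndReadDictionary in the next hunk, changes how a `/P` value outside the int range is read from a parsed file. Some producers write `/P` as an unsigned 32-bit number; with the former `long` field the low 32 bits of such a value were preserved, whereas what `IntValue()` returns for it depends on an implementation that is not visible here. If it saturates rather than wraps, such files would report different permissions, and any key or `Perms` computation that uses the field would no longer match. Narrowing explicitly keeps the old bit pattern: `this.permissions = unchecked((int)pValue.LongValue());`. Both functions continue outside their hunks.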
@@ -26,20 +26,28 @@ You should have received a copy of the GNU Affero General Public License namespace iText.Kernel.Crypto.Securityhandler { public abstract class StandardSecurityHandler : SecurityHandler { - protected internal const int PERMS_MASK_1_FOR_REVISION_2 = -64; + protected internal const int PERMS_MASK_1_FOR_REVISION_2 = unchecked((int)(0xffffffc0)); - protected internal const int PERMS_MASK_1_FOR_REVISION_3_OR_GREATER = -8000; + protected internal const int PERMS_MASK_1_FOR_REVISION_3_OR_GREATER = unchecked((int)(0xffffe0c0)); - protected internal const int PERMS_MASK_2 = -4; + protected internal const int PERMS_MASK_2 = unchecked((int)(0xfffffffc)); - protected internal long permissions; + protected internal int permissions; protected internal bool usedOwnerPassword = true; - public virtual long GetPermissions() { + public virtual int GetPermissions() { return permissions; } + /// Updates encryption dictionary with the security permissions provided. + /// new permissions to set + /// encryption dictionary to update + public virtual void SetPermissions(int permissions, PdfDictionary encryptionDictionary) { + this.permissions = permissions; + encryptionDictionary.Put(PdfName.P, new PdfNumber(permissions)); + } + public virtual bool IsUsedOwnerPassword() { return usedOwnerPassword; } diff --git a/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs b/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs index c221bea9a5..2b7319ec63 100644 --- a/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs +++ b/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs 
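Review bot: The new public `SetPermissions` stores its argument and writes it to `/P` as given, without applying the `PERMS_MASK_*` constants declared a few lines above and without consulting `usedOwnerPassword`. If masking and the decision whether the current access level may change permissions are meant to live in the caller (the comment added to PubKeySecurityHandler suggests PdfEncryption does part of this), the XML doc should say so, for instance `/// The value is written as is; callers apply the revision-specific mask and decide whether permissions may be changed.` Separately, `GetPermissions()` changing its return type from `long` to `int` breaks existing callers and overriders at compile time and deserves a line in the release notes.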
@@ -43,8 +43,8 @@ public class PdfDocumentEvent : Event { /// public const String END_PAGE = "EndPdfPage"; - /// Dispatched before writer is flushed to a document. - public const String END_WRITER_FLUSH = "EndWriterFlush"; + /// Dispatched before writer is closed. + public const String START_WRITER_CLOSING = "StartWriterClosing"; /// Dispatched after writer is flushed to a document. public const String START_DOCUMENT_CLOSING = "StartDocumentClosing"; diff --git a/itext/itext.kernel/itext/kernel/exceptions/KernelExceptionMessageConstant.cs b/itext/itext.kernel/itext/kernel/exceptions/KernelExceptionMessageConstant.cs index 2a332c6134..b61ae47368 100644 --- a/itext/itext.kernel/itext/kernel/exceptions/KernelExceptionMessageConstant.cs +++ b/itext/itext.kernel/itext/kernel/exceptions/KernelExceptionMessageConstant.cs @@ -374,6 +374,8 @@ public const String CONTENT_STREAM_MUST_NOT_INVOKE_OPERATORS_THAT_SPECIFY_COLORS public const String MAC_VALIDATION_FAILED = "MAC integrity protection was compromised. Document content was modified."; + public const String MAC_VALIDATION_NO_SALT = "MAC token validation failed. Salt is not found."; + public const String MISSING_REQUIRED_FIELD_IN_FONT_DICTIONARY = "Missing required field {0} in font dictionary."; public const String MUST_BE_A_TAGGED_DOCUMENT = "Must be a tagged document."; diff --git a/itext/itext.kernel/itext/kernel/mac/AbstractMacIntegrityProtector.cs b/itext/itext.kernel/itext/kernel/mac/AbstractMacIntegrityProtector.cs index aff577abf7..9159989953 100644 --- a/itext/itext.kernel/itext/kernel/mac/AbstractMacIntegrityProtector.cs +++ b/itext/itext.kernel/itext/kernel/mac/AbstractMacIntegrityProtector.cs 
@@ -133,6 +133,9 @@ public virtual void SetKdfSalt(byte[] kdfSalt) { /// introduced to the document in question, after MAC container is integrated. /// public virtual void ValidateMacToken() { + if (kdfSalt == null) { + throw new MacValidationException(KernelExceptionMessageConstant.MAC_VALIDATION_NO_SALT); + } try { byte[] macKey = GenerateDecryptedKey(macContainerReader.ParseMacKey()); long[] byteRange = macContainerReader.GetByteRange(); @@ -151,14 +154,14 @@ public virtual void ValidateMacToken() { byte[] actualMac = macContainerReader.ParseMac(); if (!JavaUtil.ArraysEquals(expectedMac, actualMac) || !JavaUtil.ArraysEquals(expectedMessageDigest, actualMessageDigest )) { - throw new PdfException(KernelExceptionMessageConstant.MAC_VALIDATION_FAILED); + throw new MacValidationException(KernelExceptionMessageConstant.MAC_VALIDATION_FAILED); } } catch (PdfException e) { throw; } catch (Exception e) { - throw new PdfException(KernelExceptionMessageConstant.MAC_VALIDATION_EXCEPTION, e); + throw new MacValidationException(KernelExceptionMessageConstant.MAC_VALIDATION_EXCEPTION, e); } } diff --git a/itext/itext.kernel/itext/kernel/mac/IMacContainerLocator.cs b/itext/itext.kernel/itext/kernel/mac/IMacContainerLocator.cs index 784bbe665e..6b4ab7f3ac 100644 --- a/itext/itext.kernel/itext/kernel/mac/IMacContainerLocator.cs +++ b/itext/itext.kernel/itext/kernel/mac/IMacContainerLocator.cs @@ -93,5 +93,13 @@ AbstractMacIntegrityProtector CreateMacIntegrityProtector(PdfDocument document, /// AbstractMacIntegrityProtector CreateMacIntegrityProtector(PdfDocument document, PdfDictionary authDictionary ); + + /// Handles MAC validation error. + /// + /// + /// + /// to handle. + /// + void HandleMacValidationError(MacValidationException exception); } } diff --git a/itext/itext.kernel/itext/kernel/mac/MacValidationException.cs b/itext/itext.kernel/itext/kernel/mac/MacValidationException.cs new file mode 100644 index 0000000000..16c3126e0d --- /dev/null 
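Review bot: The MAC and digest comparison kept as context in the second ValidateMacToken hunk, `!JavaUtil.ArraysEquals(expectedMac, actualMac) || !JavaUtil.ArraysEquals(expectedMessageDigest, actualMessageDigest)`, is worth revisiting while the failure path is being reworked. `ArraysEquals` is not shown here; if it returns at the first differing byte, the time taken depends on how much of the MAC matched, and the `||` skips the second comparison whenever the first fails. A fixed-time byte comparison evaluated for both pairs before deciding (for example `CryptographicOperations.FixedTimeEquals`, where the target framework offers it) removes that dependency. ValidateMacToken begins in the previous hunk and ends after this one.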
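Review bot: `HandleMacValidationError` is added to the public IMacContainerLocator interface without stating what an implementation may do with the exception. StandaloneMacContainerLocator rethrows it, but an implementation that returns normally presumably lets processing continue on a document whose MAC did not verify, so the doc comment should spell that out, e.g. `/// Implementations that do not rethrow accept a document whose integrity check failed.` Adding a member to the interface also breaks third-party implementers at compile time, which is worth noting in the release notes.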
+++ b/itext/itext.kernel/itext/kernel/mac/MacValidationException.cs @@ -0,0 +1,52 @@ +/* +This file is part of the iText (R) project. +Copyright (c) 1998-2024 Apryse Group NV +Authors: Apryse Software. + +This program is offered under a commercial and under the AGPL license. +For commercial licensing, contact us at https://itextpdf.com/sales. For AGPL licensing, see below. + +AGPL licensing: +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as published by +the Free Software Foundation, either version 3 of the License, or +(at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ +using System; +using iText.Kernel.Exceptions; + +namespace iText.Kernel.Mac { + /// Exception class for MAC validation errors. + public class MacValidationException : PdfException { + /// + /// Creates a new instance of + /// . + /// + /// the exception message + public MacValidationException(String message) + : base(message) { + } + + /// + /// Creates a new instance of + /// . + /// + /// the exception message + /// + /// the cause (which is saved for later retrieval by + /// + /// method) + /// + public MacValidationException(String message, Exception cause) + : base(message, cause) { + } + } +} diff --git a/itext/itext.kernel/itext/kernel/mac/StandaloneMacContainerLocator.cs b/itext/itext.kernel/itext/kernel/mac/StandaloneMacContainerLocator.cs index b9a5b62d85..60b00aed42 100644 --- a/itext/itext.kernel/itext/kernel/mac/StandaloneMacContainerLocator.cs +++ b/itext/itext.kernel/itext/kernel/mac/StandaloneMacContainerLocator.cs 
@@ -51,5 +51,10 @@ public virtual AbstractMacIntegrityProtector CreateMacIntegrityProtector(PdfDocu authDictionary) { return new StandaloneMacIntegrityProtector(document, authDictionary); } + + /// + public virtual void HandleMacValidationError(MacValidationException exception) { + throw exception; + } } } diff --git a/itext/itext.kernel/itext/kernel/mac/StandaloneMacIntegrityProtector.cs b/itext/itext.kernel/itext/kernel/mac/StandaloneMacIntegrityProtector.cs index d9023a910d..f2ded9ad2e 100644 --- a/itext/itext.kernel/itext/kernel/mac/StandaloneMacIntegrityProtector.cs +++ b/itext/itext.kernel/itext/kernel/mac/StandaloneMacIntegrityProtector.cs @@ -51,7 +51,7 @@ internal StandaloneMacIntegrityProtector(PdfDocument document, PdfDictionary aut internal virtual void PrepareDocument() { document.AddEventHandler(PdfDocumentEvent.START_DOCUMENT_CLOSING, new StandaloneMacIntegrityProtector.StandaloneMacPdfObjectAdder (this)); - document.AddEventHandler(PdfDocumentEvent.END_WRITER_FLUSH, new StandaloneMacIntegrityProtector.StandaloneMacContainerEmbedder + document.AddEventHandler(PdfDocumentEvent.START_WRITER_CLOSING, new StandaloneMacIntegrityProtector.StandaloneMacContainerEmbedder (this)); } //\endcond diff --git a/itext/itext.kernel/itext/kernel/pdf/EncryptionProperties.cs b/itext/itext.kernel/itext/kernel/pdf/EncryptionProperties.cs index d1a1c4609b..e2239aa967 100644 --- a/itext/itext.kernel/itext/kernel/pdf/EncryptionProperties.cs +++ b/itext/itext.kernel/itext/kernel/pdf/EncryptionProperties.cs @@ -47,6 +47,11 @@ public class EncryptionProperties { /// protected internal MacProperties macProperties; +//\cond DO_NOT_DOCUMENT + internal static readonly MacProperties DEFAULT_MAC_PROPERTIES = new MacProperties(MacProperties.MacDigestAlgorithm + .SHA3_512); +//\endcond + /// Sets the encryption options for the document. /// /// the user password. Can be null or of zero length, which is equal to 
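Review bot: `throw exception;` in StandaloneMacContainerLocator.HandleMacValidationError rethrows an exception object that was presumably caught by the caller, which replaces its recorded stack trace with this method's frame. `System.Runtime.ExceptionServices.ExceptionDispatchInfo.Capture(exception).Throw();` keeps the trace that shows where MAC validation actually failed, which is the part an investigator needs. A null argument currently surfaces as a NullReferenceException from the throw statement, so the method contract should state that the argument must not be null.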
@@ -108,7 +113,8 @@ public class EncryptionProperties { /// public virtual EncryptionProperties SetStandardEncryption(byte[] userPassword, byte[] ownerPassword, int permissions , int encryptionAlgorithm) { - return SetStandardEncryption(userPassword, ownerPassword, permissions, encryptionAlgorithm, null); + return SetStandardEncryption(userPassword, ownerPassword, permissions, encryptionAlgorithm, DEFAULT_MAC_PROPERTIES + ); } /// Sets the encryption options for the document. @@ -169,7 +175,10 @@ public virtual EncryptionProperties SetStandardEncryption(byte[] userPassword, b /// /// /// - /// class to configure MAC integrity protection properties + /// class to configure MAC integrity protection properties. + /// Pass + /// + /// if you want to disable MAC protection for any reason /// /// /// this @@ -249,7 +258,10 @@ public virtual EncryptionProperties SetStandardEncryption(byte[] userPassword, b /// /// /// - /// class to configure MAC integrity protection properties + /// class to configure MAC integrity protection properties. + /// Pass + /// + /// if you want to disable MAC protection for any reason /// /// /// this 
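Review bot: The four-argument `SetStandardEncryption` used to pass `null` for the MAC properties and now passes `DEFAULT_MAC_PROPERTIES` (SHA3-512), but its XML doc, which lies outside this hunk, is not updated to say so. Callers of this overload get different output than before without changing their code; the doc should state the new default and name the five-argument overload with `null` as the way to opt out, as the later hunks already do for that overload. Every caller also receives the same static `MacProperties` instance; if that class is mutable (not visible here), returning a fresh instance per call would keep one document's settings from affecting another.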
@@ -265,69 +277,6 @@ public virtual EncryptionProperties SetPublicKeyEncryption(IX509Certificate[] ce return this; } - /// Sets the certificate encryption options for the document. - /// - /// Sets the certificate encryption options for the document. - /// - /// An array of one or more public certificates must be provided together with an array of the same size - /// for the permissions for each certificate. - /// - /// the public certificates to be used for the encryption - /// - /// the user permissions for each of the certificates - /// The open permissions for the document can be - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// and - /// . - /// The permissions can be combined by ORing them - /// - /// - /// the type of encryption. It can be one of - /// - /// , - /// - /// , - /// - /// or - /// . - /// Optionally - /// - /// can be ORed to output the metadata in cleartext. - /// - /// can be ORed as well. - /// Please be aware that the passed encryption types may override permissions: - /// - /// implicitly sets - /// - /// and - /// - /// as false; - /// - /// implicitly sets - /// - /// as false; - /// - /// - /// this - /// - /// - public virtual EncryptionProperties SetPublicKeyEncryption(IX509Certificate[] certs, int[] permissions, int - encryptionAlgorithm) { - return SetPublicKeyEncryption(certs, permissions, encryptionAlgorithm, null); - } - //\cond DO_NOT_DOCUMENT internal virtual bool IsStandardEncryptionUsed() { return ownerPassword != null; diff --git a/itext/itext.kernel/itext/kernel/pdf/PdfCatalog.cs b/itext/itext.kernel/itext/kernel/pdf/PdfCatalog.cs index e544b920ab..c566b3ccb7 100644 --- a/itext/itext.kernel/itext/kernel/pdf/PdfCatalog.cs +++ b/itext/itext.kernel/itext/kernel/pdf/PdfCatalog.cs 
@@ -376,11 +376,11 @@ public virtual void SetLang(PdfString lang) { } /// - /// Add an extensions dictionary containing developer prefix identification and version + /// Adds an extensions dictionary containing developer prefix identification and version /// numbers for developer extensions that occur in this document. /// /// - /// Add an extensions dictionary containing developer prefix identification and version + /// Adds an extensions dictionary containing developer prefix identification and version /// numbers for developer extensions that occur in this document. /// See ISO 32000-1, Table 28 – Entries in the catalog dictionary. /// 
@@ -432,6 +432,41 @@ public virtual void AddDeveloperExtension(PdfDeveloperExtension extension) { } } + /// + /// Removes an extensions dictionary containing developer prefix identification and version + /// numbers for developer extensions that do not occur in this document. + /// + /// + /// Removes an extensions dictionary containing developer prefix identification and version + /// numbers for developer extensions that do not occur in this document. + /// See ISO 32000-1, Table 28 – Entries in the catalog dictionary. + /// + /// developer extension to be removed from the document + public virtual void RemoveDeveloperExtension(PdfDeveloperExtension extension) { + PdfDictionary extensions = GetPdfObject().GetAsDictionary(PdfName.Extensions); + if (extensions == null) { + return; + } + if (extension.IsMultiValued()) { + PdfArray existingExtensionArray = extensions.GetAsArray(extension.GetPrefix()); + if (existingExtensionArray == null) { + return; + } + for (int i = 0; i < existingExtensionArray.Size(); i++) { + PdfDictionary pdfDict = existingExtensionArray.GetAsDictionary(i); + // for array-based extensions, we check for membership only, since comparison doesn't make sense + if (pdfDict.GetAsNumber(PdfName.ExtensionLevel).IntValue() == extension.GetExtensionLevel()) { + existingExtensionArray.Remove(i); + existingExtensionArray.SetModified(); + return; + } + } + } + else { + extensions.Remove(extension.GetPrefix()); + } + } + /// /// Gets collection dictionary that a conforming reader shall use to enhance the presentation of file attachments /// stored in the PDF document. diff --git a/itext/itext.kernel/itext/kernel/pdf/PdfDocument.cs b/itext/itext.kernel/itext/kernel/pdf/PdfDocument.cs index fa19ec34e6..8e135859e1 100644 --- a/itext/itext.kernel/itext/kernel/pdf/PdfDocument.cs +++ b/itext/itext.kernel/itext/kernel/pdf/PdfDocument.cs 
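Review bot: In the array branch of RemoveDeveloperExtension, `pdfDict.GetAsNumber(PdfName.ExtensionLevel).IntValue()` dereferences two values that come from the parsed catalog and may be null: the array element need not be a dictionary, and a dictionary need not carry `ExtensionLevel`. A malformed `/Extensions` entry then ends the call with a NullReferenceException instead of being skipped; `PdfNumber level = pdfDict == null ? null : pdfDict.GetAsNumber(PdfName.ExtensionLevel);` followed by `if (level != null && level.IntValue() == extension.GetExtensionLevel()) {` avoids that. The single-valued branch also removes the prefix without the `SetModified()` call the array branch makes, so the removal may not be written in append mode; `extensions.SetModified();` after `extensions.Remove(extension.GetPrefix());` would make the two branches consistent.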
@@ -993,6 +993,12 @@ public virtual void Close() { long amountOfBytes = ((CountOutputStream)writer.GetOutputStream()).GetAmountOfWrittenBytes(); manager.OnEvent(new SizeOfPdfStatisticsEvent(amountOfBytes, ITextCoreProductData.GetInstance())); } + else { + if (writer.GetOutputStream() is ByteArrayOutputStream) { + long amountOfBytes = ((ByteArrayOutputStream)writer.GetOutputStream()).Length; + manager.OnEvent(new SizeOfPdfStatisticsEvent(amountOfBytes, ITextCoreProductData.GetInstance())); + } + } } catalog.GetPageTree().ClearPageRefs(); } @@ -1002,7 +1008,7 @@ public virtual void Close() { finally { if (writer != null && IsCloseWriter()) { try { - writer.Dispose(); + writer.Finish(); } catch (Exception e) { ILogger logger = ITextLogManager.GetLogger(typeof(iText.Kernel.Pdf.PdfDocument)); @@ -2456,7 +2462,8 @@ private void EnableByteArrayWritingMode() { } else { if (writer.properties.encryptionProperties != null && writer.properties.encryptionProperties.macProperties - != null) { + != null && writer.properties.pdfVersion != null && PdfVersion.PDF_2_0.CompareTo(writer.properties.pdfVersion + ) <= 0) { writer.EnableByteArrayWritingMode(); } } diff --git a/itext/itext.kernel/itext/kernel/pdf/PdfEncryption.cs b/itext/itext.kernel/itext/kernel/pdf/PdfEncryption.cs index 0301e80a2e..d68e809f64 100644 --- a/itext/itext.kernel/itext/kernel/pdf/PdfEncryption.cs +++ b/itext/itext.kernel/itext/kernel/pdf/PdfEncryption.cs @@ -54,7 +54,7 @@ public class PdfEncryption : PdfObjectWrapper { private int cryptoMode; - private long? permissions; + private int? permissions; private bool encryptMetadata; 
@@ -66,73 +66,6 @@ public class PdfEncryption : PdfObjectWrapper { private AbstractMacIntegrityProtector macContainer; - /// Creates the encryption. - /// - /// the user password. Can be null or of zero length, which is equal to - /// omitting the user password - /// - /// - /// the owner password. If it's null or empty, iText will generate - /// a random string to be used as the owner password - /// - /// - /// the user permissions - /// The open permissions for the document can be - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// and - /// . - /// The permissions can be combined by ORing them - /// - /// - /// the type of encryption. It can be one of - /// - /// , - /// - /// , - /// - /// or - /// . - /// Optionally - /// - /// can be - /// ORed to output the metadata in cleartext. - /// - /// can be ORed as well. - /// Please be aware that the passed encryption types may override permissions: - /// - /// implicitly sets - /// - /// and - /// - /// as false; - /// - /// implicitly sets - /// - /// as false; - /// - /// document id which will be used for encryption - /// - /// the - /// - /// of the target document for encryption - /// - public PdfEncryption(byte[] userPassword, byte[] ownerPassword, int permissions, int encryptionType, byte[] - documentId, PdfVersion version) - : this(userPassword, ownerPassword, permissions, encryptionType, documentId, version, null) { - } - /// Creates the encryption. /// /// the user password. Can be null or of zero length, which is equal to 
@@ -253,70 +186,6 @@ public PdfEncryption(byte[] userPassword, byte[] ownerPassword, int permissions, } } - /// Creates the certificate encryption. - /// - /// Creates the certificate encryption. - /// - /// An array of one or more public certificates must be provided together with - /// an array of the same size for the permissions for each certificate. - /// - /// the public certificates to be used for the encryption - /// - /// the user permissions for each of the certificates - /// The open permissions for the document can be - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// , - /// - /// and - /// . - /// The permissions can be combined by ORing them - /// - /// - /// the type of encryption. It can be one of - /// - /// , - /// - /// , - /// - /// or - /// . - /// Optionally - /// - /// can be ORed - /// to output the metadata in cleartext. - /// - /// can be ORed as well. - /// Please be aware that the passed encryption types may override permissions: - /// - /// implicitly sets - /// - /// and - /// - /// as false; - /// - /// implicitly sets - /// - /// as false; - /// - /// - /// the - /// - /// of the target document for encryption - /// - public PdfEncryption(IX509Certificate[] certs, int[] permissions, int encryptionType, PdfVersion version) - : this(certs, permissions, encryptionType, version, null) { - } - /// Creates the certificate encryption. /// /// Creates the certificate encryption. 
@@ -426,30 +295,6 @@ public PdfEncryption(IX509Certificate[] certs, int[] permissions, int encryption } } - /// - /// Creates - /// - /// instance based on already existing standard encryption dictionary. - /// - /// - /// - /// - /// , which represents encryption dictionary - /// - /// - /// - /// byte[] - /// , which represents encryption password - /// - /// - /// original file ID, the first element in - /// - /// key of trailer. - /// - public PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId) - : this(pdfDict, password, documentId, null) { - } - /// /// Creates /// @@ -470,16 +315,9 @@ public PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId) /// /// key of trailer /// - /// - /// - /// - /// class for MAC integrity protection - /// - public PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId, AbstractMacIntegrityProtector - macContainer) + public PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId) : base(pdfDict) { SetForbidRelease(); - this.macContainer = macContainer; this.documentId = documentId; int revision = ReadAndSetCryptoModeForStdHandler(pdfDict); switch (revision) { 
@@ -555,47 +393,7 @@ public PdfEncryption(PdfDictionary pdfDict, byte[] password, byte[] documentId, /// the external decryption process to be used /// public PdfEncryption(PdfDictionary pdfDict, IPrivateKey certificateKey, IX509Certificate certificate) - : this(pdfDict, certificateKey, certificate, null) { - } - - /// - /// Creates - /// - /// instance based on already existing public encryption dictionary. - /// - /// - /// - /// - /// , which represents encryption dictionary - /// - /// - /// the recipient private - /// - /// to the certificate - /// - /// - /// the recipient - /// - /// , which serves as recipient identifier - /// - /// - /// the certificate key provider id for - /// - /// - /// - /// - /// - /// the external decryption process to be used - /// - /// - /// - /// - /// class for MAC integrity protection - /// - public PdfEncryption(PdfDictionary pdfDict, IPrivateKey certificateKey, IX509Certificate certificate, AbstractMacIntegrityProtector - macContainer) : base(pdfDict) { - this.macContainer = macContainer; SetForbidRelease(); int revision = ReadAndSetCryptoModeForPubSecHandler(pdfDict); switch (revision) { @@ -708,7 +506,7 @@ private static byte[] PadByteArrayTo16(byte[] documentId) { /// See ISO 32000-1, Table 22 for more details. /// /// the encryption permissions, an unsigned 32-bit quantity. - public virtual long? GetPermissions() { + public virtual int? GetPermissions() { return permissions; } @@ -719,6 +517,13 @@ public virtual int GetCryptoMode() { return cryptoMode; } + /// Gets encryption algorithm. + /// the encryption algorithm + /// + public virtual int GetEncryptionAlgorithm() { + return cryptoMode & EncryptionConstants.ENCRYPTION_MASK; + } + public virtual bool IsMetadataEncrypted() { return encryptMetadata; } 
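Review bot: The doc comment kept above PdfEncryption.GetPermissions still describes the value as "an unsigned 32-bit quantity", but the method now returns `int?`. The matching PdfReader.GetPermissions change in this commit dropped that wording, so the two comments now disagree. With a signed type, a permissions word with the high bits set reads as a negative number, so callers should test individual flags with `&` rather than compare magnitudes. Suggested text: `/// the encryption permissions as a signed 32-bit bit field, or null if they were not read`.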
@@ -1137,12 +942,13 @@ internal virtual void CheckEncryptionRequirements(PdfDocument document) { throw new PdfException(KernelExceptionMessageConstant.MAC_FOR_ENCRYPTION_5); } } - if (GetCryptoMode() < EncryptionConstants.ENCRYPTION_AES_256) { + int encryption = GetEncryptionAlgorithm(); + if (encryption < EncryptionConstants.ENCRYPTION_AES_256) { VersionConforming.ValidatePdfVersionForDeprecatedFeatureLogWarn(document, PdfVersion.PDF_2_0, VersionConforming .DEPRECATED_ENCRYPTION_ALGORITHMS); } else { - if (GetCryptoMode() == EncryptionConstants.ENCRYPTION_AES_256) { + if (encryption == EncryptionConstants.ENCRYPTION_AES_256) { PdfNumber r = GetPdfObject().GetAsNumber(PdfName.R); if (r != null && r.IntValue() == 5) { VersionConforming.ValidatePdfVersionForDeprecatedFeatureLogWarn(document, PdfVersion.PDF_2_0, VersionConforming @@ -1150,7 +956,7 @@ internal virtual void CheckEncryptionRequirements(PdfDocument document) { } } else { - if (GetCryptoMode() == EncryptionConstants.ENCRYPTION_AES_GCM) { + if (encryption == EncryptionConstants.ENCRYPTION_AES_GCM) { VersionConforming.ValidatePdfVersionForNotSupportedFeatureLogError(document, PdfVersion.PDF_2_0, VersionConforming .NOT_SUPPORTED_AES_GCM); } @@ -1169,11 +975,18 @@ internal virtual void ConfigureEncryptionParametersFromWriter(PdfDocument docume PdfString kdfSalt = GetPdfObject().GetAsString(PdfName.KDFSalt); if (kdfSalt == null) { GetPdfObject().Put(PdfName.KDFSalt, new PdfString(macContainer.GetKdfSalt()).SetHexWriting(true)); + GetPdfObject().SetModified(); } } - if (GetCryptoMode() == EncryptionConstants.ENCRYPTION_AES_GCM) { + else { + document.GetCatalog().RemoveDeveloperExtension(PdfDeveloperExtension.ISO_32004); + } + if (GetEncryptionAlgorithm() == EncryptionConstants.ENCRYPTION_AES_GCM) { document.GetCatalog().AddDeveloperExtension(PdfDeveloperExtension.ISO_32003); } + else { + document.GetCatalog().RemoveDeveloperExtension(PdfDeveloperExtension.ISO_32003); + } } //\endcond 
@@ -1185,23 +998,75 @@ internal virtual AbstractMacIntegrityProtector GetMacContainer() { //\cond DO_NOT_DOCUMENT internal virtual void ConfigureEncryptionParametersFromReader(PdfDocument document, PdfDictionary trailer) { - if (trailer.GetAsDictionary(PdfName.AuthCode) != null) { - macContainer = document.GetDiContainer().GetInstance().CreateMacIntegrityProtector(document - , trailer.GetAsDictionary(PdfName.AuthCode)); - macContainer.SetFileEncryptionKey(securityHandler.GetMkey().Length == 0 ? securityHandler.GetNextObjectKey - () : securityHandler.GetMkey()); - PdfString kdfSalt = GetPdfObject().GetAsString(PdfName.KDFSalt); - if (kdfSalt != null) { - macContainer.SetKdfSalt(kdfSalt.GetValueBytes()); - } - macContainer.ValidateMacToken(); + PdfVersion sourceVersion = document.GetReader().headerPdfVersion; + PdfVersion destVersion = sourceVersion; + if (document.GetWriter() != null && document.GetWriter().GetProperties().pdfVersion != null) { + destVersion = document.GetWriter().GetProperties().pdfVersion; } - else { - if (permissions != null && (permissions & MAC_DISABLED) == 0) { - throw new PdfException(KernelExceptionMessageConstant.MAC_PERMS_WITHOUT_MAC); + try { + if (trailer.GetAsDictionary(PdfName.AuthCode) != null) { + macContainer = document.GetDiContainer().GetInstance().CreateMacIntegrityProtector(document + , trailer.GetAsDictionary(PdfName.AuthCode)); + macContainer.SetFileEncryptionKey(securityHandler.GetMkey().Length == 0 ? securityHandler.GetNextObjectKey + () : securityHandler.GetMkey()); + PdfString kdfSalt = GetPdfObject().GetAsString(PdfName.KDFSalt); + if (kdfSalt != null) { + macContainer.SetKdfSalt(kdfSalt.GetValueBytes()); + } + macContainer.ValidateMacToken(); + // Disable MAC for writing if explicitly requested. 
In append mode we cannot disable it because it will + // remove MAC protection from all previous revisions also for knowledgeable attackers + // TODO DEVSIX-8635 - Verify MAC permission and embed MAC in stamping mode for public key encryption + if (document.properties.disableMac && !document.properties.appendMode && securityHandler is StandardSecurityHandler + ) { + macContainer = null; + UpdateMacPermission(); + } + } + else { + if (PdfVersion.PDF_2_0.CompareTo(destVersion) <= 0 && permissions != null && (permissions & MAC_DISABLED) + == 0) { + // TODO DEVSIX-8635 - Verify MAC permission and embed MAC in stamping mode for public key encryption + throw new MacValidationException(KernelExceptionMessageConstant.MAC_PERMS_WITHOUT_MAC); + } + else { + if (!document.properties.disableMac && !document.properties.appendMode && securityHandler is StandardSecurityHandler + ) { + // TODO DEVSIX-8635 - Verify MAC permission and embed MAC in stamping mode for public key encryption + // This is the branch responsible for embedding MAC into the documents without MAC + // Do not embed MAC in append mode as it does not add extra security + PdfNumber vValue = GetPdfObject().GetAsNumber(PdfName.V); + if (vValue == null) { + throw new PdfException(KernelExceptionMessageConstant.ILLEGAL_V_VALUE); + } + int v = vValue.IntValue(); + // We do not support MAC for increasing PDF version to 2.0 (old encryption do not support it) + // and decreasing from 2.0 (not supported by the spec) + // v >= 5 stands for supported encryption algorithms for MAC being used + if (PdfVersion.PDF_2_0.CompareTo(destVersion) <= 0 && PdfVersion.PDF_2_0.CompareTo(sourceVersion) <= 0 && + v >= 5) { + macContainer = document.GetDiContainer().GetInstance().CreateMacIntegrityProtector(document + , EncryptionProperties.DEFAULT_MAC_PROPERTIES); + UpdateMacPermission(); + } + } + } } } + catch (MacValidationException exception) { + document.GetDiContainer().GetInstance().HandleMacValidationError(exception); + } } 
//\endcond + + private void UpdateMacPermission() { + // We don't parse permissions on reading for PubSec currently + if (permissions != null) { + permissions = ConfigureAccessibilityPermissionsForMac(permissions.Value); + if (securityHandler is StandardSecurityHandler) { + ((StandardSecurityHandler)securityHandler).SetPermissions(permissions.Value, this.GetPdfObject()); + } + } + } } } diff --git a/itext/itext.kernel/itext/kernel/pdf/PdfReader.cs b/itext/itext.kernel/itext/kernel/pdf/PdfReader.cs index e2962c86ab..1ef28ebff2 100644 --- a/itext/itext.kernel/itext/kernel/pdf/PdfReader.cs +++ b/itext/itext.kernel/itext/kernel/pdf/PdfReader.cs @@ -615,8 +615,8 @@ public virtual bool IsOpenedWithFullPermission() { /// . /// See ISO 32000-1, Table 22 for more details. /// - /// the encryption permissions, an unsigned 32-bit quantity. - public virtual long GetPermissions() { + /// the encryption permissions. + public virtual int GetPermissions() { /* !pdfDocument.getXref().isReadingCompleted() can be used for encryption properties as well, * because decrypt object is initialized in private readDecryptObj method which is called in our code * in the next line after the setting isReadingCompleted line. This means that there's no way for users @@ -625,9 +625,9 @@ public virtual long GetPermissions() { if (pdfDocument == null || !pdfDocument.GetXref().IsReadingCompleted()) { throw new PdfException(KernelExceptionMessageConstant.DOCUMENT_HAS_NOT_BEEN_READ_YET); } - long perm = 0; + int perm = 0; if (encrypted && decrypt.GetPermissions() != null) { - perm = (long)decrypt.GetPermissions(); + perm = decrypt.GetPermissions().Value; } return perm; } diff --git a/itext/itext.kernel/itext/kernel/pdf/PdfWriter.cs b/itext/itext.kernel/itext/kernel/pdf/PdfWriter.cs index bc4ea878f4..65c0ae5799 100644 --- a/itext/itext.kernel/itext/kernel/pdf/PdfWriter.cs +++ b/itext/itext.kernel/itext/kernel/pdf/PdfWriter.cs 
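Review bot: In ConfigureEncryptionParametersFromReader the MAC_PERMS_WITHOUT_MAC check is gated on `destVersion`, which is the writer's configured version when one is set, so whether a missing AuthCode is reported depends on how the output is configured rather than on the input. A PDF 2.0 source whose permissions require a MAC but whose trailer carries no AuthCode passes silently when opened with a writer set to a lower version. Validating the input against the source only would read `PdfVersion.PDF_2_0.CompareTo(sourceVersion) <= 0 && permissions != null && (permissions & MAC_DISABLED) == 0`. If the destination-based gate is deliberate, a comment should say why, and the skipped case should at least be logged. `sourceVersion` itself comes from `headerPdfVersion`, which nothing in these lines authenticates, so that dependency deserves a comment as well.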
@@ -115,17 +115,6 @@ public PdfWriter(String filename, WriterProperties properties) : this(FileUtil.GetBufferedOutputStream(filename), properties) { } - /// - public override void Flush() { - base.Flush(); - if (document != null) { - document.DispatchEvent(new PdfDocumentEvent(PdfDocumentEvent.END_WRITER_FLUSH, document)); - } - if (IsByteArrayWritingMode()) { - CompleteByteArrayWritingMode(); - } - } - /// Indicates if to use full compression mode. /// true if to use full compression, false otherwise. public virtual bool IsFullCompression() { @@ -204,6 +193,16 @@ public virtual iText.Kernel.Pdf.PdfWriter SetSmartMode(bool smartMode) { /// protected internal virtual void InitCryptoIfSpecified(PdfVersion version) { EncryptionProperties encryptProps = properties.encryptionProperties; + // Suppress MAC properties for PDF version < 2.0 and old deprecated encryption algorithms + // if default ones have been passed to WriterProperties + int encryptionAlgorithm = crypto == null ? (encryptProps.encryptionAlgorithm & EncryptionConstants.ENCRYPTION_MASK + ) : crypto.GetEncryptionAlgorithm(); + if (encryptProps.macProperties == EncryptionProperties.DEFAULT_MAC_PROPERTIES) { + if ((version == null || version.CompareTo(PdfVersion.PDF_2_0) < 0) || (encryptionAlgorithm != EncryptionConstants + .ENCRYPTION_AES_256 && encryptionAlgorithm != EncryptionConstants.ENCRYPTION_AES_GCM)) { + encryptProps.macProperties = null; + } + } AbstractMacIntegrityProtector mac = encryptProps.macProperties == null ? null : document.GetDiContainer(). GetInstance().CreateMacIntegrityProtector(document, encryptProps.macProperties); if (properties.IsStandardEncryptionUsed()) { @@ -418,6 +417,19 @@ protected internal virtual void FlushModifiedWaitingObjects(ICollectionGets the current object stream. /// object stream. diff --git a/itext/itext.kernel/itext/kernel/pdf/StampingProperties.cs b/itext/itext.kernel/itext/kernel/pdf/StampingProperties.cs index e2b2a4b2c7..cb86b0cfb7 100644 
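Review bot: InitCryptoIfSpecified writes `encryptProps.macProperties = null;` back into the properties object that was passed to the writer, so the suppression outlives this document. If the same properties instance is later reused for a PDF 2.0 AES-256 document, it would presumably be written without a MAC and without any log message. Keeping the decision local avoids that: read the value once with `var macProps = encryptProps.macProperties;`, set `macProps = null;` inside the condition, and pass `macProps` to `CreateMacIntegrityProtector`. The method continues outside the hunk, so any later read of `encryptProps.macProperties` there would need the same local.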
--- a/itext/itext.kernel/itext/kernel/pdf/StampingProperties.cs +++ b/itext/itext.kernel/itext/kernel/pdf/StampingProperties.cs @@ -26,6 +26,8 @@ public class StampingProperties : DocumentProperties { protected internal bool preserveEncryption = false; + protected internal bool disableMac = false; + public StampingProperties() { } @@ -67,5 +69,22 @@ public virtual iText.Kernel.Pdf.StampingProperties PreserveEncryption() { this.preserveEncryption = true; return this; } + + /// Disables MAC token in the output PDF-2.0 document. + /// + /// Disables MAC token in the output PDF-2.0 document. + /// By default, MAC token will be embedded. + /// This property does not remove MAC token from existing document in append mode because it removes MAC protection + /// from all previous revisions also. + /// + /// + /// this + /// + /// instance + /// + public virtual iText.Kernel.Pdf.StampingProperties DisableMac() { + this.disableMac = true; + return this; + } } } diff --git a/itext/itext.kernel/itext/kernel/pdf/WriterProperties.cs b/itext/itext.kernel/itext/kernel/pdf/WriterProperties.cs index 20014c03f9..799183609e 100644 --- a/itext/itext.kernel/itext/kernel/pdf/WriterProperties.cs +++ b/itext/itext.kernel/itext/kernel/pdf/WriterProperties.cs @@ -214,7 +214,8 @@ public virtual iText.Kernel.Pdf.WriterProperties SetFullCompressionMode(bool ful /// public virtual iText.Kernel.Pdf.WriterProperties SetStandardEncryption(byte[] userPassword, byte[] ownerPassword , int permissions, int encryptionAlgorithm) { - return SetStandardEncryption(userPassword, ownerPassword, permissions, encryptionAlgorithm, null); + return SetStandardEncryption(userPassword, ownerPassword, permissions, encryptionAlgorithm, EncryptionProperties + .DEFAULT_MAC_PROPERTIES); } /// Sets the encryption options for the document. 
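Review bot: The new DisableMac doc comment does not say that the flag is ignored for public-key encryption. In this commit's PdfEncryption.ConfigureEncryptionParametersFromReader the flag is only honoured when `securityHandler is StandardSecurityHandler` and the document is not in append mode. A caller stamping a certificate-encrypted document gets no indication that the call had no effect. One more sentence would cover it: `/// This property currently has no effect for documents encrypted with public-key (certificate) security handlers.`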
@@ -276,7 +277,10 @@ public virtual iText.Kernel.Pdf.WriterProperties SetStandardEncryption(byte[] us /// /// /// - /// class to configure MAC integrity protection properties + /// class to configure MAC integrity protection properties. + /// Pass + /// + /// if you want to disable MAC protection for any reason /// /// /// this @@ -350,7 +354,8 @@ public virtual iText.Kernel.Pdf.WriterProperties SetStandardEncryption(byte[] us /// public virtual iText.Kernel.Pdf.WriterProperties SetPublicKeyEncryption(IX509Certificate[] certs, int[] permissions , int encryptionAlgorithm) { - return SetPublicKeyEncryption(certs, permissions, encryptionAlgorithm, null); + return SetPublicKeyEncryption(certs, permissions, encryptionAlgorithm, EncryptionProperties.DEFAULT_MAC_PROPERTIES + ); } /// Sets the certificate encryption options for the document. @@ -409,7 +414,10 @@ public virtual iText.Kernel.Pdf.WriterProperties SetPublicKeyEncryption(IX509Cer /// /// /// - /// class to configure MAC integrity protection properties + /// class to configure MAC integrity protection properties. + /// Pass + /// + /// if you want to disable MAC protection for any reason /// /// /// this diff --git a/itext/itext.kernel/itext/kernel/utils/CompareTool.cs b/itext/itext.kernel/itext/kernel/utils/CompareTool.cs index bea60a43f0..f1b3ca52e7 100644 --- a/itext/itext.kernel/itext/kernel/utils/CompareTool.cs +++ b/itext/itext.kernel/itext/kernel/utils/CompareTool.cs @@ -108,6 +108,8 @@ public class CompareTool { private bool encryptionCompareEnabled = false; + private bool kdfSaltCompareEnabled = true; + private bool useCachedPagesForComparison = true; private IMetaInfo metaInfo; 
@@ -359,7 +361,31 @@ public virtual void SetEventCountingMetaInfo(IMetaInfo metaInfo) { /// /// this CompareTool instance. public virtual iText.Kernel.Utils.CompareTool EnableEncryptionCompare() { + return EnableEncryptionCompare(true); + } + + /// Enables the comparison of the encryption properties of the documents. + /// + /// Enables the comparison of the encryption properties of the documents. Encryption properties comparison + /// results are returned along with all other comparison results. + /// + /// IMPORTANT NOTE: this flag affects only the comparison performed by compareByContent methods! + /// + /// doesn't compare encryption properties + /// because encryption properties aren't part of the document's Catalog. + /// + /// + /// set to + /// + /// if + /// + /// entry must be compared, + /// {code false} otherwise + /// + /// this CompareTool instance. + public virtual iText.Kernel.Utils.CompareTool EnableEncryptionCompare(bool kdfSaltCompareEnabled) { this.encryptionCompareEnabled = true; + this.kdfSaltCompareEnabled = kdfSaltCompareEnabled; return this; } @@ -1415,6 +1441,7 @@ private String CompareByContent(String outPath, String differenceImagePrefix, ID (), catalogPath, compareResult, ignoredCatalogEntries); if (encryptionCompareEnabled) { CompareDocumentsEncryption(outDocument, cmpDocument, compareResult); + CompareDocumentsMac(outDocument, cmpDocument, compareResult); } if (generateCompareByContentXmlReport) { String outPdfName = new FileInfo(outPdf).Name; 
@@ -1525,6 +1552,26 @@ private void CompareDocumentsEncryption(PdfDocument outDocument, PdfDocument cmp } } + private void CompareDocumentsMac(PdfDocument outDocument, PdfDocument cmpDocument, CompareTool.CompareResult + compareResult) { + PdfDictionary outAuthCode = outDocument.GetTrailer().GetAsDictionary(PdfName.AuthCode); + PdfDictionary cmpAuthCode = cmpDocument.GetTrailer().GetAsDictionary(PdfName.AuthCode); + if (outAuthCode == null && cmpAuthCode == null) { + return; + } + ObjectPath trailerPath = new TrailerPath(cmpDocument, outDocument); + if (outAuthCode == null) { + compareResult.AddError(trailerPath, "Output document does not contain MAC."); + return; + } + if (cmpAuthCode == null) { + compareResult.AddError(trailerPath, "Output document contains MAC which is not expected."); + return; + } + CompareDictionariesExtended(outAuthCode, cmpAuthCode, trailerPath, compareResult, new HashSet(JavaUtil.ArraysAsList + (PdfName.ByteRange, PdfName.MAC))); + } + private bool CompareStreams(Stream is1, Stream is2) { byte[] buffer1 = new byte[64 * 1024]; byte[] buffer2 = new byte[64 * 1024]; @@ -1569,7 +1616,8 @@ private bool CompareDictionariesExtended(PdfDictionary outDict, PdfDictionary cm if (excludedKeys != null && excludedKeys.Contains(key)) { continue; } - if (key.Equals(PdfName.Parent) || key.Equals(PdfName.P) || key.Equals(PdfName.ModDate)) { + if (key.Equals(PdfName.Parent) || key.Equals(PdfName.P) || key.Equals(PdfName.ModDate) || (key.Equals(PdfName + .KDFSalt) && !kdfSaltCompareEnabled)) { continue; } if (outDict.IsStream() && cmpDict.IsStream() && (key.Equals(PdfName.Filter) || key.Equals(PdfName.Length)) diff --git a/itext/itext.sign/itext/signatures/OcspClientBouncyCastle.cs b/itext/itext.sign/itext/signatures/OcspClientBouncyCastle.cs index 261d841f8b..d488045608 100644 --- a/itext/itext.sign/itext/signatures/OcspClientBouncyCastle.cs +++ b/itext/itext.sign/itext/signatures/OcspClientBouncyCastle.cs 
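Review bot: CompareDocumentsMac has no comment explaining why /ByteRange and /MAC are passed as excluded keys, and the exclusion changes what a passing comparison means. With them excluded, the check confirms only that both documents have an AuthCode dictionary of the same shape; it does not confirm that the MAC value in the output is valid. A comment above the final call would make that limit explicit: `// ByteRange and MAC are expected to differ between runs; only the AuthCode structure is compared, the MAC itself is not validated here.`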
@@ -124,7 +124,6 @@ public virtual byte[] GetEncoded(IX509Certificate checkCert, IX509Certificate ro /// protected internal static IOcspRequest GenerateOCSPRequest(IX509Certificate issuerCert, IBigInteger serialNumber ) { - //Add provider BC // Generate the id for the certificate we are looking for ICertID id = SignUtils.GenerateCertificateId(issuerCert, serialNumber, BOUNCY_CASTLE_FACTORY.CreateCertificateID ().GetHashSha1()); diff --git a/itext/itext.sign/itext/signatures/mac/SignatureMacContainerLocator.cs b/itext/itext.sign/itext/signatures/mac/SignatureMacContainerLocator.cs index e726f5f1c2..61db328eb5 100644 --- a/itext/itext.sign/itext/signatures/mac/SignatureMacContainerLocator.cs +++ b/itext/itext.sign/itext/signatures/mac/SignatureMacContainerLocator.cs @@ -56,5 +56,10 @@ public virtual AbstractMacIntegrityProtector CreateMacIntegrityProtector(PdfDocu authDictionary) { return new SignatureMacIntegrityProtector(document, authDictionary); } + + /// + public virtual void HandleMacValidationError(MacValidationException exception) { + throw exception; + } } } diff --git a/port-hash b/port-hash index a523416cfd..238dce8913 100644 --- a/port-hash +++ b/port-hash @@ -1 +1 @@ -dc76524bdb9871dfcd4e2b6d156e42a653d2396d +20941942038f765b1cbc9df1c8ea7f895b03a730
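Review bot: `throw exception;` in SignatureMacContainerLocator.HandleMacValidationError rethrows an exception object that was already thrown and caught in PdfEncryption.ConfigureEncryptionParametersFromReader. That resets its stack trace to this method and hides where MAC validation actually failed. `ExceptionDispatchInfo.Capture(exception).Throw();` (System.Runtime.ExceptionServices) keeps the original trace. The method also lacks a description of its contract; a comment such as `// Default policy: a MAC validation failure is fatal. An override that returns normally lets processing of the document continue.` would make the consequence of overriding it explicit.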