def test_key_encipherment_requirement():
with pytest.raises(misc.PdfWriteError):
PubKeySecurityHandler.build_from_certs(
[PUBKEY_SELFSIGNED_DECRYPTER.cert],
keylen_bytes=32,
version=SecurityHandlerVersion.AES256,
use_aes=True,
use_crypt_filters=True,
perms=-44)
def encrypt_pubkey(self, recipients: List[x509.Certificate]):
"""
Mark this document to be encrypted with PDF 2.0 public key encryption.
The certificates passed in should be RSA certificates.
PyHanko defaults to AES-256 to encrypt the actual file contents.
The seed used to derive the file encryption key is also encrypted
using AES-256 and bundled in a CMS EnvelopedData object.
The envelope key is then encrypted separately for each recipient, using
their respective public keys.
.. caution::
While pyHanko supports legacy PDF encryption as well, the API
to create new documents using outdated encryption is left
undocumented on purpose to discourage its use.
This caveat does _not_ apply to incremental updates added to
existing documents.
:param recipients:
Certificates of the recipients that should be able to decrypt
the document.
"""
self.output_version = (2, 0)
sh = PubKeySecurityHandler.build_from_certs(recipients)
self._assign_security_handler(sh)
def test_key_encipherment_requirement_override(version, keylen, use_aes,
use_crypt_filters):
r = PdfFileReader(BytesIO(VECTOR_IMAGE_PDF))
w = writer.PdfFileWriter()
sh = PubKeySecurityHandler.build_from_certs(
[PUBKEY_SELFSIGNED_DECRYPTER.cert],
keylen_bytes=keylen,
version=version,
use_aes=use_aes,
use_crypt_filters=use_crypt_filters,
perms=-44,
ignore_key_usage=True)
w.security_handler = sh
w._encrypt = w.add_object(sh.as_pdf_object())
new_page_tree = w.import_object(r.root.raw_get('/Pages'), )
w.root['/Pages'] = new_page_tree
out = BytesIO()
w.write(out)
r = PdfFileReader(out)
result = r.decrypt_pubkey(PUBKEY_SELFSIGNED_DECRYPTER)
assert result.status == AuthStatus.USER
assert result.permission_flags == -44
page = r.root['/Pages']['/Kids'][0].get_object()
assert '/ExtGState' in page['/Resources']
# just a piece of data I know occurs in the decoded content stream
# of the (only) page in VECTOR_IMAGE_PDF
assert b'0 1 0 rg /a0 gs' in page['/Contents'].data
def test_pubkey_encryption_s5_requires_cfs():
w = writer.PdfFileWriter()
sh = PubKeySecurityHandler.build_from_certs([PUBKEY_TEST_DECRYPTER.cert])
w._assign_security_handler(sh)
encrypt = w._encrypt.get_object()
del encrypt['/CF']
out = BytesIO()
w.write(out)
with pytest.raises(misc.PdfReadError):
PdfFileReader(out)
def test_pubkey_encryption_dict_errors():
sh = PubKeySecurityHandler.build_from_certs([PUBKEY_TEST_DECRYPTER.cert])
original = sh.as_pdf_object()
encrypt = generic.DictionaryObject(original)
encrypt['/SubFilter'] = pdf_name('/asdflakdsjf')
with pytest.raises(misc.PdfReadError):
PubKeySecurityHandler.build(encrypt)
encrypt = generic.DictionaryObject(original)
encrypt['/Length'] = generic.NumberObject(13)
with pytest.raises(misc.PdfError):
PubKeySecurityHandler.build(encrypt)
encrypt = generic.DictionaryObject(original)
del encrypt['/CF']['/DefaultCryptFilter']['/CFM']
with pytest.raises(misc.PdfReadError):
PubKeySecurityHandler.build(encrypt)
encrypt = generic.DictionaryObject(original)
encrypt['/CF']['/DefaultCryptFilter']['/CFM'] = pdf_name('/None')
with pytest.raises(misc.PdfReadError):
PubKeySecurityHandler.build(encrypt)
def encrypt_pubkey(self, recipients: List[x509.Certificate]):
"""
Mark this document to be encrypted with PDF 2.0 public key encryption.
The certificates passed in should be RSA certificates.
PyHanko defaults to AES-256 to encrypt the actual file contents.
The seed used to derive the file encryption key is also encrypted
using AES-256 and bundled in a CMS EnvelopedData object.
The envelope key is then encrypted separately for each recipient, using
their respective public keys.
.. caution::
The caveats for :meth:`encrypt` also apply here.
:param recipients:
Certificates of the recipients that should be able to decrypt
the document.
"""
self.output_version = (2, 0)
sh = PubKeySecurityHandler.build_from_certs(recipients)
self._assign_security_handler(sh)
def test_pubkey_encryption(version, keylen, use_aes, use_crypt_filters):
r = PdfFileReader(BytesIO(VECTOR_IMAGE_PDF))
w = writer.PdfFileWriter()
sh = PubKeySecurityHandler.build_from_certs(
[PUBKEY_TEST_DECRYPTER.cert],
keylen_bytes=keylen,
version=version,
use_aes=use_aes,
use_crypt_filters=use_crypt_filters)
w.security_handler = sh
w._encrypt = w.add_object(sh.as_pdf_object())
new_page_tree = w.import_object(r.root.raw_get('/Pages'), )
w.root['/Pages'] = new_page_tree
out = BytesIO()
w.write(out)
r = PdfFileReader(out)
r.decrypt_pubkey(PUBKEY_TEST_DECRYPTER)
page = r.root['/Pages']['/Kids'][0].get_object()
assert '/ExtGState' in page['/Resources']
# just a piece of data I know occurs in the decoded content stream
# of the (only) page in VECTOR_IMAGE_PDF
assert b'0 1 0 rg /a0 gs' in page['/Contents'].data
def test_custom_pubkey_crypt_filter(with_hex_filter, main_unencrypted):
w = writer.PdfFileWriter()
custom = pdf_name('/Custom')
crypt_filters = {
custom: PubKeyRC4CryptFilter(keylen=16),
}
if main_unencrypted:
# streams/strings are unencrypted by default
cfc = CryptFilterConfiguration(crypt_filters=crypt_filters)
else:
crypt_filters[DEFAULT_CRYPT_FILTER] = PubKeyAESCryptFilter(
keylen=16, acts_as_default=True)
cfc = CryptFilterConfiguration(
crypt_filters=crypt_filters,
default_string_filter=DEFAULT_CRYPT_FILTER,
default_stream_filter=DEFAULT_CRYPT_FILTER)
sh = PubKeySecurityHandler(version=SecurityHandlerVersion.RC4_OR_AES128,
pubkey_handler_subfilter=PubKeyAdbeSubFilter.S5,
legacy_keylen=16,
crypt_filter_config=cfc)
# if main_unencrypted, these should be no-ops
sh.add_recipients([PUBKEY_TEST_DECRYPTER.cert])
# (this is always pointless, but it should be allowed)
sh.add_recipients([PUBKEY_TEST_DECRYPTER.cert])
crypt_filters[custom].add_recipients([PUBKEY_TEST_DECRYPTER.cert])
w._assign_security_handler(sh)
encrypt_dict = w._encrypt.get_object()
cfs = encrypt_dict['/CF']
# no /Recipients in S5 mode
assert '/Recipients' not in encrypt_dict
assert isinstance(cfs[custom]['/Recipients'], generic.ByteStringObject)
if main_unencrypted:
assert DEFAULT_CRYPT_FILTER not in cfs
else:
default_rcpts = cfs[DEFAULT_CRYPT_FILTER]['/Recipients']
assert isinstance(default_rcpts, generic.ArrayObject)
assert len(default_rcpts) == 2
# custom crypt filters can only have one set of recipients
with pytest.raises(misc.PdfError):
crypt_filters[custom].add_recipients([PUBKEY_TEST_DECRYPTER.cert])
test_data = b'This is test data!'
dummy_stream = generic.StreamObject(stream_data=test_data)
dummy_stream.add_crypt_filter(name=custom, handler=sh)
ref = w.add_object(dummy_stream)
dummy_stream2 = generic.StreamObject(stream_data=test_data)
ref2 = w.add_object(dummy_stream2)
if with_hex_filter:
dummy_stream.apply_filter(pdf_name('/AHx'))
out = BytesIO()
w.write(out)
r = PdfFileReader(out)
r.decrypt_pubkey(PUBKEY_TEST_DECRYPTER)
# the custom test filter shouldn't have been decrypted yet
# so attempting to decode the stream should cause the crypt filter
# to throw an error
obj: generic.StreamObject = r.get_object(ref.reference)
with pytest.raises(misc.PdfError):
# noinspection PyStatementEffect
obj.data
r.security_handler.crypt_filter_config[custom].authenticate(
PUBKEY_TEST_DECRYPTER)
assert obj.data == test_data
if with_hex_filter:
cf_dict = obj['/DecodeParms'][1]
else:
cf_dict = obj['/DecodeParms']
assert cf_dict['/Name'] == pdf_name('/Custom')
obj2: generic.DecryptedObjectProxy = r.get_object(
ref2.reference, transparent_decrypt=False)
raw = obj2.raw_object
assert isinstance(raw, generic.StreamObject)
if main_unencrypted:
assert raw.encoded_data == test_data
else:
assert raw.encoded_data != test_data
