Menu

#519 computeEncryptedKey() is incomplete

closed-out-of-date
Ben Litchfield
parsing (91)
5
2010-04-07
2008-10-24
Yves Bussard
No

Hi Ben,

I tried to decrypt the attached pdf. The pdf only contains an owner password but no user password. I.e. when opening the document with Acroread I am not asked to provide a password to read the document. What makes this document somehow special is, that although the content is encrypted the metadata are not. I.e. the EncryptMetadata flag is false in the ecnryption dictionary.

The step to handle this special case is missing in StandardSecurityHandler.computeEncryptedKey(). According to PdfReference 1.6 page 101, Step 6 you need pass 4 bytes with the value 0xFF to the MD5 hash function. So the method would look somthing like:

public final byte[] computeEncryptedKey(...) .. {
.
.
//step 5
md.update( id );

//step 6
if (!encryptMetadata) {
md.update(
new byte[] {
(byte)0xFF, (byte)0xFF,
(byte)0xFF, (byte)0xFF
}
);
}
byte[] digest = md.digest();
.
.

}

You also need to read that flag from the encryption dictionary and pass it to computeEncryptedKey(). Of course you'd want to have the byte[] as a constant. I just put it this way for the readability.

I have tried it in my checked out version and it works. If you need further informations, don't hesitate to contact me.

Cheers
Yves

Discussion

  • Yves Bussard

    Yves Bussard - 2008-10-24

    Sample pdf with encrypted content, metadata not encrypted

     
    attachment.pdf

  • Ben Litchfield

    Ben Litchfield - 2010-04-07
    • status: open --> closed-out-of-date
     

  • Ben Litchfield

    Ben Litchfield - 2010-04-07

    PDFBox has moved to Apache. Bugs have been moved over to the Apache bug tracking system. If you don't see the bug and it's still not fixed in the current release then please create a new bug on the Apache site.

    http://pdfbox.apache.org

     

Log in to post a comment.