From 89f53d196e10a1874cd61e3ee42f57dfd77eb856 Mon Sep 17 00:00:00 2001 From: emusic Date: Thu, 18 Jan 2018 17:36:08 +0100 Subject: protecting pdf file # Conflicts: # pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/signing/pdfbox2/PADESPDFBOXSigner.java --- ...radle__org_bouncycastle_bcprov_jdk15on_1_59.xml | 11 +++ .../src/main/java/at/gv/egiz/pdfas/cli/Main.java | 3 +- pdf-as-lib/build.gradle | 3 + pdf-as-lib/libs/bcprov-jdk15on-159.jar | Bin 0 -> 4092400 bytes .../configuration/cfg/advancedconfig.properties | 6 +- pdf-as-lib/src/configuration/cfg/config.properties | 3 + .../pdfas/lib/api/IConfigurationConstants.java | 12 ++- .../at/gv/egiz/pdfas/lib/api/PdfAsFactory.java | 8 ++ .../impl/configuration/GlobalConfiguration.java | 18 +++- .../impl/signing/pdfbox2/PADESPDFBOXSigner.java | 104 ++++++++++++++------- 10 files changed, 128 insertions(+), 40 deletions(-) create mode 100644 .idea/libraries/Gradle__org_bouncycastle_bcprov_jdk15on_1_59.xml create mode 100644 pdf-as-lib/libs/bcprov-jdk15on-159.jar diff --git a/.idea/libraries/Gradle__org_bouncycastle_bcprov_jdk15on_1_59.xml b/.idea/libraries/Gradle__org_bouncycastle_bcprov_jdk15on_1_59.xml new file mode 100644 index 00000000..ef62e981 --- /dev/null +++ b/.idea/libraries/Gradle__org_bouncycastle_bcprov_jdk15on_1_59.xml @@ -0,0 +1,11 @@ + + + + + + + + + + + \ No newline at end of file diff --git a/pdf-as-cli/src/main/java/at/gv/egiz/pdfas/cli/Main.java b/pdf-as-cli/src/main/java/at/gv/egiz/pdfas/cli/Main.java index 7c1255cf..6cae9b63 100644 --- a/pdf-as-cli/src/main/java/at/gv/egiz/pdfas/cli/Main.java +++ b/pdf-as-cli/src/main/java/at/gv/egiz/pdfas/cli/Main.java @@ -434,7 +434,7 @@ public class Main { SignResult result = null; try { - result = pdfAs.sign(signParameter); + result = pdfAs.sign(signParameter); } finally { if (result != null) { Iterator> infoIt = result 
@@ -450,6 +450,7 @@ public class Main { fos.close(); System.out.println("Signed document " + outputFile); + } private static void perform_verify(CommandLine cli) throws Exception { diff --git a/pdf-as-lib/build.gradle b/pdf-as-lib/build.gradle index d2345648..d6e813ac 100644 --- a/pdf-as-lib/build.gradle +++ b/pdf-as-lib/build.gradle @@ -58,6 +58,9 @@ dependencies { compile group: 'org.apache.commons', name: 'commons-lang3', version: '3.3.2' compile group: 'org.apache.httpcomponents', name: 'httpmime', version: '4.3.5' compile group: 'org.apache.httpcomponents', name: 'httpclient', version: '4.3.5' + + compile group: 'org.bouncycastle', name: 'bcprov-jdk15on', version: '1.59' + compile group: 'commons-io', name: 'commons-io', version: '2.4' compile 'org.apache.commons:commons-collections4:4.0' compile group: 'ognl', name: 'ognl', version: '3.0.8' diff --git a/pdf-as-lib/libs/bcprov-jdk15on-159.jar b/pdf-as-lib/libs/bcprov-jdk15on-159.jar new file mode 100644 index 00000000..9049e565 Binary files /dev/null and b/pdf-as-lib/libs/bcprov-jdk15on-159.jar differ diff --git a/pdf-as-lib/src/configuration/cfg/advancedconfig.properties b/pdf-as-lib/src/configuration/cfg/advancedconfig.properties index 5fd8b5cb..726deba8 100644 --- a/pdf-as-lib/src/configuration/cfg/advancedconfig.properties +++ b/pdf-as-lib/src/configuration/cfg/advancedconfig.properties @@ -87,12 +87,10 @@ #default.adobeSignReasonValue=Informationen zur Pr\u00FCfung finden Sie unter http://www.signaturpruefung.gv.at - # Standard Prueflink fuer die Adobe Signaturkennzeichnung (nur relevant falls Adobe Plugin fuer Pruefung verwendet wird) #default.verifyURL=http://www.signaturpruefung.gv.at - # Standard Alternativer Text fuer den Signaturblock (WAI) (globale Einstellung) #default.sigLogoAltText=Abgebildet ist eine Standard-Signaturbildmarke. 
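Review bot: The bcprov-jdk15on 1.59 dependency enters the build twice, once as the Maven coordinate added to `dependencies` in pdf-as-lib/build.gradle and once as the binary `pdf-as-lib/libs/bcprov-jdk15on-159.jar` committed in the same change. A checked-in jar cannot be reviewed in a diff and carries no recorded origin or checksum, and if `libs/` is on the classpath (not visible here) two copies of the provider could be loaded. I would drop the binary and keep only the coordinate, recording the expected artifact checksum wherever the build supports it. A short comment above the new line, e.g. `// BouncyCastle provider, registered in PdfAsFactory`, would also say why the dependency exists.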
@@ -108,3 +106,7 @@ default.verifier.01=at.gv.egiz.pdfas.sigs.pades.PAdESVerifier #sigblock.placement.debug.file=/home/user/temp/debugImg.png #runtime.backend=PDFBOX_2_BACKEND +################## +# Protect PDF files from copying and extractiong content +# Set values to be true|false|unchanged + diff --git a/pdf-as-lib/src/configuration/cfg/config.properties b/pdf-as-lib/src/configuration/cfg/config.properties index f9eaeb98..fe2385a8 100644 --- a/pdf-as-lib/src/configuration/cfg/config.properties +++ b/pdf-as-lib/src/configuration/cfg/config.properties @@ -102,3 +102,6 @@ include.01 = profiles/*.properties # Legt das Standard-Signaturprofil fest sig_obj.type.default=SIGNATURBLOCK_SMALL_DE_NOTE +################## +# Protect PDF files from copying and extractiong content +# Set values to be true|false|unchanged diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/IConfigurationConstants.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/IConfigurationConstants.java index f8f71f2f..713948ba 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/IConfigurationConstants.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/IConfigurationConstants.java @@ -108,12 +108,18 @@ public interface IConfigurationConstants { public static final String BG_COLOR_DETECTION = "sigblock.placement.bgcolor.detection.enabled"; public static final String SIG_PLACEMENT_DEBUG_OUTPUT = "sigblock.placement.debug.file"; - - - /** * PADES Constants */ public static final String SIG_PADES_FORCE_FLAG= SIG_OBJECT + SEPERATOR+"PAdESCompatibility"; public static final String SIG_PADES_INTELL_FLAG = SIG_OBJECT + SEPERATOR+"CheckPAdESCompatibility"; + + + /** + * Protect PDF file from copying content and extracting + */ + + public static final String DEFAULT_CONFIG_PROTECT_COPY_PDF = DEFAULT_CONFIG_PROTECT_PDF + SEPERATOR + "accessCopy"; + public static final String DEFAULT_CONFIG_PROTECT_EXTRACT_PDF = DEFAULT_CONFIG_PROTECT_PDF + SEPERATOR + "canModify"; + } 
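Review bot: The new key names in IConfigurationConstants do not match what they control: `DEFAULT_CONFIG_PROTECT_EXTRACT_PDF` resolves to the suffix `canModify`, while `DEFAULT_CONFIG_PROTECT_COPY_PDF` (`accessCopy`) is the key that, in PADESPDFBOXSigner, also switches off modify and print. An operator who sets one key gets a different permission set than its name suggests. The comment blocks added to advancedconfig.properties and config.properties say "Set values to be true|false|unchanged" but list no key, so the Javadoc here should name the full property keys and the permissions each one changes, for example `/** Key suffix "accessCopy": when "true", the signer clears the extract, modify and print permissions. */`. `DEFAULT_CONFIG_PROTECT_PDF` is defined outside this hunk.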
diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/PdfAsFactory.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/PdfAsFactory.java index 72d182ed..c3c2b6fd 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/PdfAsFactory.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/api/PdfAsFactory.java @@ -61,6 +61,11 @@ import at.gv.egiz.pdfas.lib.impl.SignParameterImpl; import at.gv.egiz.pdfas.lib.impl.VerifyParameterImpl; import at.gv.egiz.pdfas.lib.impl.configuration.ConfigValidatorLoader; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; + +import org.bouncycastle.jce.provider.BouncyCastleProvider; + public class PdfAsFactory implements IConfigurationConstants { private static final Logger logger = LoggerFactory @@ -118,6 +123,9 @@ public class PdfAsFactory implements IConfigurationConstants { // TODO: register ECCelerate in second position when TLS issue is // fixed registerProvider(new ECCelerate(), -1); + + registerProvider( new BouncyCastleProvider(), -2); + } else { logger.info("Skipping Security Provider registration!"); } diff --git a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/configuration/GlobalConfiguration.java b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/configuration/GlobalConfiguration.java index d04f6878..a40c336d 100644 --- a/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/configuration/GlobalConfiguration.java +++ b/pdf-as-lib/src/main/java/at/gv/egiz/pdfas/lib/impl/configuration/GlobalConfiguration.java @@ -21,6 +21,7 @@ * The "NOTICE" text file is part of the distribution. Any derivative works * that you distribute must include a readable copy of the "NOTICE" text file. ******************************************************************************/ + package at.gv.egiz.pdfas.lib.impl.configuration; import at.gv.egiz.pdfas.common.settings.ISettings; 
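Review bot: `registerProvider( new BouncyCastleProvider(), -2);` installs another JCA provider process-wide with a position argument whose meaning is not explained at the call site. Provider order decides which implementation answers `getInstance` calls that name no provider, so adding BouncyCastle can change the crypto used by signing and verification code elsewhere. The body of registerProvider is outside the hunk, so what -1 and -2 mean should be confirmed and written down next to the call, e.g. `// registered after ECCelerate so existing algorithm resolution is unchanged` if that is the intent. The first PdfAsFactory hunk also adds the `org.bouncycastle.jce.provider.BouncyCastleProvider` import twice; one line is enough.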
@@ -46,5 +47,20 @@ public class GlobalConfiguration extends SpecificBaseConfiguration } return null; } - + + public String getDefaultCopyProtection() { + if(this.configuration.hasValue(DEFAULT_CONFIG_PROTECT_COPY_PDF)) { + return this.configuration.getValue(DEFAULT_CONFIG_PROTECT_COPY_PDF); + } + return null; + } + + public String getDefaultExtractProtection() { + if(this.configuration.hasValue(DEFAULT_CONFIG_PROTECT_EXTRACT_PDF)) { + return this.configuration.getValue(DEFAULT_CONFIG_PROTECT_EXTRACT_PDF); + } + return null; + } + + } diff --git a/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/signing/pdfbox2/PADESPDFBOXSigner.java b/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/signing/pdfbox2/PADESPDFBOXSigner.java index e27597d1..a7b1655f 100644 --- a/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/signing/pdfbox2/PADESPDFBOXSigner.java +++ b/pdf-as-pdfbox-2/src/main/java/at/gv/egiz/pdfas/lib/impl/signing/pdfbox2/PADESPDFBOXSigner.java @@ -24,7 +24,6 @@ package at.gv.egiz.pdfas.lib.impl.signing.pdfbox2; import at.gv.egiz.pdfas.lib.api.Configuration; -import at.gv.egiz.pdfas.lib.util.PDDocumentUtil; import iaik.x509.X509Certificate; import java.awt.Graphics2D; @@ -114,7 +113,6 @@ import at.gv.egiz.pdfas.lib.impl.status.RequestedSignature; import at.knowcenter.wag.egov.egiz.pdf.PositioningInstruction; import at.knowcenter.wag.egov.egiz.pdf.TablePos; import at.knowcenter.wag.egov.egiz.table.Table; - import javax.activation.DataSource; public class PADESPDFBOXSigner implements IPdfSigner, IConfigurationConstants { @@ -603,6 +601,7 @@ public class PADESPDFBOXSigner implements IPdfSigner, IConfigurationConstants { try { ByteArrayOutputStream bos = new ByteArrayOutputStream(); + /*/ Check if document should be protected*/ synchronized (doc) { doc.saveIncremental(bos); 
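Review bot: `getDefaultCopyProtection()` and `getDefaultExtractProtection()` return the raw property string or `null` and have no Javadoc, so every caller has to know the tri-state convention (true|false|unchanged, per the properties comment) and null-check on its own. I would document that on both methods, e.g. `/** @return "true", "false" or "unchanged" as configured, or null when the key is absent */`. Neither getter is called in the hunks visible here, since PADESPDFBOXSigner reads the setting through `requestedSignature.getStatus().getSettings()` instead, so it is worth checking whether they are needed. Mapping an absent or unrecognised value to "unchanged" in one place would keep callers from each inventing their own default.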
@@ -612,45 +611,76 @@ public class PADESPDFBOXSigner implements IPdfSigner, IConfigurationConstants { } + /* + Check if resulting pdf is PDF-A conform + */ + if (signatureProfileSettings.isPDFA()) { + runPDFAPreflight(new ByteArrayDataSource(pdfObject.getSignedDocument())); + } + + /*Check if doc has to be protected*/ + /* if (requestedSignature.getStatus().getSettings().hasValue(DEFAULT_CONFIG_PROTECT_PDF)) { + if (IConfigurationConstants.TRUE.equalsIgnoreCase(requestedSignature.getStatus().getSettings().getValue(IConfigurationConstants.DEFAULT_CONFIG_PROTECT_PDF))) + { //Protect document before setting output + //Policies for docs + AccessPermission ap = doc.getCurrentAccessPermission(); + ap.setReadOnly(); + ap.setCanModify(false); + ap.setCanExtractForAccessibility(false); + doc = new PDDocument(doc.getDocument(),null,ap); + logger.info("Added Protection Parameters"); + } + + } +*/ + /*Check if doc has to be protected*/ - /*/ Check if document should be protected*/ - //Check if doc has to be protected// - if (requestedSignature.getStatus().getSettings().hasValue(DEFAULT_CONFIG_PROTECT_PDF)) { - //TODO: Test and Check ProtectionSettings// --> overwritten DefaultSecHandler and PDDocumentUtil - if (IConfigurationConstants.TRUE.equalsIgnoreCase(requestedSignature.getStatus().getSettings().getValue(IConfigurationConstants.DEFAULT_CONFIG_PROTECT_PDF))) - { //Protect document before setting output - //Policies for docs + if (requestedSignature.getStatus().getSettings().hasValue(DEFAULT_CONFIG_PROTECT_COPY_PDF)) + { AccessPermission ap = doc.getCurrentAccessPermission(); - ap.setCanModify(false); - ap.setCanExtractForAccessibility(false); - ap.setCanAssembleDocument(false); - ap.setCanExtractContent(false); - //StandardProtectionPolicy spp = new StandardProtectionPolicy("", "", ap); - //doc = PDDocument.load(pdfObject.getSignedDocument(), spp.getOwnerPassword()); - //PDDocumentUtil docProtected = new PDDocumentUtil(); - //docProtected.protect(spp); - - //TODO Save File 
Settings to signed document// - //Byte-Array and PDF-File// - //doc = docProtected; - //doc.close(); - - logger.info("Added Protection Parameters"); - } + if (IConfigurationConstants.TRUE.equalsIgnoreCase(requestedSignature.getStatus().getSettings().getValue(IConfigurationConstants.DEFAULT_CONFIG_PROTECT_COPY_PDF))) + { + try { + if (doc.isEncrypted()) { //remove the security before adding protections + //doc.decrypt(""); + doc.setAllSecurityToBeRemoved(true); + } + String ownerPassword = ""; + String userPassword = ""; + ap.setCanExtractContent(false); + ap.setCanModify(false); + ap.setCanPrint(false); + ap.setReadOnly(); + ap.setCanExtractForAccessibility(false); + StandardProtectionPolicy policy = new StandardProtectionPolicy(ownerPassword,userPassword,ap); + doc.protect(policy); - } + //doc = new PDDocument(doc.getDocument(),null,ap); + logger.info("Added Protection Parameters"); + AccessPermission ap_new = doc.getCurrentAccessPermission(); - /* - Check if resulting pdf is PDF-A conform - */ - if (signatureProfileSettings.isPDFA()) { - runPDFAPreflight(new ByteArrayDataSource(pdfObject.getSignedDocument())); - } + Boolean canextract = ap_new.canExtractContent(); + Boolean bool = ap_new.isReadOnly(); + } + catch (Exception e) + { + logger.info("Error message" + e.getMessage()); + } + } + else if (IConfigurationConstants.FALSE.equalsIgnoreCase(requestedSignature.getStatus().getSettings().getValue(IConfigurationConstants.DEFAULT_CONFIG_PROTECT_COPY_PDF))) + { + /*ap.setCanExtractContent(true); + doc = new PDDocument(doc.getDocument(),null,ap); + logger.info("Added Protection Parameters");*/ + } + + } + } catch (IOException e1) { e1.printStackTrace(); } 
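Review bot: The protection block fails open and is weaker than it looks: `catch (Exception e)` only writes `logger.info("Error message" + e.getMessage())`, so when `doc.protect(policy)` throws, signing continues and the caller receives an unrestricted document with no stack trace in the log. Log it with `logger.error("Applying PDF protection failed", e);` and propagate the failure (the method's declared exceptions are outside the hunk). `ap.setReadOnly()` is called before `ap.setCanExtractForAccessibility(false)`, and PDFBox ignores setters once an AccessPermission is locked, so that last restriction is never applied; move `setReadOnly()` to the end. The policy is built with empty owner and user passwords, so the permission bits are only advisory for readers that choose to honour them, and `setAllSecurityToBeRemoved(true)` silently discards any encryption the input already had; both deserve a comment or a configuration option. Since `doc.saveIncremental(bos)` runs earlier in this method, it also looks as if `protect` is applied after the signed bytes exist, so please confirm the setting actually reaches `pdfObject.getSignedDocument()` and does not alter signed content.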
@@ -671,6 +701,14 @@ public class PADESPDFBOXSigner implements IPdfSigner, IConfigurationConstants { if (doc != null) { try { doc.close(); + + + AccessPermission ap_new = doc.getCurrentAccessPermission(); + + + Boolean canextract = ap_new.canExtractContent(); + Boolean bool = ap_new.isReadOnly(); + String test = ""; } catch (IOException e) { logger.debug("Failed to close COS Doc!", e); // Ignore @@ -890,4 +928,4 @@ public class PADESPDFBOXSigner implements IPdfSigner, IConfigurationConstants { } return null; } -} +} \ No newline at end of file -- cgit v1.2.3
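Review bot: The lines added after `doc.close()` in the finally block call `doc.getCurrentAccessPermission()` on a document that has just been closed and store the results in locals that are never read (`canextract`, `bool`, `test`). This looks like leftover debugging; on a closed document the call may fail, and anything other than an IOException thrown here would escape the `catch (IOException e)` from inside finally and mask the original outcome. I would delete the added statements so the try body is again just `doc.close();`. The same unused `ap_new`/`canextract`/`bool` locals appear in the protection block of the previous hunk and can be removed as well.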