Fix crypt filter for AES-GSM

Fix tests

DEVSIX-8588

Author: Andrei Stryhelski

kernel/src/main/java/com/itextpdf/kernel/crypto/securityhandler/PubSecHandlerUsingAes256.java

@@ -33,12 +33,16 @@ This file is part of the iText (R) project.
 
 public class PubSecHandlerUsingAes256 extends PubSecHandlerUsingAes128 {
 
-    public PubSecHandlerUsingAes256(PdfDictionary encryptionDictionary, Certificate[] certs, int[] permissions, boolean encryptMetadata, boolean embeddedFilesOnly) {
+    public PubSecHandlerUsingAes256(PdfDictionary encryptionDictionary, Certificate[] certs, int[] permissions,
+                                    boolean encryptMetadata, boolean embeddedFilesOnly) {
         super(encryptionDictionary, certs, permissions, encryptMetadata, embeddedFilesOnly);
     }
 
-    public PubSecHandlerUsingAes256(PdfDictionary encryptionDictionary, Key certificateKey, Certificate certificate, String certificateKeyProvider, IExternalDecryptionProcess externalDecryptionProcess, boolean encryptMetadata) {
-        super(encryptionDictionary, certificateKey, certificate, certificateKeyProvider, externalDecryptionProcess, encryptMetadata);
+    public PubSecHandlerUsingAes256(PdfDictionary encryptionDictionary, Key certificateKey, Certificate certificate,
+                                    String certificateKeyProvider, IExternalDecryptionProcess externalDecryptionProcess,
+                                    boolean encryptMetadata) {
+        super(encryptionDictionary, certificateKey, certificate, certificateKeyProvider, externalDecryptionProcess,
+                encryptMetadata);
     }
 
     @Override
@@ -57,19 +61,27 @@ protected void initKey(byte[] globalKey, int keyLength) {
     }
 
     @Override
-    protected void setPubSecSpecificHandlerDicEntries(PdfDictionary encryptionDictionary, boolean encryptMetadata, boolean embeddedFilesOnly) {
+    protected void setPubSecSpecificHandlerDicEntries(PdfDictionary encryptionDictionary, boolean encryptMetadata,
+                                                      boolean embeddedFilesOnly) {
+        int version = 5;
+        PdfName filter = PdfName.AESV3;
+        setEncryptionDictEntries(encryptionDictionary, encryptMetadata, embeddedFilesOnly, version, filter);
+    }
+
+    void setEncryptionDictEntries(PdfDictionary encryptionDictionary, boolean encryptMetadata,
+                                        boolean embeddedFilesOnly, int version, PdfName cryptFilter) {
         encryptionDictionary.put(PdfName.Filter, PdfName.Adobe_PubSec);
         encryptionDictionary.put(PdfName.SubFilter, PdfName.Adbe_pkcs7_s5);
 
-        encryptionDictionary.put(PdfName.V, new PdfNumber(5));
+        encryptionDictionary.put(PdfName.V, new PdfNumber(version));
 
         PdfArray recipients = createRecipientsArray();
         PdfDictionary stdcf = new PdfDictionary();
         stdcf.put(PdfName.Recipients, recipients);
         if (!encryptMetadata) {
             stdcf.put(PdfName.EncryptMetadata, PdfBoolean.FALSE);
         }
-        stdcf.put(PdfName.CFM, PdfName.AESV3);
+        stdcf.put(PdfName.CFM, cryptFilter);
         stdcf.put(PdfName.Length, new PdfNumber(256));
         PdfDictionary cf = new PdfDictionary();
         cf.put(PdfName.DefaultCryptFilter, stdcf);

kernel/src/main/java/com/itextpdf/kernel/crypto/securityhandler/PubSecHandlerUsingAesGcm.java

@@ -28,7 +28,6 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.crypto.OutputStreamEncryption;
 import com.itextpdf.kernel.pdf.PdfDictionary;
 import com.itextpdf.kernel.pdf.PdfName;
-import com.itextpdf.kernel.pdf.PdfNumber;
 import com.itextpdf.kernel.security.IExternalDecryptionProcess;
 
 import java.io.OutputStream;
@@ -77,6 +76,12 @@ public PubSecHandlerUsingAesGcm(PdfDictionary encryptionDictionary, Key certific
 
     @Override
     public void setHashKeyForNextObject(int objNumber, int objGeneration) {
+        // Make sure the same IV is never used twice in the same file. We do this by turning the objId/objGen into a
+        // 5-byte nonce (with generation restricted to 1 byte instead of 2) plus an in-object 2-byte counter that
+        // increments each time a new string is encrypted within the same object. The remaining 5 bytes will be
+        // generated randomly using a strong PRNG.
+        // This is very different from the situation with AES-CBC, where randomness is paramount.
+        // GCM uses a variation of counter mode, so making sure the IV is unique is more important than randomness.
         this.inObjectNonceCounter = 0;
         this.noncePart = new byte[]{
                 0, 0,
@@ -102,8 +107,10 @@ public IDecryptor getDecryptor() {
     }
 
     @Override
-    protected void setPubSecSpecificHandlerDicEntries(PdfDictionary encryptionDictionary, boolean encryptMetadata, boolean embeddedFilesOnly) {
-        super.setPubSecSpecificHandlerDicEntries(encryptionDictionary, encryptMetadata, embeddedFilesOnly);
-        encryptionDictionary.put(PdfName.V, new PdfNumber(7));
+    protected void setPubSecSpecificHandlerDicEntries(PdfDictionary encryptionDictionary, boolean encryptMetadata,
+                                                      boolean embeddedFilesOnly) {
+        int version = 6;
+        PdfName filter = PdfName.AESV4;
+        setEncryptionDictEntries(encryptionDictionary, encryptMetadata, embeddedFilesOnly, version, filter);
     }
 }

kernel/src/main/java/com/itextpdf/kernel/crypto/securityhandler/StandardHandlerUsingAes256.java

@@ -53,12 +53,12 @@ public class StandardHandlerUsingAes256 extends StandardSecurityHandler {
     private static final int KEY_SALT_OFFSET = 40;
     private static final int SALT_LENGTH = 8;
 
-    private boolean isPdf2;
     protected boolean encryptMetadata;
-
+    private boolean isPdf2;
 
     public StandardHandlerUsingAes256(PdfDictionary encryptionDictionary, byte[] userPassword, byte[] ownerPassword,
-            int permissions, boolean encryptMetadata, boolean embeddedFilesOnly, PdfVersion version) {
+                                      int permissions, boolean encryptMetadata, boolean embeddedFilesOnly,
+                                      PdfVersion version) {
         isPdf2 = version != null && version.compareTo(PdfVersion.PDF_2_0) >= 0;
         initKeyAndFillDictionary(encryptionDictionary, userPassword, ownerPassword, permissions, encryptMetadata,
                 embeddedFilesOnly);
@@ -68,6 +68,11 @@ public StandardHandlerUsingAes256(PdfDictionary encryptionDictionary, byte[] pas
         initKeyAndReadDictionary(encryptionDictionary, password);
     }
 
+    /**
+     * Checks whether the document-level metadata stream will be encrypted.
+     *
+     * @return {@code true} if the document-level metadata stream shall be encrypted, {@code false} otherwise
+     */
     public boolean isEncryptMetadata() {
         return encryptMetadata;
     }
@@ -87,8 +92,52 @@ public IDecryptor getDecryptor() {
         return new AesDecryptor(nextObjectKey, 0, nextObjectKeySize);
     }
 
+    void setAES256DicEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey, byte[] aes256Perms,
+                                     boolean encryptMetadata, boolean embeddedFilesOnly) {
+        int version = 5;
+        int rAes256 = 5;
+        int rAes256Pdf2 = 6;
+        int revision = isPdf2 ? rAes256Pdf2 : rAes256;
+        PdfName cryptoFilter = PdfName.AESV3;
+        setEncryptionDictionaryEntries(encryptionDictionary, oeKey, ueKey, aes256Perms, encryptMetadata,
+                embeddedFilesOnly, version, revision, cryptoFilter);
+    }
+
+    void setEncryptionDictionaryEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey,
+                                        byte[] aes256Perms, boolean encryptMetadata, boolean embeddedFilesOnly,
+                                        int version, int revision, PdfName cryptoFilter) {
+        encryptionDictionary.put(PdfName.OE, new PdfLiteral(StreamUtil.createEscapedString(oeKey)));
+        encryptionDictionary.put(PdfName.UE, new PdfLiteral(StreamUtil.createEscapedString(ueKey)));
+        encryptionDictionary.put(PdfName.Perms, new PdfLiteral(StreamUtil.createEscapedString(aes256Perms)));
+        encryptionDictionary.put(PdfName.R, new PdfNumber(revision));
+        encryptionDictionary.put(PdfName.V, new PdfNumber(version));
+        PdfDictionary stdcf = new PdfDictionary();
+        stdcf.put(PdfName.Length, new PdfNumber(32));
+        if (!encryptMetadata) {
+            encryptionDictionary.put(PdfName.EncryptMetadata, PdfBoolean.FALSE);
+        }
+        if (embeddedFilesOnly) {
+            stdcf.put(PdfName.AuthEvent, PdfName.EFOpen);
+            encryptionDictionary.put(PdfName.EFF, PdfName.StdCF);
+            encryptionDictionary.put(PdfName.StrF, PdfName.Identity);
+            encryptionDictionary.put(PdfName.StmF, PdfName.Identity);
+        } else {
+            stdcf.put(PdfName.AuthEvent, PdfName.DocOpen);
+            encryptionDictionary.put(PdfName.StrF, PdfName.StdCF);
+            encryptionDictionary.put(PdfName.StmF, PdfName.StdCF);
+        }
+        stdcf.put(PdfName.CFM, cryptoFilter);
+        PdfDictionary cf = new PdfDictionary();
+        cf.put(PdfName.StdCF, stdcf);
+        encryptionDictionary.put(PdfName.CF, cf);
+    }
+
+    boolean isPdf2(PdfDictionary encryptionDictionary) {
+        return encryptionDictionary.getAsNumber(PdfName.R).getValue() == 6;
+    }
+
     private void initKeyAndFillDictionary(PdfDictionary encryptionDictionary, byte[] userPassword, byte[] ownerPassword,
-            int permissions, boolean encryptMetadata, boolean embeddedFilesOnly) {
+                                          int permissions, boolean encryptMetadata, boolean embeddedFilesOnly) {
         ownerPassword = generateOwnerPasswordIfNullOrEmpty(ownerPassword);
         permissions |= PERMS_MASK_1_FOR_REVISION_3_OR_GREATER;
         permissions &= PERMS_MASK_2;
@@ -167,37 +216,6 @@ private void initKeyAndFillDictionary(PdfDictionary encryptionDictionary, byte[]
         }
     }
 
-    protected void setAES256DicEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey, byte[] aes256Perms,
-                                     boolean encryptMetadata, boolean embeddedFilesOnly) {
-        int vAes256 = 5;
-        int rAes256 = 5;
-        int rAes256Pdf2 = 6;
-        encryptionDictionary.put(PdfName.OE, new PdfLiteral(StreamUtil.createEscapedString(oeKey)));
-        encryptionDictionary.put(PdfName.UE, new PdfLiteral(StreamUtil.createEscapedString(ueKey)));
-        encryptionDictionary.put(PdfName.Perms, new PdfLiteral(StreamUtil.createEscapedString(aes256Perms)));
-        encryptionDictionary.put(PdfName.R, new PdfNumber(isPdf2 ? rAes256Pdf2 : rAes256));
-        encryptionDictionary.put(PdfName.V, new PdfNumber(vAes256));
-        PdfDictionary stdcf = new PdfDictionary();
-        stdcf.put(PdfName.Length, new PdfNumber(32));
-        if (!encryptMetadata) {
-            encryptionDictionary.put(PdfName.EncryptMetadata, PdfBoolean.FALSE);
-        }
-        if (embeddedFilesOnly) {
-            stdcf.put(PdfName.AuthEvent, PdfName.EFOpen);
-            encryptionDictionary.put(PdfName.EFF, PdfName.StdCF);
-            encryptionDictionary.put(PdfName.StrF, PdfName.Identity);
-            encryptionDictionary.put(PdfName.StmF, PdfName.Identity);
-        } else {
-            stdcf.put(PdfName.AuthEvent, PdfName.DocOpen);
-            encryptionDictionary.put(PdfName.StrF, PdfName.StdCF);
-            encryptionDictionary.put(PdfName.StmF, PdfName.StdCF);
-        }
-        stdcf.put(PdfName.CFM, PdfName.AESV3);
-        PdfDictionary cf = new PdfDictionary();
-        cf.put(PdfName.StdCF, stdcf);
-        encryptionDictionary.put(PdfName.CF, cf);
-    }
-
     private void initKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[] password) {
         try {
             if (password == null) {
@@ -206,11 +224,10 @@ private void initKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[]
                 password = Arrays.copyOf(password, 127);
             }
 
-            isPdf2 = encryptionDictionary.getAsNumber(PdfName.R).getValue() == 6
-                    || encryptionDictionary.getAsNumber(PdfName.R).getValue() == 7;
+            isPdf2 = isPdf2(encryptionDictionary);
 
-            //truncate user and owner passwords to 48 bytes where the first 32 bytes
-            //are a hash value, next 8 bytes are validation salt and final 8 bytes are the key salt
+            // Truncate user and owner passwords to 48 bytes where the first 32 bytes
+            // are a hash value, next 8 bytes are validation salt and final 8 bytes are the key salt
             byte[] oValue = truncateArray(getIsoBytes(encryptionDictionary.getAsString(PdfName.O)));
             byte[] uValue = truncateArray(getIsoBytes(encryptionDictionary.getAsString(PdfName.U)));
             byte[] oeValue = getIsoBytes(encryptionDictionary.getAsString(PdfName.OE));
@@ -250,7 +267,8 @@ private void initKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[]
             boolean encryptMetadata = decPerms[8] == (byte) 'T';
 
             Boolean encryptMetadataEntry = encryptionDictionary.getAsBool(PdfName.EncryptMetadata);
-            if (permissionsDecoded != permissions || encryptMetadataEntry != null && encryptMetadata != encryptMetadataEntry) {
+            if (permissionsDecoded != permissions || encryptMetadataEntry != null &&
+                    encryptMetadata != encryptMetadataEntry) {
                 Logger logger = LoggerFactory.getLogger(StandardHandlerUsingAes256.class);
                 logger.error(IoLogMessageConstant.ENCRYPTION_ENTRIES_P_AND_ENCRYPT_METADATA_NOT_CORRESPOND_PERMS_ENTRY);
             }
@@ -263,11 +281,13 @@ private void initKeyAndReadDictionary(PdfDictionary encryptionDictionary, byte[]
         }
     }
 
-    private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int saltLen) throws NoSuchAlgorithmException {
+    private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int saltLen)
+            throws NoSuchAlgorithmException {
         return computeHash(password, salt, saltOffset, saltLen, null);
     }
 
-    private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int saltLen, byte[] userKey) throws NoSuchAlgorithmException {
+    private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int saltLen, byte[] userKey)
+            throws NoSuchAlgorithmException {
         MessageDigest mdSha256 = MessageDigest.getInstance("SHA-256");
 
         mdSha256.update(password);
@@ -303,7 +323,8 @@ private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int sal
                 }
 
                 // b)
-                AESCipherCBCnoPad cipher = new AESCipherCBCnoPad(true, Arrays.copyOf(k, 16), Arrays.copyOfRange(k, 16, 32));
+                AESCipherCBCnoPad cipher =
+                        new AESCipherCBCnoPad(true, Arrays.copyOf(k, 16), Arrays.copyOfRange(k, 16, 32));
                 byte[] e = cipher.processBlock(k1, 0, k1.length);
 
                 // c)
@@ -323,6 +344,7 @@ private byte[] computeHash(byte[] password, byte[] salt, int saltOffset, int sal
                 }
 
                 // d)
+                assert md != null;
                 k = md.digest(e);
 
                 ++roundNum;

kernel/src/main/java/com/itextpdf/kernel/crypto/securityhandler/StandardHandlerUsingAesGcm.java

@@ -28,7 +28,6 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.crypto.OutputStreamEncryption;
 import com.itextpdf.kernel.pdf.PdfDictionary;
 import com.itextpdf.kernel.pdf.PdfName;
-import com.itextpdf.kernel.pdf.PdfNumber;
 import com.itextpdf.kernel.pdf.PdfVersion;
 
 import java.io.OutputStream;
@@ -66,25 +65,14 @@ public StandardHandlerUsingAesGcm(PdfDictionary encryptionDictionary, byte[] pas
         super(encryptionDictionary, password);
     }
 
-    /**
-     * Checks whether the document-level metadata stream will be encrypted.
-     *
-     * @return {@code true} if the document-level metadata stream shall be encrypted, {@code false} otherwise
-     */
-    public boolean isEncryptMetadata() {
-        return encryptMetadata;
-    }
-
     @Override
     public void setHashKeyForNextObject(int objNumber, int objGeneration) {
-        // make sure the same IV is never used twice in the same file
-        // we do this by turning the objId/objGen into a 5-byte nonce (with generation restricted
-        // to 1 byte instead of 2) plus an in-object 2-byte counter that increments each time
-        // a new string is encrypted within the same object.
-        // The remaining 5 bytes will be generated randomly using a strong PRNG.
-        // This is *very different* from the situation with AES-CBC, where randomness is paramount.
-        // GCM uses a variation of counter mode, so making sure the IV is unique is more important
-        // than randomness.
+        // Make sure the same IV is never used twice in the same file. We do this by turning the objId/objGen into a
+        // 5-byte nonce (with generation restricted to 1 byte instead of 2) plus an in-object 2-byte counter that
+        // increments each time a new string is encrypted within the same object. The remaining 5 bytes will be
+        // generated randomly using a strong PRNG.
+        // This is very different from the situation with AES-CBC, where randomness is paramount. GCM uses a variation
+        // of counter mode, so making sure the IV is unique is more important than randomness.
         this.inObjectNonceCounter = 0;
         this.noncePart = new byte[]{
                 0, 0,
@@ -110,10 +98,17 @@ public IDecryptor getDecryptor() {
     }
 
     @Override
-    protected void setAES256DicEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey, byte[] aes256Perms,
+    void setAES256DicEntries(PdfDictionary encryptionDictionary, byte[] oeKey, byte[] ueKey, byte[] aes256Perms,
                                      boolean encryptMetadata, boolean embeddedFilesOnly) {
-        super.setAES256DicEntries(encryptionDictionary, oeKey, ueKey, aes256Perms, encryptMetadata, embeddedFilesOnly);
-        encryptionDictionary.put(PdfName.R, new PdfNumber(7));
-        encryptionDictionary.put(PdfName.V, new PdfNumber(6));
+        int version = 6;
+        int revision = 7;
+        PdfName cryptoFilter = PdfName.AESV4;
+        setEncryptionDictionaryEntries(encryptionDictionary, oeKey, ueKey, aes256Perms, encryptMetadata, embeddedFilesOnly,
+                version, revision, cryptoFilter);
+    }
+
+    @Override
+    boolean isPdf2(PdfDictionary encryptionDictionary) {
+        return true;
     }
 }

kernel/src/main/java/com/itextpdf/kernel/pdf/PdfEncryption.java

@@ -712,7 +712,23 @@ private int readAndSetCryptoModeForStdHandler(PdfDictionary encDict) {
                 }
                 break;
             case 7:
-                cryptoMode = EncryptionConstants.ENCRYPTION_AES_GCM;
+                // (ISO/TS 32003) The security handler defines the use of encryption
+                // and decryption in the same way as when the value of R is 6, and declares at least
+                // one crypt filter using the AESV4 method.
+                PdfDictionary cfDic = encDict.getAsDictionary(PdfName.CF);
+                if (cfDic == null) {
+                    throw new PdfException(KernelExceptionMessageConstant.CF_NOT_FOUND_ENCRYPTION);
+                }
+                cfDic = (PdfDictionary) cfDic.get(PdfName.StdCF);
+                if (cfDic == null) {
+                    throw new PdfException(KernelExceptionMessageConstant.STDCF_NOT_FOUND_ENCRYPTION);
+                }
+                if (PdfName.AESV4.equals(cfDic.get(PdfName.CFM))) {
+                    cryptoMode = EncryptionConstants.ENCRYPTION_AES_GCM;
+                    length = 256;
+                } else {
+                    throw new PdfException(KernelExceptionMessageConstant.NO_COMPATIBLE_ENCRYPTION_FOUND);
+                }
                 PdfBoolean em7 = encDict.getAsBoolean(PdfName.EncryptMetadata);
                 if (em7 != null && !em7.getValue()) {
                     cryptoMode |= EncryptionConstants.DO_NOT_ENCRYPT_METADATA;