Apply password normalisation using ICU4J

MatthiasValvekens · MatthiasValvekens · commit 09f081232787 · 2021-09-20T10:32:29.000+02:00
RES-465
diff --git a/NOTICE.txt b/NOTICE.txt
@@ -92,4 +92,45 @@ Are you using this icon set? Send me an email
 mjames at gmail dot com
 
 Any other questions about this icon set please
-contact mjames at gmail dot com
+contact mjames at gmail dot com
+
+--------------------------------------------
+
+ICU4J under the following license:
+
+
+COPYRIGHT AND PERMISSION NOTICE (ICU 58 and later)
+
+Copyright © 1991-2020 Unicode, Inc. All rights reserved.
+Distributed under the Terms of Use in https://www.unicode.org/copyright.html.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of the Unicode data files and any associated documentation
+(the "Data Files") or Unicode software and any associated documentation
+(the "Software") to deal in the Data Files or Software
+without restriction, including without limitation the rights to use,
+copy, modify, merge, publish, distribute, and/or sell copies of
+the Data Files or Software, and to permit persons to whom the Data Files
+or Software are furnished to do so, provided that either
+(a) this copyright and permission notice appear with all copies
+of the Data Files or Software, or
+(b) this copyright and permission notice appear in associated
+Documentation.
+
+THE DATA FILES AND SOFTWARE ARE PROVIDED "AS IS", WITHOUT WARRANTY OF
+ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
+WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT OF THIRD PARTY RIGHTS.
+IN NO EVENT SHALL THE COPYRIGHT HOLDER OR HOLDERS INCLUDED IN THIS
+NOTICE BE LIABLE FOR ANY CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL
+DAMAGES, OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE,
+DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER
+TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+PERFORMANCE OF THE DATA FILES OR SOFTWARE.
+
+Except as contained in this notice, the name of a copyright holder
+shall not be used in advertising or otherwise to promote the sale,
+use or other dealings in these Data Files or Software without prior
+written authorization of the copyright holder.
+
+For transitive 3rd-party dependencies through ICU4J, see https://raw.githubusercontent.com/unicode-org/icu/46861a5c78367f7c720559243d6bf96146ee070f/icu4c/LICENSE
diff --git a/pom.xml b/pom.xml
@@ -86,6 +86,11 @@
       <artifactId>dom4j</artifactId>
       <version>${dom4j.version}</version>
     </dependency>
+    <dependency>
+      <groupId>com.ibm.icu</groupId>
+      <artifactId>icu4j</artifactId>
+      <version>69.1</version>
+    </dependency>
     <dependency>
       <groupId>com.itextpdf</groupId>
       <artifactId>pdftest</artifactId>
diff --git a/src/main/java/com/itextpdf/rups/model/PdfFile.java b/src/main/java/com/itextpdf/rups/model/PdfFile.java
@@ -49,6 +49,8 @@ This file is part of the iText (R) project.
 import com.itextpdf.kernel.pdf.PdfWriter;
 import com.itextpdf.kernel.pdf.ReaderProperties;
 
+import com.ibm.icu.text.StringPrepParseException;
+import com.ibm.icu.text.StringPrep;
 import javax.swing.*;
 import java.io.*;
 import java.nio.charset.StandardCharsets;
@@ -88,6 +90,8 @@ public class PdfFile {
 
     protected boolean readOnly = false;
 
+    public static final int MAX_PASSWORD_BYTE_LENGTH = 127;
+
     /**
      * Constructs a PdfFile object.
      *
@@ -125,6 +129,25 @@ public PdfFile(byte[] file, boolean readOnly) throws IOException, PdfException {
         }
     }
 
+    private static byte[] preparePasswordForOpen(String inputPassword) {
+        StringPrep prep = StringPrep.getInstance(StringPrep.RFC4013_SASLPREP);
+        String prepped;
+        try {
+            // we're invoking StringPrep to open a document -> pass ALLOW_UNASSIGNED
+            prepped = prep.prepare(inputPassword, StringPrep.ALLOW_UNASSIGNED);
+        } catch (StringPrepParseException e) {
+            throw new PdfException("Failed to process password", e);
+        }
+        byte[] resultingBytes = prepped.getBytes(StandardCharsets.UTF_8);
+        if (resultingBytes.length <= MAX_PASSWORD_BYTE_LENGTH) {
+            return resultingBytes;
+        } else {
+            byte[] trimmed = new byte[MAX_PASSWORD_BYTE_LENGTH];
+            System.arraycopy(resultingBytes, 0, trimmed, 0, trimmed.length);
+            return trimmed;
+        }
+    }
+
     private static byte[] requestPassword() {
         final JPasswordField passwordField = new JPasswordField(32);
 
@@ -137,8 +160,8 @@ public void selectInitialValue() {
 
         pane.createDialog(null, "Enter the User or Owner Password of this PDF file").setVisible(true);
 
-        // TODO RES-427: SASLprep & truncate this
-        return new String(passwordField.getPassword()).getBytes(StandardCharsets.UTF_8);
+        String passwordString = new String(passwordField.getPassword());
+        return preparePasswordForOpen(passwordString);
     }
 
     /**
