Uploaded image for project: 'PDFBox'
  1. PDFBox
  2. PDFBOX-5249

AES128 PK decryption failure for documents with exposed metadata.



    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • 2.0.24
    • None
    • Parsing, Writing
    • None
    • Patch


      I attempted to decrypt a AES128-PK secured document with exposed metadata and encountered an Exception, even though the decryption should have worked.
      I tried to fix the cause and tried to implement an improved handling for "EncryptMetadata" during AES en-/decryption on the way.

      Initial Issue:
      When creating a PDF document (for example using Adobe Document Creator) and selecting AES128 Public Key ("Certificate Security") encryption, one can select to expose the metadata by excluding it from encryption.
      (Via setting the encryption dictionary "EncryptMetadata" to false and so forth.)

      If it is attempted to decrypt such a document using PDFBox, an error is encountered - indicating the failure to use the given Material (Private Key/Certificate) to identify a recipient of that document. This exception is encountered even if the material is verifably usable to decrypt the document in other tools.

      The AES128 (V4) encryption leads to changes to the actual encryption key, when metadata is exposed. As is documented in PDF 7 reference manual " Public-Key Encryption Algorithm" such a encryption key shall contain 4bytes with content 0xFF, that shall indicate the exposed metadata. (Which is then included in the SHA-1 message digest and truncated to a given key length.)
      As far as I could see in class PublicKeySecurityHandler#prepareForDecryption() those bytes were not included in the message digest.
      Therefore I had to assume, that the given decryption material was failing for that reason - as the document's strings and streams would most likely be encrypted with a key, that was including those bytes.
      Hence I altered the method as follows:

      Also: The PDFBox implementation claims (rightly so and according to specification), that the document's encryption dictionary shall hold a field "EncryptMetadata", that shall easily identify whether metadata is exposed in a given document.
      But the document I produced, instead contained said Field as part of the "DefaultCryptFilter":

      I was unable to find this behaviour documented in the reference manual, but decided that I would prefer if it was supported anyway. Resulting in further changes:

      **I succeeded - The document could now be decrypted using the given Material.

      Follow-up Questions:
      While examining the classes "StandardSecurityHandler" and the "PublicKeySecurityHandler" I found comments mentioning or solving some issues concerning the "EncryptMetadata" flag and it's consequences for other structures.
      The question was, whether I could implement that feature for V4 and V5 encryption - and so I did, resulting in the patch you will find in the attachments.
      I'm aware that some of the changes hereby made could be problematic for some reason, that I can not see yet. (especially those made to "COSBase" and "PDCryptFilterDictionary") Those changes are naive and are made under the premise to reach the given goal most directly and as fast as possible.
      I would assume, that this patch is rather a mere suggestion, than something that can or should be merged directly and without inspection.


        1. unencrypted.pdf
          13 kB
          Christian Appl
        2. screenshot-2.png
          108 kB
          Tilman Hausherr
        3. screenshot-1.png
          221 kB
          Tilman Hausherr
        4. image-2021-09-10-15-19-27-942.png
          71 kB
          Christian Appl
        5. image-2021-08-03-10-17-14-965.png
          9 kB
          Christian Appl
        6. image-2021-07-30-09-21-37-707.png
          17 kB
          Christian Appl
        7. image-2021-07-30-09-13-49-394.png
          294 kB
          Christian Appl
        8. image-2021-07-29-15-31-14-097.png
          29 kB
          Christian Appl
        9. image-2021-07-29-15-30-35-928.png
          37 kB
          Christian Appl
        10. image-2021-07-29-15-28-15-341.png
          17 kB
          Christian Appl
        11. Exposing_metadata_during_document_encryption_.zip
          813 kB
          Christian Appl
        12. exposedmeta.zip
          29 kB
          Christian Appl
        13. Encrypt_with_exposed_metadata_(09-13-2021).zip
          817 kB
          Christian Appl
        14. AdobeDCCertAES128exposedMetadata.zip
          787 kB
          Christian Appl



            Unassigned Unassigned
            capSVD Christian Appl
            0 Vote for this issue
            3 Start watching this issue

