Apache™ FOP: PDF encryption.

Overview

Apache™ FOP supports encryption of PDF output, thanks to Patrick C. Lankswert. This feature is commonly used to prevent unauthorized viewing, printing, editing, copying text from the document and doing annotations. It is also possible to ask the user for a password in order to view the contents. Note that there already exist third party applications which can decrypt an encrypted PDF without effort and allow the aforementioned operations, therefore the degree of protection is limited.

Apache™ FOP supports encryption of PDF output, thanks to Patrick C. Lankswert and others. This feature is commonly used to prevent unauthorized viewing, printing, editing, copying text from the document and doing annotations. It is also possible to ask the user for a password in order to view the contents. Note that there already exist third party applications which can decrypt an encrypted PDF without effort and allow the aforementioned operations, therefore the degree of protection is limited.

For further information about features and restrictions regarding PDF encryption, look at the documentation coming with Adobe Acrobat or the technical documentation on the Adobe web site.

Usage (fop.xconf)

<renderer mime="application/pdf">
@@ -365,6 +365,7 @@ $(document).ready(function () {
         <noedit/>
         <noannotations/>
         <encryption-length>128</encryption-length>
+        <encrypt-metadata>false</encrypt-metadata>
     </encryption-params>
 </renderer>

@@ -433,8 +434,8 @@ $(document).ready(function () { encryption-length The encryption length in bit -Any multiple of 8 between 40 and 128 -40 +Any multiple of 8 between 40 and 128, or 256 +128 ownerPassword @@ -496,6 +497,12 @@ $(document).ready(function () { "TRUE" or "FALSE" "TRUE" + +encrypt-metadata +Whether to encrypt the Metadata stream +"TRUE" or "FALSE" +"TRUE" +

Encryption is enabled as soon as one of these options is set.

@@ -506,7 +513,7 @@ $(document).ready(function () { FOUserAgent userAgent = fopFactory.newFOUserAgent(); useragent.getRendererOptions().put("encryption-params", new PDFEncryptionParams( - null, "password", false, false, true, true)); + null, "password", false, false, true, true, true)); Fop fop = fopFactory.newFop(MimeConstants.MIME_PDF, userAgent); [..]

Alternatively, you can set each value separately in the Map provided by FOUserAgent.getRendererOptions() by using the following keys:

Environment

In order to use PDF encryption, FOP has to be compiled with cryptography support. Currently, only JCE is supported. JCE is part of JDK 1.4. For earlier JDKs, it can be installed separately. The build process automatically detects JCE presence and installs PDF encryption support if possible, otherwise a stub is compiled in.

Cryptography support must also be present at run time. In particular, a provider for the RC4 cipher is needed. Unfortunately, the sample JCE provider in Sun's JDK 1.4 does not provide RC4. If you get a message saying -"Cannot find any provider supporting RC4" -then you don't have the needed infrastructure.

There are several commercial and a few Open Source packages which provide RC4. A pure Java implementation is produced by The Legion of the Bouncy Castle. Mozilla JSS is an interface to a native implementation.

Installing a crypto provider

If you have any experience with Mozilla JSS or any other cryptography provider, please post it to the fop-user list.

Environment

The PDF encryption implemented in FOP does not need external libraries to perform encryption. A recent JDK (1.5+) is sufficient. However, encryption using keys with 256 bits requires the installation of the JCE Unlimited Strength Jurisdiction Policy files from Oracle.