LibrePDF
diff --git a/‎openpdf-core/src/main/java/org/openpdf/text/pdf/PdfEncryption.java‎
Lines changed: 3 additions & 2 deletions b/‎openpdf-core/src/main/java/org/openpdf/text/pdf/PdfEncryption.java‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎openpdf-core/src/main/java/org/openpdf/text/pdf/PdfName.java‎
Lines changed: 12 additions & 12 deletions b/‎openpdf-core/src/main/java/org/openpdf/text/pdf/PdfName.java‎
Lines changed: 12 additions & 12 deletions
diff --git a/‎openpdf-core/src/main/java/org/openpdf/text/pdf/security/DocumentTimestamp.java‎
Lines changed: 13 additions & 5 deletions b/‎openpdf-core/src/main/java/org/openpdf/text/pdf/security/DocumentTimestamp.java‎
Lines changed: 13 additions & 5 deletions
diff --git a/‎openpdf-core/src/test/java/org/openpdf/text/pdf/encryption/PubSecV5Test.java‎
Lines changed: 127 additions & 0 deletions b/‎openpdf-core/src/test/java/org/openpdf/text/pdf/encryption/PubSecV5Test.java‎
Lines changed: 127 additions & 0 deletions
diff --git a/‎openpdf-core/src/test/java/org/openpdf/text/pdf/security/DocumentSecurityStoreTest.java‎
Lines changed: 124 additions & 0 deletions b/‎openpdf-core/src/test/java/org/openpdf/text/pdf/security/DocumentSecurityStoreTest.java‎
Lines changed: 124 additions & 0 deletions
@@ -59,6 +59,7 @@
 import java.math.BigInteger;
 import java.security.GeneralSecurityException;
 import java.security.MessageDigest;
+import java.security.PublicKey;
 import java.security.cert.Certificate;
 import java.util.Arrays;
 import javax.crypto.Cipher;
@@ -686,7 +687,7 @@ public PdfDictionary getEncryptionDictionary() {
 
             if (revision == AES_256_V3) {
                 // For V=5 the entire 32-byte SHA-256 digest is the file encryption key.
-                key = mdResult;
+                key = mdResult.clone();
                 keySize = 32;
             } else {
                 setupByEncryptionKey(mdResult, keyLength);
@@ -833,7 +834,7 @@ public void addRecipient(Certificate cert, int permission) {
      * @param permission     the PDF permission bitmask
      * @since 3.0.5
      */
-    public void addRecipient(Certificate cert, java.security.PublicKey pqcPublicKey, int permission) {
+    public void addRecipient(Certificate cert, PublicKey pqcPublicKey, int permission) {
         documentID = createDocumentId();
         PdfPublicKeyRecipient recipient = new PdfPublicKeyRecipient(cert, permission);
         recipient.setPqcPublicKey(pqcPublicKey);
 
@@ -142,18 +142,6 @@ public class PdfName extends PdfObject implements Comparable<PdfName> {
      * A name
      */
     public static final PdfName ADBE_PKCS7_SHA1 = new PdfName("adbe.pkcs7.sha1");
-    /**
-     * (PDF 2.0) SubFilter for CAdES detached signatures (ISO 32000-2 §12.8.3.4, ETSI EN 319 142-1).
-     */
-    public static final PdfName ETSI_CADES_DETACHED = new PdfName("ETSI.CAdES.detached");
-    /**
-     * (PDF 2.0) SubFilter for document timestamp signatures (ISO 32000-2 §12.8.5, RFC 3161).
-     */
-    public static final PdfName ETSI_RFC3161 = new PdfName("ETSI.RFC3161");
-    /**
-     * (PDF 2.0) Document timestamp signature type (ISO 32000-2 §12.8.5).
-     */
-    public static final PdfName DOC_TIME_STAMP = new PdfName("DocTimeStamp");
     /**
      * A name
      */
@@ -856,6 +844,10 @@ public class PdfName extends PdfObject implements Comparable<PdfName> {
      * A name
      */
     public static final PdfName DOCOPEN = new PdfName("DocOpen");
+    /**
+     * (PDF 2.0) Document timestamp signature type (ISO 32000-2 §12.8.5).
+     */
+    public static final PdfName DOC_TIME_STAMP = new PdfName("DocTimeStamp");
     /**
      * A name.
      *
@@ -988,6 +980,14 @@ public class PdfName extends PdfObject implements Comparable<PdfName> {
      * Extension supplied by ETSI TS 102 778-4 V1.1.2 (2009-12)
      */
     public static final PdfName ESIC = new PdfName("ESIC");
+    /**
+     * (PDF 2.0) SubFilter for CAdES detached signatures (ISO 32000-2 §12.8.3.4, ETSI EN 319 142-1).
+     */
+    public static final PdfName ETSI_CADES_DETACHED = new PdfName("ETSI.CAdES.detached");
+    /**
+     * (PDF 2.0) SubFilter for document timestamp signatures (ISO 32000-2 §12.8.5, RFC 3161).
+     */
+    public static final PdfName ETSI_RFC3161 = new PdfName("ETSI.RFC3161");
 
     /**
      * Stands for "Exclude all fields except those specified in Fields array" which is one possible value of the Action
 
@@ -7,6 +7,7 @@
  */
 package org.openpdf.text.pdf.security;
 
+import java.security.GeneralSecurityException;
 import java.security.MessageDigest;
 import org.openpdf.text.pdf.PdfDate;
 import org.openpdf.text.pdf.PdfDictionary;
@@ -76,15 +77,22 @@ public static PdfSignature newDictionary(java.util.Calendar signDate) {
      * @param tsa  the time-stamp authority client
      * @param data the data to be timestamped (typically the digest of the byte range)
      * @return the encoded time-stamp token, or {@code null} if the TSA refused to issue one
-     * @throws Exception if the TSA request fails for any reason
+     * @throws GeneralSecurityException if the message digest cannot be computed
+     * @throws java.io.IOException if the TSA request fails
      */
-    public static byte[] timestamp(TSAClient tsa, byte[] data) throws Exception {
+    public static byte[] timestamp(TSAClient tsa, byte[] data) throws GeneralSecurityException, java.io.IOException {
         if (tsa == null || data == null) {
             return null;
         }
-        MessageDigest md = tsa.getMessageDigest();
-        byte[] imprint = md.digest(data);
-        return tsa.getTimeStampToken(null, imprint);
+        try {
+            MessageDigest md = tsa.getMessageDigest();
+            byte[] imprint = md.digest(data);
+            return tsa.getTimeStampToken(null, imprint);
+        } catch (GeneralSecurityException | java.io.IOException e) {
+            throw e;
+        } catch (Exception e) {
+            throw new java.io.IOException("TSA request failed: " + e.getMessage(), e);
+        }
     }
 }
 
 
@@ -0,0 +1,127 @@
+package org.openpdf.text.pdf.encryption;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.openpdf.text.Document;
+import org.openpdf.text.Paragraph;
+import org.openpdf.text.pdf.PdfReader;
+import org.openpdf.text.pdf.PdfWriter;
+import org.openpdf.text.pdf.parser.PdfTextExtractor;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.IOException;
+import java.math.BigInteger;
+import java.nio.file.Files;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.NoSuchProviderException;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.X509v3CertificateBuilder;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+
+/**
+ * Round-trip tests for PDF 2.0 public-key encryption (V=5 / R=6, AES-256-CBC)
+ * as specified in ISO 32000-2 §7.6.5.
+ */
+class PubSecV5Test {
+
+    @TempDir
+    File tempDir;
+
+    @BeforeAll
+    static void installBc() {
+        if (Security.getProvider("BC") == null) {
+            Security.addProvider(new BouncyCastleProvider());
+        }
+    }
+
+    @Test
+    void pubSecV5EncryptAndDecryptRoundTrip() throws Exception {
+        KeyPair kp = generateRsaKeyPair();
+        X509Certificate cert = selfSignedCert(kp);
+
+        byte[] pdfBytes = createEncryptedPdf(cert);
+
+        File tmp = new File(tempDir, "pubsec_v5.pdf");
+        Files.write(tmp.toPath(), pdfBytes);
+
+        try (PdfReader reader = new PdfReader(tmp.getAbsolutePath(), cert, kp.getPrivate(), "BC")) {
+            assertTrue(reader.isEncrypted(), "Document should be marked encrypted");
+            assertEquals(
+                    "PDF 2.0 PUBSEC test",
+                    new PdfTextExtractor(reader).getTextFromPage(1),
+                    "Decrypted text must match what was written");
+        }
+    }
+
+    @Test
+    void pubSecV5EncryptionDictionaryHasCorrectVersion() throws Exception {
+        KeyPair kp = generateRsaKeyPair();
+        X509Certificate cert = selfSignedCert(kp);
+        byte[] pdfBytes = createEncryptedPdf(cert);
+
+        // Open without decrypting to inspect the encryption dictionary
+        File tmp = new File(tempDir, "pubsec_v5_dict.pdf");
+        Files.write(tmp.toPath(), pdfBytes);
+
+        try (PdfReader reader = new PdfReader(tmp.getAbsolutePath(), cert, kp.getPrivate(), "BC")) {
+            assertTrue(reader.isEncrypted());
+            // V=5 / R=6 maps to crypto mode 4 (ENCRYPTION_AES_256_V3)
+            int mode = reader.getCryptoMode() & 0x0F;
+            assertEquals(PdfWriter.ENCRYPTION_AES_256_V3, mode,
+                    "Crypto mode should be AES_256_V3 (V=5)");
+        }
+    }
+
+    // ---- helpers ----
+
+    private static byte[] createEncryptedPdf(X509Certificate cert) throws IOException {
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        Document doc = new Document();
+        PdfWriter writer = PdfWriter.getInstance(doc, baos);
+        writer.setEncryption(
+                new java.security.cert.Certificate[]{cert},
+                new int[]{PdfWriter.ALLOW_PRINTING},
+                PdfWriter.ENCRYPTION_AES_256_V3);
+        doc.open();
+        doc.add(new Paragraph("PDF 2.0 PUBSEC test"));
+        doc.close();
+        return baos.toByteArray();
+    }
+
+    private static KeyPair generateRsaKeyPair() throws Exception {
+        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
+        gen.initialize(2048);
+        return gen.generateKeyPair();
+    }
+
+    private static X509Certificate selfSignedCert(KeyPair kp)
+            throws Exception {
+        X500Name subject = new X500Name("CN=OpenPDF Test, O=Test, C=NO");
+        BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
+        Date notBefore = new Date();
+        Date notAfter = new Date(notBefore.getTime() + 365L * 24 * 60 * 60 * 1000);
+
+        X509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
+                subject, serial, notBefore, notAfter, subject, kp.getPublic());
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .setProvider("BC")
+                .build(kp.getPrivate());
+
+        return new JcaX509CertificateConverter()
+                .setProvider("BC")
+                .getCertificate(builder.build(signer));
+    }
+}
@@ -0,0 +1,124 @@
+package org.openpdf.text.pdf.security;
+
+import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.assertNull;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import org.openpdf.text.Document;
+import org.openpdf.text.Paragraph;
+import org.openpdf.text.pdf.PdfArray;
+import org.openpdf.text.pdf.PdfDictionary;
+import org.openpdf.text.pdf.PdfName;
+import org.openpdf.text.pdf.PdfWriter;
+import java.io.ByteArrayOutputStream;
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Security;
+import java.security.cert.X509Certificate;
+import java.util.Date;
+import org.bouncycastle.asn1.x500.X500Name;
+import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
+import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
+import org.bouncycastle.jce.provider.BouncyCastleProvider;
+import org.bouncycastle.operator.ContentSigner;
+import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+class DocumentSecurityStoreTest {
+
+    @BeforeAll
+    static void installBc() {
+        if (Security.getProvider("BC") == null) {
+            Security.addProvider(new BouncyCastleProvider());
+        }
+    }
+
+    @Test
+    void buildEmptyDssHasNoArrays() throws Exception {
+        PdfWriter writer = createWriter();
+        PdfDictionary dss = new DocumentSecurityStore().build(writer);
+        assertNotNull(dss);
+        // empty store should produce a Type=DSS dict with no Certs/CRLs/OCSPs entries
+        assertNull(dss.get(PdfName.CERTS), "Empty DSS should have no /Certs");
+        assertNull(dss.get(PdfName.CRLS), "Empty DSS should have no /CRLs");
+        assertNull(dss.get(PdfName.OCSPS), "Empty DSS should have no /OCSPs");
+    }
+
+    @Test
+    void buildDssWithCertHasCertsArray() throws Exception {
+        X509Certificate cert = selfSignedCert();
+        DocumentSecurityStore dss = new DocumentSecurityStore();
+        dss.addCertificate(cert);
+
+        PdfWriter writer = createWriter();
+        PdfDictionary result = dss.build(writer);
+
+        PdfArray certs = result.getAsArray(PdfName.CERTS);
+        assertNotNull(certs, "DSS with a certificate must have /Certs");
+        assertTrue(certs.size() > 0);
+    }
+
+    @Test
+    void buildDssWithOcspHasOcspsArray() throws Exception {
+        DocumentSecurityStore dss = new DocumentSecurityStore();
+        dss.addOcsp(new byte[]{0x30, 0x00}); // minimal placeholder DER
+
+        PdfWriter writer = createWriter();
+        PdfDictionary result = dss.build(writer);
+
+        PdfArray ocsps = result.getAsArray(PdfName.OCSPS);
+        assertNotNull(ocsps, "DSS with an OCSP response must have /OCSPs");
+        assertTrue(ocsps.size() > 0);
+    }
+
+    @Test
+    void buildDssWithCrlBytesHasCrlsArray() throws Exception {
+        DocumentSecurityStore dss = new DocumentSecurityStore();
+        dss.addCrl(new byte[]{0x30, 0x00}); // minimal placeholder DER
+
+        PdfWriter writer = createWriter();
+        PdfDictionary result = dss.build(writer);
+
+        PdfArray crls = result.getAsArray(PdfName.CRLS);
+        assertNotNull(crls, "DSS with a CRL must have /CRLs");
+        assertTrue(crls.size() > 0);
+    }
+
+    @Test
+    void addNullCertIsIgnored() throws Exception {
+        DocumentSecurityStore dss = new DocumentSecurityStore();
+        dss.addCertificate(null); // must not throw
+
+        PdfWriter writer = createWriter();
+        PdfDictionary result = dss.build(writer);
+        assertNull(result.get(PdfName.CERTS));
+    }
+
+    // ---- helpers ----
+
+    private static PdfWriter createWriter() throws Exception {
+        Document doc = new Document();
+        ByteArrayOutputStream baos = new ByteArrayOutputStream();
+        return PdfWriter.getInstance(doc, baos);
+    }
+
+    private static X509Certificate selfSignedCert() throws Exception {
+        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
+        gen.initialize(1024);
+        KeyPair kp = gen.generateKeyPair();
+
+        X500Name subject = new X500Name("CN=DSS Test");
+        BigInteger serial = BigInteger.ONE;
+        Date now = new Date();
+        Date later = new Date(now.getTime() + 86400_000L);
+
+        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA")
+                .setProvider("BC").build(kp.getPrivate());
+
+        return new JcaX509CertificateConverter().setProvider("BC")
+                .getCertificate(new JcaX509v3CertificateBuilder(
+                        subject, serial, now, later, subject, kp.getPublic()).build(signer));
+    }
+}