Tuesday, February 8, 2011

Encryption in PDF document with iText API


How to make a PDF password protected with the iText API.

1) Encrypt an existing PDF document:
To encrypt an existing document, call the static encrypt method of the PdfEncryptor class.
It takes the following parameters:

Reader            : the PdfReader opened on the source PDF
Output stream     : the output destination
Type              : the type of encryption. It can be one of STANDARD_ENCRYPTION_40,
                    STANDARD_ENCRYPTION_128 or ENCRYPTION_AES128 (the two STANDARD
                    types use RC4; ENCRYPTION_AES128 is the stronger choice).
User Password     : the user password (needed to open the document).
Owner Password    : the owner password (grants full rights, overriding the permissions).
Permissions       : the user permissions (a combination of the PdfWriter.ALLOW_* flags)


      // Assumes iText 2.x package names (com.lowagie.*); iText 5 moved them to com.itextpdf.text.*
      import java.io.FileNotFoundException;
      import java.io.FileOutputStream;
      import java.io.IOException;
      import com.lowagie.text.DocumentException;
      import com.lowagie.text.pdf.PdfEncryptor;
      import com.lowagie.text.pdf.PdfReader;
      import com.lowagie.text.pdf.PdfWriter;

      public void encryptPDFFile(String sourceFilePath,
                                 String destinationFilePath,
                                 String userPassword,
                                 String ownerPassword) {
          try {
              // Re-writes the source PDF to the destination with 128-bit encryption;
              // a reader holding only the user password may print at reduced quality, nothing else
              PdfEncryptor.encrypt(new PdfReader(sourceFilePath),
                                   new FileOutputStream(destinationFilePath),
                                   PdfWriter.STANDARD_ENCRYPTION_128,
                                   userPassword,
                                   ownerPassword,
                                   PdfWriter.ALLOW_DEGRADED_PRINTING);
          } catch (FileNotFoundException e) {
              e.printStackTrace();
          } catch (DocumentException e) {
              e.printStackTrace();
          } catch (IOException e) {
              e.printStackTrace();
          } catch (Exception e) {
              e.printStackTrace();
          }
      }

2) Encrypt a PDF document generated from scratch:
To encrypt a generated document, call the setEncryption method on the PdfWriter object.
Its parameters are:

User Password     : the user password (needed to open the document).
Owner Password    : the owner password (grants full rights, overriding the permissions).
Permissions       : the user permissions (a combination of the PdfWriter.ALLOW_* flags)
Type              : the type of encryption. It can be one of STANDARD_ENCRYPTION_40,
                    STANDARD_ENCRYPTION_128 or ENCRYPTION_AES128.

           Note: setEncryption must be called before the open() method of the Document object is called.

      // Assumes iText 2.x package names (com.lowagie.*); iText 5 moved them to com.itextpdf.text.*
      import com.lowagie.text.DocumentException;
      import com.lowagie.text.pdf.PdfWriter;

      // Call after PdfWriter.getInstance(document, out) and before document.open()
      public void encryptGeneratedPDFDocument(PdfWriter writer,
                                              String userPassword, String ownerPassword) {
          try {
              writer.setEncryption(userPassword.getBytes(),
                                   ownerPassword.getBytes(),
                                   PdfWriter.ALLOW_DEGRADED_PRINTING,
                                   PdfWriter.STANDARD_ENCRYPTION_128);
          } catch (DocumentException e) {
              e.printStackTrace();
          } catch (Exception e) {
              e.printStackTrace();
          }
      }
         
How to read password-protected PDF documents
1) Decrypt the PDF
2) Read the PDF document.

For that, use the PdfReader constructor that takes the owner password as a byte array.

      // Assumes iText 2.x package names (com.lowagie.*); iText 5 moved them to com.itextpdf.text.*
      import java.io.File;
      import java.io.IOException;
      import java.util.List;
      import com.lowagie.text.pdf.PdfReader;

      public void readEncryptedPDF(List<File> fileList, String ownerPassword)
              throws IOException {
          for (File ff : fileList) {
              PdfReader reader;
              try {
                  // If the PDF document is not encrypted, this succeeds directly
                  reader = new PdfReader(ff.getAbsolutePath());
              } catch (IOException io) {
                  // iText reports a missing or wrong password as a BadPasswordException,
                  // which is an IOException; retry with the owner password
                  System.err.println("BAD PASSWORD EXCEPTION: " + ff.getName());
                  reader = new PdfReader(ff.getAbsolutePath(), ownerPassword.getBytes());
              }
              try {
                  // Read the document, for example its page count
                  System.out.println(ff.getName() + ": " + reader.getNumberOfPages() + " pages");
              } finally {
                  reader.close();
              }
          }
      }

Wednesday, January 12, 2011

OPENSSL

Openssl basics
  •       OpenSSL is an open source implementation of the SSL and TLS protocols.
  •       OpenSSL includes a command line utility that can be used to perform a variety of cryptographic functions, such as creating digital certificates and digital signatures.
  •       OpenSSL is available from the OpenSSL Project at http://www.openssl.org/

Installation and configuration
  •       Download and install the latest version of OpenSSL.
             http://www.brothersoft.com/openssl-27429.html
  •       Add the bin directory to the PATH environment variable, or run ‘openssl.exe’ from the bin directory.
  •       Then go to the bin directory and create a folder, say “mycerts”, to store all the created certificates.
  •       Copy ‘bin/openssl.cfg’ into the ‘mycerts’ directory and rename it, say to openssl.myca.cfg.

Steps to create digital certificates with openssl:
           
  1. Create the Certificate Authority’s (CA) certificate
We will use this to sign the other certificate signing requests.

openssl req -config mycerts/openssl.myca.cfg -new -x509 -extensions v3_ca -keyout mycerts/myca.key -out mycerts/myca.crt -days 365

This creates a self-signed certificate with the default CA extensions, valid for one year. You will be prompted for a passphrase for your CA’s private key,
and then for some information about the CA.


  2. Create the user private key and certificate signing request
openssl req -config mycerts/openssl.myca.cfg -new -nodes -keyout mycerts/usercert1.key -out mycerts/usercert1.csr -days 365

The -nodes option is needed so that the private key is not protected with a passphrase.
Then provide some information about the user.
  3. Sign the user certificate request with the CA certificate
 A) Configuration required in OpenSSL to sign a certificate request

Create the following files in the ‘bin/mycerts’ directory:
    •  index.txt
    •  ca.srl: edit this file and write the serial number ‘01’
    •  Some modifications to ‘mycerts/openssl.myca.cfg’ are also mandatory. Change the parts underlined in red in the screenshots.
(screenshot: default openssl.myca.cfg)
(screenshot: modified openssl.myca.cfg)

Then sign the user certificate request using the modified openssl.myca.cfg with the following command.

openssl ca -config mycerts/openssl.myca.cfg -policy policy_anything -out mycerts/usercert1.crt -infiles mycerts/usercert1.csr

  4. Convert the .crt format to PKCS12 (.p12) format
To include the entire certificate chain, add the -chain option and provide the path of the CA certificate file with -CAfile.

openssl pkcs12 -export -chain -in mycerts/usercert1.crt -inkey mycerts/usercert1.key -out mycerts/usercert1.p12 -CAfile mycerts/myca.crt

  5. Add the certificate chain to a Java keystore (.jks)
JKS conversion using Jetty
A)    Download jetty.jar from

B)     Save it on a drive, for example in C:\conversion

C)    Place your PKCS12 file in the same folder

D)    Open a command prompt in that directory

E)     Run the following command to import the certificate chain into a JKS keystore.
Enter the password of the PKCS12 file and the password for the output keystore when prompted.

java -classpath .;org.mortbay.jetty.jar org.mortbay.util.PKCS12Import usercert1.p12 mynewjks.jks

  6. Revoke a user certificate
 A.     Configuration required in OpenSSL to revoke a user certificate
       Create the file crl.srl in the mycerts directory and write the serial number ‘01’ in it.
       Some modifications to openssl.myca.cfg are also mandatory.

 B.     Revoke the user certificate
       openssl ca -config mycerts/openssl.myca.cfg -revoke mycerts/usercert1.crt

 C.     Then generate the CRL
       openssl ca -config mycerts/openssl.myca.cfg -gencrl -out mycerts/myca.crl
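The whole CA procedure above (steps 1 to 6) as one unattended script, added here as an example and not part of the original post. It writes a minimal stand-in for openssl.myca.cfg inline (assumed content, since the post shows its modified file only as a screenshot), creates the CA, issues and signs a user certificate, exports the PKCS#12 bundle, then revokes the certificate and shows that verification against the CRL fails. It assumes the openssl binary is on PATH and works in a fresh temporary directory.

```shell
# Added example (not code from the original post): steps 1-6 of the CA workflow end to end,
# driven by a minimal stand-in for openssl.myca.cfg written inline (its content is assumed).
set -eu
run_ca_demo() {
  dir=$(mktemp -d); cd "$dir"
  mkdir newcerts; : > index.txt; echo 01 > ca.srl; echo 01 > crl.srl   # files the post asks for
  cat > openssl.myca.cfg <<'EOF'
[ ca ]
default_ca = myca
[ myca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/ca.srl
crlnumber = $dir/crl.srl
certificate = $dir/myca.crt
private_key = $dir/myca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = policy_anything
x509_extensions = usr_cert
[ policy_anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
[ usr_cert ]
basicConstraints = CA:FALSE
EOF
  # 1) CA cert; -nodes only so the demo runs unattended (a real CA key should keep its passphrase)
  openssl req -config openssl.myca.cfg -new -x509 -nodes -newkey rsa:2048 -extensions v3_ca \
    -subj "/CN=Demo CA" -keyout myca.key -out myca.crt -days 365 2>/dev/null
  # 2) user key + CSR, 3) sign with the CA (-batch replaces the interactive y/n prompts)
  openssl req -config openssl.myca.cfg -new -nodes -newkey rsa:2048 \
    -subj "/CN=usercert1" -keyout usercert1.key -out usercert1.csr 2>/dev/null
  openssl ca -batch -config openssl.myca.cfg -policy policy_anything \
    -out usercert1.crt -infiles usercert1.csr 2>/dev/null
  # 4) PKCS#12 bundle with the chain ("demo" is a constructed export password)
  openssl pkcs12 -export -chain -in usercert1.crt -inkey usercert1.key \
    -out usercert1.p12 -CAfile myca.crt -passout pass:demo 2>/dev/null
  before=$(openssl verify -CAfile myca.crt usercert1.crt >/dev/null 2>&1 && echo valid || echo invalid)
  # 6) revoke, publish a CRL, and confirm the verifier now rejects the certificate
  openssl ca -config openssl.myca.cfg -revoke usercert1.crt 2>/dev/null
  openssl ca -config openssl.myca.cfg -gencrl -out myca.crl 2>/dev/null
  after=$(openssl verify -crl_check -CAfile myca.crt -CRLfile myca.crl usercert1.crt >/dev/null 2>&1 && echo valid || echo revoked)
  echo "before_revocation=$before after_revocation=$after"
}
```

Calling run_ca_demo prints before_revocation=valid after_revocation=revoked; the same CRL check is what a TLS client or keystore validator has to perform, otherwise a revoked certificate keeps verifying against the CA alone.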
   