Password Protect PDF (with Blank Admin Password)

sdiamond · November 6, 2017, 3:03pm

If I encrypt an Aspose PDF document, with a ‘userPassword’, but without specifying an ‘ownerPassword’, I am able to read the contents of the PDF without specifying any password. I would expect this not to be the case.

string path = @“c:\SamplePDF.pdf”;
string pathOutput = path.Replace(“.pdf”, “_encryptedCopy.pdf”);

        using (System.IO.Stream dataStream = System.IO.File.OpenRead(path))
        {
            Aspose.Pdf.Document pdf1 = new Aspose.Pdf.Document(dataStream);
            Aspose.Pdf.Facades.DocumentPrivilege privi = Aspose.Pdf.Facades.DocumentPrivilege.AllowAll; //Want to allow all functions once the file is opened
            pdf1.Encrypt("Hello", string.Empty, privi, Aspose.Pdf.CryptoAlgorithm.AESx256, false); //The documentation makes it appear as though owner password is optional
            pdf1.Save(pathOutput);

            //At this point, if I try to open the file using Adobe Acrobat, it does indeed ask for a password (which is good)
        }

        //Now, try and read it without a pasword,
        try
        {
            //I can read the text in the PDF document. I would not expect to be able to read the text here because I'm not specifying the password to open the file.
            Aspose.Pdf.Document pdf1 = new Aspose.Pdf.Document(pathOutput);
            Aspose.Pdf.Text.TextAbsorber textAbsorber = new Aspose.Pdf.Text.TextAbsorber();
            pdf1.Pages.Accept(textAbsorber);
            string extractedText = textAbsorber.Text;
        }
        catch (Exception ex)
        {

        }

The api documentation says ownerPassword is optional, in the text on this page it says "The Owner password, if set, ". This leads me to believe it’s optional.

So, my question is: If we leave the ownerPassword blank, does encryption occur? Because I can read the contents just fine without a password.

Farhan.Raza · November 6, 2017, 8:30pm

@sdiamond

I would like to share with you that the user password and the owner password can be null or empty. The owner password will be replaced with a random string if the input owner password is null or empty. So the answer to your question is: Yes, encryption does occur using that random string as owner password.

However, I am afraid this random string is not being generated at the moment and staying as an empty string instead. So, I have logged an investigation ticket with ID PDFNET-43663 for further investigation on this issue. This thread has been linked with the ticket and we will keep you posted as soon as some significant progress is made in this regard.

We are sorry for the inconvenience.

sdiamond · November 6, 2017, 11:30pm

Hi Farhan,
Ok, thank you for the reply and confirming the issue. As a work around, I am simply putting the same password for both the userPassword and the ownerPassword. This does indeed prevent me from extracting text without a password.
Thank you,
Sean

Farhan.Raza · November 7, 2017, 4:50am

@sdiamond

You are doing it the right way. Until the issue is investigated and resolved on our end, you may encrypt the files by explicitly passing the owner and user password to the Encrypt method. We will share a notification with you once the issue will be fixed.