security

package
Published: Nov 21, 2025 License: MIT Imports: 19 Imported by: 0

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildAES256Encryption

func BuildAES256Encryption(userPwd, ownerPwd string, permissions raw.Permissions, fileID []byte, encryptMetadata bool) (*raw.DictObj, []byte, error)

BuildAES256Encryption constructs an Encrypt dictionary and keys for AES-256 (PDF 2.0) security.

func BuildStandardEncryption

func BuildStandardEncryption(userPwd, ownerPwd string, permissions raw.Permissions, fileID []byte, encryptMetadata bool) (*raw.DictObj, []byte, error)

BuildStandardEncryption constructs an Encrypt dictionary and primary key for the Standard security handler.

func PermissionsValue

func PermissionsValue(p raw.Permissions) int32

PermissionsValue encodes p as the Standard security handler's permission flags for a document, i.e. the signed 32-bit value written to the Encrypt dictionary's /P entry.
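The /P value is a bit field whose layout is fixed by the PDF specification: bits 3, 4, 5, 6, 9, 10, 11 and 12 grant individual operations, bits 1 and 2 must be clear, and bits 7, 8 and 13 to 32 must be set, which is why "deny everything" is -3904 and "allow everything" is -4. The following is an added example, not the package's own PermissionsValue, showing that encoding and its inverse so a practitioner can check what a reader would actually grant from a /P value pulled out of a file. The Permissions type is redeclared here with the same field names as the page's struct so the example compiles on its own.

```go
package main

import "fmt"

// Permissions mirrors the field set of the page's Permissions struct. It is
// redeclared here only so this example compiles stand-alone.
type Permissions struct {
	Print, Modify, Copy, ModifyAnnotations, FillForms,
	ExtractAccessible, Assemble, PrintHighQuality bool
}

// Bit positions of the user access permissions defined by the PDF
// specification. Bit 1 is the least significant bit, so bit N is 1<<(N-1).
const (
	permPrint             uint32 = 1 << 2  // bit 3
	permModify            uint32 = 1 << 3  // bit 4
	permCopy              uint32 = 1 << 4  // bit 5
	permModifyAnnotations uint32 = 1 << 5  // bit 6
	permFillForms         uint32 = 1 << 8  // bit 9
	permExtractAccessible uint32 = 1 << 9  // bit 10
	permAssemble          uint32 = 1 << 10 // bit 11
	permPrintHighQuality  uint32 = 1 << 11 // bit 12

	// Bits 1-2 must be 0; bits 7-8 and 13-32 must be 1. With every
	// permission bit cleared this is the "deny everything" value -3904.
	permReserved uint32 = 0xFFFFF0C0
)

// encodePermissions builds the /P value: reserved bits first, then one bit
// per granted permission. The word is reinterpreted as int32 because /P is
// written as a signed integer (a fully permissive document is -4).
func encodePermissions(p Permissions) int32 {
	v := permReserved
	set := func(on bool, bit uint32) {
		if on {
			v |= bit
		}
	}
	set(p.Print, permPrint)
	set(p.Modify, permModify)
	set(p.Copy, permCopy)
	set(p.ModifyAnnotations, permModifyAnnotations)
	set(p.FillForms, permFillForms)
	set(p.ExtractAccessible, permExtractAccessible)
	set(p.Assemble, permAssemble)
	set(p.PrintHighQuality, permPrintHighQuality)
	return int32(v)
}

// decodePermissions is the inverse: given a /P value read from a file, report
// which operations a conforming reader would allow. Reserved bits are
// ignored, as readers ignore them.
func decodePermissions(v int32) Permissions {
	u := uint32(v)
	return Permissions{
		Print:             u&permPrint != 0,
		Modify:            u&permModify != 0,
		Copy:              u&permCopy != 0,
		ModifyAnnotations: u&permModifyAnnotations != 0,
		FillForms:         u&permFillForms != 0,
		ExtractAccessible: u&permExtractAccessible != 0,
		Assemble:          u&permAssemble != 0,
		PrintHighQuality:  u&permPrintHighQuality != 0,
	}
}

func main() {
	// Constructed example: printing and accessibility extraction only.
	p := Permissions{Print: true, PrintHighQuality: true, ExtractAccessible: true}
	v := encodePermissions(p)
	fmt.Printf("/P %d (0x%08X)\n", v, uint32(v))
	fmt.Printf("%+v\n", decodePermissions(v))
}
```

Note that /P is enforced by the reader, not by the cryptography: anyone holding the user password has the same file key regardless of the flags, so the value is a policy hint, not an access control.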

Types

type DataClass

type DataClass int

DataClass identifies the kind of payload being encrypted or decrypted.

const (
	DataClassStream DataClass = iota
	DataClassString
	DataClassMetadataStream
)

type Handler

type Handler interface {
	// IsEncrypted reports whether the document carries an Encrypt dictionary.
	IsEncrypted() bool
	// Authenticate checks a user or owner password against the Encrypt dictionary.
	Authenticate(password string) error
	// DecryptWithFilter decrypts data belonging to object objNum/gen using the
	// named crypt filter; Decrypt uses the document's default filter for the
	// data class (/StmF for streams, /StrF for strings).
	DecryptWithFilter(objNum, gen int, data []byte, class DataClass, cryptFilter string) ([]byte, error)
	Decrypt(objNum, gen int, data []byte, class DataClass) ([]byte, error)
	// EncryptWithFilter and Encrypt are the corresponding operations when writing.
	EncryptWithFilter(objNum, gen int, data []byte, class DataClass, cryptFilter string) ([]byte, error)
	Encrypt(objNum, gen int, data []byte, class DataClass) ([]byte, error)
	// Permissions returns the flags decoded from the Encrypt dictionary's /P entry.
	Permissions() Permissions
	// EncryptMetadata reports whether the metadata stream is encrypted (/EncryptMetadata).
	EncryptMetadata() bool
}
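The objNum and gen arguments matter because the Standard security handler does not encrypt every object under the file key directly: for RC4 and AESV2 a per-object key is derived from the file key plus the object number and generation (PDF "Algorithm 1"), so ciphertext cannot be transplanted between objects. The block below is an added example, not the package's Handler implementation or its BuildStandardEncryption output; it shows the AESV2 crypt filter end to end (object key derivation, random IV, AES-128-CBC, PKCS#5 padding) for a constructed 16-byte file key that in real use would come from the key-derivation step. For AES-256 (/AESV3, which BuildAES256Encryption targets) the file key is used as-is with no per-object derivation.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// aesv2Handler is a minimal stand-in for the page's Handler covering only the
// Encrypt/Decrypt pair for the /AESV2 crypt filter. The file key is supplied
// directly here; in the real package it is derived from the passwords.
type aesv2Handler struct {
	fileKey []byte // file encryption key, 16 bytes for AESV2
}

// objectKey derives the per-object key (PDF "Algorithm 1"): MD5 over the file
// key, the low 3 bytes of the object number and low 2 bytes of the generation
// (little-endian), plus the constant "sAlT" for AES; truncated to
// min(len(fileKey)+5, 16) bytes. Every object therefore gets its own AES key.
func (h *aesv2Handler) objectKey(objNum, gen int) []byte {
	buf := make([]byte, 0, len(h.fileKey)+9)
	buf = append(buf, h.fileKey...)
	buf = append(buf, byte(objNum), byte(objNum>>8), byte(objNum>>16))
	buf = append(buf, byte(gen), byte(gen>>8))
	buf = append(buf, 's', 'A', 'l', 'T')
	sum := md5.Sum(buf)
	n := len(h.fileKey) + 5
	if n > 16 {
		n = 16
	}
	return sum[:n]
}

// Encrypt produces IV || AES-CBC(PKCS#5-padded data) with a fresh random IV,
// which is the on-disk layout AESV2 readers expect.
func (h *aesv2Handler) Encrypt(objNum, gen int, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(h.objectKey(objNum, gen))
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(data)%aes.BlockSize // always 1..16
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(padded))
	copy(out, iv)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[aes.BlockSize:], padded)
	return out, nil
}

// Decrypt reverses Encrypt and validates the padding. Malformed input (missing
// IV, partial blocks, bad padding) is rejected rather than trusted, since in a
// hostile PDF these bytes are attacker-controlled.
func (h *aesv2Handler) Decrypt(objNum, gen int, data []byte) ([]byte, error) {
	if len(data) < 2*aes.BlockSize || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("aesv2: ciphertext is not IV plus whole blocks")
	}
	block, err := aes.NewCipher(h.objectKey(objNum, gen))
	if err != nil {
		return nil, err
	}
	iv, ct := data[:aes.BlockSize], data[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize {
		return nil, errors.New("aesv2: invalid padding")
	}
	for _, b := range pt[len(pt)-pad:] {
		if int(b) != pad {
			return nil, errors.New("aesv2: invalid padding")
		}
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	// Constructed file key and stream content; not derived from a real PDF.
	h := &aesv2Handler{fileKey: []byte("0123456789abcdef")}
	ct, _ := h.Encrypt(12, 0, []byte("BT (hello) Tj ET"))
	fmt.Printf("object 12 0: %x\n", ct)
	pt, err := h.Decrypt(12, 0, ct)
	fmt.Printf("decrypt as 12 0: %q err=%v\n", pt, err)
	_, err = h.Decrypt(13, 0, ct) // same bytes presented as a different object
	fmt.Printf("decrypt as 13 0: err=%v\n", err)
}
```

The CBC padding check is what fails when ciphertext is moved to another object; it is not an integrity mechanism, so a Handler must not treat a successful Decrypt as proof the content is authentic.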

func NoopHandler

func NoopHandler() Handler

NoopHandler returns a reusable pass-through encryption handler.

type HandlerBuilder

type HandlerBuilder struct {
	// contains filtered or unexported fields
}

func (*HandlerBuilder) Build

func (b *HandlerBuilder) Build() (Handler, error)

func (*HandlerBuilder) WithEncryptDict

func (b *HandlerBuilder) WithEncryptDict(d raw.Dictionary) *HandlerBuilder

func (*HandlerBuilder) WithFileID

func (b *HandlerBuilder) WithFileID(id []byte) *HandlerBuilder

func (*HandlerBuilder) WithTrailer

func (b *HandlerBuilder) WithTrailer(d raw.Dictionary) *HandlerBuilder

type LTVData

type LTVData struct {
	Certs [][]byte // DER encoded certificates
	OCSPs [][]byte // DER encoded OCSP responses
	CRLs  [][]byte // DER encoded CRLs
}

LTVData contains validation data for Long Term Validation (LTV).

type Limits

type Limits struct {
	// Maximum decompressed stream size (prevent zip bombs). Default: 100 MB.
	MaxDecompressedSize int64

	// Maximum indirect reference depth (prevent stack overflow). Default: 100.
	MaxIndirectDepth int

	// Maximum XRef chain depth (Prev entries). Default: 50.
	MaxXRefDepth int

	// Maximum XObject nesting depth. Default: 20.
	MaxXObjectDepth int

	// Maximum array size (number of elements). Default: 100,000.
	MaxArraySize int

	// Maximum dictionary size (number of entries). Default: 10,000.
	MaxDictSize int

	// Maximum string length (bytes). Default: 10 MB.
	MaxStringLength int64

	// Maximum raw stream length (bytes). Default: 50 MB.
	MaxStreamLength int64

	// Maximum decode time per stream. Default: 30s.
	MaxDecodeTime time.Duration

	// Maximum total parse time. Default: 5m.
	MaxParseTime time.Duration
}

Limits defines security boundaries for parsing and processing PDFs. These limits help prevent resource exhaustion attacks (e.g., zip bombs, stack overflows).

func DefaultLimits

func DefaultLimits() Limits

DefaultLimits returns a Limits struct with safe default values.
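MaxDecompressedSize only helps if it is checked while inflating, before memory is committed: a FlateDecode stream of a few kilobytes can expand to gigabytes, and a decoder that inflates fully and measures afterwards has already lost. The following is an added example, not the package's own decoder, of a bounded FlateDecode that enforces MaxDecompressedSize and MaxDecodeTime chunk by chunk. It redeclares only the two Limits fields it uses and constructs its own inputs with the standard library's zlib writer.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"errors"
	"fmt"
	"io"
	"time"
)

// Limits repeats only the two fields this example enforces; the page's
// struct has more.
type Limits struct {
	MaxDecompressedSize int64
	MaxDecodeTime       time.Duration
}

var (
	ErrDecompressedTooLarge = errors.New("flate: decompressed size exceeds MaxDecompressedSize")
	ErrDecodeTimeout        = errors.New("flate: decoding exceeded MaxDecodeTime")
)

// flateDecodeBounded inflates a FlateDecode (zlib) stream while enforcing the
// limits. The size is checked before each chunk is kept, so the function never
// holds more than MaxDecompressedSize plus one read buffer regardless of the
// compression ratio. The deadline bounds pathological but valid streams that
// inflate slowly.
func flateDecodeBounded(raw []byte, l Limits) ([]byte, error) {
	zr, err := zlib.NewReader(bytes.NewReader(raw))
	if err != nil {
		return nil, err
	}
	defer zr.Close()

	deadline := time.Now().Add(l.MaxDecodeTime)
	var out bytes.Buffer
	chunk := make([]byte, 32*1024)
	for {
		if time.Now().After(deadline) {
			return nil, ErrDecodeTimeout
		}
		n, rerr := zr.Read(chunk)
		if int64(out.Len())+int64(n) > l.MaxDecompressedSize {
			return nil, ErrDecompressedTooLarge
		}
		out.Write(chunk[:n])
		if rerr == io.EOF {
			return out.Bytes(), nil
		}
		if rerr != nil {
			return nil, rerr
		}
	}
}

// deflate builds constructed sample inputs for the demo; it is not a PDF writer.
func deflate(data []byte) []byte {
	var b bytes.Buffer
	w := zlib.NewWriter(&b)
	w.Write(data)
	w.Close()
	return b.Bytes()
}

func main() {
	l := Limits{MaxDecompressedSize: 1 << 20, MaxDecodeTime: 5 * time.Second}
	small := deflate([]byte("BT /F1 12 Tf (hello) Tj ET"))
	bomb := deflate(make([]byte, 64<<20)) // 64 MiB of zeros, tens of KiB compressed

	if out, err := flateDecodeBounded(small, l); err == nil {
		fmt.Printf("ok: %q\n", out)
	}
	if _, err := flateDecodeBounded(bomb, l); err != nil {
		fmt.Printf("rejected %d-byte stream: %v\n", len(bomb), err)
	}
}
```

The same pattern applies to any decode filter in a chain (FlateDecode followed by a predictor, LZWDecode, image filters): every stage should be wrapped so the limit is enforced on the data actually produced, and MaxParseTime then caps the sum over all streams in the document.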

type MockSigner

type MockSigner struct{}

MockSigner is a Signer for tests that have no real keys.

func (*MockSigner) Certificate

func (m *MockSigner) Certificate() []*x509.Certificate

func (*MockSigner) Sign

func (m *MockSigner) Sign(data []byte) ([]byte, error)

type Permissions

type Permissions struct {
	Print             bool
	Modify            bool
	Copy              bool
	ModifyAnnotations bool
	FillForms         bool
	ExtractAccessible bool
	Assemble          bool
	PrintHighQuality  bool
}

type RSASigner

type RSASigner struct {
	// contains filtered or unexported fields
}

RSASigner implements Signer using an RSA private key.

func NewRSASigner

func NewRSASigner(priv *rsa.PrivateKey, chain []*x509.Certificate) *RSASigner

NewRSASigner creates a new RSA signer.

func (*RSASigner) Certificate

func (s *RSASigner) Certificate() []*x509.Certificate

func (*RSASigner) SetPAdES

func (s *RSASigner) SetPAdES(enable bool)

SetPAdES enables or disables PAdES (ETSI.CAdES.detached) support. When enabled, the CMS signature carries the ESS signing-certificate-v2 signed attribute, which binds the signer's certificate to the signature as PAdES requires.

func (*RSASigner) Sign

func (s *RSASigner) Sign(data []byte) ([]byte, error)

type Signer

type Signer interface {
	// Sign signs the given data and returns the signature bytes (PKCS#7/CMS).
	Sign(data []byte) ([]byte, error)

	// Certificate returns the signer's certificate chain.
	Certificate() []*x509.Certificate
}

Signer represents an entity capable of signing data.
