hexapdf 0.1.0

data/test/hexapdf/encryption/test_security_handler.rb

@@ -0,0 +1,356 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/encryption/security_handler'
+require 'hexapdf/document'
+require 'hexapdf/stream'
+
+describe HexaPDF::Encryption::EncryptionDictionary do
+  before do
+    @document = HexaPDF::Document.new
+    @dict = HexaPDF::Encryption::EncryptionDictionary.new({}, document: @document)
+    @dict[:Filter] = :Standard
+    @dict[:V] = 1
+  end
+
+  it "validates the /V value" do
+    @dict[:V] = 1
+    assert(@dict.validate)
+    @dict[:V] = 3
+    refute(@dict.validate)
+  end
+
+  it "validates the /Length field when /V=2" do
+    @dict[:V] = 2
+    refute(@dict.validate)
+
+    @dict[:Length] = 32
+    refute(@dict.validate)
+    @dict[:Length] = 136
+    refute(@dict.validate)
+    @dict[:Length] = 55
+    refute(@dict.validate)
+
+    @dict[:Length] = 120
+    assert(@dict.validate)
+  end
+end
+
+describe HexaPDF::Encryption::SecurityHandler do
+  class TestHandler < HexaPDF::Encryption::SecurityHandler
+
+    attr_accessor :strf, :myopt
+    public :dict
+
+    def prepare_encryption(**_options)
+      dict[:Filter] = :Test
+      @key = "a" * key_length
+      @strf ||= :aes
+      @stmf ||= :arc4
+      @eff ||= :identity
+      [@key, @strf, @stmf, @eff]
+    end
+
+    def prepare_decryption(myopt: nil)
+      @myopt = myopt
+      @key = "a" * key_length
+    end
+
+  end
+
+
+  before do
+    @document = HexaPDF::Document.new
+    @obj = @document.add({})
+    @handler = TestHandler.new(@document)
+  end
+
+  describe "class methods" do
+    before do
+      HexaPDF::GlobalConfiguration['encryption.filter_map'][:Test] = TestHandler
+    end
+
+    after do
+      HexaPDF::GlobalConfiguration['encryption.filter_map'].delete(:Test)
+    end
+
+    describe "class set_up_encryption" do
+      it "fails if the requested security handler cannot be found" do
+        assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :non_standard)
+        end
+      end
+
+      it "updates the trailer's /Encrypt entry to be wrapped by an encryption dictionary" do
+        HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :Test)
+        assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @document.trailer[:Encrypt])
+      end
+
+      it "returns the frozen security handler" do
+        handler = HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :Test)
+        assert(handler.frozen?)
+      end
+    end
+
+    describe "set_up_decryption" do
+      it "fails if the document has no /Encrypt dictionary" do
+        exp = assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        end
+        assert_match(/No \/Encrypt/i, exp.message)
+      end
+
+      it "fails if the requested security handler cannot be found" do
+        @document.trailer[:Encrypt] = {Filter: :NonStandard}
+        assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        end
+      end
+
+      it "updates the trailer's /Encrypt entry to be wrapped by an encryption dictionary" do
+        @document.trailer[:Encrypt] = {Filter: :Test, V: 1}
+        HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @document.trailer[:Encrypt])
+      end
+
+      it "returns the frozen security handler" do
+        @document.trailer[:Encrypt] = {Filter: :Test, V: 1}
+        handler = HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        assert(handler.frozen?)
+      end
+    end
+  end
+
+  it "doesn't have a valid encryption key directly after creation" do
+    refute(@handler.encryption_key_valid?)
+  end
+
+  describe "set_up_encryption" do
+    it "sets the correct /V value for the given key length and algorithm" do
+      [[40, :arc4, 1], [128, :arc4, 2], [128, :arc4, 4],
+       [128, :aes, 4], [256, :aes, 5]].each do |length, algorithm, version|
+        @handler.set_up_encryption(key_length: length, algorithm: algorithm, force_V4: version == 4)
+        assert_equal(version, @handler.dict[:V])
+      end
+    end
+
+    it "sets the correct /Length value for the given key length" do
+      [[40, nil], [48, 48], [128, 128], [256, nil]].each do |key_length, result|
+        algorithm = (key_length == 256 ? :aes : :arc4)
+        @handler.set_up_encryption(key_length: key_length, algorithm: algorithm)
+        assert_equal(result, @handler.dict[:Length])
+      end
+    end
+
+    it "calls the prepare_encryption method" do
+      @handler.set_up_encryption
+      assert_equal(:Test, @handler.dict[:Filter])
+    end
+
+    it "returns the generated encryption dictionary wrapped in an encryption class" do
+      dict = @handler.set_up_encryption
+      assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, dict)
+    end
+
+    it "set's up the handler for encryption" do
+      [:arc4, :aes].each do |algorithm|
+        @handler.set_up_encryption(key_length: 128, algorithm: algorithm)
+        @obj[:X] = @handler.encrypt_string('data', @obj)
+        assert_equal('data', @handler.decrypt(@obj)[:X])
+      end
+    end
+
+    it "generates a valid encryption key" do
+      @document.trailer[:Encrypt] = @handler.set_up_encryption
+      assert(@handler.encryption_key_valid?)
+    end
+
+    it "provides correct encryption details" do
+      @handler.set_up_encryption
+      assert_equal({version: 4, string_algorithm: :aes, stream_algorithm: :arc4,
+                    embedded_file_algorithm: :identity, key_length: 128},
+                   @handler.encryption_details)
+      assert_equal(HexaPDF::Encryption::Identity, @handler.send(:embedded_file_algorithm))
+      assert_equal(HexaPDF::Encryption::FastAES, @handler.send(:string_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:stream_algorithm))
+    end
+
+    it "fails for unsupported encryption key lengths" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(key_length: 43)
+      end
+      assert_match(/Invalid key length/i, exp.message)
+    end
+
+    it "fails for unsupported encryption algorithms" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :test)
+      end
+      assert_match(/Unsupported encryption algorithm/i, exp.message)
+    end
+
+    it "fails for the aes algorithm with key lengths != 128 or 256" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :aes, key_length: 40)
+      end
+      assert_match(/AES algorithm.*key length/i, exp.message)
+    end
+
+    it "fails for the arc4 algorithm with a key length of 256" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :arc4, key_length: 256)
+      end
+      assert_match(/ARC4 algorithm.*key length/i, exp.message)
+    end
+  end
+
+
+  describe "set_up_decryption" do
+    it "sets the handlers's dictionary to the encryption dictionary wrapped in a custom class and returns it" do
+      dict = @handler.set_up_decryption(Filter: :test, V: 1)
+      assert_equal(dict, @handler.dict)
+      assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @handler.dict)
+      assert_equal({Filter: :test, V: 1}, @handler.dict.value)
+    end
+
+    it "doesn't modify the trailer's /Encrypt dictionary" do
+      @handler.set_up_decryption(Filter: :test, V: 4, Length: 128)
+      assert_nil(@document.trailer[:Encrypt])
+    end
+
+    it "calls prepare_decryption" do
+      @handler.set_up_decryption({Filter: :test, V: 4, Length: 128}, myopt: 5)
+      assert_equal(5, @handler.myopt)
+    end
+
+    it "selects the correct algorithm based on the /V and /CF values" do
+      @enc = @handler.dup
+
+      [[:arc4, 40, {V: 1}],
+       [:arc4, 80, {V: 2, Length: 80}],
+       [:arc4, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :V2}}}],
+       [:aes, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :AESV2}}}],
+       [:aes, 256, {V: 5, StrF: :Mine, CF: {Mine: {CFM: :AESV3}}}],
+       [:identity, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :None}}}],
+       [:identity, 128, {V: 4, CF: {Mine: {CFM: :AESV2}}}],
+      ].each do |alg, length, dict|
+        @enc.strf = alg
+        @enc.set_up_encryption(key_length: length, algorithm: (alg == :identity ? :aes : alg))
+        @obj[:X] = @enc.encrypt_string('data', @obj)
+        @handler.set_up_decryption(dict)
+        assert_equal('data', @handler.decrypt(@obj)[:X])
+      end
+    end
+
+    it "selects the correct algorithm for string, stream and embedded file decryption" do
+      @handler.set_up_decryption({V: 4, StrF: :Mine, StmF: :Mine, EFF: :Mine,
+                                  CF: {Mine: {CFM: :V2}}})
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:embedded_file_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:string_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:stream_algorithm))
+    end
+
+    it "provides correct encryption details" do
+      @handler.set_up_decryption({Filter: :test, V: 2, Length: 128}, myopt: 5)
+      assert_equal({version: 2, string_algorithm: :arc4, stream_algorithm: :arc4,
+                    embedded_file_algorithm: :arc4, key_length: 128},
+                   @handler.encryption_details)
+    end
+
+    it "fails for unsupported /V values in the dict" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption(V: 3)
+      end
+      assert_match(/Unsupported encryption version/i, exp.message)
+    end
+
+    it "fails for unsupported crypt filter encryption methods" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption(V: 4, StrF: :Mine, CF: {Mine: {CFM: :Unknown}})
+      end
+      assert_match(/Unsupported encryption method/i, exp.message)
+    end
+  end
+
+
+  describe "decrypt" do
+    before do
+      @handler.set_up_decryption(V: 1)
+      @encrypted = @handler.encrypt_string('string', @obj)
+      @obj.value = {Key: @encrypted.dup, Array: [@encrypted.dup], Hash: {Another: @encrypted.dup}}
+    end
+
+    it "decrypts all strings in an object" do
+      @handler.decrypt(@obj)
+      assert_equal('string', @obj[:Key])
+      assert_equal('string', @obj[:Array][0])
+      assert_equal('string', @obj[:Hash][:Another])
+    end
+
+    it "decrypts the content of a stream object" do
+      data = HexaPDF::StreamData.new(proc { @encrypted })
+      obj = @document.wrap({}, oid: @obj.oid, stream: data)
+      @handler.decrypt(obj)
+      assert_equal('string', obj.stream)
+    end
+
+    it "doesn't decrypt a document's Encrypt dictionary" do
+      @document.trailer[:Encrypt] = @obj
+      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    end
+
+    it "doesn't decrypt XRef streams" do
+      @obj[:Type] = :XRef
+      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    end
+
+    it "fails if V < 5 and the object number changes" do
+      @obj.oid = 55
+      @handler.decrypt(@obj)
+      refute_equal('string', @obj[:Key])
+    end
+  end
+
+
+  describe "encryption" do
+    before do
+      @handler.set_up_encryption(key_length: 128, algorithm: :arc4)
+      @stream = @document.wrap({}, oid: 1, stream: HexaPDF::StreamData.new(proc { "string" }))
+    end
+
+    it "encrypts strings of indirect objects" do
+      @obj[:Key] = @handler.encrypt_string('string', @obj)
+      assert_equal('string', @handler.decrypt(@obj)[:Key])
+    end
+
+    it "encrypts streams" do
+      result = TestHelper.collector(@handler.encrypt_stream(@stream))
+      @stream.stream = HexaPDF::StreamData.new(proc { result })
+      assert_equal('string', @handler.decrypt(@stream).stream)
+    end
+
+    it "doesn't encrypt strings in a document's Encrypt dictionary" do
+      @document.trailer[:Encrypt] = @handler.dict
+      @document.trailer[:Encrypt][:Mine] = 'string'
+      assert_equal('string', @handler.encrypt_string('string', @document.trailer[:Encrypt]))
+    end
+
+    it "doesn't encrypt XRef streams" do
+      @stream[:Type] = :XRef
+      assert_equal('string', @handler.encrypt_stream(@stream).resume)
+    end
+  end
+
+
+  it "works correctly with different decryption and encryption handlers" do
+    test_file = File.join(TEST_DATA_DIR, 'standard-security-handler', 'nopwd-arc4-40bit-V1.pdf')
+    doc = HexaPDF::Document.new(io: StringIO.new(File.read(test_file)))
+    doc.encrypt(algorithm: :aes, password: 'test')
+    out = StringIO.new(''.b)
+    doc.write(out, update_fields: false)
+
+    assert_raises(HexaPDF::EncryptionError) { HexaPDF::Document.new(io: out) }
+    doc = HexaPDF::Document.new(io: out, decryption_opts: {password: 'test'})
+    assert_equal('D:20150409164600', doc.trailer[:Info].value[:ModDate])
+  end
+end

data/test/hexapdf/encryption/test_standard_security_handler.rb

@@ -0,0 +1,274 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/encryption/standard_security_handler'
+require 'hexapdf/document'
+require 'hexapdf/writer'
+require 'stringio'
+
+describe HexaPDF::Encryption::StandardEncryptionDictionary do
+  before do
+    @document = HexaPDF::Document.new
+    @dict = HexaPDF::Encryption::StandardEncryptionDictionary.new({}, document: @document)
+    @dict[:Filter] = :Standard
+    @dict[:V] = 1
+    @dict[:R] = 2
+    @dict[:U] = 'test' * 8
+    @dict[:O] = 'test' * 8
+    @dict[:P] = -5
+    @dict[:UE] = 'test' * 8
+    @dict[:OE] = 'test' * 8
+    @dict[:Perms] = 'test' * 8
+  end
+
+  it "validates the /R value" do
+    @dict[:R] = 2
+    assert(@dict.validate)
+    @dict[:R] = 5
+    refute(@dict.validate)
+  end
+
+  [:U, :O].each do |field|
+    it "validates the length of /#{field} field for R <= 4" do
+      @dict[field] = 'test'
+      refute(@dict.validate)
+    end
+  end
+
+  [:U, :O, :UE, :OE, :Perms].each do |field|
+    it "validates the length of /#{field} field for R=6" do
+      @dict[:R] = 6
+      @dict[field] = 'test'
+      refute(@dict.validate)
+    end
+  end
+
+  [:UE, :OE, :Perms].each do |field|
+    it "validates the existence of the /#{field} field for R=6" do
+      @dict[:R] = 6
+      @dict.delete(field)
+      refute(@dict.validate)
+    end
+  end
+end
+
+describe HexaPDF::Encryption::StandardSecurityHandler do
+  TEST_FILES = Dir[File.join(TEST_DATA_DIR, 'standard-security-handler', '*.pdf')].sort
+  USER_PASSWORD = 'uhexapdf'
+  OWNER_PASSWORD = 'ohexapdf'
+
+  MINIMAL_DOC = HexaPDF::Document.new(io: StringIO.new(MINIMAL_PDF))
+
+  TEST_FILES.each do |file|
+    basename = File.basename(file)
+    it "can decrypt, encrypt and decrypt the encrypted file #{basename} with the user password" do
+      begin
+        doc = HexaPDF::Document.new(io: StringIO.new(File.binread(file)),
+                                    decryption_opts: {password: USER_PASSWORD})
+        assert_equal(MINIMAL_DOC.trailer[:Info][:ModDate], doc.trailer[:Info][:ModDate])
+
+        out = StringIO.new(''.b)
+        HexaPDF::Writer.new(doc, out).write
+        doc = HexaPDF::Document.new(io: out, decryption_opts: {password: USER_PASSWORD})
+        assert_equal(MINIMAL_DOC.trailer[:Info][:ModDate], doc.trailer[:Info][:ModDate])
+      rescue HexaPDF::EncryptionError => e
+        flunk("Error processing #{basename}: #{e}")
+      end
+    end
+
+    if basename !~ /\Auserpwd/
+      it "can decrypt the encrypted file #{basename} with the owner password" do
+        begin
+          doc = HexaPDF::Document.new(io: StringIO.new(File.binread(file)),
+                                      decryption_opts: {password: OWNER_PASSWORD})
+          assert_equal(MINIMAL_DOC.trailer[:Info][:ModDate], doc.trailer[:Info][:ModDate])
+        rescue HexaPDF::EncryptionError => e
+          flunk("Error processing #{basename}: #{e}")
+        end
+      end
+    end
+  end
+
+
+  before do
+    @document = HexaPDF::Document.new
+    @handler = HexaPDF::Encryption::StandardSecurityHandler.new(@document)
+  end
+
+  describe "prepare_encryption" do
+    it "returns the encryption dictionary wrapped with a custom class" do
+      dict = @handler.set_up_encryption
+      assert_kind_of(HexaPDF::Encryption::StandardEncryptionDictionary, dict)
+    end
+
+    it "sets the correct revision independent /Filter value" do
+      dict = @handler.set_up_encryption
+      assert_equal(:Standard, dict[:Filter])
+    end
+
+    it "sets the correct revision independent /P value" do
+      dict = @handler.set_up_encryption
+      assert_equal(@handler.class::Permissions::ALL | @handler.class::Permissions::RESERVED,
+                   dict[:P])
+      dict = @handler.set_up_encryption(permissions: @handler.class::Permissions::COPY_CONTENT)
+      assert_equal(@handler.class::Permissions::COPY_CONTENT | @handler.class::Permissions::RESERVED,
+                   dict[:P])
+      dict = @handler.set_up_encryption(permissions: [:modify_content, :modify_annotation])
+      assert_equal(@handler.class::Permissions::MODIFY_CONTENT | @handler.class::Permissions::MODIFY_ANNOTATION | @handler.class::Permissions::RESERVED,
+                   dict[:P])
+    end
+
+    it "sets the correct revision independent /EncryptMetadata value" do
+      dict = @handler.set_up_encryption
+      assert(dict[:EncryptMetadata])
+      dict = @handler.set_up_encryption(encrypt_metadata: false)
+      refute(dict[:EncryptMetadata])
+    end
+
+    it "sets the correct encryption dictionary values for revision 2 and 3" do
+      arc4_assertions = lambda do |d|
+        assert_equal(32, d[:U].length)
+        assert_equal(32, d[:O].length)
+        refute(d.value.key?(:UE))
+        refute(d.value.key?(:OE))
+        refute(d.value.key?(:Perms))
+      end
+      dict = @handler.set_up_encryption(key_length: 40, algorithm: :arc4)
+      assert_equal(2, dict[:R])
+      arc4_assertions.call(dict)
+
+      dict = @handler.set_up_encryption(key_length: 128, algorithm: :arc4)
+      assert_equal(3, dict[:R])
+      arc4_assertions.call(dict)
+    end
+
+    it "sets the correct encryption dictionary values for revisions 4 and 6" do
+      crypt_filter = lambda do |d, r, alg, length|
+        assert_equal(r, d[:R])
+        assert_equal(alg == :AESV3 ? 48 : 32, d[:U].length)
+        assert_equal(alg == :AESV3 ? 48 : 32, d[:O].length)
+        assert_equal({CFM: alg, Length: length, AuthEvent: :DocOpen}, d[:CF][:StdCF])
+        assert_equal(:StdCF, d[:StrF])
+        assert_equal(:StdCF, d[:StmF])
+        assert_equal(:StdCF, d[:EFF])
+      end
+
+      dict = @handler.set_up_encryption(key_length: 128, algorithm: :arc4, force_V4: true)
+      refute(dict.value.key?(:UE))
+      refute(dict.value.key?(:OE))
+      refute(dict.value.key?(:Perms))
+      crypt_filter.call(dict, 4, :V2, 16)
+
+      dict = @handler.set_up_encryption(key_length: 128, algorithm: :aes)
+      refute(dict.value.key?(:UE))
+      refute(dict.value.key?(:OE))
+      refute(dict.value.key?(:Perms))
+      crypt_filter.call(dict, 4, :AESV2, 16)
+
+      dict = @handler.set_up_encryption(key_length: 256, algorithm: :aes)
+      assert_equal(32, dict[:UE].length)
+      assert_equal(32, dict[:OE].length)
+      assert_equal(16, dict[:Perms].length)
+      crypt_filter.call(dict, 6, :AESV3, 32)
+    end
+
+    it "uses the password keyword as fallback for the user and owner passwords" do
+      dict1 = @document.unwrap(@handler.set_up_encryption(password: 'user', owner_password: 'owner'))
+      dict2 = @document.unwrap(@handler.set_up_encryption(password: 'owner', user_password: 'user'))
+      dict3 = @document.unwrap(@handler.set_up_encryption(user_password: 'user', owner_password: 'owner'))
+
+      assert_equal(dict1[:U], dict2[:U])
+      assert_equal(dict2[:U], dict3[:U])
+      assert_equal(dict1[:O], dict2[:O])
+      assert_equal(dict2[:O], dict3[:O])
+    end
+
+    it "fails if the password contains invalid characters" do
+      assert_raises(HexaPDF::EncryptionError) { @handler.set_up_encryption(password: 'œ test') }
+    end
+
+    it "fails for unknown keywords" do
+      assert_raises(ArgumentError) { @handler.set_up_encryption(unknown: 'test') }
+    end
+  end
+
+
+  describe "prepare_decryption" do
+    it "fails if the /Filter value is incorrect" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption(Filter: :NonStandard, V: 2)
+      end
+      assert_match(/Invalid \/Filter/i, exp.message)
+    end
+
+    it "fails if the /R value is incorrect" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption(Filter: :Standard, V: 2, R: 5)
+      end
+      assert_match(/Invalid \/R/i, exp.message)
+    end
+
+    it "fails if the ID in the document's trailer is missing although it is needed" do
+      exp = assert_raises(HexaPDF::EncryptionError) do
+        @handler.set_up_decryption(Filter: :Standard, V: 2, R: 2)
+      end
+      assert_match(/Document ID/i, exp.message)
+    end
+
+    it "fails if the supplied password is invalid" do
+      exp = assert_raises(HexaPDF::EncryptionError) do
+        @handler.set_up_decryption(Filter: :Standard, V: 2, R: 6, U: 'a' * 48, O: 'a' * 48,
+                                     UE: 'a' * 32, OE: 'a' * 32)
+      end
+      assert_match(/Invalid password/i, exp.message)
+    end
+
+    describe "/Perms field checking" do
+      before do
+        @dict = @handler.set_up_encryption(key_length: 256, algorithm: :aes)
+      end
+
+      it "fails if the field cannot be decrypted" do
+        @dict[:Perms].succ!
+        exp = assert_raises(HexaPDF::EncryptionError) { @handler.set_up_decryption(@dict) }
+        assert_match(/cannot be decrypted/, exp.message)
+      end
+
+      it "fails if the /P field doesn't match" do
+        @dict[:P] = 500
+        exp = assert_raises(HexaPDF::EncryptionError) { @handler.set_up_decryption(@dict) }
+        assert_match(/\/P/, exp.message)
+      end
+
+      it "fails if the /EncryptMetadata field doesn't match" do
+        @dict[:EncryptMetadata] = false
+        exp = assert_raises(HexaPDF::EncryptionError) { @handler.set_up_decryption(@dict) }
+        assert_match(/\/EncryptMetadata/, exp.message)
+      end
+
+      it "ignores the /Perms when requested" do
+        obj = HexaPDF::Object.new(nil, oid: 1)
+        obj.value = @handler.encrypt_string('test', obj)
+
+        @dict[:P] = 500
+        @handler.set_up_decryption(@dict, check_permissions: false)
+        assert_equal('test', @handler.decrypt(obj).value)
+      end
+    end
+  end
+
+  it "encryption key stays valid even if default dictionary values are set while setting up decryption" do
+    @document.encrypt(key_length: 128, algorithm: :aes)
+    assert(@document.security_handler.encryption_key_valid?)
+
+    @document.trailer[:Encrypt].delete(:EncryptMetadata)
+    handler = HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+    assert(handler.encryption_key_valid?)
+  end
+
+  it "returns an array of permission symbols" do
+    perms = @handler.class::Permissions::MODIFY_CONTENT | @handler.class::Permissions::COPY_CONTENT
+    @handler.set_up_encryption(permissions: perms)
+    assert_equal([:copy_content, :modify_content], @handler.permissions.sort)
+  end
+end

data/test/hexapdf/filter/common.rb

@@ -0,0 +1,53 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+
+# Provides common tests for all filter implementations.
+#
+# The filter object needs to be available in the @obj variable and the @all_test_cases variable
+# needs to hold an array of test cases, i.e. [decoded, encoded] objects.
+module CommonFilterTests
+  include TestHelper
+
+  TEST_BIG_STR = ''.b
+  TEST_BIG_STR << [rand(2**32)].pack('N') while TEST_BIG_STR.length < 2**16
+  TEST_BIG_STR.freeze
+
+  def test_decodes_correctly
+    @all_test_cases.each_with_index do |(result, str), index|
+      assert_equal(result, collector(@obj.decoder(feeder(str.dup))), "testcase #{index}")
+    end
+  end
+
+  def test_encodes_correctly
+    @all_test_cases.each_with_index do |(str, result), index|
+      assert_equal(result, collector(@obj.encoder(feeder(str.dup))), "testcase #{index}")
+    end
+  end
+
+  def test_works_with_big_data
+    assert_equal(TEST_BIG_STR, collector(@obj.decoder(@obj.encoder(feeder(TEST_BIG_STR.dup)))))
+  end
+
+  def test_decoder_returns_strings_in_binary_encoding
+    assert_encodings(@obj.decoder(@obj.encoder(feeder('some test data', 1))), "decoder")
+  end
+
+  def test_encoder_returns_strings_in_binary_encoding
+    assert_encodings(@obj.encoder(feeder('some test data', 1)), "encoder")
+  end
+
+  def assert_encodings(source, type)
+    while source.alive? && (data = source.resume)
+      assert_equal(Encoding::BINARY, data.encoding, "encoding problem in #{type}")
+    end
+  end
+
+  def test_decoder_works_with_single_byte_input
+    assert_equal(@decoded, collector(@obj.decoder(feeder(@encoded.dup, 1))))
+  end
+
+  def test_encoder_works_with_single_byte_input
+    assert_equal(@encoded, collector(@obj.encoder(feeder(@decoded.dup, 1))))
+  end
+end