hexapdf 0.17.1 → 0.17.2

data/test/hexapdf/encryption/test_aes.rb

@@ -0,0 +1,129 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/aes'
+
+describe HexaPDF::Encryption::AES do
+  include EncryptionAlgorithmInterfaceTests
+
+  before do
+    @algorithm_class = Class.new do
+      prepend HexaPDF::Encryption::AES
+
+      attr_reader :key, :iv, :mode
+
+      def initialize(key, iv, mode)
+        @key, @iv, @mode = key, iv, mode
+      end
+
+      def process(data)
+        raise "invalid data" if data.empty? || data.length % 16 != 0
+        data
+      end
+    end
+
+    @padding_data = (0..15).map do |length|
+      {
+        plain: '5' * length,
+        cipher_padding: '5' * length + (16 - length).chr * (16 - length),
+        length: 32,
+      }
+    end
+    @padding_data << {plain: '5' * 16, cipher_padding: '5' * 16 + 16.chr * 16, length: 48}
+  end
+
+  describe "klass.encrypt/.decrypt" do
+    it "returns the padded result with IV on klass.encrypt" do
+      @padding_data.each do |data|
+        result = @algorithm_class.encrypt('some key' * 2, data[:plain])
+        assert_equal(data[:length], result.length)
+        assert_equal(data[:cipher_padding][-16, 16], result[-16, 16])
+      end
+    end
+
+    it "returns the decrypted result without padding and with IV removed on klass.decrypt" do
+      @padding_data.each do |data|
+        result = @algorithm_class.decrypt('some key' * 2, 'iv' * 8 + data[:cipher_padding])
+        assert_equal(data[:plain], result)
+      end
+    end
+
+    it "fails on decryption if not enough bytes are provided" do
+      assert_raises(HexaPDF::EncryptionError) do
+        @algorithm_class.decrypt('some' * 4, 'no iv')
+      end
+    end
+  end
+
+  describe "klass.encryption_fiber/.decryption_fiber" do
+    before do
+      @fiber = Fiber.new { Fiber.yield('first'); 'second' }
+    end
+
+    it "returns the padded result with IV on encryption_fiber" do
+      @padding_data.each do |data|
+        result = @algorithm_class.encryption_fiber('some key' * 2, Fiber.new { data[:plain] })
+        result = TestHelper.collector(result)
+        assert_equal(data[:length], result.length)
+        assert_equal(data[:cipher_padding][-16, 16], result[-16, 16])
+      end
+    end
+
+    it "returns the decrypted result without padding and with IV removed on decryption_fiber" do
+      @padding_data.each do |data|
+        result = @algorithm_class.decryption_fiber('some key' * 2,
+                                                   Fiber.new { 'iv' * 8 + data[:cipher_padding] })
+        result = TestHelper.collector(result)
+        assert_equal(data[:plain], result)
+      end
+    end
+
+    it "encryption works with multiple yielded strings" do
+      f = Fiber.new { Fiber.yield('a' * 40); Fiber.yield('test'); "b" * 20 }
+      result = TestHelper.collector(@algorithm_class.encryption_fiber('some key' * 2, f))
+      assert_equal('a' * 40 << 'test' << 'b' * 20, result[16..-17])
+    end
+
+    it "decryption works with multiple yielded strings" do
+      f = Fiber.new do
+        Fiber.yield('iv' * 4)
+        Fiber.yield('iv' * 4)
+        Fiber.yield('a' * 20)
+        Fiber.yield('a' * 20)
+        8.chr * 8
+      end
+      result = TestHelper.collector(@algorithm_class.decryption_fiber('some key' * 2, f))
+      assert_equal('a' * 40, result)
+    end
+
+    it "decryption works if the padding is invalid" do
+      f = Fiber.new { 'a' * 32 }
+      result = TestHelper.collector(@algorithm_class.decryption_fiber('some' * 4, f))
+      assert_equal('a' * 16, result)
+
+      f = Fiber.new { 'a' * 31 << "\x00" }
+      result = TestHelper.collector(@algorithm_class.decryption_fiber('some' * 4, f))
+      assert_equal('a' * 15 << "\x00", result)
+
+      f = Fiber.new { 'a' * 29 << "\x00\x01\x03" }
+      result = TestHelper.collector(@algorithm_class.decryption_fiber('some' * 4, f))
+      assert_equal('a' * 13 << "\x00\x01\x03", result)
+    end
+
+    it "fails on decryption if not enough bytes are provided" do
+      [4, 20, 40].each do |length|
+        assert_raises(HexaPDF::EncryptionError) do
+          TestHelper.collector(@algorithm_class.decryption_fiber('some' * 4,
+                                                                 Fiber.new { 'a' * length }))
+        end
+      end
+    end
+  end
+
+  it "does basic validation on initialization" do
+    assert_raises(HexaPDF::EncryptionError) { @algorithm_class.new('t' * 7, '0' * 16, :encrypt) }
+    assert_raises(HexaPDF::EncryptionError) { @algorithm_class.new('t' * 16, '0' * 7, :encrypt) }
+    obj = @algorithm_class.new('t' * 16, 'i' * 16, 'encrypt')
+    assert_equal(:encrypt, obj.mode)
+  end
+end

data/test/hexapdf/encryption/test_arc4.rb

@@ -0,0 +1,39 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/arc4'
+
+describe HexaPDF::Encryption::ARC4 do
+  include EncryptionAlgorithmInterfaceTests
+
+  before do
+    @algorithm_class = Class.new do
+      prepend HexaPDF::Encryption::ARC4
+
+      def initialize(key)
+        @data = key
+      end
+
+      def process(data)
+        raise if data.empty?
+        result = @data << data
+        @data = ''
+        result
+      end
+    end
+  end
+
+  it "correctly uses klass.encrypt and klass.decrypt" do
+    assert_equal('mykeydata', @algorithm_class.encrypt('mykey', 'data'))
+    assert_equal('mykeydata', @algorithm_class.decrypt('mykey', 'data'))
+  end
+
+  it "correctly uses klass.encryption_fiber and klass.decryption_fiber" do
+    f = Fiber.new { Fiber.yield('first'); Fiber.yield(''); 'second' }
+    assert_equal('mykeyfirstsecond',
+                 TestHelper.collector(@algorithm_class.encryption_fiber('mykey', f)))
+    f = Fiber.new { Fiber.yield('first'); 'second' }
+    assert_equal('mykeyfirstsecond',
+                 TestHelper.collector(@algorithm_class.decryption_fiber('mykey', f)))
+  end
+end

data/test/hexapdf/encryption/test_fast_aes.rb

@@ -0,0 +1,17 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/fast_aes'
+
+describe HexaPDF::Encryption::FastAES do
+  include AESEncryptionTests
+
+  before do
+    @algorithm_class = HexaPDF::Encryption::FastAES
+  end
+
+  it "uses a better random bytes generator" do
+    assert_equal(@algorithm_class.singleton_class, @algorithm_class.method(:random_bytes).owner)
+    assert_equal(16, @algorithm_class.random_bytes(16).length)
+  end
+end

data/test/hexapdf/encryption/test_fast_arc4.rb

@@ -0,0 +1,12 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/fast_arc4'
+
+describe HexaPDF::Encryption::FastARC4 do
+  include ARC4EncryptionTests
+
+  before do
+    @algorithm_class = HexaPDF::Encryption::FastARC4
+  end
+end

data/test/hexapdf/encryption/test_identity.rb

@@ -0,0 +1,21 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/identity'
+
+describe HexaPDF::Encryption::Identity do
+  include EncryptionAlgorithmInterfaceTests
+
+  before do
+    @algorithm_class = HexaPDF::Encryption::Identity
+  end
+
+  it "returns the data unmodified for encrypt/decrypt" do
+    assert_equal('data', @algorithm_class.encrypt('key', 'data'))
+  end
+
+  it "returns the source Fiber unmodified for encryption_fiber/decryption_fiber" do
+    f = Fiber.new { 'data' }
+    assert_equal(f, @algorithm_class.encryption_fiber('key', f))
+  end
+end

data/test/hexapdf/encryption/test_ruby_aes.rb

@@ -0,0 +1,23 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/ruby_aes'
+require 'hexapdf/encryption/fast_aes'
+
+describe HexaPDF::Encryption::RubyAES do
+  include AESEncryptionTests
+
+  before do
+    @algorithm_class = HexaPDF::Encryption::RubyAES
+  end
+
+  it "is compatible with the OpenSSL based FastAES implementation" do
+    sample = Random.new.bytes(1024)
+    key = Random.new.bytes(16)
+    iv = Random.new.bytes(16)
+    assert_equal(sample, HexaPDF::Encryption::FastAES.new(key, iv, :encrypt).
+                 process(HexaPDF::Encryption::RubyAES.new(key, iv, :decrypt).process(sample)))
+    assert_equal(sample, HexaPDF::Encryption::FastAES.new(key, iv, :decrypt).
+                 process(HexaPDF::Encryption::RubyAES.new(key, iv, :encrypt).process(sample)))
+  end
+end

data/test/hexapdf/encryption/test_ruby_arc4.rb

@@ -0,0 +1,20 @@
+# -*- encoding: utf-8 -*-
+
+require_relative 'common'
+require 'hexapdf/encryption/ruby_arc4'
+require 'hexapdf/encryption/fast_arc4'
+
+describe HexaPDF::Encryption::RubyARC4 do
+  include ARC4EncryptionTests
+
+  before do
+    @algorithm_class = HexaPDF::Encryption::RubyARC4
+  end
+
+  it "is compatible with the OpenSSL based FastARC4 implementation" do
+    @keys.each_with_index do |key, i|
+      assert_equal(@plain[i], HexaPDF::Encryption::FastARC4.new(key).
+                   process(HexaPDF::Encryption::RubyARC4.new(key).process(@plain[i])))
+    end
+  end
+end

data/test/hexapdf/encryption/test_security_handler.rb

@@ -0,0 +1,380 @@
+# -*- encoding: utf-8 -*-
+
+require 'test_helper'
+require 'hexapdf/encryption/security_handler'
+require 'hexapdf/document'
+require 'hexapdf/stream'
+
+describe HexaPDF::Encryption::EncryptionDictionary do
+  before do
+    @document = HexaPDF::Document.new
+    @dict = HexaPDF::Encryption::EncryptionDictionary.new({}, document: @document)
+    @dict[:Filter] = :Standard
+    @dict[:V] = 1
+  end
+
+  it "must be an indirect object" do
+    assert(@dict.must_be_indirect?)
+  end
+
+  it "validates the /V value" do
+    @dict[:V] = 1
+    assert(@dict.validate)
+    @dict[:V] = 3
+    refute(@dict.validate)
+  end
+
+  it "validates the /Length field when /V=2" do
+    @dict[:V] = 2
+    refute(@dict.validate)
+
+    @dict[:Length] = 32
+    refute(@dict.validate)
+    @dict[:Length] = 136
+    refute(@dict.validate)
+    @dict[:Length] = 55
+    refute(@dict.validate)
+
+    @dict[:Length] = 120
+    assert(@dict.validate)
+  end
+end
+
+describe HexaPDF::Encryption::SecurityHandler do
+  class TestHandler < HexaPDF::Encryption::SecurityHandler
+
+    attr_accessor :strf, :myopt
+    public :dict
+
+    def prepare_encryption(**_options)
+      dict[:Filter] = :Test
+      @key = "a" * key_length
+      @strf ||= :aes
+      @stmf ||= :arc4
+      @eff ||= :identity
+      [@key, @strf, @stmf, @eff]
+    end
+
+    def prepare_decryption(myopt: nil)
+      @myopt = myopt
+      @key = "a" * key_length
+    end
+
+  end
+
+  before do
+    @document = HexaPDF::Document.new
+    @obj = @document.add({})
+    @handler = TestHandler.new(@document)
+  end
+
+  describe "class methods" do
+    before do
+      @document.config['encryption.filter_map'][:Test] = TestHandler
+    end
+
+    describe "set_up_encryption" do
+      it "fails if the requested security handler cannot be found" do
+        assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :non_standard)
+        end
+      end
+
+      it "updates the trailer's /Encrypt entry to be wrapped by an encryption dictionary" do
+        HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :Test)
+        assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @document.trailer[:Encrypt])
+      end
+
+      it "returns the frozen security handler" do
+        handler = HexaPDF::Encryption::SecurityHandler.set_up_encryption(@document, :Test)
+        assert(handler.frozen?)
+      end
+    end
+
+    describe "set_up_decryption" do
+      it "fails if the document has no /Encrypt dictionary" do
+        exp = assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        end
+        assert_match(/No \/Encrypt/i, exp.message)
+      end
+
+      it "fails if the requested security handler cannot be found" do
+        @document.trailer[:Encrypt] = {Filter: :NonStandard}
+        assert_raises(HexaPDF::EncryptionError) do
+          HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        end
+      end
+
+      it "updates the trailer's /Encrypt entry to be wrapped by an encryption dictionary" do
+        @document.trailer[:Encrypt] = {Filter: :Test, V: 1}
+        HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @document.trailer[:Encrypt])
+      end
+
+      it "returns the frozen security handler" do
+        @document.trailer[:Encrypt] = {Filter: :Test, V: 1}
+        handler = HexaPDF::Encryption::SecurityHandler.set_up_decryption(@document)
+        assert(handler.frozen?)
+      end
+    end
+  end
+
+  it "doesn't have a valid encryption key directly after creation" do
+    refute(@handler.encryption_key_valid?)
+  end
+
+  describe "set_up_encryption" do
+    it "sets the correct /V value for the given key length and algorithm" do
+      [[40, :arc4, 1], [128, :arc4, 2], [128, :arc4, 4],
+       [128, :aes, 4], [256, :aes, 5]].each do |length, algorithm, version|
+        @handler.set_up_encryption(key_length: length, algorithm: algorithm, force_v4: version == 4)
+        assert_equal(version, @handler.dict[:V])
+      end
+    end
+
+    it "sets the correct /Length value for the given key length" do
+      [[40, nil], [48, 48], [128, 128], [256, nil]].each do |key_length, result|
+        algorithm = (key_length == 256 ? :aes : :arc4)
+        @handler.set_up_encryption(key_length: key_length, algorithm: algorithm)
+        assert(result == @handler.dict[:Length])
+      end
+    end
+
+    it "calls the prepare_encryption method" do
+      @handler.set_up_encryption
+      assert_equal(:Test, @handler.dict[:Filter])
+    end
+
+    it "returns the generated encryption dictionary wrapped in an encryption class" do
+      dict = @handler.set_up_encryption
+      assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, dict)
+    end
+
+    it "set's up the handler for encryption" do
+      [:arc4, :aes].each do |algorithm|
+        @handler.set_up_encryption(key_length: 128, algorithm: algorithm)
+        @obj[:X] = @handler.encrypt_string('data', @obj)
+        assert_equal('data', @handler.decrypt(@obj)[:X])
+      end
+    end
+
+    it "generates a valid encryption key" do
+      @document.trailer[:Encrypt] = @handler.set_up_encryption
+      assert(@handler.encryption_key_valid?)
+    end
+
+    it "provides correct encryption details" do
+      @handler.set_up_encryption
+      assert_equal({version: 4, string_algorithm: :aes, stream_algorithm: :arc4,
+                    embedded_file_algorithm: :identity, key_length: 128},
+                   @handler.encryption_details)
+      assert_equal(HexaPDF::Encryption::Identity, @handler.send(:embedded_file_algorithm))
+      assert_equal(HexaPDF::Encryption::FastAES, @handler.send(:string_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:stream_algorithm))
+    end
+
+    it "fails for unsupported encryption key lengths" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(key_length: 43)
+      end
+      assert_match(/Invalid key length/i, exp.message)
+    end
+
+    it "fails for unsupported encryption algorithms" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :test)
+      end
+      assert_match(/Unsupported encryption algorithm/i, exp.message)
+    end
+
+    it "fails for the aes algorithm with key lengths != 128 or 256" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :aes, key_length: 40)
+      end
+      assert_match(/AES algorithm.*key length/i, exp.message)
+    end
+
+    it "fails for the arc4 algorithm with a key length of 256" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_encryption(algorithm: :arc4, key_length: 256)
+      end
+      assert_match(/ARC4 algorithm.*key length/i, exp.message)
+    end
+  end
+
+  describe "set_up_decryption" do
+    it "wraps the given hash in an encryption dictionary class, uses it for its dict, returns it" do
+      dict = @handler.set_up_decryption({Filter: :test, V: 1})
+      assert_equal(dict, @handler.dict)
+      assert_kind_of(HexaPDF::Encryption::EncryptionDictionary, @handler.dict)
+      assert_equal({Filter: :test, V: 1}, @handler.dict.value)
+    end
+
+    it "doesn't modify the trailer's /Encrypt dictionary" do
+      @handler.set_up_decryption({Filter: :test, V: 4, Length: 128})
+      assert_nil(@document.trailer[:Encrypt])
+    end
+
+    it "calls prepare_decryption" do
+      @handler.set_up_decryption({Filter: :test, V: 4, Length: 128}, myopt: 5)
+      assert_equal(5, @handler.myopt)
+    end
+
+    it "selects the correct algorithm based on the /V and /CF values" do
+      @enc = @handler.dup
+
+      [
+        [:arc4, 40, {V: 1}],
+        [:arc4, 80, {V: 2, Length: 80}],
+        [:arc4, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :V2}}}],
+        [:aes, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :AESV2}}}],
+        [:aes, 256, {V: 5, StrF: :Mine, CF: {Mine: {CFM: :AESV3}}}],
+        [:identity, 128, {V: 4, StrF: :Mine, CF: {Mine: {CFM: :None}}}],
+        [:identity, 128, {V: 4, CF: {Mine: {CFM: :AESV2}}}],
+      ].each do |alg, length, dict|
+        @enc.strf = alg
+        @enc.set_up_encryption(key_length: length, algorithm: (alg == :identity ? :aes : alg))
+        @obj[:X] = @enc.encrypt_string('data', @obj)
+        @handler.set_up_decryption(dict)
+        assert_equal('data', @handler.decrypt(@obj)[:X])
+      end
+    end
+
+    it "selects the correct algorithm for string, stream and embedded file decryption" do
+      @handler.set_up_decryption({V: 4, StrF: :Mine, StmF: :Mine, EFF: :Mine,
+                                  CF: {Mine: {CFM: :V2}}})
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:embedded_file_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:string_algorithm))
+      assert_equal(HexaPDF::Encryption::FastARC4, @handler.send(:stream_algorithm))
+    end
+
+    it "provides correct encryption details" do
+      @handler.set_up_decryption({Filter: :test, V: 2, Length: 128}, myopt: 5)
+      assert_equal({version: 2, string_algorithm: :arc4, stream_algorithm: :arc4,
+                    embedded_file_algorithm: :arc4, key_length: 128},
+                   @handler.encryption_details)
+    end
+
+    it "fails for unsupported /V values in the dict" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption({V: 3})
+      end
+      assert_match(/Unsupported encryption version/i, exp.message)
+    end
+
+    it "fails for unsupported crypt filter encryption methods" do
+      exp = assert_raises(HexaPDF::UnsupportedEncryptionError) do
+        @handler.set_up_decryption({V: 4, StrF: :Mine, CF: {Mine: {CFM: :Unknown}}})
+      end
+      assert_match(/Unsupported encryption method/i, exp.message)
+    end
+  end
+
+  describe "decrypt" do
+    before do
+      @handler.set_up_decryption({V: 1})
+      @encrypted = @handler.encrypt_string('string', @obj)
+      @obj.value = {Key: @encrypted.dup, Array: [@encrypted.dup], Hash: {Another: @encrypted.dup}}
+    end
+
+    it "decrypts all strings in an object" do
+      @handler.decrypt(@obj)
+      assert_equal('string', @obj[:Key])
+      assert_equal('string', @obj[:Array][0])
+      assert_equal('string', @obj[:Hash][:Another])
+    end
+
+    it "decrypts the content of a stream object" do
+      data = HexaPDF::StreamData.new(proc { @encrypted })
+      obj = @document.wrap({}, oid: @obj.oid, stream: data)
+      @handler.decrypt(obj)
+      assert_equal('string', obj.stream)
+    end
+
+    it "doesn't decrypt a document's Encrypt dictionary" do
+      @document.trailer[:Encrypt] = @obj
+      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    end
+
+    it "defers handling encryption to a Crypt filter is specified" do
+      data = HexaPDF::StreamData.new(proc { 'mydata' }, filter: :Crypt)
+      obj = @document.wrap({}, oid: 1, stream: data)
+      @handler.decrypt(obj)
+      assert_equal('mydata', obj.stream)
+    end
+
+    it "doesn't decrypt XRef streams" do
+      @obj[:Type] = :XRef
+      assert_equal(@encrypted, @handler.decrypt(@obj)[:Key])
+    end
+
+    it "doesn't decrypt the /Contents of a signature dictionary" do
+      @obj[:Type] = :Sig
+      @obj[:Contents] = "test"
+      assert_equal("test", @handler.decrypt(@obj)[:Contents])
+    end
+
+    it "fails if V < 5 and the object number changes" do
+      @obj.oid = 55
+      @handler.decrypt(@obj)
+      refute_equal('string', @obj[:Key])
+    end
+  end
+
+  describe "encryption" do
+    before do
+      @handler.set_up_encryption(key_length: 128, algorithm: :arc4)
+      @stream = @document.wrap({}, oid: 1, stream: HexaPDF::StreamData.new(proc { "string" }))
+    end
+
+    it "encrypts strings of indirect objects" do
+      @obj[:Key] = @handler.encrypt_string('string', @obj)
+      assert_equal('string', @handler.decrypt(@obj)[:Key])
+    end
+
+    it "encrypts streams" do
+      result = TestHelper.collector(@handler.encrypt_stream(@stream))
+      @stream.stream = HexaPDF::StreamData.new(proc { result })
+      assert_equal('string', @handler.decrypt(@stream).stream)
+    end
+
+    it "doesn't encrypt strings in a document's Encrypt dictionary" do
+      @document.trailer[:Encrypt] = @handler.dict
+      @document.trailer[:Encrypt][:Mine] = 'string'
+      assert_equal('string', @handler.encrypt_string('string', @document.trailer[:Encrypt]))
+    end
+
+    it "doesn't encrypt XRef streams" do
+      @stream[:Type] = :XRef
+      assert_equal('string', @handler.encrypt_stream(@stream).resume)
+    end
+
+    it "defers encrypting to a Crypt filter if specified" do
+      @stream.set_filter(:Crypt)
+      assert_equal('string', @handler.encrypt_stream(@stream).resume)
+
+      @stream.set_filter([:Crypt])
+      assert_equal('string', @handler.encrypt_stream(@stream).resume)
+    end
+
+    it "doesn't encrypt the /Contents key of signature dictionaries" do
+      @obj[:Type] = :Sig
+      @obj[:Contents] = "test"
+      refute_equal('test', @handler.encrypt_string("test", @obj))
+      assert_equal('test', @handler.encrypt_string(@obj[:Contents], @obj))
+    end
+  end
+
+  it "works correctly with different decryption and encryption handlers" do
+    test_file = File.join(TEST_DATA_DIR, 'standard-security-handler', 'nopwd-arc4-40bit-V1.pdf')
+    doc = HexaPDF::Document.new(io: StringIO.new(File.read(test_file)))
+    doc.encrypt(algorithm: :aes, password: 'test')
+    out = StringIO.new(''.b)
+    doc.write(out, update_fields: false)
+
+    assert_raises(HexaPDF::EncryptionError) { HexaPDF::Document.new(io: out) }
+    doc = HexaPDF::Document.new(io: out, decryption_opts: {password: 'test'})
+    assert_equal('D:20150409164600', doc.trailer[:Info].value[:ModDate])
+  end
+end