Skip to content

Cifrado y Seguridad

PDF Oxide permite cifrar PDFs con contraseñas y permisos usando algoritmos estándar del sector. Puedes establecer una contraseña de usuario (necesaria para abrir el documento), una contraseña de propietario (necesaria para el acceso completo) y permisos granulares que controlan la impresión, la copia y la modificación.

Cobertura de bindings. Abrir PDFs cifrados funciona en todos los bindings (password= en Python, PdfDocument.open_with_password en Rust, authenticate() en WASM, Authenticate en PdfDocument de Go/C#, OpenWithPassword en C#). Generar salida cifrada (save_encrypted / saveEncryptedToBytes) está disponible en Python, Rust, WASM y Go (DocumentEditor.SaveEncrypted). El DocumentEditor de C# no expone SaveEncrypted por el momento — usa el CLI de Rust (pdf-oxide encrypt) o un paso en Go/Python para generar salida cifrada en flujos de trabajo C#.

Soporte de algoritmos

Algoritmo Lectura Escritura Notas
RC4 (40/128 bits) Heredado; usar solo para compatibilidad
AES-128 (V=4, R=4) Estándar para PDF 1.6+
AES-256 (V=5, R=6) PDF 2.0; incluye descifrado de strings en objetos no comprimidos, leyendas de widget de botón /MK /CA y terminación correcta de Algorithm 2.B

La cobertura de AES-256 es completa de extremo a extremo: apertura, autenticación, lectura de valores de formulario y guardado de salida cifrada. Los streams ObjStm / XRef no se cifran según ISO 32000-2 §7.6.3. La caché de objetos se invalida correctamente tras una llamada tardía a authenticate(), por lo que cualquier contenido leído antes de la autenticación se vuelve a parsear con la clave correcta.

Inicio rápido: guardar con cifrado

Python

from pdf_oxide import PdfDocument

doc = PdfDocument("input.pdf")
doc.set_title("Confidential Report")

# Encrypt with user and owner passwords
doc.save_encrypted("protected.pdf", "user123", "owner456")

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);
doc.setTitle("Confidential Report");

// Encrypt with user and owner passwords (all permissions enabled)
const output = doc.saveEncryptedToBytes(
  "user123", "owner456", true, true, true, true
);
doc.free();

Rust

use pdf_oxide::api::Pdf;

let mut doc = Pdf::open("input.pdf")?;

// Simple encryption with user and owner passwords
doc.save_encrypted("protected.pdf", "user123", "owner456")?;

Go

package main

import (
    "log"
    pdfoxide "github.com/yfedoseev/pdf_oxide/go"
)

func main() {
    editor, err := pdfoxide.OpenEditor("input.pdf")
    if err != nil { log.Fatal(err) }
    defer editor.Close()

    _ = editor.SetTitle("Confidential Report")

    // Encrypt with user and owner passwords (AES-256)
    if err := editor.SaveEncrypted("protected.pdf", "user123", "owner456"); err != nil {
        log.Fatal(err)
    }
}

C++

#include <pdf_oxide/pdf_oxide.hpp>

auto editor = pdf_oxide::DocumentEditor::open("input.pdf");

// Encrypt with user and owner passwords (AES-256)
editor.save_encrypted("protected.pdf", "user123", "owner456");

Swift

import PdfOxide

let editor = try DocumentEditor.openEditor("input.pdf")

// Encrypt with user and owner passwords (AES-256)
try editor.saveEncrypted("protected.pdf", userPassword: "user123", ownerPassword: "owner456")

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final editor = DocumentEditor.open('input.pdf');

// Encrypt with user and owner passwords (AES-256)
editor.saveEncrypted('protected.pdf', 'user123', 'owner456');
editor.close();

R

library(pdfoxide)

editor <- pdf_editor_open("input.pdf")

# Encrypt with user and owner passwords (AES-256)
pdf_editor_save_encrypted(editor, "protected.pdf", "user123", "owner456")

Julia

using PdfOxide

editor = open_editor("input.pdf")

# Encrypt with user and owner passwords (AES-256)
save_encrypted(editor, "protected.pdf", "user123", "owner456")

Zig

const pdf_oxide = @import("pdf_oxide");

var editor = try pdf_oxide.DocumentEditor.openEditor("input.pdf");
defer editor.deinit();

// Encrypt with user and owner passwords (AES-256)
try editor.saveEncrypted("protected.pdf", "user123", "owner456");

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocumentEditor *editor = [POXDocumentEditor openEditor:@"input.pdf" error:&err];

// Encrypt with user and owner passwords (AES-256)
[editor saveEncryptedToPath:@"protected.pdf"
               userPassword:@"user123"
              ownerPassword:@"owner456"
                      error:&err];

Elixir

{:ok, editor} = PdfOxide.open_editor("input.pdf")

# Encrypt with user and owner passwords (AES-256)
:ok = PdfOxide.editor_save_encrypted(editor, "protected.pdf", "user123", "owner456")

Cifrado con permisos personalizados

Python

El método save_encrypted acepta flags de permisos como argumentos con nombre.

from pdf_oxide import PdfDocument

doc = PdfDocument("input.pdf")

# View-only: no printing, copying, or modifying
doc.save_encrypted(
    "readonly.pdf",
    "viewpass",
    "adminpass",
    allow_print=False,
    allow_copy=False,
    allow_modify=False,
    allow_annotate=False,
)

# Allow only printing
doc.save_encrypted(
    "print-only.pdf",
    "",            # No open password required
    "adminpass",
    allow_print=True,
    allow_copy=False,
    allow_modify=False,
    allow_annotate=False,
)

Parámetros de Python save_encrypted

Parámetro Tipo Valor por defecto Descripción
path str obligatorio Ruta del archivo de salida
user_password str obligatorio Contraseña para abrir (vacía = sin contraseña)
owner_password str None Contraseña de acceso completo (por defecto: igual a la contraseña de usuario)
allow_print bool True Permitir impresión
allow_copy bool True Permitir copiar texto/gráficos
allow_modify bool True Permitir modificar el documento
allow_annotate bool True Permitir añadir anotaciones

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);

// View-only: no printing, copying, or modifying
const readonly = doc.saveEncryptedToBytes(
  "viewpass", "adminpass", false, false, false, false
);

// Allow only printing (empty user password = no open password)
const printOnly = doc.saveEncryptedToBytes(
  "", "adminpass", true, false, false, false
);
doc.free();

Rust

Para control total sobre la configuración de cifrado, usa EncryptionConfig y SaveOptions.

use pdf_oxide::api::Pdf;
use pdf_oxide::editor::{
    EncryptionConfig, EncryptionAlgorithm, Permissions, SaveOptions,
};

let mut doc = Pdf::open("input.pdf")?;

// Build permissions
let mut perms = Permissions::read_only();
perms.print = true;  // Allow printing only

// Build encryption config
let config = EncryptionConfig::new("user123", "owner456")
    .with_algorithm(EncryptionAlgorithm::Aes256)
    .with_permissions(perms);

// Save with encryption
doc.save_with_encryption("protected.pdf", config)?;

EncryptionConfig

El struct EncryptionConfig controla todos los parámetros de cifrado.

use pdf_oxide::editor::{EncryptionConfig, EncryptionAlgorithm, Permissions};

let config = EncryptionConfig {
    user_password: "user123".to_string(),
    owner_password: "owner456".to_string(),
    algorithm: EncryptionAlgorithm::Aes256,
    permissions: Permissions::all(),
};

O usando el patrón builder:

let config = EncryptionConfig::new("user123", "owner456")
    .with_algorithm(EncryptionAlgorithm::Aes128)
    .with_permissions(Permissions::read_only());

Campos de EncryptionConfig

Campo Tipo Descripción
user_password String Contraseña requerida para abrir el documento
owner_password String Contraseña para acceso completo y cambio de seguridad
algorithm EncryptionAlgorithm Algoritmo de cifrado a utilizar
permissions Permissions Flags de control de acceso

Algoritmos de cifrado

Algoritmo Descripción
EncryptionAlgorithm::Aes256 AES-256 (el más fuerte, recomendado)
EncryptionAlgorithm::Aes128 AES-128
EncryptionAlgorithm::Rc4_128 RC4 128 bits (compatibilidad heredada)
EncryptionAlgorithm::Rc4_40 RC4 40 bits (heredado, débil)

AES-256 es el valor predeterminado al usar save_encrypted() en Python o la API Pdf.

Permisos (Permissions)

El struct Permissions controla qué operaciones están permitidas cuando el documento se abre con la contraseña de usuario.

use pdf_oxide::editor::Permissions;

// Allow everything
let all = Permissions::all();

// Restrict everything
let readonly = Permissions::read_only();

Campos de Permissions

Campo Tipo Predeterminado (all) Predeterminado (read_only) Descripción
print bool true false Permitir impresión
print_high_quality bool true false Permitir impresión de alta calidad
modify bool true false Permitir modificar el contenido
copy bool true false Permitir copiar texto/gráficos
annotate bool true false Permitir añadir anotaciones
fill_forms bool true false Permitir rellenar campos de formulario
accessibility bool true true Permitir extracción de accesibilidad
assemble bool true false Permitir operaciones de ensamblado de páginas

Permisos personalizados

let mut perms = Permissions::read_only();
perms.print = true;          // Allow printing
perms.fill_forms = true;     // Allow filling forms
perms.accessibility = true;  // Always allow for compliance

SaveOptions

Usa SaveOptions para control total sobre cómo se escribe el documento.

use pdf_oxide::editor::{SaveOptions, EncryptionConfig};

// Full rewrite (default)
let opts = SaveOptions::full_rewrite();

// Incremental update (faster, preserves structure)
let opts = SaveOptions::incremental();

// With encryption
let config = EncryptionConfig::new("user", "owner");
let opts = SaveOptions::with_encryption(config);

Abrir PDFs cifrados

Python

Pasa la contraseña al abrir el documento.

from pdf_oxide import PdfDocument

doc = PdfDocument("protected.pdf", password="user123")
text = doc.extract_text(0)
print(text)

Rust

use pdf_oxide::PdfDocument;

let doc = PdfDocument::open_with_password("protected.pdf", "user123")?;
let text = doc.extract_text(0)?;
println!("{}", text);

Go

doc, _ := pdfoxide.Open("protected.pdf")
defer doc.Close()
if _, err := doc.Authenticate("user123"); err != nil { log.Fatal(err) }
text, _ := doc.ExtractText(0)
fmt.Println(text)

C#

using var doc = PdfDocument.OpenWithPassword("protected.pdf", "user123");
Console.WriteLine(doc.ExtractText(0));

C++

#include <pdf_oxide/pdf_oxide.hpp>
#include <iostream>

auto doc = pdf_oxide::Document::open_with_password("protected.pdf", "user123");
std::cout << doc.extract_text(0) << std::endl;

Swift

import PdfOxide

let doc = try Document.openWithPassword("protected.pdf", password: "user123")
print(try doc.extractText(0))

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final doc = PdfDocument.openWithPassword('protected.pdf', 'user123');
print(doc.extractText(0));
doc.close();

R

library(pdfoxide)

doc <- pdf_open_with_password("protected.pdf", "user123")
cat(pdf_extract_text(doc, 0))

Julia

using PdfOxide

doc = open_with_password("protected.pdf", "user123")
println(extract_text(doc, 0))

Zig

const std = @import("std");
const pdf_oxide = @import("pdf_oxide");
const a = std.heap.page_allocator;

var doc = try pdf_oxide.Document.openWithPassword("protected.pdf", "user123");
defer doc.deinit();
const text = try doc.extractText(a, 0);
std.debug.print("{s}\n", .{text});

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocument *doc = [POXDocument openWithPassword:@"protected.pdf" password:@"user123" error:&err];
NSLog(@"%@", [doc extractText:0 error:&err]);

Elixir

{:ok, doc} = PdfOxide.open_with_password("protected.pdf", "user123")
{:ok, text} = PdfOxide.extract_text(doc, 0)
IO.puts(text)

Flujo de trabajo completo de cifrado

Python

from pdf_oxide import PdfDocument

# Open and modify
doc = PdfDocument("report.pdf")
doc.set_title("Confidential Report")
doc.set_author("Finance Team")

# Save with view-only restrictions
doc.save_encrypted(
    "report-protected.pdf",
    "",            # No password to open
    "admin2025",   # Owner password for full access
    allow_print=True,
    allow_copy=False,
    allow_modify=False,
)

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);
doc.setTitle("Confidential Report");
doc.setAuthor("Finance Team");

// Save with view-only restrictions (no open password, print allowed)
const output = doc.saveEncryptedToBytes(
  "", "admin2025", true, false, false, false
);
doc.free();

Rust

use pdf_oxide::api::Pdf;
use pdf_oxide::editor::{
    DocumentEditor, EditableDocument,
    EncryptionConfig, EncryptionAlgorithm, Permissions, SaveOptions,
};

// Open and modify
let mut doc = Pdf::open("report.pdf")?;
{
    let editor = doc.editor().unwrap();
    editor.set_title("Confidential Report");
    editor.set_author("Finance Team");
}

// Configure encryption
let permissions = Permissions {
    print: true,
    print_high_quality: true,
    modify: false,
    copy: false,
    annotate: false,
    fill_forms: true,
    accessibility: true,
    assemble: false,
};

let config = EncryptionConfig::new("", "admin2025")
    .with_algorithm(EncryptionAlgorithm::Aes256)
    .with_permissions(permissions);

doc.save_with_encryption("report-protected.pdf", config)?;

Los bindings de superficie completa que se muestran a continuación guardan la salida con AES-256 y permisos totales; no exponen el control de permisos por flag disponible en Python/WASM/Rust. Establece los metadatos /Info mediante set_producer del editor antes de guardar.

C++

#include <pdf_oxide/pdf_oxide.hpp>

auto editor = pdf_oxide::DocumentEditor::open("report.pdf");
editor.set_producer("Finance Team");

// Save with AES-256 encryption (no open password, owner password for full access)
editor.save_encrypted("report-protected.pdf", "", "admin2025");

Swift

import PdfOxide

let editor = try DocumentEditor.openEditor("report.pdf")
try editor.setProducer("Finance Team")

// Save with AES-256 encryption (no open password, owner password for full access)
try editor.saveEncrypted("report-protected.pdf", userPassword: "", ownerPassword: "admin2025")

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final editor = DocumentEditor.open('report.pdf');
editor.setProducer('Finance Team');

// Save with AES-256 encryption (no open password, owner password for full access)
editor.saveEncrypted('report-protected.pdf', '', 'admin2025');
editor.close();

R

library(pdfoxide)

editor <- pdf_editor_open("report.pdf")
pdf_editor_set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
pdf_editor_save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Julia

using PdfOxide

editor = open_editor("report.pdf")
set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Zig

const pdf_oxide = @import("pdf_oxide");

var editor = try pdf_oxide.DocumentEditor.openEditor("report.pdf");
defer editor.deinit();
try editor.setProducer("Finance Team");

// Save with AES-256 encryption (no open password, owner password for full access)
try editor.saveEncrypted("report-protected.pdf", "", "admin2025");

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocumentEditor *editor = [POXDocumentEditor openEditor:@"report.pdf" error:&err];
[editor setProducer:@"Finance Team" error:&err];

// Save with AES-256 encryption (no open password, owner password for full access)
[editor saveEncryptedToPath:@"report-protected.pdf"
               userPassword:@""
              ownerPassword:@"admin2025"
                      error:&err];

Elixir

{:ok, editor} = PdfOxide.open_editor("report.pdf")
:ok = PdfOxide.set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
:ok = PdfOxide.editor_save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Re-cifrar con configuración diferente

Rust

use pdf_oxide::editor::{DocumentEditor, EditableDocument, EncryptionConfig, SaveOptions};

// Open with current password
let mut editor = DocumentEditor::open("old-protected.pdf")?;

// Save with new encryption
let config = EncryptionConfig::new("newuser", "newowner");
let options = SaveOptions::with_encryption(config);
editor.save_with_options("re-encrypted.pdf", options)?;

Referencia completa de la API

Métodos de Pdf

Método Retorno Descripción
save_encrypted(path, user_pw, owner_pw) Result<()> Guardar con AES-256 y permisos completos
save_with_encryption(path, config) Result<()> Guardar con configuración de cifrado personalizada

Métodos de DocumentEditor / EditableDocument

Método Retorno Descripción
save(path) Result<()> Guardar con reescritura completa (sin cifrado)
save_with_options(path, options) Result<()> Guardar con opciones personalizadas

Tipos de configuración

Tipo Descripción
EncryptionConfig Contraseñas de usuario/propietario, algoritmo, permisos
EncryptionAlgorithm Aes256, Aes128, Rc4_128, Rc4_40
Permissions Flags de control de acceso granulares
SaveOptions Reescritura completa, actualización incremental o guardado cifrado

Páginas relacionadas