Skip to content

Criptografia e Segurança

O PDF Oxide permite criptografar PDFs com senhas e permissões usando algoritmos padrão do setor. Você pode definir uma senha de usuário (necessária para abrir o documento), uma senha de proprietário (necessária para acesso total) e permissões detalhadas que controlam impressão, cópia e modificação.

Cobertura de bindings. Abrir PDFs criptografados funciona em todos os bindings (password= no Python, PdfDocument.open_with_password no Rust, authenticate() no WASM, Authenticate no PdfDocument do Go/C#, OpenWithPassword no C#). Gerar saída criptografada (save_encrypted / saveEncryptedToBytes) está disponível em Python, Rust, WASM e Go (DocumentEditor.SaveEncrypted). O DocumentEditor do C# ainda não expõe SaveEncrypted — use o CLI Rust (pdf-oxide encrypt) ou uma etapa em Go/Python para gerar saída criptografada em fluxos de trabalho C#.

Suporte a algoritmos

Algoritmo Leitura Escrita Observações
RC4 (40/128 bits) Sim Sim Legado; use apenas para compatibilidade
AES-128 (V=4, R=4) Sim Sim Padrão para PDF 1.6+
AES-256 (V=5, R=6) Sim Sim PDF 2.0; inclui descriptografia de strings em objetos não comprimidos, legendas de widget de botão /MK /CA e encerramento correto do Algorithm 2.B

O suporte a AES-256 é completo de ponta a ponta: abertura, autenticação, leitura de valores de formulário e salvamento de saída criptografada. Streams ObjStm / XRef não são criptografados conforme ISO 32000-2 §7.6.3. O cache de objetos é invalidado corretamente após uma chamada tardia de authenticate(), de modo que qualquer conteúdo lido antes da autenticação é reparado com a chave correta.

Início rápido: salvar com criptografia

Python

from pdf_oxide import PdfDocument

doc = PdfDocument("input.pdf")
doc.set_title("Confidential Report")

# Encrypt with user and owner passwords
doc.save_encrypted("protected.pdf", "user123", "owner456")

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);
doc.setTitle("Confidential Report");

// Encrypt with user and owner passwords (all permissions enabled)
const output = doc.saveEncryptedToBytes(
  "user123", "owner456", true, true, true, true
);
doc.free();

Rust

use pdf_oxide::api::Pdf;

let mut doc = Pdf::open("input.pdf")?;

// Simple encryption with user and owner passwords
doc.save_encrypted("protected.pdf", "user123", "owner456")?;

Go

package main

import (
    "log"
    pdfoxide "github.com/yfedoseev/pdf_oxide/go"
)

func main() {
    editor, err := pdfoxide.OpenEditor("input.pdf")
    if err != nil { log.Fatal(err) }
    defer editor.Close()

    _ = editor.SetTitle("Confidential Report")

    // Encrypt with user and owner passwords (AES-256)
    if err := editor.SaveEncrypted("protected.pdf", "user123", "owner456"); err != nil {
        log.Fatal(err)
    }
}

C++

#include <pdf_oxide/pdf_oxide.hpp>

auto editor = pdf_oxide::DocumentEditor::open("input.pdf");

// Encrypt with user and owner passwords (AES-256)
editor.save_encrypted("protected.pdf", "user123", "owner456");

Swift

import PdfOxide

let editor = try DocumentEditor.openEditor("input.pdf")

// Encrypt with user and owner passwords (AES-256)
try editor.saveEncrypted("protected.pdf", userPassword: "user123", ownerPassword: "owner456")

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final editor = DocumentEditor.open('input.pdf');

// Encrypt with user and owner passwords (AES-256)
editor.saveEncrypted('protected.pdf', 'user123', 'owner456');
editor.close();

R

library(pdfoxide)

editor <- pdf_editor_open("input.pdf")

# Encrypt with user and owner passwords (AES-256)
pdf_editor_save_encrypted(editor, "protected.pdf", "user123", "owner456")

Julia

using PdfOxide

editor = open_editor("input.pdf")

# Encrypt with user and owner passwords (AES-256)
save_encrypted(editor, "protected.pdf", "user123", "owner456")

Zig

const pdf_oxide = @import("pdf_oxide");

var editor = try pdf_oxide.DocumentEditor.openEditor("input.pdf");
defer editor.deinit();

// Encrypt with user and owner passwords (AES-256)
try editor.saveEncrypted("protected.pdf", "user123", "owner456");

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocumentEditor *editor = [POXDocumentEditor openEditor:@"input.pdf" error:&err];

// Encrypt with user and owner passwords (AES-256)
[editor saveEncryptedToPath:@"protected.pdf"
               userPassword:@"user123"
              ownerPassword:@"owner456"
                      error:&err];

Elixir

{:ok, editor} = PdfOxide.open_editor("input.pdf")

# Encrypt with user and owner passwords (AES-256)
:ok = PdfOxide.editor_save_encrypted(editor, "protected.pdf", "user123", "owner456")

Criptografia com permissões personalizadas

Python

O método save_encrypted aceita flags de permissão como argumentos nomeados.

from pdf_oxide import PdfDocument

doc = PdfDocument("input.pdf")

# View-only: no printing, copying, or modifying
doc.save_encrypted(
    "readonly.pdf",
    "viewpass",
    "adminpass",
    allow_print=False,
    allow_copy=False,
    allow_modify=False,
    allow_annotate=False,
)

# Allow only printing
doc.save_encrypted(
    "print-only.pdf",
    "",            # No open password required
    "adminpass",
    allow_print=True,
    allow_copy=False,
    allow_modify=False,
    allow_annotate=False,
)

Parâmetros do Python save_encrypted

Parâmetro Tipo Padrão Descrição
path str obrigatório Caminho do arquivo de saída
user_password str obrigatório Senha para abrir (vazia = sem senha)
owner_password str None Senha de acesso total (padrão: igual à senha do usuário)
allow_print bool True Permitir impressão
allow_copy bool True Permitir cópia de texto/gráficos
allow_modify bool True Permitir modificação do documento
allow_annotate bool True Permitir adição de anotações

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);

// View-only: no printing, copying, or modifying
const readonly = doc.saveEncryptedToBytes(
  "viewpass", "adminpass", false, false, false, false
);

// Allow only printing (empty user password = no open password)
const printOnly = doc.saveEncryptedToBytes(
  "", "adminpass", true, false, false, false
);
doc.free();

Rust

Para controle total sobre as configurações de criptografia, use EncryptionConfig e SaveOptions.

use pdf_oxide::api::Pdf;
use pdf_oxide::editor::{
    EncryptionConfig, EncryptionAlgorithm, Permissions, SaveOptions,
};

let mut doc = Pdf::open("input.pdf")?;

// Build permissions
let mut perms = Permissions::read_only();
perms.print = true;  // Allow printing only

// Build encryption config
let config = EncryptionConfig::new("user123", "owner456")
    .with_algorithm(EncryptionAlgorithm::Aes256)
    .with_permissions(perms);

// Save with encryption
doc.save_with_encryption("protected.pdf", config)?;

EncryptionConfig

A struct EncryptionConfig controla todos os parâmetros de criptografia.

use pdf_oxide::editor::{EncryptionConfig, EncryptionAlgorithm, Permissions};

let config = EncryptionConfig {
    user_password: "user123".to_string(),
    owner_password: "owner456".to_string(),
    algorithm: EncryptionAlgorithm::Aes256,
    permissions: Permissions::all(),
};

Ou usando o padrão builder:

let config = EncryptionConfig::new("user123", "owner456")
    .with_algorithm(EncryptionAlgorithm::Aes128)
    .with_permissions(Permissions::read_only());

Campos de EncryptionConfig

Campo Tipo Descrição
user_password String Senha necessária para abrir o documento
owner_password String Senha para acesso total e alteração de segurança
algorithm EncryptionAlgorithm Algoritmo de criptografia a ser usado
permissions Permissions Flags de controle de acesso

Algoritmos de criptografia

Algoritmo Descrição
EncryptionAlgorithm::Aes256 AES-256 (mais forte, recomendado)
EncryptionAlgorithm::Aes128 AES-128
EncryptionAlgorithm::Rc4_128 RC4 128 bits (compatibilidade legada)
EncryptionAlgorithm::Rc4_40 RC4 40 bits (legado, fraco)

AES-256 é o padrão ao usar save_encrypted() no Python ou a API Pdf.

Permissões (Permissions)

A struct Permissions controla quais operações são permitidas quando o documento é aberto com a senha de usuário.

use pdf_oxide::editor::Permissions;

// Allow everything
let all = Permissions::all();

// Restrict everything
let readonly = Permissions::read_only();

Campos de Permissions

Campo Tipo Padrão (all) Padrão (read_only) Descrição
print bool true false Permitir impressão
print_high_quality bool true false Permitir impressão de alta qualidade
modify bool true false Permitir modificação de conteúdo
copy bool true false Permitir cópia de texto/gráficos
annotate bool true false Permitir adição de anotações
fill_forms bool true false Permitir preenchimento de campos de formulário
accessibility bool true true Permitir extração para acessibilidade
assemble bool true false Permitir operações de montagem de páginas

Permissões personalizadas

let mut perms = Permissions::read_only();
perms.print = true;          // Allow printing
perms.fill_forms = true;     // Allow filling forms
perms.accessibility = true;  // Always allow for compliance

SaveOptions

Use SaveOptions para controle total sobre como o documento é gravado.

use pdf_oxide::editor::{SaveOptions, EncryptionConfig};

// Full rewrite (default)
let opts = SaveOptions::full_rewrite();

// Incremental update (faster, preserves structure)
let opts = SaveOptions::incremental();

// With encryption
let config = EncryptionConfig::new("user", "owner");
let opts = SaveOptions::with_encryption(config);

Abrindo PDFs criptografados

Python

Passe a senha ao abrir o documento.

from pdf_oxide import PdfDocument

doc = PdfDocument("protected.pdf", password="user123")
text = doc.extract_text(0)
print(text)

Rust

use pdf_oxide::PdfDocument;

let doc = PdfDocument::open_with_password("protected.pdf", "user123")?;
let text = doc.extract_text(0)?;
println!("{}", text);

Go

doc, _ := pdfoxide.Open("protected.pdf")
defer doc.Close()
if _, err := doc.Authenticate("user123"); err != nil { log.Fatal(err) }
text, _ := doc.ExtractText(0)
fmt.Println(text)

C#

using var doc = PdfDocument.OpenWithPassword("protected.pdf", "user123");
Console.WriteLine(doc.ExtractText(0));

C++

#include <pdf_oxide/pdf_oxide.hpp>
#include <iostream>

auto doc = pdf_oxide::Document::open_with_password("protected.pdf", "user123");
std::cout << doc.extract_text(0) << std::endl;

Swift

import PdfOxide

let doc = try Document.openWithPassword("protected.pdf", password: "user123")
print(try doc.extractText(0))

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final doc = PdfDocument.openWithPassword('protected.pdf', 'user123');
print(doc.extractText(0));
doc.close();

R

library(pdfoxide)

doc <- pdf_open_with_password("protected.pdf", "user123")
cat(pdf_extract_text(doc, 0))

Julia

using PdfOxide

doc = open_with_password("protected.pdf", "user123")
println(extract_text(doc, 0))

Zig

const std = @import("std");
const pdf_oxide = @import("pdf_oxide");
const a = std.heap.page_allocator;

var doc = try pdf_oxide.Document.openWithPassword("protected.pdf", "user123");
defer doc.deinit();
const text = try doc.extractText(a, 0);
std.debug.print("{s}\n", .{text});

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocument *doc = [POXDocument openWithPassword:@"protected.pdf" password:@"user123" error:&err];
NSLog(@"%@", [doc extractText:0 error:&err]);

Elixir

{:ok, doc} = PdfOxide.open_with_password("protected.pdf", "user123")
{:ok, text} = PdfOxide.extract_text(doc, 0)
IO.puts(text)

Fluxo de trabalho completo de criptografia

Python

from pdf_oxide import PdfDocument

# Open and modify
doc = PdfDocument("report.pdf")
doc.set_title("Confidential Report")
doc.set_author("Finance Team")

# Save with view-only restrictions
doc.save_encrypted(
    "report-protected.pdf",
    "",            # No password to open
    "admin2025",   # Owner password for full access
    allow_print=True,
    allow_copy=False,
    allow_modify=False,
)

WASM

import { WasmPdfDocument } from "pdf-oxide-wasm";

const doc = new WasmPdfDocument(bytes);
doc.setTitle("Confidential Report");
doc.setAuthor("Finance Team");

// Save with view-only restrictions (no open password, print allowed)
const output = doc.saveEncryptedToBytes(
  "", "admin2025", true, false, false, false
);
doc.free();

Rust

use pdf_oxide::api::Pdf;
use pdf_oxide::editor::{
    DocumentEditor, EditableDocument,
    EncryptionConfig, EncryptionAlgorithm, Permissions, SaveOptions,
};

// Open and modify
let mut doc = Pdf::open("report.pdf")?;
{
    let editor = doc.editor().unwrap();
    editor.set_title("Confidential Report");
    editor.set_author("Finance Team");
}

// Configure encryption
let permissions = Permissions {
    print: true,
    print_high_quality: true,
    modify: false,
    copy: false,
    annotate: false,
    fill_forms: true,
    accessibility: true,
    assemble: false,
};

let config = EncryptionConfig::new("", "admin2025")
    .with_algorithm(EncryptionAlgorithm::Aes256)
    .with_permissions(permissions);

doc.save_with_encryption("report-protected.pdf", config)?;

Os bindings de superfície completa abaixo salvam a saída com AES-256 e permissões totais; eles não expõem o controle por flag disponível em Python/WASM/Rust. Configure os metadados /Info via set_producer do editor antes de salvar.

C++

#include <pdf_oxide/pdf_oxide.hpp>

auto editor = pdf_oxide::DocumentEditor::open("report.pdf");
editor.set_producer("Finance Team");

// Save with AES-256 encryption (no open password, owner password for full access)
editor.save_encrypted("report-protected.pdf", "", "admin2025");

Swift

import PdfOxide

let editor = try DocumentEditor.openEditor("report.pdf")
try editor.setProducer("Finance Team")

// Save with AES-256 encryption (no open password, owner password for full access)
try editor.saveEncrypted("report-protected.pdf", userPassword: "", ownerPassword: "admin2025")

Dart

import 'package:pdf_oxide/pdf_oxide.dart';

final editor = DocumentEditor.open('report.pdf');
editor.setProducer('Finance Team');

// Save with AES-256 encryption (no open password, owner password for full access)
editor.saveEncrypted('report-protected.pdf', '', 'admin2025');
editor.close();

R

library(pdfoxide)

editor <- pdf_editor_open("report.pdf")
pdf_editor_set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
pdf_editor_save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Julia

using PdfOxide

editor = open_editor("report.pdf")
set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Zig

const pdf_oxide = @import("pdf_oxide");

var editor = try pdf_oxide.DocumentEditor.openEditor("report.pdf");
defer editor.deinit();
try editor.setProducer("Finance Team");

// Save with AES-256 encryption (no open password, owner password for full access)
try editor.saveEncrypted("report-protected.pdf", "", "admin2025");

Objective-C

#import "POXPdfOxide.h"
NSError *err = nil;

POXDocumentEditor *editor = [POXDocumentEditor openEditor:@"report.pdf" error:&err];
[editor setProducer:@"Finance Team" error:&err];

// Save with AES-256 encryption (no open password, owner password for full access)
[editor saveEncryptedToPath:@"report-protected.pdf"
               userPassword:@""
              ownerPassword:@"admin2025"
                      error:&err];

Elixir

{:ok, editor} = PdfOxide.open_editor("report.pdf")
:ok = PdfOxide.set_producer(editor, "Finance Team")

# Save with AES-256 encryption (no open password, owner password for full access)
:ok = PdfOxide.editor_save_encrypted(editor, "report-protected.pdf", "", "admin2025")

Re-criptografar com configurações diferentes

Rust

use pdf_oxide::editor::{DocumentEditor, EditableDocument, EncryptionConfig, SaveOptions};

// Open with current password
let mut editor = DocumentEditor::open("old-protected.pdf")?;

// Save with new encryption
let config = EncryptionConfig::new("newuser", "newowner");
let options = SaveOptions::with_encryption(config);
editor.save_with_options("re-encrypted.pdf", options)?;

Referência completa da API

Métodos de Pdf

Método Retorno Descrição
save_encrypted(path, user_pw, owner_pw) Result<()> Salvar com AES-256 e permissões totais
save_with_encryption(path, config) Result<()> Salvar com configuração de criptografia personalizada

Métodos de DocumentEditor / EditableDocument

Método Retorno Descrição
save(path) Result<()> Salvar com reescrita total (sem criptografia)
save_with_options(path, options) Result<()> Salvar com opções personalizadas

Tipos de configuração

Tipo Descrição
EncryptionConfig Senhas de usuário/proprietário, algoritmo, permissões
EncryptionAlgorithm Aes256, Aes128, Rc4_128, Rc4_40
Permissions Flags de controle de acesso detalhadas
SaveOptions Reescrita total, atualização incremental ou salvamento criptografado

Páginas relacionadas