Document protection
The Toolbox web service with the security operation allows you to protect PDF documents in various ways.
Protection can take the form of encryption, using passwords or certificates, or of digital signatures. These mechanisms protect the PDF documents from changes, restrict the possible changes or make these changes recognizable.
While encryption and digital signatures provide physical protection for the document, (ISO) standards provide logical protection for the PDF document. By saving PDF documents in certain standards (e.g. with the pdfa web service), it is ensured that a PDF document corresponds to a defined structure and complies with the specified standard.
You can use the Toolbox web services of webPDF to set the PDF protection measures described above or to change or remove existing protection. In addition, the various security settings (e.g. digital signatures) and (ISO) standards (e.g. PDF/A) of a PDF document are taken into account when the web services are executed, so that these are not damaged or canceled by changes to the PDF document.
Encrypting and decrypting documents
Using the Toolbox web service with the security operation, you can digitally encrypt and decrypt PDF documents or restrict access to these documents.
There are two methods available for protecting or restricting documents: passwords and certificates.
The respective protection is controlled via the parameters of the Toolbox web service. With the parameter encrypt you can use passwords, while with encryptCertificate digital X.509 certificates are used for protection.
The decrypt parameter for the toolbox web service and the security operation can be used to permanently remove document protection.
In order for the encryption to be removed, the PDF document must first be successfully read, i.e. the corresponding information must be provided via password in order to be able to access the document. If a document cannot be unlocked, the encryption or restriction cannot be removed.
The individual options for protecting PDF documents can be found in the description of the security operation in the API.
Passwords
Passwords provide basic protection for PDF documents. The so-called "owner password" and the adjustable options can be used to define which operations are permitted with the PDF document. With the "user password", the document can be encrypted and protected against unauthorized opening, because the password must be entered to open it.
Passwords are no longer considered "state of the art" and are (in some cases) no longer considered secure for PDF documents. As there is only ever one password, no fine-tuned access authorization is possible for PDF documents. Certificates offer better protection.
Certificates
Certificates offer secure protection for PDF documents. They enable the asymmetric encryption of PDF documents and detailed, customizable access protection. The permitted operations with the PDF document can be set for each certificate. However, certificates require a more complex structure (topic "Public Key Infrastructure") in order to be used in connection with PDF documents.
Digital signatures and PDF/A
PDF documents can be protected or signed with digital signatures. This is intended to protect documents from changes in their entirety (digital certification) or their current state (digital signature) at a specific point in time.
In addition, PDF documents can be in a state that corresponds to an (ISO) standard (such as PDF/A). Such a PDF document was transferred to this state at a certain point in time so that the structure of the document adheres to the rules of the standard and thus reflects them.
The web services of webPDF recognize the status of such PDF documents and prevent these documents from being edited or changed by default. This prevents PDF documents from being changed unintentionally and thus the above-mentioned statuses from being changed or invalidated. If, on the other hand, webPDF were to allow changes, the digital signature would lose its validity or a PDF/A document would no longer comply with the standard.
This protection is particularly important for the web service toolbox, as it can be used to modify an existing PDF document. This is the case, for example, with the operations merge, rotate or delete, as these change an existing PDF document. When such operations are performed, the web service usually responds with an error code if a document is digitally signed (error code -5038) or is a PDF/A document (error code -5040), for example. This prevents PDF documents from losing their status and becoming "corrupted".
This restriction only applies to web service operations that change a PDF document. A call that only accesses the document in read-only mode is not affected (e.g., web service toolbox with the operation image).
Remove protection
The document protection described above can be removed when calling the web services. If the caller of a web service knows that a document is, for example, a PDF/A or is digitally signed, and the document is still to be changed or edited, this can be enforced.
The parameters of the web services can be used to set the document protection for each call. This defines whether the protection is active or should be deactivated.
Please note that if you unprotect the document, any existing digital signatures will lose their validity or PDF/A documents will no longer comply with the PDF/A standard (the ISO standard). If the status is to be restored after processing, the corresponding web service must be called again (signature or pdfa).
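The handling described in this section, sketched as an added example (not webPDF code and not part of the original documentation): a caller-side wrapper that keeps protection active by default, forces a change only on explicit request, and reports which web service must be called again afterwards. Only the error codes and the service names signature and pdfa come from the text; the transport function, its protection flag and all other names are hypothetical.

```python
from dataclasses import dataclass, field

# Error codes from the text, mapped to the status they guard and to the web
# service that has to be called again to restore that status.
PROTECTED_STATUS = {
    -5038: ("digitally signed", "signature"),
    -5040: ("PDF/A", "pdfa"),
}
MODIFYING = {"merge", "rotate", "delete"}  # operations the text names as changing a PDF


@dataclass
class Outcome:
    done: bool                     # True if the operation was carried out
    reason: str                    # text for the caller's audit log
    restore_with: list = field(default_factory=list)  # services to call afterwards


def guarded_modify(call, operation, allow_unprotect=False):
    """Run a toolbox operation and fail closed on protected documents.

    `call(operation, protection_active)` is a hypothetical transport that
    returns 0 on success or a webPDF error code.
    """
    code = call(operation, True)   # first attempt always keeps protection active
    if code == 0:
        return Outcome(True, f"{operation} ok, protection untouched")
    if code not in PROTECTED_STATUS:
        return Outcome(False, f"{operation} failed with error code {code}")
    status, service = PROTECTED_STATUS[code]
    if not allow_unprotect:
        return Outcome(False, f"{operation} refused: document is {status} ({code})")
    code = call(operation, False)  # explicit override: protection deactivated
    if code != 0:
        return Outcome(False, f"{operation} failed with error code {code}")
    return Outcome(True, f"{operation} forced, {status} status lost", [service])


def fake_service(doc_status):
    """Constructed stand-in for the server, for one document ("signed", "pdfa", "plain")."""
    def call(operation, protection_active):
        if protection_active and operation in MODIFYING:
            return {"signed": -5038, "pdfa": -5040}.get(doc_status, 0)
        return 0
    return call
```

A non-empty restore_with list is the caller's reminder that the signature or PDF/A status no longer holds until the named web service has been run on the result.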