LibrePDF / OpenPDF

OpenPDF is a free Java library for creating and editing PDF files, with an LGPL and MPL open source license. OpenPDF is based on a fork of iText. We welcome contributions from other developers. Please feel free to submit pull requests and bug reports to this GitHub repository.

FIPS Compliance #921

Open prasanthKK1996 opened 1 year ago

prasanthKK1996 commented 1 year ago

Is your feature request related to a problem? Please describe.
We are trying to achieve FIPS compliance in our product. We are using OpenPDF 1.3.30. But OpenPDF was using MD5 for creating the document ID (file ID) link. And MD5 is not FIPS compliant. We can set the document ID manually. But is there any other good way to achieve it?

Describe the solution you'd like
iText has built-in support for FIPS mode. ref

prasanthKK1996 commented 1 year ago

Any update on this?

mkl-public commented 1 year ago

You formulated this as a question, "is there any other good way to achieve it?" Well, obviously another good way would be to change the OpenPDF code in this regard. Thus, how about providing a PR with an alternative createDocumentId that doesn't use MD5 but still creates some similarly unique ID, e.g. using some SHA2 hash algorithm instead? That might persuade the project maintainers more easily...
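
The suggestion in the comment above, sketched as an added example (not part of the thread and not OpenPDF code): a document ID generator that hashes with SHA-256 instead of MD5. The class name `Sha2DocumentId`, its methods, and the truncation to 16 bytes are assumptions made for illustration.

```java
import java.nio.ByteBuffer;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical helper class; the name and methods are assumptions, not OpenPDF API.
public final class Sha2DocumentId {

    // 16 bytes, the length of the MD5 digest it replaces (a choice made for this example).
    private static final int ID_LENGTH = 16;
    private static final SecureRandom RANDOM = new SecureRandom();

    private Sha2DocumentId() {
    }

    // Hashes clock values plus random bytes with SHA-256 and truncates the digest.
    public static byte[] createDocumentId() {
        byte[] nonce = new byte[32];
        RANDOM.nextBytes(nonce);
        ByteBuffer input = ByteBuffer.allocate(2 * Long.BYTES + nonce.length);
        input.putLong(System.currentTimeMillis());
        input.putLong(System.nanoTime());
        input.put(nonce);
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            return Arrays.copyOf(sha256.digest(input.array()), ID_LENGTH);
        } catch (NoSuchAlgorithmException e) {
            // Java SE implementations must support SHA-256, so this signals a broken provider setup.
            throw new IllegalStateException("SHA-256 is not available", e);
        }
    }

    // Renders the two identifiers as hex strings in a trailer /ID array.
    public static String toTrailerId(byte[] permanentId, byte[] changingId) {
        return "/ID [<" + toHex(permanentId) + "><" + toHex(changingId) + ">]";
    }

    private static String toHex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        byte[] id = createDocumentId();
        // A newly created file uses the same value for both elements.
        System.out.println(toTrailerId(id, id));
    }
}
```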

prasanthKK1996 commented 1 year ago

OpenPDF depends on the bcprov and bcpkix jars for password-enabled PDFs. But it should use the bc-fips and bcpkix-fips jars instead of the bcprov and bcpkix jars for FIPS compliance.

prasanthKK1996 commented 1 year ago

And I think there is no good way to achieve SHA-512 in createDocumentId, because this is a static method. And it was called in the PDFEncryption class constructor. So we can't extend this method in our product itself. Only a PR will help.

mkl-public commented 1 year ago

It is unlikely that OpenPDF will switch completely from regular BC to BC-FIPS. Making the BC variant used switchable is the way iText went in version 8. It is doable but has some consequences. I guess Andreas would say that pull requests are welcome... ;)

andreasrosdal commented 10 months ago

Pull requests welcome.

asturio commented 6 months ago

@andreasrosdal what was wrong with your PRs?

andreasrosdal commented 6 months ago

There were test failures and I didn't fully understand if it was correct, so I rejected the proposal.