pyHanko: ValueError("Invalid padding bytes.") when trying to decrypt Adobe.PubSec encrypted pdf file

Describe the bug

Crash when trying to decrypt Adobe.PubSec encrypted file

To Reproduce

I’m afraid this will be very hard to reproduce, since I can’t share the files used to reproduce this. This is the output:

(venv) $ pyhanko --verbose decrypt pkcs12 --force encrypted.pdf decrypted.pdf key.p12
2024-03-25 10:25:57,582 - root - DEBUG - Running with --verbose
2024-03-25 10:25:57,582 - root - DEBUG - There was no configuration to parse.
Key passphrase: 
2024-03-25 10:26:03,349 - cli - ERROR - Generic processing error.
Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=26, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=27, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=34, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=168, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=296, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 772, in _import_object
    return reference_map[obj.reference]
KeyError: Reference(idnum=300, generation=0)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/cli/runtime.py", line 50, in pyhanko_exception_manager
    yield
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/cli/commands/crypt.py", line 187, in _decrypt_pubkey
    w = copy_into_new_writer(r)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 1262, in copy_into_new_writer
    new_root_dict = w._import_object(
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 835, in _import_object
    return generic.ArrayObject(
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 836, in <genexpr>
    self._import_object(v, reference_map, obj_stream) for v in obj
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 835, in _import_object
    return generic.ArrayObject(
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 836, in <genexpr>
    self._import_object(v, reference_map, obj_stream) for v in obj
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 780, in _import_object
    imported = self._import_object(refd, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 835, in _import_object
    return generic.ArrayObject(
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 836, in <genexpr>
    self._import_object(v, reference_map, obj_stream) for v in obj
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 793, in _import_object
    raw_dict = {
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 794, in <dictcomp>
    k: self._import_object(v, reference_map, obj_stream)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/writer.py", line 769, in _import_object
    obj = obj.decrypted
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/generic.py", line 2067, in decrypted
    decrypted = pdf_string(cf.decrypt(local_key, obj.original_bytes))
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/crypt/filter_mixins.py", line 134, in decrypt
    return aes_cbc_decrypt(key, data, iv)
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/pyhanko/pdf_utils/crypt/_util.py", line 20, in aes_cbc_decrypt
    return unpadder.update(plaintext) + unpadder.finalize()
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/cryptography/hazmat/primitives/padding.py", line 160, in finalize
    result = _byte_unpadding_check(
  File "/home/user/Documents/secure/venv/lib/python3.10/site-packages/cryptography/hazmat/primitives/padding.py", line 97, in _byte_unpadding_check
    raise ValueError("Invalid padding bytes.")
ValueError: Invalid padding bytes.
Error: Generic processing error.

Expected behavior

The document decrypts.

Environment (please complete the following information):

  • OS: Ubuntu 22.04
  • Version:
$ pip3 freeze
asn1crypto==1.5.1
certifi==2024.2.2
cffi==1.16.0
charset-normalizer==3.3.2
click==8.1.7
cryptography==42.0.5
idna==3.6
oscrypto==1.3.0
pycparser==2.21
pyHanko==0.23.2
pyhanko-certvalidator==0.26.3
pypng==0.20220715.0
PyYAML==6.0.1
qrcode==7.4.2
requests==2.31.0
typing_extensions==4.10.0
tzlocal==5.2
uritools==4.0.2
urllib3==2.2.1

Python 3.10.12

Additional context

$ openssl pkcs12 -legacy -info -in key.p12 -noout
Enter Import Password:
MAC: sha1, Iteration 100000
MAC length: 20, salt length: 20
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag

I’ve had problems with the 40 bit RC2 in the past, so I upgraded the key by following https://www.docuseal.co/docs/convert-legacy-p12-pfx-files-to-support-openssl-3, but I still have the same problem.

$ openssl pkcs12 -legacy -info -in key_new.p12 -noout
Enter Import Password:
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
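
The last frames of the traceback above show a PKCS#7 unpadding check failing after AES-CBC decryption. As an added example (not part of the original report and not pyHanko's code), this sketch reproduces that failure class with the cryptography library: a key that does not match the data, or a damaged ciphertext, surfaces as the same ValueError. The function names, keys and sample string are constructed for illustration.

```python
import os
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

BLOCK = 16  # AES block size in bytes


def encrypt_string(key: bytes, plaintext: bytes) -> bytes:
    """PKCS#7-pad and AES-CBC encrypt; the random IV is prepended to the output."""
    iv = os.urandom(BLOCK)
    padder = padding.PKCS7(BLOCK * 8).padder()
    padded = padder.update(plaintext) + padder.finalize()
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return iv + enc.update(padded) + enc.finalize()


def triage_decrypt(key: bytes, data: bytes):
    """Decrypt IV||ciphertext and classify the outcome instead of raising."""
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        return "malformed-length", None
    iv, body = data[:BLOCK], data[BLOCK:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(body) + dec.finalize()
    unpadder = padding.PKCS7(BLOCK * 8).unpadder()
    try:
        return "ok", unpadder.update(padded) + unpadder.finalize()
    except ValueError:  # cryptography reports "Invalid padding bytes."
        return "bad-padding", None


def wrong_key_rejections(trials: int = 200) -> int:
    """Count how often a random wrong key is caught by the padding check."""
    data = encrypt_string(os.urandom(32), b"Constructed sample string")
    return sum(
        triage_decrypt(os.urandom(32), data)[0] == "bad-padding"
        for _ in range(trials)
    )


if __name__ == "__main__":
    key = os.urandom(32)  # constructed key, stands in for a file's content key
    data = encrypt_string(key, b"Constructed sample string")
    # Damage one byte of the second-to-last block: the final padding byte changes.
    damaged = data[:-17] + bytes([data[-17] ^ 0x01]) + data[-16:]
    print(triage_decrypt(key, data))
    print(triage_decrypt(key, damaged)[0])
    print(triage_decrypt(key, data[:-1])[0])
    print(wrong_key_rejections(), "of 200 wrong keys rejected")
```

Because the check only inspects trailing bytes, roughly 1 in 256 wrong keys passes it, so a padding error is a symptom of a key or data mismatch rather than an integrity verdict.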

About this issue

  • State: closed
  • Created 3 months ago
  • Comments: 15 (7 by maintainers)

Most upvoted comments

Works perfectly, thanks for fixing this!