Merge branch 'develop' into devsecops

aleks-ivanov · Aug 25, 2024 · f7a3de2 · f7a3de2
2 parents 6e4c5dc + 9329e5c
commit f7a3de2
Show file tree

Hide file tree

Showing 34 changed files with 1,669 additions and 64 deletions.
diff --git a/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorTest.cs b/itext.tests/itext.kernel.tests/itext/kernel/mac/MacIntegrityProtectorTest.cs
diff --git a/...kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorTest/certs/SHA256withRSA.cer b/...kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorTest/certs/SHA256withRSA.cer
diff --git a/...kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorTest/certs/SHA256withRSA.key b/...kernel.tests/resources/itext/kernel/mac/MacIntegrityProtectorTest/certs/SHA256withRSA.key
@@ -0,0 +1,51 @@
+-----BEGIN ENCRYPTED PRIVATE KEY-----
+MIIFNTBfBgkqhkiG9w0BBQ0wUjAxBgkqhkiG9w0BBQwwJAQQdOaEUfD0sZWtUR11
+xwgn0gICCAAwDAYIKoZIhvcNAgkFADAdBglghkgBZQMEASoEEBaNXSfwUjF5SS7n
+ce1JFoUEggTQ6eV+IsckiVP7I9VTldLkpP5OKB8brmw5t20fO11HyCnqkkhooR2b
+t2fBj4fWv0IRUe266L+fVs7AOngjkWfezEvGR6nte4pNXEFrOwt/U8A6IYZXBdA5
+dvqs6VMPHbjQ8CufVLGvksuYFQVRcGy0rk1DH2Of44GU4X0GtROlFFJnkmfZhVPS
+Hx2MXXGQ02Ko1i1eKoEGgvmSAsDcPijiX96DKlQZJ4YMtI/8rRsdvNJsJ2beyZDa
+T3aJMmSSBF92mS2dtS21DwjzEu8utquguYA0KYzjZM9onOuBEEUifam8Fjnvlui6
+beQJya4zldoA6QZPSd2PUAP6l1U/d8UXqcisjzArDZDmRu58dPxn4rs0NgTOIO8h
+fEUIvfS+wuknff1b/wdGnwXkXoeSrrjS9dhP9KVU1SJ/FWKc6BY+P+JmE5vLjAtn
+AmbyZhXY0jX7ZHFh0z0y1y1fTIXL1aj4iB+cUwhJ1ZdlGkT5HdG4ts/oTGCnpB6O
+F1GvGyhprmtjp/dspLH5ha0I+4aTn46yFpnBNyg8w9c2+xj8Jiqy9J/ppVtPdhxt
+wrE1/ThUGIWUTsbGbLW87WIrZq6IlSGtztbxAMYxXoe4solYueE3pI3eYFzgnBcq
+T6Byktr71gt9AGD/N/p+Kk5RM4JT8XpQjLjz9TlmsGpJzUoBGeG6KFLsqqLLSD+0
+c5lAGWsFhec3uCu4fCyBqxpQc0y5j2bgUiTRGYn1NOdyZg+ERO/aWGfkDOAtlL1i
+B79NGIBxIXgt508g83UeaQC6KjuG/8hPY6UHmU5mlgRT9H5jvkSX3mEtl1Gdk2y0
+M5pZTTrhbG4p66GhBi8vM5tQfiBoLUKEM/kgiGXPC6Kob42nb3ufP0rmnKklcDGC
++898hW5ge+VNmOkHpVuV5ZD9aWUSVEU4+8QNZj8pcyL0GXFyEL/HxNxUESdz3k0S
+bInuxO49mgGPjBqtx5ZvaxyWFnzOp6rmHZUHymejxxdnlnTnSnXKkJFjcm7n0sKO
+575ofHtk0OdqIK6YiPgfeF6nZkIg3C0PbReZ05kTplrW182ZWuQQyJgv+RPzF4+9
+5rCe67nJhJrt7hXFRsUScHXNj+HF9Av8WR2RnHTRbpQBJszijM+Xgl+VeYcY5ckB
+fk+AfcR9r0Jud4O9795OOWVxWqGVu/b1RGonfjMkGW+JdnZL0vkOYYcHt4iMZmzW
+M0ZowZPGO5dFBV7/ZkVzb0fexw+f+E0lUBEK1cx0gxnzjmcGJO+C9if1uIEfwpon
+3wBOTDsU7XKDx9v6ibcDMOXrZa+rcJWxgNkXt5nRpozZkddYctBkehGu+snV2g4n
+SdOwr0eIVv/L+v4IywZmeWWEVnbSAvB0p7nB89bgLMr9tV0ly7MWxPH+gPnNJ1gE
+7Mp3AgN5BxEmLfW3+ou3QLoqnOS2MCw/xcgLP0nJACSPI7/nWy95iKXKgkCkAgF9
+4Ztk7uBG4tiK14KcKq8ToCW2YNliT3g0CWjBLtVPUS6qboudMiuedxTxE8WEirpT
+A77nfDNg4MVjl4kP9jhV0Phpn9rDMJ2jw0BqFc1Vou4aNDXYandAFJea44Wce9H+
+qAowcrfsWehD01HBQ2KwWVg3sLnwwBHw0nvbATS41hdxsP2OmCnxWkc=
+-----END ENCRYPTED PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIIDfzCCAmegAwIBAgIEUFic9zANBgkqhkiG9w0BAQsFADBvMQswCQYDVQQGEwJU
+UzETMBEGA1UECBMKVGVzdCBTdGF0ZTESMBAGA1UEBxMJVGVzdCBUb3duMREwDwYD
+VQQKEwhUZXN0IG9yZzEQMA4GA1UECxMHVGVzdCBPVTESMBAGA1UEAxMJVGVzdCBV
+c2VyMCAXDTE0MDkyMjA5MTExMVoYDzIxMTQwODI5MDkxMTExWjBvMQswCQYDVQQG
+EwJUUzETMBEGA1UECBMKVGVzdCBTdGF0ZTESMBAGA1UEBxMJVGVzdCBUb3duMREw
+DwYDVQQKEwhUZXN0IG9yZzEQMA4GA1UECxMHVGVzdCBPVTESMBAGA1UEAxMJVGVz
+dCBVc2VyMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+6g5sYzXiNOA
+hR7C8wc8buxU/JgcbdHpHIR44iuXjpepBYAE7hRsWM7H4cuXrKiRxS9UMOadqkGF
+Qqb5sG6lo2UUhcj4qlN6hKDc/+AMZMIW1mvQldiygCAkqgM8iso+kw56dpVuerG/
+k1nd8f+X9rjXN6/DIMznZcMy2d9ByIFuixFKElPvOWx9q9N4aiueOd5FM5eHxp+3
+F4uCTrpM5zkS7Rmf5GVtCofc8KgaTLLp4D0Ge5VUJm7yW8fuU3eIpin4ivjk+Gye
+Q3t0BsrmNyQy3CmKGOBP/vX0+wEMvGN2xqNgAFP9dxA+AbJMiAfsmoWvxXaPktqC
+DOspTCFqbwIDAQABoyEwHzAdBgNVHQ4EFgQUILviRCmSrhuLDmF0nus4pv2uu7gw
+DQYJKoZIhvcNAQELBQADggEBAGnfGYL7nDm5taDPRxuGGMqUPwRnH2bXwef6S2Xb
+/nIEFtNheVFQFtKNn5Ikq68DTFMP06yXLnI7F40+ZiQezRBB1EPPmDL2fYKc9fL1
+SHntu6HLgP/Y5nnCVegtL8l9745gQZnnXlMtkTs2HFwffznIHW/3STO0Bcj0+KMa
+p8vebMjmvV7bZEGvrcrVXL55QPZXJwRuQMXJB3f5XhAEH1VqAhTW6DrvBUnuESwo
+9fxxA5gmblt80SQYdKr2I08OTk0qmyF8zNuffTOiSS8/V6Cf7CntuPWjSuVf1EVP
+MH6KkSjceLZ99Y7bvl7KKvQ4Kj5Bp27PwlRvtYbfCUmQEG8=
+-----END CERTIFICATE-----
diff --git a/...s/itext/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacPublicKeyEncryptionTest.pdf b/...s/itext/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacPublicKeyEncryptionTest.pdf
diff --git a/...es/itext/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacStandardEncryptionTest.pdf b/...es/itext/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacStandardEncryptionTest.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest1.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest1.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest2.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest2.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest3.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest3.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest4.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest4.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest5.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest5.pdf
diff --git a/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest6.pdf b/...text/kernel/mac/MacIntegrityProtectorTest/cmp_standaloneMacWithAllHashAlgorithmsTest6.pdf
diff --git a/itext/itext.bouncy-castle-adapter/itext/bouncycastle/BouncyCastleFactory.cs b/itext/itext.bouncy-castle-adapter/itext/bouncycastle/BouncyCastleFactory.cs
@@ -24,6 +24,7 @@ You should have received a copy of the GNU Affero General Public License
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.Esf;
 using Org.BouncyCastle.Asn1.Ess;
@@ -79,7 +80,11 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Commons.Bouncycastle.X509;
 using Org.BouncyCastle.Asn1.Pkcs;
 using Org.BouncyCastle.Asn1.Tsp;
+using Org.BouncyCastle.Crypto.Digests;
+using Org.BouncyCastle.Crypto.Engines;
+using Org.BouncyCastle.Crypto.Generators;
 using Org.BouncyCastle.Crypto.Operators;
+using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.OpenSsl;
 using Org.BouncyCastle.Security;
 using Org.BouncyCastle.Security.Certificates;
@@ -1127,6 +1132,11 @@ public bool IsNullExtension(IX509Extension ext) {
         public bool IsNull(IAsn1Encodable encodable) {
             return ((Asn1EncodableBC)encodable).GetEncodable() == null;
         }
+
+        /// <summary><inheritDoc/></summary>
+        public RNGCryptoServiceProvider GetSecureRandom() {
+            return new RNGCryptoServiceProvider();
+        }
 
         /// <summary><inheritDoc/></summary>
         public IX509Extension CreateExtension(bool b, IDerOctetString octetString) {
@@ -1170,6 +1180,30 @@ public string CreateEndDate(IX509Certificate certificate) {
             return certificate.GetEndDateTime();
         }
 
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateHKDF(byte[] inputKey, byte[] salt, byte[] info) {
+            HkdfBytesGenerator hkdfBytesGenerator = new HkdfBytesGenerator(new Sha256Digest());
+            HkdfParameters hkdfParameters = new HkdfParameters(inputKey, salt, info);
+            hkdfBytesGenerator.Init(hkdfParameters);
+            byte[] hkdf = new byte[32];
+            hkdfBytesGenerator.GenerateBytes(hkdf, 0, 32);
+
+            return hkdf;
+        }
+
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateHMACSHA256Token(byte[] key, byte[] data) {
+            HMACSHA256 mac = new HMACSHA256(key);
+            return mac.ComputeHash(data);
+        }
+
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateEncryptedKeyWithAES256NoPad(byte[] key, byte[] kek) {
+            IWrapper wrapper = new AesWrapEngine();
+            wrapper.Init(true, new KeyParameter(kek));
+            return wrapper.Wrap(key, 0, key.Length);
+        }
+
         //\cond DO_NOT_DOCUMENT
         internal class BouncyCastlePasswordFinder : IPasswordFinder {
             private readonly char[] password;

diff --git a/...t/itext.bouncy-castle-connector/itext/bouncycastleconnector/BouncyCastleDefaultFactory.cs b/...t/itext.bouncy-castle-connector/itext/bouncycastleconnector/BouncyCastleDefaultFactory.cs
@@ -24,6 +24,7 @@ You should have received a copy of the GNU Affero General Public License
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 using iText.Bouncycastleconnector.Logs;
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Asn1;
@@ -702,6 +703,10 @@ public bool IsNull(IAsn1Encodable encodable) {
             throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
         }
 
+        public RNGCryptoServiceProvider GetSecureRandom() {
+            throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+        }
+
         public byte[] CreateCipherBytes(IX509Certificate x509Certificate, byte[] abyte0, IAlgorithmIdentifier algorithmidentifier) {
             throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
         }
@@ -721,5 +726,17 @@ public IBouncyCastleUtil GetBouncyCastleUtil() {
         public string CreateEndDate(IX509Certificate certificate) {
             throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
         }
+
+        public byte[] GenerateHKDF(byte[] inputKey, byte[] salt, byte[] info) {
+            throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+        }
+
+        public byte[] GenerateHMACSHA256Token(byte[] key, byte[] data) {
+            throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+        }
+
+        public byte[] GenerateEncryptedKeyWithAES256NoPad(byte[] key, byte[] kek) {
+            throw new NotSupportedException(BouncyCastleLogMessageConstant.BOUNCY_CASTLE_DEPENDENCY_MUST_PRESENT);
+        }
     }
 }
diff --git a/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs b/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsFactory.cs
@@ -24,6 +24,7 @@ You should have received a copy of the GNU Affero General Public License
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 using iText.Bouncycastle.Security;
 using Org.BouncyCastle.Asn1;
 using Org.BouncyCastle.Asn1.Esf;
@@ -1187,6 +1188,11 @@ public bool IsNullExtension(IX509Extension ext) {
         public bool IsNull(IAsn1Encodable encodable) {
             return ((Asn1EncodableBCFips)encodable).GetEncodable() == null;
         }
+
+        /// <summary><inheritDoc/></summary>
+        public RNGCryptoServiceProvider GetSecureRandom() {
+            return new RNGCryptoServiceProvider();
+        }
 
         /// <summary><inheritDoc/></summary>
         public IX509Extension CreateExtension(bool b, IDerOctetString octetString) {
@@ -1216,17 +1222,6 @@ public void IsEncryptionFeatureSupported(int encryptionType, bool withCertificat
             }            
         }
 
-        /// <summary><inheritDoc/></summary>
-        public SecureRandom GetSecureRandom() {
-            byte[] personalizationString = Strings.ToUtf8ByteArray("some personalization string");
-            SecureRandom entropySource = new SecureRandom();
-            return CryptoServicesRegistrar.CreateService(FipsDrbg.Sha512)
-                .FromEntropySource(entropySource,true)
-                .SetPersonalizationString(personalizationString).Build(
-                    entropySource.GenerateSeed(256 / (2 * 8)), true, 
-                    Strings.ToByteArray("number only used once"));
-        }
-
         /// <summary><inheritDoc/></summary>
         public IBouncyCastleUtil GetBouncyCastleUtil() {
             return BOUNCY_CASTLE_UTIL;
@@ -1236,6 +1231,22 @@ public IBouncyCastleUtil GetBouncyCastleUtil() {
         public string CreateEndDate(IX509Certificate certificate) {
             return certificate.GetEndDateTime();
         }
+
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateHKDF(byte[] inputKey, byte[] salt, byte[] info) {
+            throw new NotSupportedException("HKDF algorithm is not supported in bouncy-castle FIPS mode.");
+        }
+
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateHMACSHA256Token(byte[] key, byte[] data) {
+            HMACSHA256 mac = new HMACSHA256(key);
+            return mac.ComputeHash(data);
+        }
+
+        /// <summary><inheritDoc/></summary>
+        public byte[] GenerateEncryptedKeyWithAES256NoPad(byte[] key, byte[] kek) {
+            throw new NotSupportedException("Encrypted key generation with AES256 is not supported in bouncy-castle FIPS mode.");
+        }
 
         private IX509Certificate ReadPemCertificate(PushbackStream pushbackStream) {
             using (TextReader file = new StreamReader(pushbackStream)) {

diff --git a/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsUtil.cs b/itext/itext.bouncy-castle-fips-adapter/itext/bouncycastlefips/BouncyCastleFipsUtil.cs
@@ -20,7 +20,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     You should have received a copy of the GNU Affero General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.IO;
 using iText.Bouncycastlefips.Cert;
 using iText.Commons.Bouncycastle;

diff --git a/...ouncy-castle-fips-adapter/itext/bouncycastlefips/UnsupportedEncryptionFeatureException.cs b/...ouncy-castle-fips-adapter/itext/bouncycastlefips/UnsupportedEncryptionFeatureException.cs
@@ -20,18 +20,16 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     You should have received a copy of the GNU Affero General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
-using System;
+using System;
 using iText.Commons.Exceptions;
 
 namespace iText.Bouncycastlefips
 {
-    public class UnsupportedEncryptionFeatureException : ITextException
-    {
+    public class UnsupportedEncryptionFeatureException : ITextException {
         public const String ENCRYPTION_WITH_CERTIFICATE_ISNT_SUPPORTED_IN_FIPS =
             "Encryption with certificated is currently not supported in Bouncy Castle FIPS mode.";
 
-        public UnsupportedEncryptionFeatureException(string msg): base(msg)
-        {
+        public UnsupportedEncryptionFeatureException(string msg): base(msg) {
         }
     }
 }
diff --git a/...castle-fips-adapter/itext/bouncycastlefips/crypto/generators/RsaKeyPairGeneratorBCFips.cs b/...castle-fips-adapter/itext/bouncycastlefips/crypto/generators/RsaKeyPairGeneratorBCFips.cs
@@ -27,6 +27,8 @@ You should have received a copy of the GNU Affero General Public License
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Fips;
 using Org.BouncyCastle.Math;
+using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
 
 namespace iText.Bouncycastlefips.Crypto.Generators {
     /// <summary>
@@ -40,9 +42,16 @@ public class RsaKeyPairGeneratorBCFips : IRsaKeyPairGenerator {
         /// <see cref="FipsRsa.KeyPairGenerator"/>.
         /// </summary>
         public RsaKeyPairGeneratorBCFips() {
+            byte[] personalizationString = Strings.ToUtf8ByteArray("some personalization string");
+            SecureRandom entropySource = new SecureRandom();
+            SecureRandom secureRandomForGenerator = CryptoServicesRegistrar.CreateService(FipsDrbg.Sha512)
+                .FromEntropySource(entropySource,true)
+                .SetPersonalizationString(personalizationString).Build(
+                    entropySource.GenerateSeed(256 / (2 * 8)), true, 
+                    Strings.ToByteArray("number only used once"));
             this.generator = CryptoServicesRegistrar.CreateGenerator(
                 new FipsRsa.KeyGenerationParameters(BigInteger.ValueOf(0x10001), 2048), 
-                new BouncyCastleFipsFactory().GetSecureRandom());
+                secureRandomForGenerator);
         }
 
         /// <summary>

diff --git a/itext/itext.commons/itext/commons/bouncycastle/IBouncyCastleFactory.cs b/itext/itext.commons/itext/commons/bouncycastle/IBouncyCastleFactory.cs
@@ -24,6 +24,7 @@ You should have received a copy of the GNU Affero General Public License
 using System.Collections;
 using System.Collections.Generic;
 using System.IO;
+using System.Security.Cryptography;
 using iText.Commons.Bouncycastle.Asn1;
 using iText.Commons.Bouncycastle.Asn1.Cms;
 using iText.Commons.Bouncycastle.Asn1.Esf;
@@ -1580,7 +1581,18 @@ IX509V3CertificateGenerator CreateJcaX509v3CertificateBuilder(IX509Certificate s
         /// </returns>
         bool IsNullExtension(IX509Extension extNonce);
 
+        /// <summary>
+        /// Check if provided encodable wrapper wraps null.
+        /// </summary>
+        /// <param name="encodable">encodable wrapper to be checked</param>
+        /// <returns>true if provided encodable wrapper wraps null, false otherwise</returns>
         bool IsNull(IAsn1Encodable encodable);
+
+        /// <summary>
+        /// Get SecureRandom implementation from the factory.
+        /// </summary>
+        /// <returns>SecureRandom implementation</returns>
+        RNGCryptoServiceProvider GetSecureRandom();
 
         /// <summary>
         /// Create
@@ -1635,5 +1647,30 @@ IX509V3CertificateGenerator CreateJcaX509v3CertificateBuilder(IX509Certificate s
         /// <param name="certificate">certificate to get end date</param>
         /// <returns>The end date of the certificate</returns>
         string CreateEndDate(IX509Certificate certificate);
+
+        /// <summary>
+        /// Generates byte array based on extract-and-expand key derivation function, using provided parameters.
+        /// </summary>
+        /// <param name="inputKey">byte[] input key material</param>
+        /// <param name="salt">byte[] salt</param>
+        /// <param name="info">byte[] info</param>
+        /// <returns>byte[] key derivation function result.</returns>
+        byte[] GenerateHKDF(byte[] inputKey, byte[] salt, byte[] info);
+
+        /// <summary>
+        /// Generates byte array based MAC token according to HMACSHA256 algorithm.
+        /// </summary>
+        /// <param name="key">MAC key</param>
+        /// <param name="data">data to be encrypted</param>
+        /// <returns>byte array based MAC token.</returns>
+        byte[] GenerateHMACSHA256Token(byte[] key, byte[] data);
+
+        /// <summary>
+        /// Generates encrypted key based on AES256 without padding wrapping algorithm.
+        /// </summary>
+        /// <param name="key">key to be encrypted</param>
+        /// <param name="kek">key encryption key to be used</param>
+        /// <returns>encrypted key.</returns>
+        byte[] GenerateEncryptedKeyWithAES256NoPad(byte[] key, byte[] kek);
     }
 }
diff --git a/itext/itext.commons/itext/commons/bouncycastle/IBouncyCastleUtil.cs b/itext/itext.commons/itext/commons/bouncycastle/IBouncyCastleUtil.cs
@@ -20,7 +20,7 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
     You should have received a copy of the GNU Affero General Public License
     along with this program.  If not, see <https://www.gnu.org/licenses/>.
  */
-using System.Collections.Generic;
+using System.Collections.Generic;
 using System.IO;
 using iText.Commons.Bouncycastle.Cert;
 

diff --git a/itext/itext.kernel/itext/kernel/crypto/securityhandler/SecurityHandler.cs b/itext/itext.kernel/itext/kernel/crypto/securityhandler/SecurityHandler.cs
@@ -27,6 +27,7 @@ You should have received a copy of the GNU Affero General Public License
 using iText.Commons;
 using iText.Commons.Bouncycastle;
 using iText.Commons.Bouncycastle.Crypto;
+using iText.Commons.Utils;
 using iText.Kernel.Exceptions;
 using iText.Kernel.Logs;
 
@@ -94,6 +95,22 @@ public virtual void SetHashKeyForNextObject(int objNumber, int objGeneration) {
         public abstract OutputStreamEncryption GetEncryptionStream(Stream os);
 
         public abstract IDecryptor GetDecryptor();
+
+        /// <summary>
+        /// Gets encryption key for a particular object/generation.
+        /// </summary>
+        /// <returns>encryption key for a particular object/generation.</returns>
+        public byte[] GetNextObjectKey() {
+            return JavaUtil.ArraysCopyOf(nextObjectKey, nextObjectKey.Length);
+        }
+
+        /// <summary>
+        /// Gets global encryption key.
+        /// </summary>
+        /// <returns>global encryption key.</returns>
+        public byte[] GetMkey() {
+            return JavaUtil.ArraysCopyOf(mkey, mkey.Length);
+        }
 
         private void SafeInitMessageDigest() {
             try {

diff --git a/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs b/itext/itext.kernel/itext/kernel/events/PdfDocumentEvent.cs
@@ -43,6 +43,12 @@ public class PdfDocumentEvent : Event {
         /// </remarks>
         public const String END_PAGE = "EndPdfPage";
 
+        /// <summary>Dispatched before writer is flushed to a document.</summary>
+        public const String END_WRITER_FLUSH = "EndWriterFlush";
+
+        /// <summary>Dispatched after writer is flushed to a document.</summary>
+        public const String START_DOCUMENT_CLOSING = "StartDocumentClosing";
+
         /// <summary>The PdfPage associated with this event.</summary>
         protected internal PdfPage page;