Hi Apache PDFBox Team,
I hope you're doing well.
We are currently using Apache PDFBox in our software stack and have
encountered an issue when deploying it in environments that enforce *FIPS
140-3 compliance.*
Specifically, in the *COSWriter class*, PDFBox uses the
*MessageDigest.getInstance("MD5")* call to generate document IDs. Under a
FIPS-enabled JVM, MD5 is not allowed as it is not a FIPS-approved
algorithm, leading to a `NoSuchAlgorithmException` during PDF generation.
Is there any workaround or configuration to avoid MD5 in such environments?
Alternatively, would the PDFBox team consider supporting a configurable or
FIPS-compatible digest algorithm (like SHA-256) for the document ID
generation?
We’d greatly appreciate any guidance or future roadmap considerations in
this regard. Thanks again for maintaining this excellent open-source
library.
Best regards,
Srujith
