PDF Security

The 1099/W-2 PDFs contain PII (Personally Identifiable Information) data of the recipients/employees. To make sure that the PII data involved is completely secured, TaxBandits has added additional security to the form PDFs.

The PDF links you get in the Response of RequestDraftPdfUrl and RequestPDFURLs are encrypted, and you will have to decrypt them before downloading.

Decrypt the PDF URLs​

To decrypt the URL, you will need the following parameters.

1. AWS AccessKey
2. AWS SecretKey
3. Base64Key
4. S3 Bucket Name

All the above values will be available on your TaxBandits console site. Log in to the console site and navigate to Settings >> PDF Credentials

5. S3 file path - This is the file path you received in the RequestPdfUrls endpoint Response.

   Sample PDF Path you will get in the Response -> https://expressirsforms.s3.us-east-1.amazonaws.com/pdfs/ac5df30c-6b81-49ab-b85e-8122128d227f/6c36e3fa-5d6f-4c21-81df-2e1e0c27305c/1099/36253545/m/copy1_1up_36253545.pdf

   info

   In the above example, remove the main domain from the file path and include part that starts with “pdfs/ac5df3…..”

Sample Code:

NodeJs

Send the above-listed parameters using a code to decrypt the PDF URL for download. Here is a sample code for NodeJs.

{
    const AWS = require("aws-sdk");//  reference library
    AWS.config.update({region:"us-east-1"}); // don't change this US-East-01
    const s3 = new AWS.S3({
    accessKeyId: "<<AWS AccessKey>>",
    secretAccessKey: "<<AWS SecretKey>>"
    });
    const ssecKey = Buffer.alloc(32, "<<Base64Key>>",'base64') // you can get the key from Taxbandits API Console
    var params = {
        Key: "<<S3 file path>>",// File path without main domain URL.
        Bucket: "<<Bucket Name>>",// Get the Bucket Name from the URL given in the response
        SSECustomerAlgorithm: "AES256",
        SSECustomerKey: ssecKey
        }
    var file = require('fs').createWriteStream('<<samplepdfname.pdf>>');// save the pdf in local
    s3.getObject(params).createReadStream().pipe(file);
}

C#

{
using Amazon;
using Amazon.S3;
using Amazon.S3.Model;
class Program
{
    static async System.Threading.Tasks.Task Main(string[] args)
    {
        string accessKeyId = "AWS_ACCESS_KEY";  //AWS Access Key provided by TaxBandits in Console Site
        string secretAccessKey = "AWS_SECRET_KEY"; //AWS Secret Key provided by TaxBandits in Console Site
        string s3BucketName = "AWS_S3_BUCKET_NAME"; //AWS S3 Bucket Name provided by TaxBandits in Console Site
        // Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
        // File path without main domain URL
        string s3FilePath = "file/path/provided-by/TaxBandits/encrypted.pdf"; 
        string ssecKeyBase64 = "PDF_KEY";// Replace with the Base64Key provided by TaxBandits in Console site
        string localFilePath = "DecryptedPdf.pdf"; // Path to save the PDF locally. Default will be stored in bin of the project folder
        AmazonS3Config s3Config = new AmazonS3Config
        {
            RegionEndpoint = RegionEndpoint.USEast1
        };
        using (IAmazonS3 s3Client = new AmazonS3Client(accessKeyId, secretAccessKey, s3Config))
        {
            // Define parameters for the S3 getObject operation
            GetObjectRequest request = new GetObjectRequest
            {
                BucketName = s3BucketName,
                Key = s3FilePath,
                ServerSideEncryptionCustomerMethod = ServerSideEncryptionCustomerMethod.AES256,
                ServerSideEncryptionCustomerProvidedKey = ssecKeyBase64
            };
            using (GetObjectResponse response = await s3Client.GetObjectAsync(request))
            using (Stream responseStream = response.ResponseStream)
            // Download the encrypted PDF from S3 using SSE-C and save it locally.
            using (FileStream fileStream = File.Create(localFilePath))
            {
                await responseStream.CopyToAsync(fileStream);
            }
        }
    }
}
}

Ruby

{
  require 'aws-sdk-s3'
  require 'base64'
   # Set AWS configuration
    Aws.config.update({
    region: 'us-east-1', # Don't change this (US-East-01)
    credentials: Aws::Credentials.new(
       'AWS_ACCESS_KEY', #AWS Access Key provided by TaxBandits in Console Site
       'AWS_SECRET_KEY') #AWS Secret Key provided by TaxBandits in Console Site
  })
    s3 = Aws::S3::Resource.new
    # Specify the S3 bucket and object (PDF) details
    bucket_name = 'AWS_S3_BUCKET_NAME' # AWS S3 Bucket Name provided by TaxBandits in Console Site
    # Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
    object_key = 'file/path/provided-by/TaxBandits/encrypted.pdf'
    #  You can get PDF Key from Taxbandits API Console site
    sse_c_key = Base64.strict_decode64('PDF_KEY')
    # Accessing S3 Bucket using the bucket_name, object_key and sse_c_key. The Decrypted file will be downloaded.pdf.
    s3.bucket(bucket_name).object(object_key).get(
    response_target: 'downloaded.pdf', #Replace with the file name you needed.
    sse_customer_algorithm: 'AES256', 
    sse_customer_key: sse_c_key)
 puts "TaxBandits - Encrypted PDF (SSE-C) downloaded to 'downloaded.pdf'"
}

Java

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;
import org.apache.commons.io.FileUtils;
import java.io.File;
import java.io.IOException;
public class TbsDecryptPdfUrl {
   public static void main(String[] args) {
        String accessKeyId = "<<AWS AccessKey>>";
        String secretAccessKey = "<<AWS SecretKey>>";
        String s3BucketName = "<<Bucket Name>>";
        String s3FilePath = "<<S3 file path>>";
        String ssecKeyBase64 = "<<Base64Key>>";
        String localFilePath = "<<samplepdfname.pdf>>";
        // Create AWS credentials
        BasicAWSCredentials awsCredentials = new BasicAWSCredentials(accessKeyId, secretAccessKey);
        // Create S3 client
        AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("https://s3.amazonaws.com", "us-east-1"))
                .build();
        // Decode Base64 key
        byte[] ssecKeyBytes = java.util.Base64.getDecoder().decode(ssecKeyBase64);
        // Create S3ObjectRequest
        GetObjectRequest getObjectRequest = new GetObjectRequest(s3BucketName, s3FilePath)
                .withSSECustomerAlgorithm("AES256")
                .withSSECustomerKey(ssecKeyBytes);
        // Download object and save to a local file
        try (S3Object s3Object = s3Client.getObject(getObjectRequest);
             S3ObjectInputStream objectInputStream = s3Object.getObjectContent()) {
              FileUtils.copyInputStreamToFile(objectInputStream, new File(localFilePath));
              System.out.println("File downloaded successfully.");
       } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Python

import boto3
import base64, os
def get_file_from_aws_bucket(bucket_name, access_key_id, secret_access_key, sse_c_key, e_customer_alg, file_key=False):
    #Initializing Client
    s3 = boto3.client(
        service_name = 's3',
        aws_access_key_id = access_key_id,
        aws_secret_access_key = secret_access_key,
        region_name = "us-east-1"
    )
    # Define parameters for the S3 getObject operation
    response = s3.get_object(
        Bucket = bucket_name,
        Key = file_key,
        SSECustomerKey = sse_c_key,
        SSECustomerAlgorithm = e_customer_alg
    )
    read_content = response['Body'].read()
    # Save the file locally
    file_name = os.path.basename(file_key)
    with open(f'./{file_name}', 'wb') as f:
        f.write(read_content)
get_file_from_aws_bucket(
    bucket_name = 'AWS_S3_BUCKET_NAME', #AWS S3 Bucket Name provided by TaxBandits in Console Site
    access_key_id = 'AWS_ACCESS_KEY', #AWS Access Key provided by TaxBandits in Console Site
    secret_access_key = 'AWS_SECRET_KEY',  #AWS Secret Key provided by TaxBandits in Console Site
    sse_c_key = base64.b64decode('PDF_KEY'), #Replace with the Base64Key provided by TaxBandits in Console site
    e_customer_alg = 'AES256',
    # File path without main domain URL
    file_key = 'file/path/provided-by/TaxBandits/encrypted.pdf'  # Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.     
)

PHP

<?php
require 'vendor/autoload.php'; // Make sure to include the AWS SDK for PHP autoload file
use AwsS3S3Client;
//Replace with AWS Access Key & AWS Secret Key provided by TaxBandits in Console Site
$credentials = new AwsCredentialsCredentials('AWS_ACCESS_KEY', 'AWS_SECRET_KEY');
$region = 'us-east-1'; // US East (N. Virginia)
// Create an S3 client
$s3Client = new S3Client([
    'version' => 'latest',
    'region' => $region,
    'credentials' => $credentials,
]);
// Replace with the Base64Key provided by TaxBandits in Console site
$ssecKey = base64_decode('PDF_KEY'); // Base64 key, decoded to binary
# AWS S3 Bucket Name provided by TaxBandits in Console Site
$bucketName = 'AWS_S3_BUCKET_NAME'; 
# Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
// File path without main domain URL
$objectKey = 'file/path/provided-by/TaxBandits/encrypted.pdf'; 
// Define parameters for the S3 getObject operation
$params = [
    'Bucket' => $bucketName,
    'Key' => $objectKey,
    'SSECustomerAlgorithm' => 'AES256',
    'SSECustomerKey' => $ssecKey,
];
// Download the encrypted PDF from S3 using SSE-C and save it locally
$localFilePath = 'samplepdfname.pdf'; // Path to save the PDF locally
try {
    $result = $s3Client->getObject($params);
    file_put_contents($localFilePath, $result['Body']);
    echo "TaxBandits - Encrypted PDF (SSE-C) downloaded to '$localFilePath'
";
} catch (AwsS3ExceptionS3Exception $e) {
    echo 'Error: ' . $e->getMessage() . "
";
}

Go

 package main
 import (
	"encoding/base64"
	"fmt"
	"io"
	"os"
	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/s3"
)
func main() {
	// Set AWS credentials and region
	awsRegion := "us-east-1"
	awsAccessKey := "AWS_ACCESS_KEY" //AWS Access Key provided by TaxBandits in Console Site
	awsSecretKey := "AWS_SECRET_KEY" //AWS Secret Key provided by TaxBandits in Console Site
  sess, err := session.NewSession(&aws.Config{
		Region:      aws.String(awsRegion),
		Credentials: credentials.NewStaticCredentials(awsAccessKey, awsSecretKey, ""),
	})
	if err != nil {
		fmt.Println("Error creating AWS session:", err)
		return
	}
  // Create an S3 client
	s3Client := s3.New(sess)
  // Replace "PDF_KEY" with the actual Base64Key provided by TaxBandits in Console site
	ssecKey, err := base64.StdEncoding.DecodeString("PDF_KEY")
	if err != nil {
		fmt.Println("Error decoding Base64Key:", err)
		return
	}
  ssecKeyString := string(ssecKey)
  // Set S3 parameters
	params := &s3.GetObjectInput{
		// Provide the S3 Bucket file path from 'pdfs/88fb.../copy1_1up_1521965.pdf'.
		// File path without main domain URL
		Key:                  aws.String("file/path/provided-by/TaxBandits/encrypted.pdf"),
		Bucket:               aws.String("AWS_S3_BUCKET_NAME"), //AWS S3 Bucket Name provided by TaxBandits in Console Site
		SSECustomerAlgorithm: aws.String("AES256"),
		SSECustomerKey:       &ssecKeyString,
	}
  // Download the encrypted PDF from S3 using SSE-C and save it locally
	file, err := os.Create("DecryptedPdf.pdf")
	if err != nil {
		fmt.Println("Error creating file:", err)
		return
	}
	defer file.Close()
  result, err := s3Client.GetObject(params)
	if err != nil {
		fmt.Println("Error getting object from S3:", err)
		return
	}
  // Download the encrypted PDF from S3 using SSE-C and save it locally.
	_, err = io.Copy(file, result.Body)
	if err != nil {
		fmt.Println("Error copying content to file:", err)
		return
	}
 fmt.Println("Decrypted PDF downloaded successfully.")
}