% Copyright (C) 2001-2019 Artifex Software, Inc.
% All Rights Reserved.
%
% This software is provided AS-IS with no warranty, either express or
% implied.
%
% This software is distributed under license and may not be copied,
% modified or distributed except as expressly authorized under the terms
% of the license contained in the file LICENSE in this distribution.
%
% Refer to licensing information at http://www.artifex.com or contact
% Artifex Software, Inc., 1305 Grant Avenue - Suite 200, Novato,
% CA 94945, U.S.A., +1(415)492-9861, for further information.
%
% Copyright (C) 1996-1998 Geoffrey Keating.
% Copyright (C) 2001-2008 Artifex Software, Inc.
% This file may be freely distributed with or without modifications,
% so long as modified versions are marked as such and copyright notices are
% not removed.
% Implementation of security hooks for PDF reader.
% This file contains the procedures that have to take encryption into
% account when reading a PDF file. It was originally distributed
% separately by Geoffrey Keating as an add-on to version 6 and earlier.
% Modified by Alex Cherepanov to work with GS 6.60 and higher.
% New versions of GS require explicit checks for /true, /false, and /null
% in .decpdfrun. This fix is backward-compatible.
% Modified by Raph Levien and Ralph Giles to use the new C
% implementations of md5 and arcfour in ghostscript 7.01, and to
% be compatible with PDF 1.4 128-bit encryption.
% Modified by Ralph Giles for PDF 1.6 AES encryption.
% Modified by Michael Constant for PDF 1.7 ExtensionLevel 3
% AES-256 encryption.
/.setlanguagelevel where { pop 2 .setlanguagelevel } if
.currentglobal //true .setglobal
pdfdict begin
% Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
/.pdftoken where { pop } { /.pdftoken /token load def } ifelse
% take a stream and arc4 decrypt it.
% <stream> <key> arc4decodefilter <stream>
/arc4decodefilter {
1 dict begin
/Key exch def
currentdict end /ArcfourDecode filter
} bind executeonly def
% <ciphertext> <key> arc4decode <plaintext>
/arc4decode {
1 index length 0 eq {
pop
} {
1 index length string 3 1 roll arc4decodefilter exch readstring pop
} ifelse
} bind executeonly def
% take a stream and aes decrypt it.
% <stream> <key> aesdecodefilter <stream>
/aesdecodefilter {
1 dict begin
/Key exch def
currentdict end
/AESDecode filter
} bind executeonly def
% AES decrypt a string, returning a string. The second argument can
% be a dictionary of the form << /Key key /Padding false >>, which
% specifies the key and any options for the AESDecode filter, or it
% can just be a string (the key).
%
% <ciphertext> <dict> aesdecode <plaintext>
% <ciphertext> <key> aesdecode <plaintext>
/aesdecode {
1 index length 0 eq {
pop
} {
1 index length string 3 1 roll
% If our second argument is a dictionary, it's the full set
% of decoding options (including the key); pass it directly
% to the AESDecode filter. Otherwise, it's just the key, so
% call aesdecodefilter to construct the dictionary.
dup type /dicttype eq { /AESDecode filter } { aesdecodefilter } ifelse
exch readstring pop
} ifelse
} bind executeonly def
/md5 {
16 string dup /MD5Encode filter dup 4 3 roll writestring closefile
} bind executeonly def
/md5_trunk {
md5 0 pdf_key_length getinterval
} bind executeonly def
/sha256 {
32 string dup /SHA256Encode filter dup 4 3 roll writestring closefile
} bind executeonly def
% <string> contains_non_ascii <bool>
/contains_non_ascii {
//false exch { 128 ge { pop //true exit } if } forall
} bind executeonly def
/pdf_padding_string
<28bf4e5e4e758a41 64004e56fffa0108
2e2e00b6d0683e80 2f0ca9fe6453697a>
def
% Pad a key out to 32 bytes.
/pdf_pad_key { % <key> pdf_pad_key <padded key>
dup length 32 gt { 0 32 getinterval } if
pdf_padding_string
0 32 3 index length sub getinterval
concatstrings
} bind executeonly def
/pdf_xorbytes { % <iter-num> <key> pdf_xorbytes <xored-key>
dup length dup string
exch 1 sub 0 1 3 2 roll {
% <iter-num> <key> <new-key> <byte-num>
dup 3 index exch get 4 index xor
% <iter-num> <key> <new-key> <byte-num> <byte>
3 copy put pop pop
} for
3 1 roll pop pop
} bind executeonly def
% Get length of encryption key in bytes
/pdf_key_length { % pdf_key_length <key_length>
Trailer /Encrypt oget
dup /V knownoget not { 0 } if 1 eq
{ pop 5 } % If V == 1 then always use 40 bits
{ /Length knownoget { -3 bitshift } { 5 } ifelse }
ifelse
} bind executeonly def
% Algorithm 3.2
/pdf_compute_encryption_key { % <password> pdf_compute_encryption_key <key>
% Step 1.
pdf_pad_key
% Step 2, 3.
Trailer /Encrypt oget dup /O oget
% <padded-key> <encrypt> <O>
% Step 4.
exch /P oget 4 string exch
2 copy 255 and 0 exch put
2 copy -8 bitshift 255 and 1 exch put
2 copy -16 bitshift 255 and 2 exch put
2 copy -24 bitshift 255 and 3 exch put pop
% <padded-key> <O> <P>
% Step 5.
Trailer /ID knownoget { 0 oget } {
()
( **** Error: ID key in the trailer is required for encrypted files.\n) pdfformaterror
( File may not be possible to decrypt.\n) pdfformaterror
} ifelse
3 { concatstrings } repeat
% We will finish step 5 after possibly including step 6.
% The following only executed for /R equal to 3 or more
Trailer /Encrypt oget dup /R oget dup 3 ge {
% Step 6. If EncryptMetadata is false, pass 0xFFFFFFFF to md5 function
% The PDF 1.5 Spec says that EncryptMetadata is an undocumented
% feature of PDF 1.4. That implies that this piece of logic should
% be executed if R >= 3. However testing with Acrobat 5.0 and 6.0 shows
% that this step is not executed if R equal to 3. Thus we have a test for
% R being >= 4.
4 ge {
/EncryptMetadata knownoget % Get EncryptMetadata (if present)
not { //true } if % Default is true
not { % If EncryptMetadata is false
<ff ff ff ff> concatstrings % Add 0xFFFFFFFF to working string
} if
} {
pop % Remove Encrypt dict
} ifelse
md5_trunk % Finish step 5 and 6.
% Step 7. Executed as part of step 6
% Step 8. (This step is defintely a part of PDF 1.4.)
50 { md5_trunk } repeat
} {
pop pop md5_trunk % Remove R, Encrypt dict, finish step 5
} ifelse
% Step 9 - Done in md5_trunk.
} bind executeonly def
% Algorithm 3.4
/pdf_gen_user_password_R2 { % <filekey> pdf_gen_user_password_R2 <U>
% Step 2.
pdf_padding_string exch arc4decode
} bind executeonly def
% Algorithm 3.5
/pdf_gen_user_password_R3 { % <filekey> pdf_gen_user_password_R3 <U>
% Step 2.
pdf_padding_string
% Step 3.
Trailer /ID knownoget { 0 oget } {
()
( **** Error: ID key in the trailer is required for encrypted files.\n) pdfformaterror
( File may not be possible to decrypt.\n) pdfformaterror
} ifelse
concatstrings md5
% Step 4.
1 index arc4decode
% Step 5.
1 1 19 {
2 index pdf_xorbytes arc4decode
} for
exch pop
} bind executeonly def
/pdf_gen_user_password { % <password> pdf_gen_user_password <filekey> <U>
% common Step 1 of Algorithms 3.4 and 3.5.
pdf_compute_encryption_key dup
Trailer /Encrypt oget
/R oget dup 2 eq {
pop pdf_gen_user_password_R2
} {
dup 3 eq {
pop pdf_gen_user_password_R3
} {
dup 4 eq { % 4 uses the algorithm as 3
pop pdf_gen_user_password_R3
} {
% This procedure is only used if R is between 2 and 4,
% so we should never get here.
/pdf_gen_user_password cvx /undefined signalerror
} ifelse
} ifelse
} ifelse
} bind executeonly def
% Algorithm 3.6
% <password> pdf_check_pre_r5_user_password <filekey> true
% <password> pdf_check_pre_r5_user_password false
/pdf_check_pre_r5_user_password {
pdf_gen_user_password
Trailer /Encrypt oget /U oget
0 2 index length getinterval eq {
//true
} {
pop //false
} ifelse
} bind executeonly def
% Compute an owner key, ie the result of step 4 of Algorithm 3.3
/pdf_owner_key % <password> pdf_owner_key <owner-key>
{
% Step 1.
pdf_pad_key
% Step 2.
md5_trunk
% 3.3 Step 3. Only executed for /R equal to 3 or more
Trailer /Encrypt oget /R oget 3 ge {
50 { md5_trunk } repeat
} if
% Step 4 - Done in md5_trunk.
} bind executeonly def
% Algorithm 3.7
% <password> pdf_check_pre_r5_owner_password <filekey> true
% <password> pdf_check_pre_r5_owner_password false
/pdf_check_pre_r5_owner_password {
% Step 1.
pdf_owner_key
% Step 2.
Trailer /Encrypt oget dup /O oget 2 index arc4decode
% <encryption-key> <encrypt-dict> <decrypted-O>
% Step 3. Only executed for /R equal to 3 or more
exch /R oget 3 ge {
1 1 19 {
2 index pdf_xorbytes arc4decode
} for
} if
exch pop
% <result-of-step-3>
pdf_check_pre_r5_user_password
} bind executeonly def
% Algorithm 3.2a
% <password> pdf_check_r5_password <filekey> true
% <password> pdf_check_r5_password false
/pdf_check_r5_password {
10 dict begin % temporary dict for local variables
% Step 1.
% If the .saslprep operator isn't available (because ghostscript
% wasn't built with libidn support), just skip this step. ASCII
% passwords will still work fine, and even most non-ASCII passwords
% will be okay; any non-ASCII passwords that fail will produce a
% warning from pdf_process_Encrypt.
/.saslprep where { pop .saslprep } if
% Step 2.
dup length 127 gt { 0 127 getinterval } if
/Password exch def
% Step 3.
/O Trailer /Encrypt oget /O oget def
/U Trailer /Encrypt oget /U oget def
Password O 32 8 getinterval concatstrings
U 0 48 getinterval concatstrings sha256
O 0 32 getinterval eq {
% Step 3, second paragraph.
Password O 40 8 getinterval concatstrings
U 0 48 getinterval concatstrings sha256
16 string Trailer /Encrypt oget /OE oget concatstrings
<< /Key 4 -1 roll /Padding //false >> aesdecode //true
} {
% Step 4.
Password U 32 8 getinterval concatstrings sha256
U 0 32 getinterval eq {
% Step 4, second paragraph.
Password U 40 8 getinterval concatstrings sha256
16 string Trailer /Encrypt oget /UE oget concatstrings
<< /Key 4 -1 roll /Padding //false >> aesdecode //true
} {
//false
} ifelse
} ifelse
% Step 5.
dup {
% Adobe says to decrypt the Perms string using "ECB mode with
% an initialization vector of zero", which must be a mistake --
% ECB mode doesn't use initialization vectors. It looks like
% they meant "ECB mode, or CBC mode with an initialization
% vector of zero", since the two are equivalent for a single-
% block message. We use the latter.
16 string Trailer /Encrypt oget /Perms oget concatstrings
<< /Key 4 index /Padding //false >> aesdecode
9 3 getinterval (adb) eq not {
( **** Error: Failed to decrypt Perms string.\n) pdfformaterror
( Cannot decrypt PDF file.\n) pdfformaterror
printProducer
/pdf_check_r5_password cvx /rangecheck signalerror
} if
} if
end
} bind executeonly def
% <password> pdf_check_password <filekey> true
% <password> pdf_check_password false
/pdf_check_password {
% If R is 2, 3, or 4, use Algorithms 3.6 and 3.7 to see if this is
% a valid user or owner password. Following historical practice,
% we treat the password as an arbitrary string of bytes and don't
% interpret it in any way. (If the password fails, it would be
% nice to try some plausible character set conversions, but this
% gets complicated. Even Adobe products don't seem to handle it
% consistently.)
%
% If R is 5, use Algorithm 3.2a. The password should be text, in
% either UTF-8 or the current locale's charset.
Trailer /Encrypt oget /R oget
dup dup 2 ge exch 4 le and {
pop
dup pdf_check_pre_r5_user_password {
exch pop //true
} {
pdf_check_pre_r5_owner_password
} ifelse
} {
dup 5 eq {
pop
% First, try the password as UTF-8.
dup pdf_check_r5_password {
exch pop //true
} {
% The password didn't work as UTF-8, so maybe it's in the
% locale character set instead. If possible, convert it to
% UTF-8 and try again.
/.locale_to_utf8 where {
pop .locale_to_utf8 pdf_check_r5_password
} {
pop //false
} ifelse
} ifelse
} {
dup 6 eq {
pop
% First, try the password as UTF-8.
dup Trailer /Encrypt oget //check_r6_password exec {
exch pop //true
} {
% The password didn't work as UTF-8, so maybe it's in the
% locale character set instead. If possible, convert it to
% UTF-8 and try again.
/.locale_to_utf8 where {
pop .locale_to_utf8 Trailer /Encrypt oget //check_r6_password exec
} {
pop //false
} ifelse
} ifelse
} {
( **** Warning: This file uses an unknown standard security handler revision: )
exch =string cvs concatstrings (\n) concatstrings pdfformatwarning
( Cannot decrypt PDF file.\n) pdfformaterror
printProducer
/pdf_check_password cvx /undefined signalerror
} ifelse
} ifelse
} ifelse
} bind executeonly def
systemdict /check_r6_password .forceundef
% Process the encryption information in the Trailer.
/pdf_process_Encrypt {
Trailer /Encrypt oget
/Filter oget /Standard eq not {
( **** Warning: This file uses an unknown security handler.\n) pdfformatwarning
( Cannot decrypt PDF file.\n) pdfformaterror
printProducer
/pdf_process_Encrypt cvx /undefined signalerror
} if
() pdf_check_password
{
/FileKey exch def
} {
/PDFPassword where {
pop PDFPassword pdf_check_password
{
/FileKey exch def
} {
( **** Error: Password did not work.\n) pdfformaterror
( Cannot decrypt PDF file.\n) pdfformaterror
% If ghostscript was built without libidn, it's missing the
% .saslprep operator and thus can't do proper Unicode password
% normalization. Similarly, if the system provides neither
% iconv nor the Windows MultiByteToWideChar function, then we
% won't have the .locale_to_utf8 operator to convert passwords
% from the locale character set to UTF-8.
%
% It's not a huge problem if you're missing either or both of
% these. ASCII passwords will work fine regardless, and even
% Unicode passwords will often be okay.
%
% However, if .saslprep or .locale_to_utf8 is missing, and the
% user enters a non-ASCII password that doesn't work, we give
% a warning message.
PDFPassword contains_non_ascii {
/.saslprep where not {
( **** WARNING: Ghostscript was configured without libidn,\n)
( **** so non-ASCII passwords aren't supported!\n)
concatstrings pdfformaterror
} {
pop
/.locale_to_utf8 where not {
( **** WARNING: Ghostscript was configured without iconv,\n)
( **** so non-ASCII passwords aren't supported!\n)
concatstrings pdfformaterror
} {
pop
} ifelse
} ifelse
} if
/pdf_process_Encrypt cvx /invalidfileaccess signalerror
} ifelse
} {
( **** This file requires a password for access.\n) pdfformaterror
/pdf_process_Encrypt cvx /invalidfileaccess signalerror
} ifelse
} ifelse
% Trailer /Encrypt oget /P oget 4 and 0 eq #? and
% { ( ****This owner of this file has requested you do not print it.\n)
% pdfformaterror printProducer
% /pdf_process_Encrypt cvx /invalidfileaccess signalerror
% }
% if
} bind executeonly def
% Calculate the key used to decrypt an object (to pass to .decpdfrun or
% put into a stream dictionary).
/computeobjkey % <object#> <generation#> computeobjkey <keystring>
{
Trailer /Encrypt oget /V oget 5 eq {
% Encrypt version 5 doesn't use object keys; everything is
% encrypted with the file key.
pop pop FileKey
} {
exch
FileKey length 5 add string
dup 0 FileKey putinterval
exch
% stack: gen# string obj#
2 copy 255 and FileKey length exch put
2 copy -8 bitshift 255 and FileKey length 1 add exch put
2 copy -16 bitshift 255 and FileKey length 2 add exch put
pop exch
2 copy 255 and FileKey length 3 add exch put
2 copy -8 bitshift 255 and FileKey length 4 add exch put
pop
% this step is for the AES cipher only
Trailer /Encrypt oget
dup /StmF knownoget {
%% Treat StmF of 'Identity' the same as if it is missing.
dup /Identity eq {
pop pop
} {
exch /CF knownoget {
exch oget /CFM oget /AESV2 eq {
(sAlT) concatstrings
} if
} {
pop
} ifelse
} ifelse
} {
pop
} ifelse
md5 0 FileKey length 5 add 2 index length .min getinterval
} ifelse
} bind executeonly def
% As .pdfrun, but decrypt strings with key <key>.
/PDFScanRules_true << /PDFScanRules //true >> def
/PDFScanRules_null << /PDFScanRules //null >> def
/.decpdfrun % <file> <keystring> <opdict> .decpdfrun -
{ % Construct a procedure with the file, opdict and key bound into it.
2 index cvlit mark
/PDFScanRules .getuserparam //null eq {
//PDFScanRules_true { setuserparams } 0 get % force PDF scanning mode
mark 7 4 roll
} {
mark 5 2 roll
} ifelse
{ .pdftoken not { (%%EOF) cvn cvx } if
dup xcheck
{ PDFDEBUG { dup //== exec flush } if
3 -1 roll pop
2 copy .knownget
{ exch pop exch pop exec
}
{ exch pop
dup /true eq
{ pop //true
}
{ dup /false eq
{ pop //false
}
{ dup /null eq
{ pop //null
}
{ ( **** Error: Unknown operator: )
exch =string cvs concatstrings (\n) concatstrings
pdfformaterror
( Output may be incorrect.\n) pdfformaterror
}
ifelse
}
ifelse
}
ifelse
}
ifelse
}
{ exch pop PDFDEBUG { dup ==only ( ) print flush } if
dup type /stringtype eq
{
% Check if we have encrypted strings R>=4 allows for
% selection of encryption on streams and strings
Trailer /Encrypt oget % Get encryption dictionary
dup /R oget 4 lt % only >=4 has selectable
{ % R < 4 --> arc4 strings
pop 1 index arc4decode % Decrypt string
PDFDEBUG { (%Decrypted: ) print dup //== exec flush } if
} { % Else R >= 4
/StrF knownoget % Get StrF (if present)
{ % If StrF is present ...
dup /Identity eq not % Check if StrF != Identity
{ /StdCF eq
{ Trailer /Encrypt oget /CF knownoget {
/StdCF oget /CFM oget
dup /AESV2 eq exch /AESV3 eq or
} {
//false
} ifelse { % Decrypt string
1 index aesdecode
} {
1 index arc4decode
} ifelse
}
{ 1 index arc4decode }
ifelse % If StrF != StdCF
PDFDEBUG { (%Decrypted: ) print dup //== exec flush } if
}
{ pop }
ifelse % If StrF != identity
}
if % If StrF is known
}
ifelse % Ifelse R < 4
} {
dup type /nametype eq {
.pdffixname
} if
}
ifelse
exch pop
}
ifelse
}
aload pop //.packtomark exec cvx
{ loop } 0 get 2 packedarray cvx
{ stopped } 0 get
/PDFScanRules .getuserparam //null eq {
//PDFScanRules_null { setuserparams } 0 get % reset PDF scannig mode if it was off
} if
/PDFsource PDFsource
{ store { stop } if } aload pop //.packtomark exec cvx
/PDFsource 3 -1 roll store exec
} bind executeonly def
currentdict /PDFScanRules_true undef
currentdict /PDFScanRules_null undef
% Run the code to resolve an object reference.
/pdf_run_resolve
{ /FileKey where % Check if the file is encrypted
{ pop % File is encrypted
2 copy computeobjkey dup 4 1 roll
PDFfile exch resolveopdict .decpdfrun
dup dup dup 5 2 roll
% stack: object object key object object
{ % Use loop to provide an exitable context.
xcheck exch type /dicttype eq and % Check if executable dictionary
not { % If object is not ...
pop pop % ignore object
exit % Exit 'loop' context
} if % If not possible stream
% Starting with PDF 1.4 (R = 3), there are some extra features
% which control encryption of streams. The EncryptMetadata entry
% in the Encrypt dict controls the encryption of metadata streams.
Trailer /Encrypt oget % Get encryption dictionary
dup /R oget dup 3 lt % Only PDF 1.4 and higher has options
{ % R < 3 --> all streams encrypted
pop pop /StreamKey exch put % Insert StreamKey in dictionary
exit % Exit 'loop' context
} if
% Check EncryptMeta. stack: object object key Encrypt R
exch dup /EncryptMetadata knownoget % Get EncryptMetadata (if present)
not { //true } if % If not present default = true
not % Check if EncryptMetadata = false
{ % if false we need to check the stream type
3 index /Type knownoget % Get stream type (if present)
not { //null } if % If type not present use fake name
/Metadata eq % Check if the type is Metadata
{ pop pop pop pop % Type == Metadata --> no encryption
exit % Exit 'loop' context
} if
} if
% PDF 1.5 encryption (R == 4) has selectable encryption handlers. If
% this is not PDF 1.5 encryption (R < 4) then we are done checking and
% we need to decrypt the stream. stack: object object key R Encrypt
exch 4 lt % Check for less than PDF 1.5
{ pop /StreamKey exch put % Insert StreamKey in dictionary
exit % Exit 'loop' context
} if
% Check if the stream encryption handler (StmF) == Identity.
PDFDEBUG {
Trailer /Encrypt oget /CF knownoget {
/StdCF oget /CFM oget
(Encrypt StmF is StdCF with CFM ) print =
} if
} if
/StmF knownoget % Get StmF (if present)
not { /Identity } if % If StmF not present default = Identity
/Identity eq % Check if StmF == Identity
{ pop pop % Identity --> no encryption
exit % Exit 'loop' context
} if
% If we get here then we need to decrypt the stream.
/StreamKey exch put % Insert StreamKey into dictionary
exit % Exit 'loop' context, never loop
} loop % End of loop exitable context
} { % Else file is not encrypted
PDFfile resolveopdict .pdfrun
} ifelse % Ifelse encrypted
} bind executeonly def
% Prefix a decryption filter to a stream if needed.
% Stack: readdata? dict parms file/string filternames
% (both before and after).
/pdf_decrypt_stream
{ 3 index /StreamKey known % Check if the file is encrypted
{
exch
% Stack: readdata? dict parms filternames file/string
3 index /StreamKey get
Trailer /Encrypt oget
dup /StmF knownoget
{ % stack: key Encrypt StmF
exch /CF knownoget {
exch oget /CFM oget % stack: key StmF-CFM
dup /AESV2 eq exch /AESV3 eq or
} { pop //false } ifelse
{ aesdecodefilter } % install the requested filter
{ arc4decodefilter }
ifelse
}
{ pop arc4decodefilter } % fallback for no StmF
ifelse
exch
} if
} bind executeonly def
end % pdfdict
systemdict /pdfdict .forceundef % hide pdfdict
.setglobal