2
1
mirror of https://github.com/qpdf/qpdf.git synced 2025-01-23 15:18:33 +00:00
qpdf/libqpdf/QPDF_encryption.cc
Jay Berkenbilt 4f24617e1e Code clean up: use range-style for loops wherever possible
Where not possible, use "auto" to get the iterator type.

Editorial note: I have avoid this change for a long time because of
not wanting to make gratuitous changes to version history, which can
obscure when certain changes were made, but with having recently
touched every single file to apply automatic code formatting and with
making several broad changes to the API, I decided it was time to take
the plunge and get rid of the older (pre-C++11) verbose iterator
syntax. The new code is just easier to read and understand, and in
many cases, it will be more effecient as fewer temporary copies are
being made.

m-holger, if you're reading, you can see that I've finally come
around. :-)
2022-04-30 13:27:18 -04:00

1564 lines
47 KiB
C++

// This file implements methods from the QPDF class that involve
// encryption.
#include <qpdf/QPDF.hh>
#include <qpdf/QPDFExc.hh>
#include <qpdf/MD5.hh>
#include <qpdf/Pl_AES_PDF.hh>
#include <qpdf/Pl_Buffer.hh>
#include <qpdf/Pl_RC4.hh>
#include <qpdf/Pl_SHA2.hh>
#include <qpdf/QTC.hh>
#include <qpdf/QUtil.hh>
#include <qpdf/RC4.hh>
#include <algorithm>
#include <assert.h>
#include <string.h>
static unsigned char const padding_string[] = {
0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e,
0x56, 0xff, 0xfa, 0x01, 0x08, 0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68,
0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a};
static unsigned int const key_bytes = 32;
// V4 key lengths apply to V <= 4
static unsigned int const OU_key_bytes_V4 = sizeof(MD5::Digest);
static unsigned int const OU_key_bytes_V5 = 48;
static unsigned int const OUE_key_bytes_V5 = 32;
static unsigned int const Perms_key_bytes_V5 = 16;
int
QPDF::EncryptionData::getV() const
{
return this->V;
}
int
QPDF::EncryptionData::getR() const
{
return this->R;
}
int
QPDF::EncryptionData::getLengthBytes() const
{
return this->Length_bytes;
}
int
QPDF::EncryptionData::getP() const
{
return this->P;
}
std::string const&
QPDF::EncryptionData::getO() const
{
return this->O;
}
std::string const&
QPDF::EncryptionData::getU() const
{
return this->U;
}
std::string const&
QPDF::EncryptionData::getOE() const
{
return this->OE;
}
std::string const&
QPDF::EncryptionData::getUE() const
{
return this->UE;
}
std::string const&
QPDF::EncryptionData::getPerms() const
{
return this->Perms;
}
std::string const&
QPDF::EncryptionData::getId1() const
{
return this->id1;
}
bool
QPDF::EncryptionData::getEncryptMetadata() const
{
return this->encrypt_metadata;
}
void
QPDF::EncryptionData::setO(std::string const& O)
{
this->O = O;
}
void
QPDF::EncryptionData::setU(std::string const& U)
{
this->U = U;
}
void
QPDF::EncryptionData::setV5EncryptionParameters(
std::string const& O,
std::string const& OE,
std::string const& U,
std::string const& UE,
std::string const& Perms)
{
this->O = O;
this->OE = OE;
this->U = U;
this->UE = UE;
this->Perms = Perms;
}
static void
pad_or_truncate_password_V4(std::string const& password, char k1[key_bytes])
{
size_t password_bytes =
std::min(QIntC::to_size(key_bytes), password.length());
size_t pad_bytes = key_bytes - password_bytes;
memcpy(k1, password.c_str(), password_bytes);
memcpy(k1 + password_bytes, padding_string, pad_bytes);
}
void
QPDF::trim_user_password(std::string& user_password)
{
// Although unnecessary, this routine trims the padding string
// from the end of a user password. Its only purpose is for
// recovery of user passwords which is done in the test suite.
char const* cstr = user_password.c_str();
size_t len = user_password.length();
if (len < key_bytes) {
return;
}
char const* p1 = cstr;
char const* p2 = 0;
while ((p2 = strchr(p1, '\x28')) != 0) {
size_t idx = toS(p2 - cstr);
if (memcmp(p2, padding_string, len - idx) == 0) {
user_password = user_password.substr(0, idx);
return;
} else {
QTC::TC("qpdf", "QPDF_encryption skip 0x28");
p1 = p2 + 1;
}
}
}
static std::string
pad_or_truncate_password_V4(std::string const& password)
{
char k1[key_bytes];
pad_or_truncate_password_V4(password, k1);
return std::string(k1, key_bytes);
}
static std::string
truncate_password_V5(std::string const& password)
{
return password.substr(
0, std::min(static_cast<size_t>(127), password.length()));
}
static void
iterate_md5_digest(MD5& md5, MD5::Digest& digest, int iterations, int key_len)
{
md5.digest(digest);
for (int i = 0; i < iterations; ++i) {
MD5 m;
m.encodeDataIncrementally(
reinterpret_cast<char*>(digest), QIntC::to_size(key_len));
m.digest(digest);
}
}
static void
iterate_rc4(
unsigned char* data,
size_t data_len,
unsigned char* okey,
int key_len,
int iterations,
bool reverse)
{
auto key_ph = std::make_unique<unsigned char[]>(QIntC::to_size(key_len));
unsigned char* key = key_ph.get();
for (int i = 0; i < iterations; ++i) {
int const xor_value = (reverse ? iterations - 1 - i : i);
for (int j = 0; j < key_len; ++j) {
key[j] = static_cast<unsigned char>(okey[j] ^ xor_value);
}
RC4 rc4(key, QIntC::to_int(key_len));
rc4.process(data, data_len);
}
}
static std::string
process_with_aes(
std::string const& key,
bool encrypt,
std::string const& data,
size_t outlength = 0,
unsigned int repetitions = 1,
unsigned char const* iv = 0,
size_t iv_length = 0)
{
Pl_Buffer buffer("buffer");
Pl_AES_PDF aes(
"aes",
&buffer,
encrypt,
QUtil::unsigned_char_pointer(key),
QIntC::to_uint(key.length()));
if (iv) {
aes.setIV(iv, iv_length);
} else {
aes.useZeroIV();
}
aes.disablePadding();
for (unsigned int i = 0; i < repetitions; ++i) {
aes.write(QUtil::unsigned_char_pointer(data), data.length());
}
aes.finish();
auto bufp = buffer.getBufferSharedPointer();
if (outlength == 0) {
outlength = bufp->getSize();
} else {
outlength = std::min(outlength, bufp->getSize());
}
return std::string(reinterpret_cast<char*>(bufp->getBuffer()), outlength);
}
static std::string
hash_V5(
std::string const& password,
std::string const& salt,
std::string const& udata,
QPDF::EncryptionData const& data)
{
Pl_SHA2 hash(256);
hash.write(QUtil::unsigned_char_pointer(password), password.length());
hash.write(QUtil::unsigned_char_pointer(salt), salt.length());
hash.write(QUtil::unsigned_char_pointer(udata), udata.length());
hash.finish();
std::string K = hash.getRawDigest();
std::string result;
if (data.getR() < 6) {
result = K;
} else {
// Algorithm 2.B from ISO 32000-1 chapter 7: Computing a hash
int round_number = 0;
bool done = false;
while (!done) {
// The hash algorithm has us setting K initially to the R5
// value and then repeating a series of steps 64 times
// before starting with the termination case testing. The
// wording of the specification is very unclear as to the
// exact number of times it should be run since the
// wording about whether the initial setup counts as round
// 0 or not is ambiguous. This code counts the initial
// setup (R5) value as round 0, which appears to be
// correct. This was determined to be correct by
// increasing or decreasing the number of rounds by 1 or 2
// from this value and generating 20 test files. In this
// interpretation, all the test files worked with Adobe
// Reader X. In the other configurations, many of the
// files did not work, and we were accurately able to
// predict which files didn't work by looking at the
// conditions under which we terminated repetition.
++round_number;
std::string K1 = password + K + udata;
assert(K.length() >= 32);
std::string E = process_with_aes(
K.substr(0, 16),
true,
K1,
0,
64,
QUtil::unsigned_char_pointer(K.substr(16, 16)),
16);
// E_mod_3 is supposed to be mod 3 of the first 16 bytes
// of E taken as as a (128-bit) big-endian number. Since
// (xy mod n) is equal to ((x mod n) + (y mod n)) mod n
// and since 256 mod n is 1, we can just take the sums of
// the the mod 3s of each byte to get the same result.
int E_mod_3 = 0;
for (unsigned int i = 0; i < 16; ++i) {
E_mod_3 += static_cast<unsigned char>(E.at(i));
}
E_mod_3 %= 3;
int next_hash = ((E_mod_3 == 0) ? 256 : (E_mod_3 == 1) ? 384 : 512);
Pl_SHA2 sha2(next_hash);
sha2.write(QUtil::unsigned_char_pointer(E), E.length());
sha2.finish();
K = sha2.getRawDigest();
if (round_number >= 64) {
unsigned int ch = static_cast<unsigned char>(*(E.rbegin()));
if (ch <= QIntC::to_uint(round_number - 32)) {
done = true;
}
}
}
result = K.substr(0, 32);
}
return result;
}
static void
pad_short_parameter(std::string& param, size_t max_len)
{
if (param.length() < max_len) {
QTC::TC("qpdf", "QPDF_encryption pad short parameter");
param.append(max_len - param.length(), '\0');
}
}
std::string
QPDF::compute_data_key(
std::string const& encryption_key,
int objid,
int generation,
bool use_aes,
int encryption_V,
int encryption_R)
{
// Algorithm 3.1 from the PDF 1.7 Reference Manual
std::string result = encryption_key;
if (encryption_V >= 5) {
// Algorithm 3.1a (PDF 1.7 extension level 3): just use
// encryption key straight.
return result;
}
// Append low three bytes of object ID and low two bytes of generation
result.append(1, static_cast<char>(objid & 0xff));
result.append(1, static_cast<char>((objid >> 8) & 0xff));
result.append(1, static_cast<char>((objid >> 16) & 0xff));
result.append(1, static_cast<char>(generation & 0xff));
result.append(1, static_cast<char>((generation >> 8) & 0xff));
if (use_aes) {
result += "sAlT";
}
MD5 md5;
md5.encodeDataIncrementally(result.c_str(), result.length());
MD5::Digest digest;
md5.digest(digest);
return std::string(
reinterpret_cast<char*>(digest), std::min(result.length(), toS(16)));
}
std::string
QPDF::compute_encryption_key(
std::string const& password, EncryptionData const& data)
{
if (data.getV() >= 5) {
// For V >= 5, the encryption key is generated and stored in
// the file, encrypted separately with both user and owner
// passwords.
return recover_encryption_key_with_password(password, data);
} else {
// For V < 5, the encryption key is derived from the user
// password.
return compute_encryption_key_from_password(password, data);
}
}
std::string
QPDF::compute_encryption_key_from_password(
std::string const& password, EncryptionData const& data)
{
// Algorithm 3.2 from the PDF 1.7 Reference Manual
// This code does not properly handle Unicode passwords.
// Passwords are supposed to be converted from OS codepage
// characters to PDFDocEncoding. Unicode passwords are supposed
// to be converted to OS codepage before converting to
// PDFDocEncoding. We instead require the password to be
// presented in its final form.
MD5 md5;
md5.encodeDataIncrementally(
pad_or_truncate_password_V4(password).c_str(), key_bytes);
md5.encodeDataIncrementally(data.getO().c_str(), key_bytes);
char pbytes[4];
int P = data.getP();
pbytes[0] = static_cast<char>(P & 0xff);
pbytes[1] = static_cast<char>((P >> 8) & 0xff);
pbytes[2] = static_cast<char>((P >> 16) & 0xff);
pbytes[3] = static_cast<char>((P >> 24) & 0xff);
md5.encodeDataIncrementally(pbytes, 4);
md5.encodeDataIncrementally(data.getId1().c_str(), data.getId1().length());
if ((data.getR() >= 4) && (!data.getEncryptMetadata())) {
char bytes[4];
memset(bytes, 0xff, 4);
md5.encodeDataIncrementally(bytes, 4);
}
MD5::Digest digest;
int key_len =
std::min(QIntC::to_int(sizeof(digest)), data.getLengthBytes());
iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len);
return std::string(
reinterpret_cast<char*>(digest), QIntC::to_size(key_len));
}
static void
compute_O_rc4_key(
std::string const& user_password,
std::string const& owner_password,
QPDF::EncryptionData const& data,
unsigned char key[OU_key_bytes_V4])
{
if (data.getV() >= 5) {
throw std::logic_error("compute_O_rc4_key called for file with V >= 5");
}
std::string password = owner_password;
if (password.empty()) {
password = user_password;
}
MD5 md5;
md5.encodeDataIncrementally(
pad_or_truncate_password_V4(password).c_str(), key_bytes);
MD5::Digest digest;
int key_len =
std::min(QIntC::to_int(sizeof(digest)), data.getLengthBytes());
iterate_md5_digest(md5, digest, ((data.getR() >= 3) ? 50 : 0), key_len);
memcpy(key, digest, OU_key_bytes_V4);
}
static std::string
compute_O_value(
std::string const& user_password,
std::string const& owner_password,
QPDF::EncryptionData const& data)
{
// Algorithm 3.3 from the PDF 1.7 Reference Manual
unsigned char O_key[OU_key_bytes_V4];
compute_O_rc4_key(user_password, owner_password, data, O_key);
char upass[key_bytes];
pad_or_truncate_password_V4(user_password, upass);
std::string k1(reinterpret_cast<char*>(O_key), OU_key_bytes_V4);
pad_short_parameter(k1, QIntC::to_size(data.getLengthBytes()));
iterate_rc4(
QUtil::unsigned_char_pointer(upass),
key_bytes,
O_key,
data.getLengthBytes(),
(data.getR() >= 3) ? 20 : 1,
false);
return std::string(upass, key_bytes);
}
static std::string
compute_U_value_R2(
std::string const& user_password, QPDF::EncryptionData const& data)
{
// Algorithm 3.4 from the PDF 1.7 Reference Manual
std::string k1 = QPDF::compute_encryption_key(user_password, data);
char udata[key_bytes];
pad_or_truncate_password_V4("", udata);
pad_short_parameter(k1, QIntC::to_size(data.getLengthBytes()));
iterate_rc4(
QUtil::unsigned_char_pointer(udata),
key_bytes,
QUtil::unsigned_char_pointer(k1),
data.getLengthBytes(),
1,
false);
return std::string(udata, key_bytes);
}
static std::string
compute_U_value_R3(
std::string const& user_password, QPDF::EncryptionData const& data)
{
// Algorithm 3.5 from the PDF 1.7 Reference Manual
std::string k1 = QPDF::compute_encryption_key(user_password, data);
MD5 md5;
md5.encodeDataIncrementally(
pad_or_truncate_password_V4("").c_str(), key_bytes);
md5.encodeDataIncrementally(data.getId1().c_str(), data.getId1().length());
MD5::Digest digest;
md5.digest(digest);
pad_short_parameter(k1, QIntC::to_size(data.getLengthBytes()));
iterate_rc4(
digest,
sizeof(MD5::Digest),
QUtil::unsigned_char_pointer(k1),
data.getLengthBytes(),
20,
false);
char result[key_bytes];
memcpy(result, digest, sizeof(MD5::Digest));
// pad with arbitrary data -- make it consistent for the sake of
// testing
for (unsigned int i = sizeof(MD5::Digest); i < key_bytes; ++i) {
result[i] = static_cast<char>((i * i) % 0xff);
}
return std::string(result, key_bytes);
}
static std::string
compute_U_value(
std::string const& user_password, QPDF::EncryptionData const& data)
{
if (data.getR() >= 3) {
return compute_U_value_R3(user_password, data);
}
return compute_U_value_R2(user_password, data);
}
static bool
check_user_password_V4(
std::string const& user_password, QPDF::EncryptionData const& data)
{
// Algorithm 3.6 from the PDF 1.7 Reference Manual
std::string u_value = compute_U_value(user_password, data);
size_t to_compare = ((data.getR() >= 3) ? sizeof(MD5::Digest) : key_bytes);
return (memcmp(data.getU().c_str(), u_value.c_str(), to_compare) == 0);
}
static bool
check_user_password_V5(
std::string const& user_password, QPDF::EncryptionData const& data)
{
// Algorithm 3.11 from the PDF 1.7 extension level 3
std::string user_data = data.getU().substr(0, 32);
std::string validation_salt = data.getU().substr(32, 8);
std::string password = truncate_password_V5(user_password);
return (hash_V5(password, validation_salt, "", data) == user_data);
}
static bool
check_user_password(
std::string const& user_password, QPDF::EncryptionData const& data)
{
if (data.getV() < 5) {
return check_user_password_V4(user_password, data);
} else {
return check_user_password_V5(user_password, data);
}
}
static bool
check_owner_password_V4(
std::string& user_password,
std::string const& owner_password,
QPDF::EncryptionData const& data)
{
// Algorithm 3.7 from the PDF 1.7 Reference Manual
unsigned char key[OU_key_bytes_V4];
compute_O_rc4_key(user_password, owner_password, data, key);
unsigned char O_data[key_bytes];
memcpy(O_data, QUtil::unsigned_char_pointer(data.getO()), key_bytes);
std::string k1(reinterpret_cast<char*>(key), OU_key_bytes_V4);
pad_short_parameter(k1, QIntC::to_size(data.getLengthBytes()));
iterate_rc4(
O_data,
key_bytes,
QUtil::unsigned_char_pointer(k1),
data.getLengthBytes(),
(data.getR() >= 3) ? 20 : 1,
true);
std::string new_user_password =
std::string(reinterpret_cast<char*>(O_data), key_bytes);
bool result = false;
if (check_user_password(new_user_password, data)) {
result = true;
user_password = new_user_password;
}
return result;
}
static bool
check_owner_password_V5(
std::string const& owner_password, QPDF::EncryptionData const& data)
{
// Algorithm 3.12 from the PDF 1.7 extension level 3
std::string user_data = data.getU().substr(0, 48);
std::string owner_data = data.getO().substr(0, 32);
std::string validation_salt = data.getO().substr(32, 8);
std::string password = truncate_password_V5(owner_password);
return (hash_V5(password, validation_salt, user_data, data) == owner_data);
}
static bool
check_owner_password(
std::string& user_password,
std::string const& owner_password,
QPDF::EncryptionData const& data)
{
if (data.getV() < 5) {
return check_owner_password_V4(user_password, owner_password, data);
} else {
return check_owner_password_V5(owner_password, data);
}
}
std::string
QPDF::recover_encryption_key_with_password(
std::string const& password, EncryptionData const& data)
{
// Disregard whether Perms is valid.
bool disregard;
return recover_encryption_key_with_password(password, data, disregard);
}
static void
compute_U_UE_value_V5(
std::string const& user_password,
std::string const& encryption_key,
QPDF::EncryptionData const& data,
std::string& U,
std::string& UE)
{
// Algorithm 3.8 from the PDF 1.7 extension level 3
char k[16];
QUtil::initializeWithRandomBytes(
reinterpret_cast<unsigned char*>(k), sizeof(k));
std::string validation_salt(k, 8);
std::string key_salt(k + 8, 8);
U = hash_V5(user_password, validation_salt, "", data) + validation_salt +
key_salt;
std::string intermediate_key = hash_V5(user_password, key_salt, "", data);
UE = process_with_aes(intermediate_key, true, encryption_key);
}
static void
compute_O_OE_value_V5(
std::string const& owner_password,
std::string const& encryption_key,
QPDF::EncryptionData const& data,
std::string const& U,
std::string& O,
std::string& OE)
{
// Algorithm 3.9 from the PDF 1.7 extension level 3
char k[16];
QUtil::initializeWithRandomBytes(
reinterpret_cast<unsigned char*>(k), sizeof(k));
std::string validation_salt(k, 8);
std::string key_salt(k + 8, 8);
O = hash_V5(owner_password, validation_salt, U, data) + validation_salt +
key_salt;
std::string intermediate_key = hash_V5(owner_password, key_salt, U, data);
OE = process_with_aes(intermediate_key, true, encryption_key);
}
void
compute_Perms_value_V5_clear(
std::string const& encryption_key,
QPDF::EncryptionData const& data,
unsigned char k[16])
{
// From algorithm 3.10 from the PDF 1.7 extension level 3
unsigned long long extended_perms =
0xffffffff00000000LL | static_cast<unsigned long long>(data.getP());
for (int i = 0; i < 8; ++i) {
k[i] = static_cast<unsigned char>(extended_perms & 0xff);
extended_perms >>= 8;
}
k[8] = data.getEncryptMetadata() ? 'T' : 'F';
k[9] = 'a';
k[10] = 'd';
k[11] = 'b';
QUtil::initializeWithRandomBytes(k + 12, 4);
}
static std::string
compute_Perms_value_V5(
std::string const& encryption_key, QPDF::EncryptionData const& data)
{
// Algorithm 3.10 from the PDF 1.7 extension level 3
unsigned char k[16];
compute_Perms_value_V5_clear(encryption_key, data, k);
return process_with_aes(
encryption_key,
true,
std::string(reinterpret_cast<char*>(k), sizeof(k)));
}
std::string
QPDF::recover_encryption_key_with_password(
std::string const& password, EncryptionData const& data, bool& perms_valid)
{
// Algorithm 3.2a from the PDF 1.7 extension level 3
// This code does not handle Unicode passwords correctly.
// Empirical evidence suggests that most viewers don't. We are
// supposed to process the input string with the SASLprep (RFC
// 4013) profile of stringprep (RFC 3454) and then convert the
// result to UTF-8.
perms_valid = false;
std::string key_password = truncate_password_V5(password);
std::string key_salt;
std::string user_data;
std::string encrypted_file_key;
if (check_owner_password_V5(key_password, data)) {
key_salt = data.getO().substr(40, 8);
user_data = data.getU().substr(0, 48);
encrypted_file_key = data.getOE().substr(0, 32);
} else if (check_user_password_V5(key_password, data)) {
key_salt = data.getU().substr(40, 8);
encrypted_file_key = data.getUE().substr(0, 32);
}
std::string intermediate_key =
hash_V5(key_password, key_salt, user_data, data);
std::string file_key =
process_with_aes(intermediate_key, false, encrypted_file_key);
// Decrypt Perms and check against expected value
std::string perms_check =
process_with_aes(file_key, false, data.getPerms(), 12);
unsigned char k[16];
compute_Perms_value_V5_clear(file_key, data, k);
perms_valid = (memcmp(perms_check.c_str(), k, 12) == 0);
return file_key;
}
QPDF::encryption_method_e
QPDF::interpretCF(
std::shared_ptr<EncryptionParameters> encp, QPDFObjectHandle cf)
{
if (cf.isName()) {
std::string filter = cf.getName();
if (encp->crypt_filters.count(filter) != 0) {
return encp->crypt_filters[filter];
} else if (filter == "/Identity") {
return e_none;
} else {
return e_unknown;
}
} else {
// Default: /Identity
return e_none;
}
}
void
QPDF::initializeEncryption()
{
if (this->m->encp->encryption_initialized) {
return;
}
this->m->encp->encryption_initialized = true;
// After we initialize encryption parameters, we must used stored
// key information and never look at /Encrypt again. Otherwise,
// things could go wrong if someone mutates the encryption
// dictionary.
if (!this->m->trailer.hasKey("/Encrypt")) {
return;
}
// Go ahead and set this->m->encrypted here. That way, isEncrypted
// will return true even if there were errors reading the
// encryption dictionary.
this->m->encp->encrypted = true;
std::string id1;
QPDFObjectHandle id_obj = this->m->trailer.getKey("/ID");
if ((id_obj.isArray() && (id_obj.getArrayNItems() == 2) &&
id_obj.getArrayItem(0).isString())) {
id1 = id_obj.getArrayItem(0).getStringValue();
} else {
// Treating a missing ID as the empty string enables qpdf to
// decrypt some invalid encrypted files with no /ID that
// poppler can read but Adobe Reader can't.
warn(
qpdf_e_damaged_pdf,
"trailer",
this->m->file->getLastOffset(),
"invalid /ID in trailer dictionary");
}
QPDFObjectHandle encryption_dict = this->m->trailer.getKey("/Encrypt");
if (!encryption_dict.isDictionary()) {
throw QPDFExc(
qpdf_e_damaged_pdf,
this->m->file->getName(),
this->m->last_object_description,
this->m->file->getLastOffset(),
"/Encrypt in trailer dictionary is not a dictionary");
}
if (!(encryption_dict.getKey("/Filter").isName() &&
(encryption_dict.getKey("/Filter").getName() == "/Standard"))) {
throw QPDFExc(
qpdf_e_unsupported,
this->m->file->getName(),
"encryption dictionary",
this->m->file->getLastOffset(),
"unsupported encryption filter");
}
if (!encryption_dict.getKey("/SubFilter").isNull()) {
warn(
qpdf_e_unsupported,
"encryption dictionary",
this->m->file->getLastOffset(),
"file uses encryption SubFilters,"
" which qpdf does not support");
}
if (!(encryption_dict.getKey("/V").isInteger() &&
encryption_dict.getKey("/R").isInteger() &&
encryption_dict.getKey("/O").isString() &&
encryption_dict.getKey("/U").isString() &&
encryption_dict.getKey("/P").isInteger())) {
throw QPDFExc(
qpdf_e_damaged_pdf,
this->m->file->getName(),
"encryption dictionary",
this->m->file->getLastOffset(),
"some encryption dictionary parameters are missing "
"or the wrong type");
}
int V = encryption_dict.getKey("/V").getIntValueAsInt();
int R = encryption_dict.getKey("/R").getIntValueAsInt();
std::string O = encryption_dict.getKey("/O").getStringValue();
std::string U = encryption_dict.getKey("/U").getStringValue();
int P = static_cast<int>(encryption_dict.getKey("/P").getIntValue());
// If supporting new encryption R/V values, remember to update
// error message inside this if statement.
if (!(((R >= 2) && (R <= 6)) &&
((V == 1) || (V == 2) || (V == 4) || (V == 5)))) {
throw QPDFExc(
qpdf_e_unsupported,
this->m->file->getName(),
"encryption dictionary",
this->m->file->getLastOffset(),
"Unsupported /R or /V in encryption dictionary; R = " +
QUtil::int_to_string(R) +
" (max 6), V = " + QUtil::int_to_string(V) + " (max 5)");
}
this->m->encp->encryption_V = V;
this->m->encp->encryption_R = R;
// OE, UE, and Perms are only present if V >= 5.
std::string OE;
std::string UE;
std::string Perms;
if (V < 5) {
// These must be exactly the right number of bytes.
pad_short_parameter(O, key_bytes);
pad_short_parameter(U, key_bytes);
if (!((O.length() == key_bytes) && (U.length() == key_bytes))) {
throw QPDFExc(
qpdf_e_damaged_pdf,
this->m->file->getName(),
"encryption dictionary",
this->m->file->getLastOffset(),
"incorrect length for /O and/or /U in "
"encryption dictionary");
}
} else {
if (!(encryption_dict.getKey("/OE").isString() &&
encryption_dict.getKey("/UE").isString() &&
encryption_dict.getKey("/Perms").isString())) {
throw QPDFExc(
qpdf_e_damaged_pdf,
this->m->file->getName(),
"encryption dictionary",
this->m->file->getLastOffset(),
"some V=5 encryption dictionary parameters are "
"missing or the wrong type");
}
OE = encryption_dict.getKey("/OE").getStringValue();
UE = encryption_dict.getKey("/UE").getStringValue();
Perms = encryption_dict.getKey("/Perms").getStringValue();
// These may be longer than the minimum number of bytes.
pad_short_parameter(O, OU_key_bytes_V5);
pad_short_parameter(U, OU_key_bytes_V5);
pad_short_parameter(OE, OUE_key_bytes_V5);
pad_short_parameter(UE, OUE_key_bytes_V5);
pad_short_parameter(Perms, Perms_key_bytes_V5);
}
int Length = 0;
if (V <= 1) {
Length = 40;
} else if (V == 4) {
Length = 128;
} else if (V == 5) {
Length = 256;
} else {
if (encryption_dict.getKey("/Length").isInteger()) {
Length = encryption_dict.getKey("/Length").getIntValueAsInt();
if ((Length % 8) || (Length < 40) || (Length > 128)) {
Length = 0;
}
}
}
if (Length == 0) {
// Still no Length? Just take a guess.
Length = 128;
}
this->m->encp->encrypt_metadata = true;
if ((V >= 4) && (encryption_dict.getKey("/EncryptMetadata").isBool())) {
this->m->encp->encrypt_metadata =
encryption_dict.getKey("/EncryptMetadata").getBoolValue();
}
if ((V == 4) || (V == 5)) {
QPDFObjectHandle CF = encryption_dict.getKey("/CF");
for (auto const& filter: CF.getKeys()) {
QPDFObjectHandle cdict = CF.getKey(filter);
if (cdict.isDictionary()) {
encryption_method_e method = e_none;
if (cdict.getKey("/CFM").isName()) {
std::string method_name = cdict.getKey("/CFM").getName();
if (method_name == "/V2") {
QTC::TC("qpdf", "QPDF_encryption CFM V2");
method = e_rc4;
} else if (method_name == "/AESV2") {
QTC::TC("qpdf", "QPDF_encryption CFM AESV2");
method = e_aes;
} else if (method_name == "/AESV3") {
QTC::TC("qpdf", "QPDF_encryption CFM AESV3");
method = e_aesv3;
} else {
// Don't complain now -- maybe we won't need
// to reference this type.
method = e_unknown;
}
}
this->m->encp->crypt_filters[filter] = method;
}
}
QPDFObjectHandle StmF = encryption_dict.getKey("/StmF");
QPDFObjectHandle StrF = encryption_dict.getKey("/StrF");
QPDFObjectHandle EFF = encryption_dict.getKey("/EFF");
this->m->encp->cf_stream = interpretCF(this->m->encp, StmF);
this->m->encp->cf_string = interpretCF(this->m->encp, StrF);
if (EFF.isName()) {
// qpdf does not use this for anything other than
// informational purposes. This is intended to instruct
// conforming writers on which crypt filter should be used
// when new file attachments are added to a PDF file, but
// qpdf never generates encrypted files with non-default
// crypt filters. Prior to 10.2, I was under the mistaken
// impression that this was supposed to be used for
// decrypting attachments, but the code was wrong in a way
// that turns out not to have mattered because no writers
// were generating files the way I was imagining. Still,
// providing this information could be useful when looking
// at a file generated by something else, such as Acrobat
// when specifying that only attachments should be
// encrypted.
this->m->encp->cf_file = interpretCF(this->m->encp, EFF);
} else {
this->m->encp->cf_file = this->m->encp->cf_stream;
}
}
EncryptionData data(
V,
R,
Length / 8,
P,
O,
U,
OE,
UE,
Perms,
id1,
this->m->encp->encrypt_metadata);
if (this->m->provided_password_is_hex_key) {
// ignore passwords in file
} else {
this->m->encp->owner_password_matched = check_owner_password(
this->m->encp->user_password,
this->m->encp->provided_password,
data);
if (this->m->encp->owner_password_matched && (V < 5)) {
// password supplied was owner password; user_password has
// been initialized for V < 5
if (getTrimmedUserPassword() == this->m->encp->provided_password) {
this->m->encp->user_password_matched = true;
QTC::TC("qpdf", "QPDF_encryption user matches owner V < 5");
}
} else {
this->m->encp->user_password_matched =
check_user_password(this->m->encp->provided_password, data);
if (this->m->encp->user_password_matched) {
this->m->encp->user_password = this->m->encp->provided_password;
}
}
if (this->m->encp->user_password_matched &&
this->m->encp->owner_password_matched) {
QTC::TC("qpdf", "QPDF_encryption same password", (V < 5) ? 0 : 1);
}
if (!(this->m->encp->owner_password_matched ||
this->m->encp->user_password_matched)) {
throw QPDFExc(
qpdf_e_password,
this->m->file->getName(),
"",
0,
"invalid password");
}
}
if (this->m->provided_password_is_hex_key) {
this->m->encp->encryption_key =
QUtil::hex_decode(this->m->encp->provided_password);
} else if (V < 5) {
// For V < 5, the user password is encrypted with the owner
// password, and the user password is always used for
// computing the encryption key.
this->m->encp->encryption_key =
compute_encryption_key(this->m->encp->user_password, data);
} else {
// For V >= 5, either password can be used independently to
// compute the encryption key, and neither password can be
// used to recover the other.
bool perms_valid;
this->m->encp->encryption_key = recover_encryption_key_with_password(
this->m->encp->provided_password, data, perms_valid);
if (!perms_valid) {
warn(
qpdf_e_damaged_pdf,
"encryption dictionary",
this->m->file->getLastOffset(),
"/Perms field in encryption dictionary"
" doesn't match expected value");
}
}
}
std::string
QPDF::getKeyForObject(
std::shared_ptr<EncryptionParameters> encp,
int objid,
int generation,
bool use_aes)
{
if (!encp->encrypted) {
throw std::logic_error(
"request for encryption key in non-encrypted PDF");
}
if (!((objid == encp->cached_key_objid) &&
(generation == encp->cached_key_generation))) {
encp->cached_object_encryption_key = compute_data_key(
encp->encryption_key,
objid,
generation,
use_aes,
encp->encryption_V,
encp->encryption_R);
encp->cached_key_objid = objid;
encp->cached_key_generation = generation;
}
return encp->cached_object_encryption_key;
}
void
QPDF::decryptString(std::string& str, int objid, int generation)
{
if (objid == 0) {
return;
}
bool use_aes = false;
if (this->m->encp->encryption_V >= 4) {
switch (this->m->encp->cf_string) {
case e_none:
return;
case e_aes:
use_aes = true;
break;
case e_aesv3:
use_aes = true;
break;
case e_rc4:
break;
default:
warn(
qpdf_e_damaged_pdf,
this->m->last_object_description,
this->m->file->getLastOffset(),
"unknown encryption filter for strings"
" (check /StrF in /Encrypt dictionary);"
" strings may be decrypted improperly");
// To avoid repeated warnings, reset cf_string. Assume
// we'd want to use AES if V == 4.
this->m->encp->cf_string = e_aes;
use_aes = true;
break;
}
}
std::string key =
getKeyForObject(this->m->encp, objid, generation, use_aes);
try {
if (use_aes) {
QTC::TC("qpdf", "QPDF_encryption aes decode string");
Pl_Buffer bufpl("decrypted string");
Pl_AES_PDF pl(
"aes decrypt string",
&bufpl,
false,
QUtil::unsigned_char_pointer(key),
key.length());
pl.write(QUtil::unsigned_char_pointer(str), str.length());
pl.finish();
auto buf = bufpl.getBufferSharedPointer();
str = std::string(
reinterpret_cast<char*>(buf->getBuffer()), buf->getSize());
} else {
QTC::TC("qpdf", "QPDF_encryption rc4 decode string");
size_t vlen = str.length();
// Using std::shared_ptr guarantees that tmp will
// be freed even if rc4.process throws an exception.
auto tmp = QUtil::make_unique_cstr(str);
RC4 rc4(QUtil::unsigned_char_pointer(key), toI(key.length()));
rc4.process(QUtil::unsigned_char_pointer(tmp.get()), vlen);
str = std::string(tmp.get(), vlen);
}
} catch (QPDFExc&) {
throw;
} catch (std::runtime_error& e) {
throw QPDFExc(
qpdf_e_damaged_pdf,
this->m->file->getName(),
this->m->last_object_description,
this->m->file->getLastOffset(),
"error decrypting string for object " +
QUtil::int_to_string(objid) + " " +
QUtil::int_to_string(generation) + ": " + e.what());
}
}
void
QPDF::decryptStream(
std::shared_ptr<EncryptionParameters> encp,
std::shared_ptr<InputSource> file,
QPDF& qpdf_for_warning,
Pipeline*& pipeline,
int objid,
int generation,
QPDFObjectHandle& stream_dict,
std::vector<std::shared_ptr<Pipeline>>& heap)
{
std::string type;
if (stream_dict.getKey("/Type").isName()) {
type = stream_dict.getKey("/Type").getName();
}
if (type == "/XRef") {
QTC::TC("qpdf", "QPDF_encryption xref stream from encrypted file");
return;
}
bool use_aes = false;
if (encp->encryption_V >= 4) {
encryption_method_e method = e_unknown;
std::string method_source = "/StmF from /Encrypt dictionary";
if (stream_dict.getKey("/Filter").isOrHasName("/Crypt")) {
if (stream_dict.getKey("/DecodeParms").isDictionary()) {
QPDFObjectHandle decode_parms =
stream_dict.getKey("/DecodeParms");
if (decode_parms.isDictionaryOfType(
"/CryptFilterDecodeParms")) {
QTC::TC("qpdf", "QPDF_encryption stream crypt filter");
method = interpretCF(encp, decode_parms.getKey("/Name"));
method_source = "stream's Crypt decode parameters";
}
} else if (
stream_dict.getKey("/DecodeParms").isArray() &&
stream_dict.getKey("/Filter").isArray()) {
QPDFObjectHandle filter = stream_dict.getKey("/Filter");
QPDFObjectHandle decode = stream_dict.getKey("/DecodeParms");
if (filter.getArrayNItems() == decode.getArrayNItems()) {
for (int i = 0; i < filter.getArrayNItems(); ++i) {
if (filter.getArrayItem(i).isNameAndEquals("/Crypt")) {
QPDFObjectHandle crypt_params =
decode.getArrayItem(i);
if (crypt_params.isDictionary() &&
crypt_params.getKey("/Name").isName()) {
QTC::TC("qpdf", "QPDF_encrypt crypt array");
method = interpretCF(
encp, crypt_params.getKey("/Name"));
method_source = "stream's Crypt "
"decode parameters (array)";
}
}
}
}
}
}
if (method == e_unknown) {
if ((!encp->encrypt_metadata) && (type == "/Metadata")) {
QTC::TC("qpdf", "QPDF_encryption cleartext metadata");
method = e_none;
} else {
method = encp->cf_stream;
}
}
use_aes = false;
switch (method) {
case e_none:
return;
break;
case e_aes:
use_aes = true;
break;
case e_aesv3:
use_aes = true;
break;
case e_rc4:
break;
default:
// filter local to this stream.
qpdf_for_warning.warn(QPDFExc(
qpdf_e_damaged_pdf,
file->getName(),
"",
file->getLastOffset(),
"unknown encryption filter for streams"
" (check " +
method_source +
");"
" streams may be decrypted improperly"));
// To avoid repeated warnings, reset cf_stream. Assume
// we'd want to use AES if V == 4.
encp->cf_stream = e_aes;
use_aes = true;
break;
}
}
std::string key = getKeyForObject(encp, objid, generation, use_aes);
std::shared_ptr<Pipeline> new_pipeline;
if (use_aes) {
QTC::TC("qpdf", "QPDF_encryption aes decode stream");
new_pipeline = std::make_shared<Pl_AES_PDF>(
"AES stream decryption",
pipeline,
false,
QUtil::unsigned_char_pointer(key),
key.length());
} else {
QTC::TC("qpdf", "QPDF_encryption rc4 decode stream");
new_pipeline = std::make_shared<Pl_RC4>(
"RC4 stream decryption",
pipeline,
QUtil::unsigned_char_pointer(key),
toI(key.length()));
}
pipeline = new_pipeline.get();
heap.push_back(new_pipeline);
}
void
QPDF::compute_encryption_O_U(
char const* user_password,
char const* owner_password,
int V,
int R,
int key_len,
int P,
bool encrypt_metadata,
std::string const& id1,
std::string& O,
std::string& U)
{
if (V >= 5) {
throw std::logic_error(
"compute_encryption_O_U called for file with V >= 5");
}
EncryptionData data(
V, R, key_len, P, "", "", "", "", "", id1, encrypt_metadata);
data.setO(compute_O_value(user_password, owner_password, data));
O = data.getO();
data.setU(compute_U_value(user_password, data));
U = data.getU();
}
void
QPDF::compute_encryption_parameters_V5(
char const* user_password,
char const* owner_password,
int V,
int R,
int key_len,
int P,
bool encrypt_metadata,
std::string const& id1,
std::string& encryption_key,
std::string& O,
std::string& U,
std::string& OE,
std::string& UE,
std::string& Perms)
{
EncryptionData data(
V, R, key_len, P, "", "", "", "", "", id1, encrypt_metadata);
unsigned char k[key_bytes];
QUtil::initializeWithRandomBytes(k, key_bytes);
encryption_key = std::string(reinterpret_cast<char*>(k), key_bytes);
compute_U_UE_value_V5(user_password, encryption_key, data, U, UE);
compute_O_OE_value_V5(owner_password, encryption_key, data, U, O, OE);
Perms = compute_Perms_value_V5(encryption_key, data);
data.setV5EncryptionParameters(O, OE, U, UE, Perms);
}
std::string const&
QPDF::getPaddedUserPassword() const
{
return this->m->encp->user_password;
}
std::string
QPDF::getTrimmedUserPassword() const
{
std::string result = this->m->encp->user_password;
trim_user_password(result);
return result;
}
std::string
QPDF::getEncryptionKey() const
{
return this->m->encp->encryption_key;
}
bool
QPDF::isEncrypted() const
{
return this->m->encp->encrypted;
}
bool
QPDF::isEncrypted(int& R, int& P)
{
int V;
encryption_method_e stream, string, file;
return isEncrypted(R, P, V, stream, string, file);
}
bool
QPDF::isEncrypted(
int& R,
int& P,
int& V,
encryption_method_e& stream_method,
encryption_method_e& string_method,
encryption_method_e& file_method)
{
if (this->m->encp->encrypted) {
QPDFObjectHandle trailer = getTrailer();
QPDFObjectHandle encrypt = trailer.getKey("/Encrypt");
QPDFObjectHandle Pkey = encrypt.getKey("/P");
QPDFObjectHandle Rkey = encrypt.getKey("/R");
QPDFObjectHandle Vkey = encrypt.getKey("/V");
P = static_cast<int>(Pkey.getIntValue());
R = Rkey.getIntValueAsInt();
V = Vkey.getIntValueAsInt();
stream_method = this->m->encp->cf_stream;
string_method = this->m->encp->cf_string;
file_method = this->m->encp->cf_file;
return true;
} else {
return false;
}
}
bool
QPDF::ownerPasswordMatched() const
{
return this->m->encp->owner_password_matched;
}
bool
QPDF::userPasswordMatched() const
{
return this->m->encp->user_password_matched;
}
static bool
is_bit_set(int P, int bit)
{
// Bits in P are numbered from 1 in the spec
return ((P & (1 << (bit - 1))) != 0);
}
bool
QPDF::allowAccessibility()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
if (R < 3) {
status = is_bit_set(P, 5);
} else {
status = is_bit_set(P, 10);
}
}
return status;
}
bool
QPDF::allowExtractAll()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = is_bit_set(P, 5);
}
return status;
}
bool
QPDF::allowPrintLowRes()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = is_bit_set(P, 3);
}
return status;
}
bool
QPDF::allowPrintHighRes()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = is_bit_set(P, 3);
if ((R >= 3) && (!is_bit_set(P, 12))) {
status = false;
}
}
return status;
}
bool
QPDF::allowModifyAssembly()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
if (R < 3) {
status = is_bit_set(P, 4);
} else {
status = is_bit_set(P, 11);
}
}
return status;
}
bool
QPDF::allowModifyForm()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
if (R < 3) {
status = is_bit_set(P, 6);
} else {
status = is_bit_set(P, 9);
}
}
return status;
}
bool
QPDF::allowModifyAnnotation()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = is_bit_set(P, 6);
}
return status;
}
bool
QPDF::allowModifyOther()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = is_bit_set(P, 4);
}
return status;
}
bool
QPDF::allowModifyAll()
{
int R = 0;
int P = 0;
bool status = true;
if (isEncrypted(R, P)) {
status = (is_bit_set(P, 4) && is_bit_set(P, 6));
if (R >= 3) {
status = status && (is_bit_set(P, 9) && is_bit_set(P, 11));
}
}
return status;
}