origami 2.0.0 → 2.0.1

data/bin/pdfmetadata

@@ -47,15 +47,15 @@ USAGE
         OptionParser.new do |opts|
             opts.banner = BANNER
 
-            opts.on("-i", "Extracts document info metadata") do |i|
+            opts.on("-i", "--info", "Extracts document info metadata") do
                 options[:doc_info] = true
             end
 
-            opts.on("-x", "Extracts XMP document metadata stream") do |i|
+            opts.on("-x", "--xmp", "Extracts XMP document metadata stream") do
                 options[:doc_stream] = true
             end
 
-            opts.on("-n", "Turn off colorized output.") do
+            opts.on("-n", "--no-color", "Turn off colorized output.") do
                 options[:disable_colors] = true
             end
 

data/bin/shell/console.rb

@@ -77,20 +77,20 @@ module Origami
         class Revision
             def to_s
                 puts "----------  Body  ----------".white.bold
-                @body.each_value { |obj|
+                @body.each_value do |obj|
                     print "#{obj.reference.to_s.rjust(8,' ')}".ljust(10).magenta
                     puts "#{obj.type}".yellow
-                }
+                end
 
                 puts "---------- Trailer ---------".white.bold
                 if not @trailer.dictionary
                     puts "  [x] No trailer found.".blue
                 else
-                    @trailer.dictionary.each_pair { |entry, value|
+                    @trailer.dictionary.each_pair do |entry, value|
                         print "  [*] ".magenta
-                        print "#{entry.to_s}: ".yellow
-                        puts "#{value.to_s}".red
-                    }
+                        print "#{entry}: ".yellow
+                        puts "#{value}".red
+                    end
 
                     print "  [+] ".magenta
                     print "startxref: ".yellow
@@ -111,9 +111,9 @@ module Origami
             print "Version: ".yellow
             puts "#{@header.major_version}.#{@header.minor_version}".red
 
-            @revisions.each { |revision|
+            @revisions.each do |revision|
                 revision.to_s
-            }
+            end
             puts
         end
 

data/bin/shell/hexdump.rb

@@ -26,14 +26,14 @@ class String #:nodoc:
         dump = ""
         counter = 0
     
-        while counter < length
+        while counter < self.length
             offset = sprintf("%010X", counter + delta)
       
-            linelen = (counter < length - bytesperline) ? bytesperline : (length - counter)
+            linelen = [ self.length - counter, bytesperline ].min
             bytes = ""
             linelen.times do |i|
-                byte = self[counter + i].ord.to_s(16)
-                byte.insert(0, "0") if byte.size < 2
+                byte = self[counter + i].ord.to_s(16).rjust(2, '0')
+
                 bytes << byte
                 bytes << " " unless i == bytesperline - 1
             end

data/examples/attachments/nested_document.rb

@@ -18,7 +18,7 @@ EMBEDDED_NAME = "#{('a'..'z').to_a.sample(8).join}.pdf"
 # A simple document displaying a message box.
 #
 output_str = StringIO.new
-nested_doc = PDF.write(output_str) do |pdf|
+PDF.write(output_str) do |pdf|
     pdf.onDocumentOpen Action::JavaScript "app.alert('Hello world!');" 
 end
 

data/examples/javascript/hello_world.rb

@@ -15,8 +15,8 @@ include Origami
 OUTPUT_FILE = "#{File.basename(__FILE__, ".rb")}.pdf"
 
 # Creating a new file
-pdf = PDF.new
-         .onDocumentOpen(Action::JavaScript 'app.alert("Hello world");')
-         .save(OUTPUT_FILE)
+PDF.new
+   .onDocumentOpen(Action::JavaScript 'app.alert("Hello world");')
+   .save(OUTPUT_FILE)
 
 puts "PDF file saved as #{OUTPUT_FILE}."

data/lib/origami.rb

@@ -28,7 +28,6 @@ module Origami
         enable_type_checking: true,      # set to false to disable type consistency checks during compilation.
         enable_type_guessing: true,      # set to false to prevent the parser to guess the type of special dictionary and streams (not recommended).
         enable_type_propagation: true,   # set to false to prevent the parser to propagate type from parents to children.
-        use_openssl: true,               # set to false to use Origami crypto backend.
         ignore_bad_references: false,    # set to interpret invalid references as Null objects, instead of raising an exception.
         ignore_zlib_errors: false,       # set to true to ignore exceptions on invalid Flate streams.
         ignore_png_errors: false,        # set to true to ignore exceptions on invalid PNG predictors.

data/lib/origami/acroform.rb

@@ -26,7 +26,7 @@ module Origami
         # Returns true if the document contains an acrobat form.
         #
         def form?
-            (not self.Catalog.nil?) and self.Catalog.has_key? :AcroForm
+            self.Catalog.key? :AcroForm
         end
 
         #
@@ -101,8 +101,8 @@ module Origami
         # Flags relative to signature fields.
         #
         module SigFlags
-            SIGNATURESEXIST = 1 << 0
-            APPENDONLY      = 1 << 1
+            SIGNATURES_EXIST = 1 << 0
+            APPEND_ONLY      = 1 << 1
         end
 
         field   :Fields,            :Type => Array, :Required => true, :Default => []

data/lib/origami/array.rb

@@ -170,7 +170,7 @@ module Origami
         def cast_to(type, parser = nil)
             super(type)
 
-            cast = type.new(self, parser)
+            cast = type.new(self.copy, parser)
             cast.parent = self.parent
             cast.no, cast.generation = self.no, self.generation
             if self.indirect?
@@ -182,8 +182,6 @@ module Origami
             cast
         end
 
-        def self.native_type ; Origami::Array end
-
         #
         # Parameterized Array class with additional typing information.
         # Example: Array.of(Integer)

data/lib/origami/boolean.rb

@@ -51,7 +51,7 @@ module Origami
             super(@value.to_s)
         end
 
-        def self.parse(stream, parser = nil) #:nodoc:
+        def self.parse(stream, _parser = nil) #:nodoc:
             offset = stream.pos
 
             if stream.scan(@@regexp).nil?
@@ -73,8 +73,6 @@ module Origami
             @value
         end
 
-        def self.native_type ; Boolean end
-
         def false?
             @value == false
         end

data/lib/origami/catalog.rb

@@ -39,22 +39,16 @@ module Origami
         #
         def Catalog
             cat = trailer_key(:Root)
+            raise InvalidPDFError, "Broken catalog" unless cat.is_a?(Catalog)
 
-            case cat
-            when Catalog then
-                cat
-            when Dictionary then
-                cat.cast_to(Catalog)
-            else
-                raise InvalidPDFError, "Broken catalog"
-            end
+            cat
         end
 
         #
         # Sets the current Catalog Dictionary.
         #
         def Catalog=(cat)
-            cat = cat.cast_to(Catalog) unless cat.is_a? Catalog
+            raise TypeError, "Must be a Catalog object" unless cat.is_a?(Catalog)
 
             delete_object(@revisions.last.trailer[:Root]) if @revisions.last.trailer[:Root]
 

data/lib/origami/destinations.rb

@@ -157,7 +157,7 @@ module Origami
             # _left_, _bottom_, _right_, _top_:: The rectangle to fit in.
             #
             def self.[](page, left: 0, bottom: 0, right: 0, top: 0)
-                self.new([pageref, :FitR, left, bottom, right, top])
+                self.new([page, :FitR, left, bottom, right, top])
             end
         end
 
@@ -231,7 +231,7 @@ module Origami
             # _left_:: The horizontal coord.
             #
             def self.[](page, left: 0)
-                self.new([pageref, :FitBV, left])
+                self.new([page, :FitBV, left])
             end
         end
 

data/lib/origami/dictionary.rb

@@ -29,14 +29,15 @@ module Origami
     #
     class Dictionary < Hash
         include Origami::Object
+        include FieldAccessor
         using TypeConversion
 
         TOKENS = %w{ << >> } #:nodoc:
         @@regexp_open = Regexp.new(WHITESPACES + TOKENS.first + WHITESPACES)
         @@regexp_close = Regexp.new(WHITESPACES + TOKENS.last + WHITESPACES)
 
-        @@cast_fingerprints = {}
-        @@cast_keys = []
+        @@type_signatures = {}
+        @@type_keys = []
 
         attr_reader :strings_cache, :names_cache, :xref_cache
 
@@ -92,13 +93,13 @@ module Origami
                 key = Name.parse(stream, parser)
 
                 type = Object.typeof(stream)
-                raise InvalidDictionaryObjectError, "Invalid object for field #{key.to_s}" if type.nil?
+                raise InvalidDictionaryObjectError, "Invalid object for field #{key}" if type.nil?
 
                 value = type.parse(stream, parser)
                 hash[key] = value
             end
 
-            if Origami::OPTIONS[:enable_type_guessing] and not (@@cast_keys & hash.keys).empty?
+            if Origami::OPTIONS[:enable_type_guessing] and not (@@type_keys & hash.keys).empty?
                 dict_type = self.guess_type(hash)
             else
                 dict_type = self
@@ -124,7 +125,7 @@ module Origami
             else
                 content = TOKENS.first.dup
                 self.each_pair do |key,value|
-                    content << "#{key.to_s} #{value.is_a?(Dictionary) ? value.to_s(indent: 0) : value.to_s}"
+                    content << "#{key} #{value.is_a?(Dictionary) ? value.to_s(indent: 0) : value.to_s}"
                 end
                 content << TOKENS.last
             end
@@ -179,7 +180,7 @@ module Origami
         def cast_to(type, parser = nil)
             super(type)
 
-            cast = type.new(self, parser)
+            cast = type.new(self.copy, parser)
             cast.parent = self.parent
             cast.no, cast.generation = self.no, self.generation
             if self.indirect?
@@ -198,17 +199,6 @@ module Origami
         end
         alias value to_h
 
-        def method_missing(field, *args) #:nodoc:
-            raise NoMethodError, "No method `#{field}' for #{self.class}" unless field.to_s[0,1] =~ /[A-Z]/
-
-            if field.to_s[-1,1] == '='
-                self[field.to_s[0..-2].to_sym] = args.first
-            else
-                obj = self[field];
-                obj.is_a?(Reference) ? obj.solve : obj
-            end
-        end
-
         def copy
             copy = self.class.new
             self.each_pair do |k,v|
@@ -223,28 +213,24 @@ module Origami
             copy
         end
 
-        def self.native_type; Dictionary end
-
-        def self.add_type_info(klass, key, value) #:nodoc:
-            raise TypeError, "Invalid class #{klass}" unless klass.is_a?(Class) and klass < Dictionary
-
+        def self.add_type_signature(key, value) #:nodoc:
             key, value = key.to_o, value.to_o
 
             # Inherit the superclass type information.
-            if not @@cast_fingerprints.key?(klass) and @@cast_fingerprints.key?(klass.superclass)
-                @@cast_fingerprints[klass] = @@cast_fingerprints[klass.superclass].dup
+            if not @@type_signatures.key?(self) and @@type_signatures.key?(self.superclass)
+                @@type_signatures[self] = @@type_signatures[self.superclass].dup
             end
 
-            @@cast_fingerprints[klass] ||= {}
-            @@cast_fingerprints[klass][key] = value
+            @@type_signatures[self] ||= {}
+            @@type_signatures[self][key] = value
 
-            @@cast_keys.push(key) unless @@cast_keys.include?(key)
+            @@type_keys.push(key) unless @@type_keys.include?(key)
         end
 
         def self.guess_type(hash) #:nodoc:
             best_type = self
 
-            @@cast_fingerprints.each_pair do |klass, keys|
+            @@type_signatures.each_pair do |klass, keys|
                 next unless klass < best_type
 
                 best_type = klass if keys.all? { |k,v| hash[k] == v }
@@ -253,7 +239,7 @@ module Origami
             best_type
         end
 
-        def self.hint_type(name); nil end #:nodoc:
+        def self.hint_type(_name); nil end #:nodoc:
 
         private
 

data/lib/origami/encryption.rb

@@ -18,12 +18,7 @@
 
 =end
 
-begin
-    require 'openssl' if Origami::OPTIONS[:use_openssl]
-rescue LoadError
-    Origami::OPTIONS[:use_openssl] = false
-end
-
+require 'openssl'
 require 'securerandom'
 require 'digest/md5'
 require 'digest/sha2'
@@ -55,11 +50,12 @@ module Origami
         def decrypt(passwd = "")
             raise EncryptionError, "PDF is not encrypted" unless self.encrypted?
 
-            encrypt_dict = trailer_key(:Encrypt)
-            handler = Encryption::Standard::Dictionary.new(encrypt_dict.dup)
+            # Turn the encryption dictionary into a standard encryption dictionary.
+            handler = trailer_key(:Encrypt)
+            handler = self.cast_object(handler.reference, Encryption::Standard::Dictionary)
 
             unless handler.Filter == :Standard
-                raise EncryptionNotSupportedError, "Unknown security handler : '#{handler.Filter.to_s}'"
+                raise EncryptionNotSupportedError, "Unknown security handler : '#{handler.Filter}'"
             end
 
             crypt_filters = {
@@ -124,47 +120,13 @@ module Origami
                 raise EncryptionInvalidPasswordError
             end
 
-            encrypt_metadata = (handler.EncryptMetadata != false)
-
             self.extend(Encryption::EncryptedDocument)
             self.encryption_handler = handler
             self.crypt_filters = crypt_filters
             self.encryption_key = encryption_key
             self.stm_filter, self.str_filter = stream_filter, string_filter
 
-            #
-            # Should be fixed to exclude only the active XRefStream
-            #
-            metadata = self.Catalog.Metadata
-
-            self.indirect_objects.each do |indobj|
-                encrypted_objects = []
-                case indobj
-                when String,Stream then encrypted_objects << indobj
-                when Dictionary,Array then encrypted_objects |= indobj.strings_cache
-                end
-
-                encrypted_objects.each do |obj|
-                    case obj
-                    when String
-                        next if obj.equal?(encrypt_dict[:U]) or
-                                obj.equal?(encrypt_dict[:O]) or
-                                obj.equal?(encrypt_dict[:UE]) or
-                                obj.equal?(encrypt_dict[:OE]) or
-                                obj.equal?(encrypt_dict[:Perms]) or
-                                (obj.parent.is_a?(Signature::DigitalSignature) and
-                                 obj.equal?(obj.parent[:Contents]))
-
-                        obj.extend(Encryption::EncryptedString) unless obj.is_a?(Encryption::EncryptedString)
-                        obj.decrypt!
-
-                    when Stream
-                        next if obj.is_a?(XRefStream) or (not encrypt_metadata and obj.equal?(metadata))
-
-                        obj.extend(Encryption::EncryptedStream) unless obj.is_a?(Encryption::EncryptedStream)
-                    end
-                end
-            end
+            decrypt_objects
 
             self
         end
@@ -186,98 +148,145 @@ module Origami
             {
                 :user_passwd => '',
                 :owner_passwd => '',
-                :cipher => 'rc4',            # :RC4 or :AES
+                :cipher => 'aes',            # :RC4 or :AES
                 :key_size => 128,            # Key size in bits
                 :hardened => false,          # Use newer password validation (since Reader X)
                 :encrypt_metadata => true,   # Metadata shall be encrypted?
                 :permissions => Encryption::Standard::Permissions::ALL    # Document permissions
             }.update(options)
 
-            userpasswd, ownerpasswd = params[:user_passwd], params[:owner_passwd]
+            # Get the cryptographic parameters.
+            version, revision, crypt_filters = crypto_revision_from_options(params)
 
-            case params[:cipher].upcase
-            when 'RC4'
-                algorithm = Encryption::RC4
-                if (40..128) === params[:key_size] and params[:key_size] % 8 == 0
-                    if params[:key_size] > 40
-                        version = 2
-                        revision = 3
-                    else
-                        version = 1
-                        revision = 2
-                    end
-                else
-                    raise EncryptionError, "Invalid RC4 key length"
-                end
+            # Create the security handler.
+            handler, encryption_key = create_security_handler(version, revision, params)
 
-                crypt_filters = Hash.new(algorithm)
-                string_filter = stream_filter = nil
+            # Turn this document into an EncryptedDocument instance.
+            self.extend(Encryption::EncryptedDocument)
+            self.encryption_handler = handler
+            self.encryption_key = encryption_key
+            self.crypt_filters = crypt_filters
+            self.stm_filter = self.str_filter = :StdCF
 
-            when 'AES'
-                algorithm = Encryption::AES
-                if params[:key_size] == 128
-                    version = revision = 4
-                elsif params[:key_size] == 256
-                    version = 5
-                    if params[:hardened]
-                        revision = 6
-                    else
-                        revision = 5
-                    end
-                else
-                    raise EncryptionError, "Invalid AES key length (Only 128 and 256 bits keys are supported)"
-                end
+            self
+        end
 
-                crypt_filters = {
-                    Identity: Encryption::Identity,
-                    StdCF: algorithm
-                }
-                string_filter = stream_filter = :StdCF
+        private
 
-            else
-                raise EncryptionNotSupportedError, "Cipher not supported : #{params[:cipher]}"
-            end
+        #
+        # Installs the standard security dictionary, marking the document as being encrypted.
+        # Returns the handler and the encryption key used for protecting contents.
+        #
+        def create_security_handler(version, revision, params)
 
+            # Ensure the document has an ID.
             doc_id = (trailer_key(:ID) || generate_id).first
 
+            # Create the standard encryption dictionary.
             handler = Encryption::Standard::Dictionary.new
-            handler.Filter = :Standard #:nodoc:
+            handler.Filter = :Standard
             handler.V = version
             handler.R = revision
             handler.Length = params[:key_size]
             handler.P = -1 # params[:Permissions]
 
+            # Build the crypt filter dictionary.
             if revision >= 4
                 handler.EncryptMetadata = params[:encrypt_metadata]
                 handler.CF = Dictionary.new
-                cryptfilter = Encryption::CryptFilterDictionary.new
-                cryptfilter.AuthEvent = :DocOpen
+                crypt_filter = Encryption::CryptFilterDictionary.new
+                crypt_filter.AuthEvent = :DocOpen
 
                 if revision == 4
-                    cryptfilter.CFM = :AESV2
+                    crypt_filter.CFM = :AESV2
                 else
-                    cryptfilter.CFM = :AESV3
+                    crypt_filter.CFM = :AESV3
                 end
 
-                cryptfilter.Length = params[:key_size] >> 3
+                crypt_filter.Length = params[:key_size] >> 3
 
-                handler.CF[:StdCF] = cryptfilter
+                handler.CF[:StdCF] = crypt_filter
                 handler.StmF = handler.StrF = :StdCF
             end
 
-            handler.set_passwords(ownerpasswd, userpasswd, doc_id)
-            encryption_key = handler.compute_user_encryption_key(userpasswd, doc_id)
+            user_passwd, owner_passwd = params[:user_passwd], params[:owner_passwd]
 
-            file_info = get_trailer_info
-            file_info[:Encrypt] = self << handler
+            # Setup keys.
+            handler.set_passwords(owner_passwd, user_passwd, doc_id)
+            encryption_key = handler.compute_user_encryption_key(user_passwd, doc_id)
 
-            self.extend(Encryption::EncryptedDocument)
-            self.encryption_handler = handler
-            self.encryption_key = encryption_key
-            self.crypt_filters = crypt_filters
-            self.stm_filter = self.str_filter = :StdCF
+            # Install the encryption dictionary to the document.
+            self.trailer.Encrypt = self << handler
 
-            self
+            [ handler, encryption_key ]
+        end
+
+        #
+        # Converts the parameters passed to PDF#encrypt.
+        # Returns [ version, revision, crypt_filters ]
+        #
+        def crypto_revision_from_options(params)
+            case params[:cipher].upcase
+            when 'RC4'
+                algorithm = Encryption::RC4
+                version, revision = crypto_revision_from_rc4_key(params[:key_size])
+                crypt_filters = Hash.new(algorithm)
+
+            when 'AES'
+                algorithm = Encryption::AES
+                version, revision = crypto_revision_from_aes_key(params[:key_size], params[:hardened])
+
+                crypt_filters = {
+                    Identity: Encryption::Identity,
+                    StdCF: algorithm
+                }
+            else
+                raise EncryptionNotSupportedError, "Cipher not supported : #{params[:cipher]}"
+            end
+
+            [ version, revision, crypt_filters ]
+        end
+
+        #
+        # Compute the required standard security handler version based on the RC4 key size.
+        # _key_size_:: Key size in bits.
+        # Returns [ version, revision ].
+        #
+        def crypto_revision_from_rc4_key(key_size)
+            raise EncryptionError, "Invalid RC4 key length" unless (40..128) === key_size and key_size % 8 == 0
+
+            if key_size > 40
+                version = 2
+                revision = 3
+            else
+                version = 1
+                revision = 2
+            end
+
+            [ version, revision ]
+        end
+
+        #
+        # Compute the required standard security handler version based on the AES key size.
+        # _key_size_:: Key size in bits.
+        # _hardened_:: Use the extension level 8 hardened derivation algorithm.
+        # Returns [ version, revision ].
+        #
+        def crypto_revision_from_aes_key(key_size, hardened)
+            if key_size == 128
+                version = revision = 4
+            elsif key_size == 256
+                version = 5
+                if hardened
+                    revision = 6
+                else
+                    revision = 5
+                end
+            else
+                raise EncryptionError, "Invalid AES key length (Only 128 and 256 bits keys are supported)"
+            end
+
+            [ version, revision ]
         end
     end
 
@@ -297,11 +306,7 @@ module Origami
         # Generates _n_ random bytes from a crypto PRNG.
         #
         def self.strong_rand_bytes(n)
-            if Origami::OPTIONS[:use_openssl]
-                OpenSSL::Random.random_bytes(n)
-            else
-                SecureRandom.random_bytes(n)
-            end
+            SecureRandom.random_bytes(n)
         end
 
         module EncryptedDocument
@@ -327,90 +332,91 @@ module Origami
 
             private
 
-            def physicalize(options = {})
-
-                build = -> (obj, revision) do
-                    if obj.is_a?(EncryptedObject)
-                        if options[:decrypt] == true
-                            obj.pre_build
-                            obj.decrypt!
-                            obj.decrypted = false # makes it believe no encryption pass is required
-                            obj.post_build
-
-                            return
-                        end
-                    end
+            #
+            # For each object subject to encryption, convert it to an EncryptedObject and decrypt it if necessary.
+            #
+            def decrypt_objects
+                each_encryptable_object do |object|
+                    case object
+                    when String
+                        object.extend(EncryptedString) unless object.is_a?(EncryptedString)
+                        object.decrypt!
 
-                    if obj.is_a?(ObjectStream)
-                        obj.each do |subobj|
-                            build.call(subobj, revision)
-                        end
+                    when Stream
+                        object.extend(EncryptedStream) unless object.is_a?(EncryptedStream)
                     end
+                end
+            end
 
-                    obj.pre_build
-
-                    case obj
+            #
+            # For each object subject to encryption, convert it to an EncryptedObject and mark it as not encrypted yet.
+            #
+            def encrypt_objects
+                each_encryptable_object do |object|
+                    case object
                     when String
-                        if not obj.equal?(@encryption_handler[:U]) and
-                           not obj.equal?(@encryption_handler[:O]) and
-                           not obj.equal?(@encryption_handler[:UE]) and
-                           not obj.equal?(@encryption_handler[:OE]) and
-                           not obj.equal?(@encryption_handler[:Perms]) and
-                           not (obj.parent.is_a?(Signature::DigitalSignature) and
-                               obj.equal?(obj.parent[:Contents])) and
-                           not obj.indirect_parent.parent.is_a?(ObjectStream)
-
-                            unless obj.is_a?(EncryptedString)
-                                obj.extend(EncryptedString)
-                                obj.decrypted = true
-                            end
+                        unless object.is_a?(EncryptedString)
+                            object.extend(EncryptedString)
+                            object.decrypted = true
                         end
 
                     when Stream
-                        return if obj.is_a?(XRefStream)
-                        return if obj.equal?(self.Catalog.Metadata) and not @encryption_handler.EncryptMetadata
-
-                        unless obj.is_a?(EncryptedStream)
-                            obj.extend(EncryptedStream)
-                            obj.decrypted = true
-                        end
-
-                    when Dictionary, Array
-                        obj.map! do |subobj|
-                            if subobj.indirect?
-                                if get_object(subobj.reference)
-                                    subobj.reference
-                                else
-                                    ref = add_to_revision(subobj, revision)
-                                    build.call(subobj, revision)
-                                    ref
-                                end
-                            else
-                                subobj
-                            end
+                        unless object.is_a?(EncryptedStream)
+                            object.extend(EncryptedStream)
+                            object.decrypted = true
                         end
+                    end
+                end
+            end
 
-                        obj.each do |subobj|
-                            build.call(subobj, revision)
+            #
+            # Iterates over each encryptable objects in the document.
+            #
+            def each_encryptable_object(&b)
+
+                # Metadata may not be encrypted depending on the security handler configuration.
+                encrypt_metadata = (@encryption_handler.EncryptMetadata != false)
+                metadata = self.Catalog.Metadata
+
+                self.each_object(recursive: true)
+                    .lazy
+                    .select { |object|
+                        case object
+                        when Stream
+                            not object.is_a?(XRefStream) or (encrypt_metadata and object.equal?(metadata))
+                        when String
+                            not object.parent.equal?(@encryption_handler)
                         end
-                    end
+                    }
+                    .each(&b)
+            end
 
-                    obj.post_build
-                end
+            def physicalize(options = {})
+                encrypt_objects
 
-                # stack up every root objects
-                indirect_objects_by_rev.each do |obj, revision|
-                    build.call(obj, revision)
-                end
+                super
 
                 # remove encrypt dictionary if requested
                 if options[:decrypt]
-                    delete_object(get_trailer_info[:Encrypt])
-                    get_trailer_info[:Encrypt] = nil
+                    delete_object(self.trailer[:Encrypt])
+                    self.trailer[:Encrypt] = nil
                 end
 
                 self
             end
+
+            def build_object(object, revision, options)
+                if object.is_a?(EncryptedObject) and options[:decrypt]
+                    object.pre_build
+                    object.decrypt!
+                    object.decrypted = false # makes it believe no encryption pass is required
+                    object.post_build
+
+                    return
+                end
+
+                super
+            end
         end
 
         #
@@ -438,7 +444,7 @@ module Origami
                     no, gen = parent.no, parent.generation
                     k = encryption_key + [no].pack("I")[0..2] + [gen].pack("I")[0..1]
 
-                    key_len = (k.length > 16) ? 16 : k.length
+                    key_len = [k.length, 16].min
                     k << "sAlT" if cipher == Encryption::AES
 
                     Digest::MD5.digest(k)[0, key_len]
@@ -512,21 +518,7 @@ module Origami
 
                 encode!
 
-                if self.filters.first == :Crypt
-                    params = decode_params.first
-
-                    if params.is_a?(Dictionary) and params.Name.is_a?(Name)
-                        crypt_filter = params.Name.value
-                    else
-                        crypt_filter = :Identity
-                    end
-
-                    cipher = self.document.encryption_cipher(crypt_filter)
-                else
-                    cipher = self.document.stream_encryption_cipher
-                end
-                raise EncryptionError, "Cannot find stream encryption filter" if cipher.nil?
-
+                cipher = get_encryption_cipher
                 key = compute_object_key(cipher)
 
                 @encoded_data =
@@ -548,6 +540,22 @@ module Origami
             def decrypt!
                 return self if @decrypted
 
+                cipher = get_encryption_cipher
+                key = compute_object_key(cipher)
+
+                self.encoded_data = cipher.decrypt(key, @encoded_data)
+                @decrypted = true
+
+                self
+            end
+
+            private
+
+            #
+            # Get the stream encryption cipher.
+            # The cipher used may depend on the presence of a Crypt filter.
+            #
+            def get_encryption_cipher
                 if self.filters.first == :Crypt
                     params = decode_params.first
 
@@ -561,14 +569,10 @@ module Origami
                 else
                     cipher = self.document.stream_encryption_cipher
                 end
-                raise EncryptionError, "Cannot find stream encryption filter" if cipher.nil?
-
-                key = compute_object_key(cipher)
 
-                self.encoded_data = cipher.decrypt(key, @encoded_data)
-                @decrypted = true
+                raise EncryptionError, "Cannot find stream encryption filter" if cipher.nil?
 
-                self
+                cipher
             end
         end
 
@@ -576,17 +580,17 @@ module Origami
         # Identity transformation.
         #
         module Identity
-            def Identity.encrypt(key, data)
+            def Identity.encrypt(_key, data)
                 data
             end
 
-            def Identity.decrypt(key, data)
+            def Identity.decrypt(_key, data)
                 data
             end
         end
 
         #
-        # Pure Ruby implementation of the RC4 symmetric algorithm
+        # Class wrapper for the RC4 algorithm.
         #
         class RC4
 
@@ -608,140 +612,31 @@ module Origami
             # Creates and initialises a new RC4 generator using given key
             #
             def initialize(key)
-                if Origami::OPTIONS[:use_openssl]
-                    @key = key
-                else
-                    @state = init(key)
-                end
+                @key = key
             end
 
             #
             # Encrypt/decrypt data with the RC4 encryption algorithm
             #
             def cipher(data)
-                return "" if data.empty?
-
-                if Origami::OPTIONS[:use_openssl]
-                    rc4 = OpenSSL::Cipher::RC4.new.encrypt
-                    rc4.key_len = @key.length
-                    rc4.key = @key
-
-                    output = rc4.update(data) << rc4.final
-                else
-                    output = ""
-                    i, j = 0, 0
-                    data.each_byte do |byte|
-                        i = i.succ & 0xFF
-                        j = (j + @state[i]) & 0xFF
+                return '' if data.empty?
 
-                        @state[i], @state[j] = @state[j], @state[i]
+                rc4 = OpenSSL::Cipher::RC4.new.encrypt
+                rc4.key_len = @key.length
+                rc4.key = @key
 
-                        output << (@state[@state[i] + @state[j] & 0xFF] ^ byte).chr
-                    end
-                end
-
-                output
+                rc4.update(data) + rc4.final
             end
 
             alias encrypt cipher
             alias decrypt cipher
-
-            private
-
-            def init(key) #:nodoc:
-                state = (0..255).to_a
-
-                j = 0
-                256.times do |i|
-                    j = ( j + state[i] + key[i % key.size].ord ) & 0xFF
-                    state[i], state[j] = state[j], state[i]
-                end
-
-                state
-            end
         end
 
         #
-        # Pure Ruby implementation of the AES symmetric algorithm.
-        # Using mode CBC.
+        # Class wrapper for AES mode CBC.
         #
         class AES
-            NROWS = 4
-            NCOLS = 4
-            BLOCKSIZE = NROWS * NCOLS
-
-            ROUNDS =
-            {
-                16 => 10,
-                24 => 12,
-                32 => 14
-            }
-
-            #
-            # Rijndael S-box
-            #
-            SBOX =
-            [
-                0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
-                0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
-                0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
-                0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
-                0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
-                0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
-                0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
-                0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
-                0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
-                0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
-                0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
-                0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
-                0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
-                0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
-                0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
-                0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
-            ]
-
-            #
-            # Inverse of the Rijndael S-box
-            #
-            RSBOX =
-            [
-                0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38, 0xbf, 0x40, 0xa3, 0x9e, 0x81, 0xf3, 0xd7, 0xfb,
-                0x7c, 0xe3, 0x39, 0x82, 0x9b, 0x2f, 0xff, 0x87, 0x34, 0x8e, 0x43, 0x44, 0xc4, 0xde, 0xe9, 0xcb,
-                0x54, 0x7b, 0x94, 0x32, 0xa6, 0xc2, 0x23, 0x3d, 0xee, 0x4c, 0x95, 0x0b, 0x42, 0xfa, 0xc3, 0x4e,
-                0x08, 0x2e, 0xa1, 0x66, 0x28, 0xd9, 0x24, 0xb2, 0x76, 0x5b, 0xa2, 0x49, 0x6d, 0x8b, 0xd1, 0x25,
-                0x72, 0xf8, 0xf6, 0x64, 0x86, 0x68, 0x98, 0x16, 0xd4, 0xa4, 0x5c, 0xcc, 0x5d, 0x65, 0xb6, 0x92,
-                0x6c, 0x70, 0x48, 0x50, 0xfd, 0xed, 0xb9, 0xda, 0x5e, 0x15, 0x46, 0x57, 0xa7, 0x8d, 0x9d, 0x84,
-                0x90, 0xd8, 0xab, 0x00, 0x8c, 0xbc, 0xd3, 0x0a, 0xf7, 0xe4, 0x58, 0x05, 0xb8, 0xb3, 0x45, 0x06,
-                0xd0, 0x2c, 0x1e, 0x8f, 0xca, 0x3f, 0x0f, 0x02, 0xc1, 0xaf, 0xbd, 0x03, 0x01, 0x13, 0x8a, 0x6b,
-                0x3a, 0x91, 0x11, 0x41, 0x4f, 0x67, 0xdc, 0xea, 0x97, 0xf2, 0xcf, 0xce, 0xf0, 0xb4, 0xe6, 0x73,
-                0x96, 0xac, 0x74, 0x22, 0xe7, 0xad, 0x35, 0x85, 0xe2, 0xf9, 0x37, 0xe8, 0x1c, 0x75, 0xdf, 0x6e,
-                0x47, 0xf1, 0x1a, 0x71, 0x1d, 0x29, 0xc5, 0x89, 0x6f, 0xb7, 0x62, 0x0e, 0xaa, 0x18, 0xbe, 0x1b,
-                0xfc, 0x56, 0x3e, 0x4b, 0xc6, 0xd2, 0x79, 0x20, 0x9a, 0xdb, 0xc0, 0xfe, 0x78, 0xcd, 0x5a, 0xf4,
-                0x1f, 0xdd, 0xa8, 0x33, 0x88, 0x07, 0xc7, 0x31, 0xb1, 0x12, 0x10, 0x59, 0x27, 0x80, 0xec, 0x5f,
-                0x60, 0x51, 0x7f, 0xa9, 0x19, 0xb5, 0x4a, 0x0d, 0x2d, 0xe5, 0x7a, 0x9f, 0x93, 0xc9, 0x9c, 0xef,
-                0xa0, 0xe0, 0x3b, 0x4d, 0xae, 0x2a, 0xf5, 0xb0, 0xc8, 0xeb, 0xbb, 0x3c, 0x83, 0x53, 0x99, 0x61,
-                0x17, 0x2b, 0x04, 0x7e, 0xba, 0x77, 0xd6, 0x26, 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d
-            ]
-
-            RCON =
-            [
-                0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a,
-                0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39,
-                0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a,
-                0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8,
-                0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef,
-                0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc,
-                0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b,
-                0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3,
-                0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94,
-                0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
-                0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35,
-                0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd, 0x61, 0xc2, 0x9f,
-                0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb, 0x8d, 0x01, 0x02, 0x04,
-                0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63,
-                0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91, 0x39, 0x72, 0xe4, 0xd3, 0xbd,
-                0x61, 0xc2, 0x9f, 0x25, 0x4a, 0x94, 0x33, 0x66, 0xcc, 0x83, 0x1d, 0x3a, 0x74, 0xe8, 0xcb
-            ]
+            BLOCKSIZE = 16
 
             attr_writer :iv
 
@@ -754,7 +649,7 @@ module Origami
             end
 
             def initialize(key, iv, use_padding = true)
-                unless key.size == 16 or key.size == 24 or key.size == 32
+                unless [16, 24, 32].include?(key.size)
                     raise EncryptionError, "Key must have a length of 128, 192 or 256 bits."
                 end
 
@@ -777,35 +672,12 @@ module Origami
                     data << (padlen.chr * padlen)
                 end
 
-                if Origami::OPTIONS[:use_openssl]
-                    aes = OpenSSL::Cipher::Cipher.new("aes-#{@key.length << 3}-cbc").encrypt
-                    aes.iv = @iv
-                    aes.key = @key
-                    aes.padding = 0
+                aes = OpenSSL::Cipher.new("aes-#{@key.length << 3}-cbc").encrypt
+                aes.iv = @iv
+                aes.key = @key
+                aes.padding = 0
 
-                    @iv + aes.update(data) + aes.final
-                else
-                    cipher = []
-                    cipherblock = []
-                    nblocks = data.size / BLOCKSIZE
-
-                    first_round = true
-                    nblocks.times do |n|
-                        plainblock = data[n * BLOCKSIZE, BLOCKSIZE].unpack("C*")
-
-                        if first_round
-                            BLOCKSIZE.times do |i| plainblock[i] ^= @iv[i].ord end
-                        else
-                            BLOCKSIZE.times do |i| plainblock[i] ^= cipherblock[i] end
-                        end
-
-                        first_round = false
-                        cipherblock = aes_encrypt(plainblock)
-                        cipher.concat(cipherblock)
-                    end
-
-                    @iv + cipher.pack("C*")
-                end
+                @iv + aes.update(data) + aes.final
             end
 
             def decrypt(data)
@@ -815,36 +687,12 @@ module Origami
 
                 @iv = data.slice!(0, BLOCKSIZE)
 
-                if Origami::OPTIONS[:use_openssl]
-                    aes = OpenSSL::Cipher::Cipher.new("aes-#{@key.length << 3}-cbc").decrypt
-                    aes.iv = @iv
-                    aes.key = @key
-                    aes.padding = 0
-
-                    plain = (aes.update(data) + aes.final).unpack("C*")
-                else
-                    plain = []
-                    plainblock = []
-                    prev_cipherblock = []
-                    nblocks = data.size / BLOCKSIZE
-
-                    first_round = true
-                    nblocks.times do |n|
-                        cipherblock = data[n * BLOCKSIZE, BLOCKSIZE].unpack("C*")
-
-                        plainblock = aes_decrypt(cipherblock)
+                aes = OpenSSL::Cipher.new("aes-#{@key.length << 3}-cbc").decrypt
+                aes.iv = @iv
+                aes.key = @key
+                aes.padding = 0
 
-                        if first_round
-                            BLOCKSIZE.times do |i| plainblock[i] ^= @iv[i].ord end
-                        else
-                            BLOCKSIZE.times do |i| plainblock[i] ^= prev_cipherblock[i] end
-                        end
-
-                        first_round = false
-                        prev_cipherblock = cipherblock
-                        plain.concat(plainblock)
-                    end
-                end
+                plain = (aes.update(data) + aes.final).unpack("C*")
 
                 if @use_padding
                     padlen = plain[-1]
@@ -860,223 +708,6 @@ module Origami
 
                 plain.pack("C*")
             end
-
-            private
-
-            def rol(row, n = 1) #:nodoc
-                n.times do row.push row.shift end ; row
-            end
-
-            def ror(row, n = 1) #:nodoc:
-                n.times do row.unshift row.pop end ; row
-            end
-
-            def galois_mult(a, b) #:nodoc:
-                p = 0
-
-                8.times do
-                    p ^= a if b[0] == 1
-                    highBit = a[7]
-                    a <<= 1
-                    a ^= 0x1b if highBit == 1
-                    b >>= 1
-                end
-
-                p % 256
-            end
-
-            def schedule_core(word, iter) #:nodoc:
-                rol(word)
-                word.map! do |byte| SBOX[byte] end
-                word[0] ^= RCON[iter]
-
-                word
-            end
-
-            def transpose(m) #:nodoc:
-                [
-                    m[NROWS * 0, NROWS],
-                    m[NROWS * 1, NROWS],
-                    m[NROWS * 2, NROWS],
-                    m[NROWS * 3, NROWS]
-                ].transpose.flatten
-            end
-
-            #
-            # AES round methods.
-            #
-
-            def create_round_key(expanded_key, round = 0) #:nodoc:
-                transpose(expanded_key[round * BLOCKSIZE, BLOCKSIZE])
-            end
-
-            def add_round_key(roundKey) #:nodoc:
-                BLOCKSIZE.times do |i| @state[i] ^= roundKey[i] end
-            end
-
-            def sub_bytes #:nodoc:
-                BLOCKSIZE.times do |i| @state[i] = SBOX[ @state[i] ] end
-            end
-
-            def r_sub_bytes #:nodoc:
-                BLOCKSIZE.times do |i| @state[i] = RSBOX[ @state[i] ] end
-            end
-
-            def shift_rows #:nodoc:
-                NROWS.times do |i|
-                    @state[i * NCOLS, NCOLS] = rol(@state[i * NCOLS, NCOLS], i)
-                end
-            end
-
-            def r_shift_rows #:nodoc:
-                NROWS.times do |i|
-                    @state[i * NCOLS, NCOLS] = ror(@state[i * NCOLS, NCOLS], i)
-                end
-            end
-
-            def mix_column_with_field(column, field) #:nodoc:
-                p = field
-
-                column[0], column[1], column[2], column[3] =
-                    galois_mult(column[0], p[0]) ^
-                    galois_mult(column[3], p[1]) ^
-                    galois_mult(column[2], p[2]) ^
-                    galois_mult(column[1], p[3]),
-
-                    galois_mult(column[1], p[0]) ^
-                    galois_mult(column[0], p[1]) ^
-                    galois_mult(column[3], p[2]) ^
-                    galois_mult(column[2], p[3]),
-
-                    galois_mult(column[2], p[0]) ^
-                    galois_mult(column[1], p[1]) ^
-                    galois_mult(column[0], p[2]) ^
-                    galois_mult(column[3], p[3]),
-
-                    galois_mult(column[3], p[0]) ^
-                    galois_mult(column[2], p[1]) ^
-                    galois_mult(column[1], p[2]) ^
-                    galois_mult(column[0], p[3])
-            end
-
-            def mix_column(column) #:nodoc:
-                mix_column_with_field(column, [ 2, 1, 1, 3 ])
-            end
-
-            def r_mix_column_(column) #:nodoc:
-                mix_column_with_field(column, [ 14, 9, 13, 11 ])
-            end
-
-            def mix_columns #:nodoc:
-                NCOLS.times do |c|
-                    column = []
-                    NROWS.times do |r| column << @state[c + r * NCOLS] end
-                    mix_column(column)
-                    NROWS.times do |r| @state[c + r * NCOLS] = column[r] end
-                end
-            end
-
-            def r_mix_columns #:nodoc:
-                NCOLS.times do |c|
-                    column = []
-                    NROWS.times do |r| column << @state[c + r * NCOLS] end
-                    r_mix_column_(column)
-                    NROWS.times do |r| @state[c + r * NCOLS] = column[r] end
-                end
-            end
-
-            def expand_key(key) #:nodoc:
-                key = key.unpack("C*")
-                size = key.size
-                expanded_size = 16 * (ROUNDS[key.size] + 1)
-                rcon_iter = 1
-                expanded_key = key[0, size]
-
-                while expanded_key.size < expanded_size
-                    temp = expanded_key[-4, 4]
-
-                    if expanded_key.size % size == 0
-                        schedule_core(temp, rcon_iter)
-                        rcon_iter = rcon_iter.succ
-                    end
-
-                    temp.map! do |b| SBOX[b] end if size == 32 and expanded_key.size % size == 16
-
-                    temp.each do |b| expanded_key << (expanded_key[-size] ^ b) end
-                end
-
-                expanded_key
-            end
-
-            def aes_round(round_key) #:nodoc:
-                sub_bytes
-                #puts "after sub_bytes: #{@state.inspect}"
-                shift_rows
-                #puts "after shift_rows: #{@state.inspect}"
-                mix_columns
-                #puts "after mix_columns: #{@state.inspect}"
-                add_round_key(round_key)
-                #puts "roundKey = #{roundKey.inspect}"
-                #puts "after add_round_key: #{@state.inspect}"
-            end
-
-            def r_aes_round(round_key) #:nodoc:
-                add_round_key(round_key)
-                r_mix_columns
-                r_shift_rows
-                r_sub_bytes
-            end
-
-            def aes_encrypt(block) #:nodoc:
-                @state = transpose(block)
-                expanded_key = expand_key(@key)
-                rounds = ROUNDS[@key.size]
-
-                aes_main(expanded_key, rounds)
-            end
-
-            def aes_decrypt(block) #:nodoc:
-                @state = transpose(block)
-                expanded_key = expand_key(@key)
-                rounds = ROUNDS[@key.size]
-
-                r_aes_main(expanded_key, rounds)
-            end
-
-            def aes_main(expanded_key, rounds) #:nodoc:
-                #puts "expandedKey: #{expandedKey.inspect}"
-                round_key = create_round_key(expanded_key)
-                add_round_key(round_key)
-
-                for i in 1..rounds-1
-                    round_key = create_round_key(expanded_key, i)
-                    aes_round(round_key)
-                end
-
-                round_key = create_round_key(expanded_key, rounds)
-                sub_bytes
-                shift_rows
-                add_round_key(round_key)
-
-                transpose(@state)
-            end
-
-            def r_aes_main(expanded_key, rounds) #:nodoc:
-                round_key = create_round_key(expanded_key, rounds)
-                add_round_key(round_key)
-                r_shift_rows
-                r_sub_bytes
-
-                (rounds - 1).downto(1) do |i|
-                    round_key = create_round_key(expanded_key, i)
-                    r_aes_round(round_key)
-                end
-
-                round_key = create_round_key(expanded_key)
-                add_round_key(round_key)
-
-                transpose(@state)
-            end
         end
 
         #
@@ -1156,127 +787,134 @@ module Origami
 
                 #
                 # Computes the key that will be used to encrypt/decrypt the document contents with user password.
+                # Called at all revisions.
                 #
-                def compute_user_encryption_key(userpassword, fileid)
-                    if self.R < 5
-                        padded = pad_password(userpassword)
-                        padded.force_encoding('binary')
+                def compute_user_encryption_key(user_password, file_id)
+                    return compute_legacy_user_encryption_key(user_password, file_id) if self.R < 5
 
-                        padded << self.O
-                        padded << [ self.P ].pack("i")
+                    passwd = password_to_utf8(user_password)
 
-                        padded << fileid
+                    uks = self.U[40, 8]
 
-                        encrypt_metadata = self.EncryptMetadata != false
-                        padded << [ -1 ].pack("i") if self.R >= 4 and not encrypt_metadata
+                    if self.R == 5
+                        ukey = Digest::SHA256.digest(passwd + uks)
+                    else
+                        ukey = compute_hardened_hash(passwd, uks)
+                    end
 
-                        key = Digest::MD5.digest(padded)
+                    iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
+                    AES.new(ukey, nil, false).decrypt(iv + self.UE.value)
+                end
 
-                        50.times { key = Digest::MD5.digest(key[0, self.Length / 8]) } if self.R >= 3
+                #
+                # Computes the key that will be used to encrypt/decrypt the document contents.
+                # Only for Revision 4 and less.
+                #
+                def compute_legacy_user_encryption_key(user_password, file_id)
+                    padded = pad_password(user_password)
+                    padded.force_encoding('binary')
 
-                        if self.R == 2
-                            key[0, 5]
-                        elsif self.R >= 3
-                            key[0, self.Length / 8]
-                        end
-                    else
-                        passwd = password_to_utf8(userpassword)
+                    padded << self.O
+                    padded << [ self.P ].pack("i")
 
-                        uks = self.U[40, 8]
+                    padded << file_id
 
-                        if self.R == 5
-                            ukey = Digest::SHA256.digest(passwd + uks)
-                        else
-                            ukey = compute_hardened_hash(passwd, uks)
-                        end
+                    encrypt_metadata = self.EncryptMetadata != false
+                    padded << [ -1 ].pack("i") if self.R >= 4 and not encrypt_metadata
 
-                        iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
-                        AES.new(ukey, nil, false).decrypt(iv + self.UE.value)
-                    end
+                    key = Digest::MD5.digest(padded)
+
+                    50.times { key = Digest::MD5.digest(key[0, self.Length / 8]) } if self.R >= 3
+
+                    truncate_key(key)
                 end
 
                 #
                 # Computes the key that will be used to encrypt/decrypt the document contents with owner password.
                 # Revision 5 and above.
                 #
-                def compute_owner_encryption_key(ownerpassword)
-                    if self.R >= 5
-                        passwd = password_to_utf8(ownerpassword)
+                def compute_owner_encryption_key(owner_password)
+                    return if self.R < 5
 
-                        oks = self.O[40, 8]
+                    passwd = password_to_utf8(owner_password)
+                    oks = self.O[40, 8]
 
-                        if self.R == 5
-                            okey = Digest::SHA256.digest(passwd + oks + self.U)
-                        else
-                            okey = compute_hardened_hash(passwd, oks, self.U)
-                        end
-
-                        iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
-                        AES.new(okey, nil, false).decrypt(iv + self.OE.value)
+                    if self.R == 5
+                        okey = Digest::SHA256.digest(passwd + oks + self.U)
+                    else
+                        okey = compute_hardened_hash(passwd, oks, self.U)
                     end
+
+                    iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
+                    AES.new(okey, nil, false).decrypt(iv + self.OE.value)
                 end
 
                 #
                 # Set up document passwords.
                 #
-                def set_passwords(ownerpassword, userpassword, salt = nil)
-                    if self.R < 5
-                        key = compute_owner_key(ownerpassword)
-                        upadded = pad_password(userpassword)
+                def set_passwords(owner_password, user_password, salt = nil)
+                    return set_legacy_passwords(owner_password, user_password, salt) if self.R < 5
 
-                        owner_key = RC4.encrypt(key, upadded)
-                        19.times { |i| owner_key = RC4.encrypt(xor(key,i+1), owner_key) } if self.R >= 3
+                    upass = password_to_utf8(user_password)
+                    opass = password_to_utf8(owner_password)
 
-                        self.O = owner_key
-                        self.U = compute_user_password(userpassword, salt)
+                    uvs, uks, ovs, oks = ::Array.new(4) { Encryption.rand_bytes(8) }
+                    file_key = Encryption.strong_rand_bytes(32)
+                    iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
 
+                    if self.R == 5
+                        self.U = Digest::SHA256.digest(upass + uvs) + uvs + uks
+                        self.O = Digest::SHA256.digest(opass + ovs + self.U) + ovs + oks
+                        ukey = Digest::SHA256.digest(upass + uks)
+                        okey = Digest::SHA256.digest(opass + oks + self.U)
                     else
-                        upass = password_to_utf8(userpassword)
-                        opass = password_to_utf8(ownerpassword)
-
-                        uvs, uks, ovs, oks = ::Array.new(4) { Encryption.rand_bytes(8) }
-                        file_key = Encryption.strong_rand_bytes(32)
-                        iv = ::Array.new(AES::BLOCKSIZE, 0).pack("C*")
-
-                        if self.R == 5
-                            self.U = Digest::SHA256.digest(upass + uvs) + uvs + uks
-                            self.O = Digest::SHA256.digest(opass + ovs + self.U) + ovs + oks
-                            ukey = Digest::SHA256.digest(upass + uks)
-                            okey = Digest::SHA256.digest(opass + oks + self.U)
-                        else
-                            self.U = compute_hardened_hash(upass, uvs) + uvs + uks
-                            self.O = compute_hardened_hash(opass, ovs, self.U) + ovs + oks
-                            ukey = compute_hardened_hash(upass, uks)
-                            okey = compute_hardened_hash(opass, oks, self.U)
-                        end
+                        self.U = compute_hardened_hash(upass, uvs) + uvs + uks
+                        self.O = compute_hardened_hash(opass, ovs, self.U) + ovs + oks
+                        ukey = compute_hardened_hash(upass, uks)
+                        okey = compute_hardened_hash(opass, oks, self.U)
+                    end
 
-                        self.UE = AES.new(ukey, iv, false).encrypt(file_key)[iv.size, 32]
-                        self.OE = AES.new(okey, iv, false).encrypt(file_key)[iv.size, 32]
+                    self.UE = AES.new(ukey, iv, false).encrypt(file_key)[iv.size, 32]
+                    self.OE = AES.new(okey, iv, false).encrypt(file_key)[iv.size, 32]
 
-                        perms =
-                            [ self.P ].pack("V") +                              # 0-3
-                            [ -1 ].pack("V") +                                  # 4-7
-                            (self.EncryptMetadata == true ? "T" : "F") +        # 8
-                            "adb" +                                             # 9-11
-                            [ 0 ].pack("V")                                     # 12-15
+                    perms =
+                        [ self.P ].pack("V") +                              # 0-3
+                        [ -1 ].pack("V") +                                  # 4-7
+                        (self.EncryptMetadata == true ? "T" : "F") +        # 8
+                        "adb" +                                             # 9-11
+                        [ 0 ].pack("V")                                     # 12-15
 
-                        self.Perms = AES.new(file_key, iv, false).encrypt(perms)[iv.size, 16]
+                    self.Perms = AES.new(file_key, iv, false).encrypt(perms)[iv.size, 16]
 
-                        file_key
-                    end
+                    file_key
+                end
+
+                #
+                # Set up document passwords.
+                # Only for Revision 4 and less.
+                #
+                def set_legacy_passwords(owner_password, user_password, salt)
+                    owner_key = compute_owner_key(owner_password)
+                    upadded = pad_password(user_password)
+
+                    owner_key_hash = RC4.encrypt(owner_key, upadded)
+                    19.times { |i| owner_key_hash = RC4.encrypt(xor(owner_key, i + 1), owner_key_hash) } if self.R >= 3
+
+                    self.O = owner_key_hash
+                    self.U = compute_user_password_hash(user_password, salt)
                 end
 
                 #
                 # Checks user password.
-                # For version 2,3 and 4, _salt_ is the document ID.
+                # For version 2, 3 and 4, _salt_ is the document ID.
                 # For version 5 and 6, _salt_ is the User Key Salt.
                 #
                 def is_user_password?(pass, salt)
 
                     if self.R == 2
-                        compute_user_password(pass, salt) == self.U
+                        compute_user_password_hash(pass, salt) == self.U
                     elsif self.R == 3 or self.R == 4
-                        compute_user_password(pass, salt)[0, 16] == self.U[0, 16]
+                        compute_user_password_hash(pass, salt)[0, 16] == self.U[0, 16]
                     elsif self.R == 5
                         uvs = self.U[32, 8]
                         Digest::SHA256.digest(password_to_utf8(pass) + uvs) == self.U[0, 32]
@@ -1309,9 +947,9 @@ module Origami
                 # Retrieve user password from owner password.
                 # Cannot be used with revision 5.
                 #
-                def retrieve_user_password(ownerpassword)
+                def retrieve_user_password(owner_password)
 
-                    key = compute_owner_key(ownerpassword)
+                    key = compute_owner_key(owner_password)
 
                     if self.R == 2
                         RC4.decrypt(key, self.O)
@@ -1330,31 +968,27 @@ module Origami
                 # Rev 2,3,4: O = crypt(user_pass, owner_key).
                 # Rev 5: unused.
                 #
-                def compute_owner_key(ownerpassword) #:nodoc:
+                def compute_owner_key(owner_password) #:nodoc:
 
-                    opadded = pad_password(ownerpassword)
+                    opadded = pad_password(owner_password)
 
-                    hash = Digest::MD5.digest(opadded)
-                    50.times { hash = Digest::MD5.digest(hash) } if self.R >= 3
+                    owner_key = Digest::MD5.digest(opadded)
+                    50.times { owner_key = Digest::MD5.digest(owner_key) } if self.R >= 3
 
-                    if self.R == 2
-                        hash[0, 5]
-                    elsif self.R >= 3
-                        hash[0, self.Length / 8]
-                    end
+                    truncate_key(owner_key)
                 end
 
                 #
                 # Compute the value of the U field.
                 # Cannot be used with revision 5.
                 #
-                def compute_user_password(userpassword, salt) #:nodoc:
+                def compute_user_password_hash(user_password, salt) #:nodoc:
 
                     if self.R == 2
-                        key = compute_user_encryption_key(userpassword, salt)
+                        key = compute_user_encryption_key(user_password, salt)
                         user_key = RC4.encrypt(key, PADDING)
                     elsif self.R == 3 or self.R == 4
-                        key = compute_user_encryption_key(userpassword, salt)
+                        key = compute_user_encryption_key(user_password, salt)
 
                         upadded = PADDING + salt
                         hash = Digest::MD5.digest(upadded)
@@ -1382,14 +1016,10 @@ module Origami
 
                         block = input[0, block_size]
 
-                        if Origami::OPTIONS[:use_openssl]
-                            aes = OpenSSL::Cipher::Cipher.new("aes-128-cbc").encrypt
-                            aes.iv = iv
-                            aes.key = key
-                            aes.padding = 0
-                        else
-                            fail "You need OpenSSL support to encrypt/decrypt documents with this method"
-                        end
+                        aes = OpenSSL::Cipher.new("aes-128-cbc").encrypt
+                        aes.iv = iv
+                        aes.key = key
+                        aes.padding = 0
 
                         64.times do |j|
                             x = ''
@@ -1416,13 +1046,25 @@ module Origami
                     h[0, 32]
                 end
 
+                #
+                # Some revision handlers require different key sizes.
+                # Revision 2 uses 40-bit keys.
+                # Revisions 3 and higher rely on the Length field for the key size.
+                #
+                def truncate_key(key)
+                    if self.R == 2
+                        key[0, 5]
+                    elsif self.R >= 3
+                        key[0, self.Length / 8]
+                    end
+                end
+
                 def xor(str, byte) #:nodoc:
-                    str.split(//).map!{|c| (c[0].ord ^ byte).chr }.join
+                    str.bytes.map!{|b| b ^ byte }.pack("C*")
                 end
 
                 def pad_password(password) #:nodoc:
-                    return PADDING.dup if password.empty? # Fix for Ruby 1.9 bug
-                    password[0,32].ljust(32, PADDING)
+                    password[0, 32].ljust(32, PADDING)
                 end
 
                 def password_to_utf8(passwd) #:nodoc: