npm - @cj-tech-master/excelts - Versions diffs - 8.0.0 → 8.1.0 - Mend

@cj-tech-master/excelts 8.0.0 → 8.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (106) hide show

package/README.md +14 -1
package/README_zh.md +6 -0
package/dist/browser/modules/archive/zip/stream.d.ts +4 -0
package/dist/browser/modules/archive/zip/stream.js +53 -0
package/dist/browser/modules/pdf/core/crypto.d.ts +65 -0
package/dist/browser/modules/pdf/core/crypto.js +637 -0
package/dist/browser/modules/pdf/core/encryption.d.ts +23 -20
package/dist/browser/modules/pdf/core/encryption.js +88 -261
package/dist/browser/modules/pdf/core/pdf-writer.d.ts +6 -4
package/dist/browser/modules/pdf/core/pdf-writer.js +19 -10
package/dist/browser/modules/pdf/index.d.ts +23 -2
package/dist/browser/modules/pdf/index.js +21 -3
package/dist/browser/modules/pdf/reader/annotation-extractor.d.ts +63 -0
package/dist/browser/modules/pdf/reader/annotation-extractor.js +155 -0
package/dist/browser/modules/pdf/reader/cmap-parser.d.ts +70 -0
package/dist/browser/modules/pdf/reader/cmap-parser.js +321 -0
package/dist/browser/modules/pdf/reader/content-interpreter.d.ts +57 -0
package/dist/browser/modules/pdf/reader/content-interpreter.js +715 -0
package/dist/browser/modules/pdf/reader/font-decoder.d.ts +58 -0
package/dist/browser/modules/pdf/reader/font-decoder.js +1513 -0
package/dist/browser/modules/pdf/reader/form-extractor.d.ts +48 -0
package/dist/browser/modules/pdf/reader/form-extractor.js +355 -0
package/dist/browser/modules/pdf/reader/image-extractor.d.ts +55 -0
package/dist/browser/modules/pdf/reader/image-extractor.js +220 -0
package/dist/browser/modules/pdf/reader/metadata-reader.d.ts +56 -0
package/dist/browser/modules/pdf/reader/metadata-reader.js +275 -0
package/dist/browser/modules/pdf/reader/pdf-decrypt.d.ts +26 -0
package/dist/browser/modules/pdf/reader/pdf-decrypt.js +443 -0
package/dist/browser/modules/pdf/reader/pdf-document.d.ts +191 -0
package/dist/browser/modules/pdf/reader/pdf-document.js +818 -0
package/dist/browser/modules/pdf/reader/pdf-parser.d.ts +65 -0
package/dist/browser/modules/pdf/reader/pdf-parser.js +285 -0
package/dist/browser/modules/pdf/reader/pdf-reader.d.ts +143 -0
package/dist/browser/modules/pdf/reader/pdf-reader.js +200 -0
package/dist/browser/modules/pdf/reader/pdf-tokenizer.d.ts +101 -0
package/dist/browser/modules/pdf/reader/pdf-tokenizer.js +543 -0
package/dist/browser/modules/pdf/reader/reader-utils.d.ts +15 -0
package/dist/browser/modules/pdf/reader/reader-utils.js +27 -0
package/dist/browser/modules/pdf/reader/stream-filters.d.ts +20 -0
package/dist/browser/modules/pdf/reader/stream-filters.js +456 -0
package/dist/browser/modules/pdf/reader/text-reconstruction.d.ts +44 -0
package/dist/browser/modules/pdf/reader/text-reconstruction.js +463 -0
package/dist/cjs/modules/archive/zip/stream.js +53 -0
package/dist/cjs/modules/pdf/core/crypto.js +649 -0
package/dist/cjs/modules/pdf/core/encryption.js +88 -263
package/dist/cjs/modules/pdf/core/pdf-writer.js +19 -10
package/dist/cjs/modules/pdf/index.js +23 -4
package/dist/cjs/modules/pdf/reader/annotation-extractor.js +158 -0
package/dist/cjs/modules/pdf/reader/cmap-parser.js +326 -0
package/dist/cjs/modules/pdf/reader/content-interpreter.js +718 -0
package/dist/cjs/modules/pdf/reader/font-decoder.js +1518 -0
package/dist/cjs/modules/pdf/reader/form-extractor.js +358 -0
package/dist/cjs/modules/pdf/reader/image-extractor.js +223 -0
package/dist/cjs/modules/pdf/reader/metadata-reader.js +278 -0
package/dist/cjs/modules/pdf/reader/pdf-decrypt.js +447 -0
package/dist/cjs/modules/pdf/reader/pdf-document.js +822 -0
package/dist/cjs/modules/pdf/reader/pdf-parser.js +301 -0
package/dist/cjs/modules/pdf/reader/pdf-reader.js +203 -0
package/dist/cjs/modules/pdf/reader/pdf-tokenizer.js +517 -0
package/dist/cjs/modules/pdf/reader/reader-utils.js +30 -0
package/dist/cjs/modules/pdf/reader/stream-filters.js +459 -0
package/dist/cjs/modules/pdf/reader/text-reconstruction.js +467 -0
package/dist/esm/modules/archive/zip/stream.js +53 -0
package/dist/esm/modules/pdf/core/crypto.js +637 -0
package/dist/esm/modules/pdf/core/encryption.js +88 -261
package/dist/esm/modules/pdf/core/pdf-writer.js +19 -10
package/dist/esm/modules/pdf/index.js +21 -3
package/dist/esm/modules/pdf/reader/annotation-extractor.js +155 -0
package/dist/esm/modules/pdf/reader/cmap-parser.js +321 -0
package/dist/esm/modules/pdf/reader/content-interpreter.js +715 -0
package/dist/esm/modules/pdf/reader/font-decoder.js +1513 -0
package/dist/esm/modules/pdf/reader/form-extractor.js +355 -0
package/dist/esm/modules/pdf/reader/image-extractor.js +220 -0
package/dist/esm/modules/pdf/reader/metadata-reader.js +275 -0
package/dist/esm/modules/pdf/reader/pdf-decrypt.js +443 -0
package/dist/esm/modules/pdf/reader/pdf-document.js +818 -0
package/dist/esm/modules/pdf/reader/pdf-parser.js +285 -0
package/dist/esm/modules/pdf/reader/pdf-reader.js +200 -0
package/dist/esm/modules/pdf/reader/pdf-tokenizer.js +543 -0
package/dist/esm/modules/pdf/reader/reader-utils.js +27 -0
package/dist/esm/modules/pdf/reader/stream-filters.js +456 -0
package/dist/esm/modules/pdf/reader/text-reconstruction.js +463 -0
package/dist/iife/excelts.iife.js +703 -267
package/dist/iife/excelts.iife.js.map +1 -1
package/dist/iife/excelts.iife.min.js +35 -35
package/dist/types/modules/archive/zip/stream.d.ts +4 -0
package/dist/types/modules/pdf/core/crypto.d.ts +65 -0
package/dist/types/modules/pdf/core/encryption.d.ts +23 -20
package/dist/types/modules/pdf/core/pdf-writer.d.ts +6 -4
package/dist/types/modules/pdf/index.d.ts +23 -2
package/dist/types/modules/pdf/reader/annotation-extractor.d.ts +63 -0
package/dist/types/modules/pdf/reader/cmap-parser.d.ts +70 -0
package/dist/types/modules/pdf/reader/content-interpreter.d.ts +57 -0
package/dist/types/modules/pdf/reader/font-decoder.d.ts +58 -0
package/dist/types/modules/pdf/reader/form-extractor.d.ts +48 -0
package/dist/types/modules/pdf/reader/image-extractor.d.ts +55 -0
package/dist/types/modules/pdf/reader/metadata-reader.d.ts +56 -0
package/dist/types/modules/pdf/reader/pdf-decrypt.d.ts +26 -0
package/dist/types/modules/pdf/reader/pdf-document.d.ts +191 -0
package/dist/types/modules/pdf/reader/pdf-parser.d.ts +65 -0
package/dist/types/modules/pdf/reader/pdf-reader.d.ts +143 -0
package/dist/types/modules/pdf/reader/pdf-tokenizer.d.ts +101 -0
package/dist/types/modules/pdf/reader/reader-utils.d.ts +15 -0
package/dist/types/modules/pdf/reader/stream-filters.d.ts +20 -0
package/dist/types/modules/pdf/reader/text-reconstruction.d.ts +44 -0
package/package.json +1 -1

package/dist/browser/modules/pdf/reader/pdf-decrypt.js ADDED Viewed

@@ -0,0 +1,443 @@
+/**
+ * PDF decryption for reading encrypted PDFs.
+ *
+ * Supports:
+ * - Standard Security Handler (V1/V2/V4/V5, R2/R3/R4/R5)
+ * - RC4 encryption (40-bit and 128-bit)
+ * - AES-128 encryption (PDF 1.6+)
+ * - AES-256 encryption (PDF 2.0, V=5, R=5)
+ *
+ * @see PDF Reference 1.7, §3.5 - Encryption
+ * @see PDF 2.0 (ISO 32000-2), §7.6 - Encryption
+ */
+import { rc4, md5, sha256, aesCbcDecrypt, aesCbcDecryptRaw, concatArrays } from "../core/crypto.js";
+import { dictGetNumber, dictGetName, dictGetBytes, dictGetArray, dictGetBool } from "./pdf-parser.js";
+import { PdfStructureError } from "../errors.js";
+// =============================================================================
+// Constants
+// =============================================================================
+/** PDF password padding string (32 bytes) per PDF spec §3.5.2 */
+const PASSWORD_PADDING = new Uint8Array([
+    0x28, 0xbf, 0x4e, 0x5e, 0x4e, 0x75, 0x8a, 0x41, 0x64, 0x00, 0x4e, 0x56, 0xff, 0xfa, 0x01, 0x08,
+    0x2e, 0x2e, 0x00, 0xb6, 0xd0, 0x68, 0x3e, 0x80, 0x2f, 0x0c, 0xa9, 0xfe, 0x64, 0x53, 0x69, 0x7a
+]);
+/** Cached TextEncoder instance */
+const textEncoder = new TextEncoder();
+// =============================================================================
+// Public API
+// =============================================================================
+/**
+ * Initialize decryption for a PDF document.
+ * Returns true if decryption was successfully initialized, false if
+ * the password was incorrect.
+ *
+ * @param doc - The PDF document
+ * @param password - User or owner password (empty string for no password)
+ */
+export function initDecryption(doc, password = "") {
+    const encryptDict = doc.derefDict(doc.trailer.get("Encrypt"));
+    if (!encryptDict) {
+        return true; // Not encrypted
+    }
+    const filter = dictGetName(encryptDict, "Filter");
+    if (filter !== "Standard") {
+        throw new PdfStructureError(`Unsupported encryption filter: ${filter}`);
+    }
+    const v = dictGetNumber(encryptDict, "V") ?? 0;
+    const r = dictGetNumber(encryptDict, "R") ?? 0;
+    const keyLength = (dictGetNumber(encryptDict, "Length") ?? 40) / 8; // bits → bytes
+    const permissions = dictGetNumber(encryptDict, "P") ?? 0;
+    const oValue = dictGetBytes(encryptDict, "O");
+    const uValue = dictGetBytes(encryptDict, "U");
+    if (!oValue || !uValue) {
+        throw new PdfStructureError("Missing /O or /U values in Encrypt dictionary");
+    }
+    // Get file ID from trailer
+    const idArray = dictGetArray(doc.trailer, "ID");
+    const fileId = idArray && idArray.length > 0 && idArray[0] instanceof Uint8Array
+        ? idArray[0]
+        : new Uint8Array(0);
+    // Determine EncryptMetadata flag (default true per spec)
+    const encryptMetadata = readEncryptMetadata(encryptDict);
+    // Handle V=5 (AES-256, PDF 2.0)
+    if (v === 5) {
+        return initDecryptionV5(doc, encryptDict, password, r, oValue, uValue, permissions, fileId);
+    }
+    // Determine if we should use AES
+    const useAes = v === 4 && isAesCryptFilter(encryptDict);
+    // Try user password first, then owner password
+    let encryptionKey = tryUserPassword(password, oValue, permissions, fileId, r, keyLength, uValue, encryptMetadata);
+    if (!encryptionKey) {
+        // Try as owner password
+        const derivedUser = deriveUserPasswordFromOwner(password, oValue, r, keyLength);
+        encryptionKey = tryUserPassword(derivedUser, oValue, permissions, fileId, r, keyLength, uValue, encryptMetadata);
+    }
+    if (!encryptionKey) {
+        // Try empty password
+        if (password !== "") {
+            encryptionKey = tryUserPassword("", oValue, permissions, fileId, r, keyLength, uValue, encryptMetadata);
+        }
+    }
+    if (!encryptionKey) {
+        return false; // Password incorrect
+    }
+    // Set up decryption function
+    const finalKey = encryptionKey;
+    if (useAes) {
+        doc.decryptFn = (data, objNum, gen) => decryptAes128(data, objNum, gen, finalKey);
+    }
+    else {
+        doc.decryptFn = (data, objNum, gen) => decryptRc4PerObject(data, objNum, gen, finalKey);
+    }
+    return true;
+}
+/**
+ * Check if the document is encrypted.
+ */
+export function isEncrypted(doc) {
+    return doc.trailer.has("Encrypt");
+}
+// =============================================================================
+// V5 (AES-256) Decryption
+// =============================================================================
+/**
+ * Initialize decryption for V=5 (AES-256, PDF 2.0).
+ * Supports R=5 using SHA-256 based key derivation (Algorithm 2.A).
+ */
+function initDecryptionV5(doc, encryptDict, password, revision, oValue, uValue, _permissions, _fileId) {
+    if (revision === 6) {
+        throw new PdfStructureError("R=6 (PDF 2.0 extension) requires SHA-384/SHA-512 which is not yet supported");
+    }
+    if (revision !== 5) {
+        throw new PdfStructureError(`Unsupported revision ${revision} for V=5 encryption`);
+    }
+    const oeValue = dictGetBytes(encryptDict, "OE");
+    const ueValue = dictGetBytes(encryptDict, "UE");
+    if (!oeValue || !ueValue) {
+        throw new PdfStructureError("Missing /OE or /UE values in V=5 Encrypt dictionary");
+    }
+    // O value layout: 32 bytes hash + 8 bytes validation salt + 8 bytes key salt
+    // U value layout: 32 bytes hash + 8 bytes validation salt + 8 bytes key salt
+    if (oValue.length < 48 || uValue.length < 48) {
+        throw new PdfStructureError("Invalid /O or /U length for V=5 encryption");
+    }
+    const passwordBytes = truncatePassword(password);
+    // Try user password (Algorithm 2.A step a - user)
+    let encryptionKey = tryUserPasswordV5(passwordBytes, uValue, ueValue);
+    if (!encryptionKey) {
+        // Try owner password (Algorithm 2.A step a - owner)
+        encryptionKey = tryOwnerPasswordV5(passwordBytes, oValue, oeValue, uValue);
+    }
+    if (!encryptionKey) {
+        // Try empty password
+        if (password !== "") {
+            const emptyBytes = new Uint8Array(0);
+            encryptionKey = tryUserPasswordV5(emptyBytes, uValue, ueValue);
+            if (!encryptionKey) {
+                encryptionKey = tryOwnerPasswordV5(emptyBytes, oValue, oeValue, uValue);
+            }
+        }
+    }
+    if (!encryptionKey) {
+        return false;
+    }
+    // V=5 always uses AES-256 with the file encryption key directly (no per-object key derivation)
+    const finalKey = encryptionKey;
+    doc.decryptFn = (data, _objNum, _gen) => decryptAes256Direct(data, finalKey);
+    return true;
+}
+/**
+ * Truncate password to 127 bytes (UTF-8) per PDF 2.0 spec.
+ */
+function truncatePassword(password) {
+    const bytes = textEncoder.encode(password);
+    return bytes.length > 127 ? bytes.subarray(0, 127) : bytes;
+}
+/**
+ * Try user password for V=5/R=5.
+ * Validates using SHA-256(password + validation salt from U).
+ * If valid, derives file encryption key using SHA-256(password + key salt from U).
+ */
+function tryUserPasswordV5(passwordBytes, uValue, ueValue) {
+    // U = hash(32) + validation salt(8) + key salt(8)
+    const uHash = uValue.subarray(0, 32);
+    const uValidationSalt = uValue.subarray(32, 40);
+    const uKeySalt = uValue.subarray(40, 48);
+    // Validate: SHA-256(password + validation salt) == first 32 bytes of U
+    const validateInput = concatArrays(passwordBytes, uValidationSalt);
+    const computedHash = sha256(validateInput);
+    if (!arraysEqual(computedHash, uHash)) {
+        return null;
+    }
+    // Derive key: SHA-256(password + key salt) => use as AES-256 key to decrypt UE
+    const keyInput = concatArrays(passwordBytes, uKeySalt);
+    const keyHash = sha256(keyInput);
+    // Decrypt UE with this key using AES-256-CBC with zero IV
+    const zeroIv = new Uint8Array(16);
+    return aesCbcDecryptRaw(ueValue.subarray(0, 32), keyHash, zeroIv);
+}
+/**
+ * Try owner password for V=5/R=5.
+ * Validates using SHA-256(password + validation salt from O + U(48)).
+ * If valid, derives file encryption key using SHA-256(password + key salt from O + U(48)).
+ */
+function tryOwnerPasswordV5(passwordBytes, oValue, oeValue, uValue) {
+    // O = hash(32) + validation salt(8) + key salt(8)
+    const oHash = oValue.subarray(0, 32);
+    const oValidationSalt = oValue.subarray(32, 40);
+    const oKeySalt = oValue.subarray(40, 48);
+    const u48 = uValue.subarray(0, 48);
+    // Validate: SHA-256(password + validation salt + U(0..47)) == first 32 bytes of O
+    const validateInput = concatArrays(passwordBytes, oValidationSalt, u48);
+    const computedHash = sha256(validateInput);
+    if (!arraysEqual(computedHash, oHash)) {
+        return null;
+    }
+    // Derive key: SHA-256(password + key salt + U(0..47))
+    const keyInput = concatArrays(passwordBytes, oKeySalt, u48);
+    const keyHash = sha256(keyInput);
+    // Decrypt OE with this key using AES-256-CBC with zero IV
+    const zeroIv = new Uint8Array(16);
+    return aesCbcDecryptRaw(oeValue.subarray(0, 32), keyHash, zeroIv);
+}
+/**
+ * Decrypt data using AES-256 directly (no per-object key derivation).
+ * For V=5, the file encryption key is used directly. The first 16 bytes are IV.
+ */
+function decryptAes256Direct(data, encryptionKey) {
+    if (data.length < 16) {
+        return data;
+    }
+    const iv = data.subarray(0, 16);
+    const ciphertext = data.subarray(16);
+    if (ciphertext.length === 0 || ciphertext.length % 16 !== 0) {
+        return data;
+    }
+    return aesCbcDecrypt(ciphertext, encryptionKey, iv);
+}
+// =============================================================================
+// Password Verification (V1-V4)
+// =============================================================================
+/**
+ * Try to authenticate with the user password.
+ * Returns the encryption key if successful, null otherwise.
+ */
+function tryUserPassword(password, oValue, permissions, fileId, revision, keyLength, uValue, encryptMetadata) {
+    const key = computeEncryptionKeyForReading(password, oValue, permissions, fileId, revision, keyLength, encryptMetadata);
+    // Verify against U value
+    if (revision === 2) {
+        // R2: encrypt password padding with key, compare to U
+        const encrypted = rc4(key, PASSWORD_PADDING);
+        if (arraysEqual(encrypted, uValue.subarray(0, 32))) {
+            return key;
+        }
+    }
+    else if (revision >= 3) {
+        // R3/R4: MD5(padding + fileId), encrypt, iterate 19 times
+        const hashInput = new Uint8Array(32 + fileId.length);
+        hashInput.set(PASSWORD_PADDING);
+        hashInput.set(fileId, 32);
+        const hash = md5(hashInput);
+        let result = rc4(key, hash);
+        for (let i = 1; i <= 19; i++) {
+            const modKey = new Uint8Array(key.length);
+            for (let j = 0; j < key.length; j++) {
+                modKey[j] = key[j] ^ i;
+            }
+            result = rc4(modKey, result);
+        }
+        // Compare first 16 bytes
+        if (arraysEqual(result.subarray(0, 16), uValue.subarray(0, 16))) {
+            return key;
+        }
+    }
+    return null;
+}
+/**
+ * Compute the encryption key for reading (Algorithm 2, PDF spec §3.5.2).
+ */
+function computeEncryptionKeyForReading(password, oValue, permissions, fileId, revision, keyLength, encryptMetadata) {
+    const paddedPwd = padPassword(password);
+    // When encryptMetadata is false and revision >= 4, append 4 bytes of 0xFF
+    const extraBytes = revision >= 4 && !encryptMetadata ? 4 : 0;
+    const input = new Uint8Array(32 + 32 + 4 + fileId.length + extraBytes);
+    let offset = 0;
+    input.set(paddedPwd, offset);
+    offset += 32;
+    input.set(oValue.subarray(0, 32), offset);
+    offset += 32;
+    // P value as 4 LE bytes
+    input[offset] = permissions & 0xff;
+    input[offset + 1] = (permissions >> 8) & 0xff;
+    input[offset + 2] = (permissions >> 16) & 0xff;
+    input[offset + 3] = (permissions >> 24) & 0xff;
+    offset += 4;
+    input.set(fileId, offset);
+    offset += fileId.length;
+    // If EncryptMetadata is false and revision >= 4, append 0xFFFFFFFF
+    if (revision >= 4 && !encryptMetadata) {
+        input[offset] = 0xff;
+        input[offset + 1] = 0xff;
+        input[offset + 2] = 0xff;
+        input[offset + 3] = 0xff;
+        offset += 4;
+    }
+    let hash = md5(input.subarray(0, offset));
+    // For revision >= 3, hash 50 more times
+    if (revision >= 3) {
+        for (let i = 0; i < 50; i++) {
+            hash = md5(hash.subarray(0, keyLength));
+        }
+    }
+    return hash.subarray(0, keyLength);
+}
+/**
+ * Derive the user password from the owner password.
+ * Uses Algorithm 7 from PDF spec §3.5.2.
+ */
+function deriveUserPasswordFromOwner(ownerPassword, oValue, revision, keyLength) {
+    let hash = md5(padPassword(ownerPassword));
+    if (revision >= 3) {
+        for (let i = 0; i < 50; i++) {
+            hash = md5(hash.subarray(0, keyLength));
+        }
+    }
+    const key = hash.subarray(0, keyLength);
+    let result = new Uint8Array(oValue.subarray(0, 32));
+    if (revision === 2) {
+        result = rc4(key, result);
+    }
+    else if (revision >= 3) {
+        for (let i = 19; i >= 0; i--) {
+            const modKey = new Uint8Array(key.length);
+            for (let j = 0; j < key.length; j++) {
+                modKey[j] = key[j] ^ i;
+            }
+            result = rc4(modKey, result);
+        }
+    }
+    // Convert result bytes to password string
+    let pwd = "";
+    for (let i = 0; i < 32; i++) {
+        if (result[i] === PASSWORD_PADDING[0] &&
+            arraysEqual(result.subarray(i, i + Math.min(32 - i, 32)), PASSWORD_PADDING.subarray(0, Math.min(32 - i, 32)))) {
+            break;
+        }
+        pwd += String.fromCharCode(result[i]);
+    }
+    return pwd;
+}
+// =============================================================================
+// AES-128 Decryption
+// =============================================================================
+/**
+ * Decrypt data using RC4 with per-object key derivation.
+ * Per-object key = MD5(encryptionKey + objNum(3LE) + genNum(2LE)), truncated to min(n+5, 16).
+ */
+function decryptRc4PerObject(data, objectNumber, generation, encryptionKey) {
+    const keyInput = new Uint8Array(encryptionKey.length + 5);
+    keyInput.set(encryptionKey);
+    keyInput[encryptionKey.length] = objectNumber & 0xff;
+    keyInput[encryptionKey.length + 1] = (objectNumber >> 8) & 0xff;
+    keyInput[encryptionKey.length + 2] = (objectNumber >> 16) & 0xff;
+    keyInput[encryptionKey.length + 3] = generation & 0xff;
+    keyInput[encryptionKey.length + 4] = (generation >> 8) & 0xff;
+    const objKey = md5(keyInput);
+    const keyLen = Math.min(encryptionKey.length + 5, 16);
+    return rc4(objKey.subarray(0, keyLen), data);
+}
+/**
+ * Decrypt data using AES-128-CBC.
+ * Per PDF spec, the first 16 bytes of the data are the IV.
+ */
+function decryptAes128(data, objectNumber, generation, encryptionKey) {
+    if (data.length < 16) {
+        return data;
+    }
+    // Compute per-object key: MD5(encryptionKey + objNum(3LE) + genNum(2LE) + "sAlT")
+    const keyInput = new Uint8Array(encryptionKey.length + 5 + 4);
+    keyInput.set(encryptionKey);
+    keyInput[encryptionKey.length] = objectNumber & 0xff;
+    keyInput[encryptionKey.length + 1] = (objectNumber >> 8) & 0xff;
+    keyInput[encryptionKey.length + 2] = (objectNumber >> 16) & 0xff;
+    keyInput[encryptionKey.length + 3] = generation & 0xff;
+    keyInput[encryptionKey.length + 4] = (generation >> 8) & 0xff;
+    // AES salt
+    keyInput[encryptionKey.length + 5] = 0x73; // s
+    keyInput[encryptionKey.length + 6] = 0x41; // A
+    keyInput[encryptionKey.length + 7] = 0x6c; // l
+    keyInput[encryptionKey.length + 8] = 0x54; // T
+    const objKey = md5(keyInput);
+    const keyLen = Math.min(encryptionKey.length + 5, 16);
+    const aesKey = objKey.subarray(0, keyLen);
+    // Extract IV (first 16 bytes) and ciphertext
+    const iv = data.subarray(0, 16);
+    const ciphertext = data.subarray(16);
+    if (ciphertext.length === 0 || ciphertext.length % 16 !== 0) {
+        return data;
+    }
+    return aesCbcDecrypt(ciphertext, aesKey, iv);
+}
+// =============================================================================
+// Helpers
+// =============================================================================
+function padPassword(password) {
+    const result = new Uint8Array(32);
+    const bytes = textEncoder.encode(password);
+    const len = Math.min(bytes.length, 32);
+    result.set(bytes.subarray(0, len));
+    result.set(PASSWORD_PADDING.subarray(0, 32 - len), len);
+    return result;
+}
+function arraysEqual(a, b) {
+    if (a.length !== b.length) {
+        return false;
+    }
+    for (let i = 0; i < a.length; i++) {
+        if (a[i] !== b[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+/**
+ * Read the EncryptMetadata flag from the encrypt dictionary.
+ * Per spec, defaults to true if not present.
+ * Checks both the top-level dict and CF/StdCF sub-dictionary.
+ */
+function readEncryptMetadata(encryptDict) {
+    // Check top-level EncryptMetadata first
+    const topLevel = dictGetBool(encryptDict, "EncryptMetadata");
+    if (topLevel !== undefined) {
+        return topLevel;
+    }
+    // Check CF/StdCF/EncryptMetadata
+    const cf = encryptDict.get("CF");
+    if (cf && cf instanceof Map) {
+        const stdCF = cf.get("StdCF");
+        if (stdCF && stdCF instanceof Map) {
+            const cfVal = stdCF.get("EncryptMetadata");
+            if (typeof cfVal === "boolean") {
+                return cfVal;
+            }
+        }
+    }
+    // Default per spec
+    return true;
+}
+/**
+ * Check if V4 encryption uses AES (vs RC4).
+ */
+function isAesCryptFilter(encryptDict) {
+    const cf = encryptDict.get("CF");
+    if (!cf || !(cf instanceof Map)) {
+        return false;
+    }
+    // Check StdCF filter
+    const stdCF = cf.get("StdCF");
+    if (!stdCF || !(stdCF instanceof Map)) {
+        return false;
+    }
+    const cfm = stdCF.get("CFM");
+    return cfm === "AESV2";
+}

package/dist/browser/modules/pdf/reader/pdf-document.d.ts ADDED Viewed

@@ -0,0 +1,191 @@
+/**
+ * PDF document parser.
+ *
+ * Handles the high-level PDF file structure:
+ * - Locating startxref
+ * - Parsing cross-reference tables (traditional and stream-based)
+ * - Reading trailer dictionaries
+ * - Resolving indirect object references
+ * - Handling incremental updates
+ *
+ * @see PDF Reference 1.7, §3.4 - File Structure
+ */
+import type { PdfObject, PdfDictValue, PdfRef, PdfStream } from "./pdf-parser.js";
+/** Result of resolving an object with its object/generation numbers for decryption */
+interface ResolvedObject {
+    /** The resolved PDF object */
+    obj: PdfObject | null;
+    /** The object number */
+    objNum: number;
+    /** The generation number */
+    gen: number;
+}
+/**
+ * Parsed PDF document with lazy object resolution.
+ *
+ * Reads the cross-reference table and trailer on construction,
+ * then resolves individual objects on demand with caching.
+ */
+export declare class PdfDocument {
+    private tokenizer;
+    private xref;
+    private cache;
+    readonly trailer: PdfDictValue;
+    /** Encryption handler (set externally after decryption is initialized) */
+    decryptFn: ((data: Uint8Array, objNum: number, gen: number) => Uint8Array) | null;
+    constructor(data: Uint8Array);
+    /** Get the underlying raw data */
+    get data(): Uint8Array;
+    private parseFileStructure;
+    /**
+     * Find the startxref offset by scanning backward from EOF.
+     */
+    private findStartxref;
+    /**
+     * Parse the xref chain starting at the given offset.
+     * Follows /Prev links for incremental updates.
+     * Returns the merged trailer dictionary.
+     */
+    private parseXrefChain;
+    /**
+     * Parse a traditional xref table and its trailer.
+     */
+    private parseTraditionalXref;
+    /**
+     * Parse a cross-reference stream (PDF 1.5+).
+     */
+    private parseXrefStream;
+    /**
+     * Reconstruct the xref table by scanning the entire file for `N N obj` patterns.
+     * This is a fallback for corrupted or broken PDFs where the normal xref parsing fails.
+     *
+     * @returns A synthetic trailer dictionary
+     */
+    private reconstructXref;
+    /**
+     * Merge trailer entries from an older trailer into the current one.
+     * Only adds keys that don't already exist.
+     */
+    private mergeTrailer;
+    /**
+     * Resolve a PDF object by its object number and generation.
+     * Returns null if the object doesn't exist.
+     */
+    resolve(objNum: number, gen?: number): PdfObject | null;
+    /**
+     * Resolve a PDF object and return it along with its object/generation numbers.
+     * Useful for tracking which object a value came from (for decryption).
+     *
+     * @param objNum - The object number to resolve
+     * @param gen - The generation number (default 0)
+     * @returns The resolved object with its objNum and gen for decryption context
+     */
+    resolveWithObjNum(objNum: number, gen?: number): ResolvedObject;
+    /**
+     * Dereference a PdfRef to its actual object value.
+     * If the input is not a PdfRef, returns it as-is.
+     */
+    deref(obj: PdfObject | null | undefined): PdfObject | null;
+    /**
+     * Dereference a PdfRef and assert it's a dictionary.
+     */
+    derefDict(obj: PdfObject | null | undefined): PdfDictValue | null;
+    /**
+     * Dereference a PdfRef and get the stream, along with the objNum/gen
+     * needed for correct per-object decryption.
+     */
+    derefStream(obj: PdfObject | null | undefined): PdfStream | null;
+    /**
+     * Dereference a PdfRef and get the stream with its object number and generation.
+     * Returns null if the object is not a stream.
+     * The objNum/gen are needed for correct per-object decryption (V1-V4).
+     */
+    derefStreamWithObjNum(obj: PdfObject | null | undefined): {
+        stream: PdfStream;
+        objNum: number;
+        gen: number;
+    } | null;
+    /**
+     * Get decoded stream data from a stream object.
+     * Applies filter chain decoding and decryption.
+     *
+     * When objNum/gen are not provided (default 0), decryption may not
+     * produce correct results. Use {@link resolveWithObjNum} to obtain
+     * the correct objNum/gen for the stream's containing object.
+     */
+    getStreamData(stream: PdfStream, objNum?: number, gen?: number): Uint8Array;
+    /**
+     * Decrypt a string value (bytes) if encryption is active.
+     */
+    decryptString(bytes: Uint8Array, objNum: number, gen: number): Uint8Array;
+    /**
+     * Decode a PDF string to a JS string, with optional decryption.
+     */
+    decodeString(bytes: Uint8Array, objNum?: number, gen?: number): string;
+    /**
+     * Recursively decrypt all string values (Uint8Array) within a parsed PDF object.
+     * PDF spec requires all strings in an encrypted document to be decrypted using
+     * the per-object key derived from the containing object's objNum/gen.
+     * Streams are NOT decrypted here — they are decrypted in getStreamData().
+     */
+    private decryptObjectStrings;
+    /**
+     * Get the catalog dictionary (the root of the document structure).
+     */
+    getCatalog(): PdfDictValue;
+    /**
+     * Get the pages array from the page tree.
+     * Returns an array of page dictionaries in order.
+     */
+    getPages(): PdfDictValue[];
+    /**
+     * Get pages with their object numbers (needed for correct decryption of
+     * inline streams within page objects).
+     */
+    getPagesWithObjInfo(): Array<{
+        dict: PdfDictValue;
+        objNum: number;
+        gen: number;
+    }>;
+    /**
+     * Recursively collect page dictionaries from the page tree.
+     * Uses a visited set to prevent infinite recursion on cyclic page trees.
+     */
+    private collectPages;
+    /**
+     * Get the object number for a given object reference.
+     * Useful for tracking which object a value came from (for decryption).
+     */
+    getObjNumForRef(ref: PdfRef): number;
+    /**
+     * Parse an object definition at the given byte offset.
+     */
+    private parseObjectAt;
+    /**
+     * Parse a compressed object from an object stream.
+     * @param objStmNum - The object number of the object stream
+     * @param index - The index of the object within the stream
+     */
+    private parseCompressedObject;
+    /**
+     * Parse all objects from an object stream.
+     * @returns Map of object number → object value
+     */
+    private parseObjectStream;
+    /**
+     * Resolve a page's bounding box (MediaBox/CropBox) with indirect ref resolution
+     * and parent inheritance. Returns `{ width, height }` or null if no box found.
+     *
+     * This is a shared helper so callers don't duplicate box resolution logic.
+     */
+    resolvePageBox(pageDict: PdfDictValue, visited?: Set<PdfDictValue>): {
+        width: number;
+        height: number;
+    } | null;
+    /**
+     * Resolve a page's Resources dictionary, inheriting from parent pages if needed.
+     * Protected against cyclic parent chains.
+     */
+    resolvePageResources(pageDict: PdfDictValue, visited?: Set<PdfDictValue>): PdfDictValue;
+}
+export {};