@jasy/pdf 1.0.0-alpha.3 → 1.0.0-alpha.4

package/dist/crypto/security-handler.d.ts

@@ -0,0 +1,46 @@
+/** A handler encrypts/decrypts the strings + streams of a document and describes itself as an `/Encrypt` dict. */
+export interface SecurityHandler {
+    /** The `/Encrypt` dictionary body (between `<<` and `>>`). Its own strings are never encrypted. */
+    encryptDict(): string;
+    /** Encrypt one string/stream. `ref` is unused for V5/R6 (one file key) but kept for future per-object schemes. */
+    encrypt(data: Uint8Array, ref?: {
+        num: number;
+        gen: number;
+    }): Promise<Uint8Array>;
+    /** Decrypt one string/stream (the groundwork the future "open/edit existing PDF" path reuses). */
+    decrypt(data: Uint8Array, ref?: {
+        num: number;
+        gen: number;
+    }): Promise<Uint8Array>;
+}
+/** What the user grants; everything defaults to allowed. Maps to the `/P` bitfield (ISO 32000-2 Table 22). */
+export interface Permissions {
+    printing?: boolean;
+    copying?: boolean;
+    modifying?: boolean;
+    annotating?: boolean;
+}
+export interface EncryptOptions {
+    /** Only "aes-256" today - the seam for future algorithms. */
+    algorithm?: "aes-256";
+    userPassword: string;
+    /** Full-rights password; defaults to the user password if omitted. */
+    ownerPassword?: string;
+    permissions?: Permissions;
+}
+declare class StandardAes256 implements SecurityHandler {
+    private readonly fileKey;
+    private readonly dict;
+    private constructor();
+    static create(opts: EncryptOptions): Promise<StandardAes256>;
+    encryptDict(): string;
+    encrypt(data: Uint8Array): Promise<Uint8Array>;
+    decrypt(data: Uint8Array): Promise<Uint8Array>;
+    /** Recover the file key from a password as a reader does: validate it against /U FIRST (so a wrong
+     *  password is rejected, not silently turned into a garbage key), then decrypt /UE. The groundwork the
+     *  future "open/edit existing PDF" path reuses. Throws on a wrong password. */
+    static recoverFileKey(userPassword: string, u: Uint8Array, ue: Uint8Array): Promise<Uint8Array>;
+}
+/** The factory = the seam. Today it always returns the AES-256 handler. */
+export declare function createSecurityHandler(opts: EncryptOptions): Promise<SecurityHandler>;
+export { StandardAes256 };

package/dist/crypto/security-handler.js

@@ -0,0 +1,129 @@
+// PDF Standard security handler. The PDFObjectManager talks to the `SecurityHandler` interface, never to a
+// concrete algorithm - so adding another scheme later (a new revision, or per-object RC4/AES-128) is just a
+// second implementation + a factory branch, with the writer untouched. Today we ship exactly one:
+// `StandardAes256` = AES-256, V5/R6 (ISO 32000-2 / PDF 2.0), the newest standard PDF encryption.
+import { aesCbcDecrypt, aesCbcDecryptNoPad, aesCbcEncrypt, aesCbcEncryptNoPad, randomBytes, sha, } from "./webcrypto.js";
+const utf8 = (s) => new TextEncoder().encode(s).subarray(0, 127); // R6 truncates passwords to 127 bytes
+const concat = (...parts) => {
+    const out = new Uint8Array(parts.reduce((n, p) => n + p.length, 0));
+    let o = 0;
+    for (const p of parts) {
+        out.set(p, o);
+        o += p.length;
+    }
+    return out;
+};
+const toHex = (a) => [...a].map((b) => b.toString(16).padStart(2, "0")).join("");
+// Constant-time-ish equality for password validation (no early-out on the first differing byte).
+const bytesEqual = (a, b) => {
+    if (a.length !== b.length)
+        return false;
+    let diff = 0;
+    for (let i = 0; i < a.length; i++)
+        diff |= a[i] ^ b[i];
+    return diff === 0;
+};
+// ISO 32000-2 Algorithm 2.B: the hardened password hash. Loops AES-128-CBC + SHA-256/384/512 until the
+// stopping rule. `udata` is the 48-byte /U for the owner computations, empty for the user ones.
+async function hash2B(password, salt, udata) {
+    let k = await sha(256, concat(password, salt, udata));
+    let e = new Uint8Array(0);
+    // At least 64 rounds; then stop once the last byte of E <= round - 32 (ISO 32000-2 Algorithm 2.B).
+    for (let round = 0; round < 64 || e[e.length - 1] > round - 32; round++) {
+        const block = concat(password, k, udata);
+        const k1 = new Uint8Array(block.length * 64);
+        for (let i = 0; i < 64; i++)
+            k1.set(block, i * block.length);
+        e = await aesCbcEncryptNoPad(k.subarray(0, 16), k.subarray(16, 32), k1);
+        let sum = 0;
+        for (let i = 0; i < 16; i++)
+            sum += e[i]; // big-endian 128-bit mod 3 == byte-sum mod 3 (256 ≡ 1 mod 3)
+        k = await sha([256, 384, 512][sum % 3], e);
+    }
+    return k.subarray(0, 32);
+}
+function permissionBits(p = {}) {
+    const { printing = true, copying = true, modifying = true, annotating = true } = p;
+    let bits = 0xfffff000 | 0b11000000; // reserved-1 bits (positions 7-8 and 13-32)
+    if (printing)
+        bits |= 4 | 2048;
+    if (modifying)
+        bits |= 8 | 1024;
+    if (copying)
+        bits |= 16 | 512;
+    if (annotating)
+        bits |= 32 | 256;
+    return bits | 0; // int32
+}
+class StandardAes256 {
+    constructor(fileKey, dict) {
+        this.fileKey = fileKey;
+        this.dict = dict;
+    }
+    static async create(opts) {
+        const user = utf8(opts.userPassword);
+        const owner = utf8(opts.ownerPassword ?? opts.userPassword);
+        const fileKey = randomBytes(32);
+        const p = permissionBits(opts.permissions);
+        // Algorithm 8: /U and /UE.
+        const uVS = randomBytes(8);
+        const uKS = randomBytes(8);
+        const empty = new Uint8Array(0);
+        const u = concat(await hash2B(user, uVS, empty), uVS, uKS); // 48 bytes
+        const ue = await aesCbcEncryptNoPad(await hash2B(user, uKS, empty), new Uint8Array(16), fileKey);
+        // Algorithm 9: /O and /OE (these also fold in /U).
+        const oVS = randomBytes(8);
+        const oKS = randomBytes(8);
+        const o = concat(await hash2B(owner, oVS, u), oVS, oKS); // 48 bytes
+        const oe = await aesCbcEncryptNoPad(await hash2B(owner, oKS, u), new Uint8Array(16), fileKey);
+        // Algorithm 10: /Perms (a 16-byte block, ECB == single-block CBC with a zero IV).
+        const perms = new Uint8Array(16);
+        perms[0] = p & 0xff;
+        perms[1] = (p >> 8) & 0xff;
+        perms[2] = (p >> 16) & 0xff;
+        perms[3] = (p >> 24) & 0xff;
+        perms[4] = perms[5] = perms[6] = perms[7] = 0xff;
+        perms[8] = 0x46; // 'F' - metadata (XMP) stays unencrypted (standard; keeps it indexer-readable)
+        perms[9] = 0x61; // 'a'
+        perms[10] = 0x64; // 'd'
+        perms[11] = 0x62; // 'b'
+        perms.set(randomBytes(4), 12);
+        const permsEnc = await aesCbcEncryptNoPad(fileKey, new Uint8Array(16), perms);
+        const dict = `/Filter /Standard /V 5 /R 6 /Length 256 /P ${p} /EncryptMetadata false ` +
+            `/CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> /StmF /StdCF /StrF /StdCF ` +
+            `/U <${toHex(u)}> /UE <${toHex(ue)}> /O <${toHex(o)}> /OE <${toHex(oe)}> /Perms <${toHex(permsEnc)}>`;
+        return new StandardAes256(fileKey, dict);
+    }
+    encryptDict() {
+        return this.dict;
+    }
+    async encrypt(data) {
+        const iv = randomBytes(16);
+        const ct = await aesCbcEncrypt(this.fileKey, iv, data);
+        return concat(iv, ct);
+    }
+    async decrypt(data) {
+        return aesCbcDecrypt(this.fileKey, data.subarray(0, 16), data.subarray(16));
+    }
+    /** Recover the file key from a password as a reader does: validate it against /U FIRST (so a wrong
+     *  password is rejected, not silently turned into a garbage key), then decrypt /UE. The groundwork the
+     *  future "open/edit existing PDF" path reuses. Throws on a wrong password. */
+    static async recoverFileKey(userPassword, u, ue) {
+        const pw = utf8(userPassword);
+        // Algorithm 11: hash(password + validation salt) must equal the first 32 bytes of /U.
+        const check = await hash2B(pw, u.subarray(32, 40), new Uint8Array(0));
+        if (!bytesEqual(check, u.subarray(0, 32))) {
+            throw new Error("@jasy/pdf: wrong password.");
+        }
+        const intermediate = await hash2B(pw, u.subarray(40, 48), new Uint8Array(0));
+        return aesCbcDecryptNoPad(intermediate, new Uint8Array(16), ue);
+    }
+}
+/** The factory = the seam. Today it always returns the AES-256 handler. */
+export async function createSecurityHandler(opts) {
+    if (opts.algorithm && opts.algorithm !== "aes-256") {
+        throw new Error(`@jasy/pdf: unsupported encryption algorithm "${opts.algorithm}" (only "aes-256").`);
+    }
+    return StandardAes256.create(opts);
+}
+export { StandardAes256 };

package/dist/crypto/webcrypto.d.ts

@@ -0,0 +1,11 @@
+export declare function randomBytes(n: number): Uint8Array;
+export declare function sha(bits: 256 | 384 | 512, data: Uint8Array): Promise<Uint8Array>;
+/** AES-CBC with PKCS#7 padding (the AESV3 mode for PDF strings/streams). */
+export declare function aesCbcEncrypt(key: Uint8Array, iv: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
+export declare function aesCbcDecrypt(key: Uint8Array, iv: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
+/** AES-CBC WITHOUT padding (`data.length` must be a multiple of 16). WebCrypto pads unconditionally, so we
+ *  encrypt and drop the extra full pad block - the leading blocks are the true unpadded CBC. */
+export declare function aesCbcEncryptNoPad(key: Uint8Array, iv: Uint8Array, data: Uint8Array): Promise<Uint8Array>;
+/** AES-CBC no-padding DECRYPT (`data` a multiple of 16). We append one cipher block crafted to decrypt to a
+ *  full 0x10 PKCS#7 pad (so WebCrypto accepts and strips it), leaving the original. */
+export declare function aesCbcDecryptNoPad(key: Uint8Array, iv: Uint8Array, data: Uint8Array): Promise<Uint8Array>;

package/dist/crypto/webcrypto.js

@@ -0,0 +1,62 @@
+// Isomorphic crypto via the platform WebCrypto (`globalThis.crypto.subtle`) - native in the browser AND in
+// Node 20+, with zero dependencies. This is the primitive layer the PDF Standard security handler (AES-256,
+// R6) builds on. Everything is async (so is `render()`), so that is no constraint.
+//
+// One wrinkle: WebCrypto's AES-CBC ALWAYS applies PKCS#7 padding and offers no raw/no-pad mode. The PDF R6
+// key derivation (Algorithm 2.B, /UE, /OE, /Perms) needs UNPADDED AES, so we synthesize it from the padded
+// primitive (encrypt: drop the trailing pad block; decrypt: append a block that decrypts to a full pad, then
+// let WebCrypto strip it). Document strings/streams use the padded primitive directly - that IS AESV3.
+const subtle = () => {
+    const c = globalThis.crypto;
+    if (!c?.subtle) {
+        throw new Error("@jasy/pdf: PDF encryption needs WebCrypto (globalThis.crypto.subtle), unavailable here.");
+    }
+    return c.subtle;
+};
+export function randomBytes(n) {
+    const b = new Uint8Array(n);
+    globalThis.crypto.getRandomValues(b);
+    return b;
+}
+// WebCrypto's types want a BufferSource backed by ArrayBuffer; our Uint8Arrays are ArrayBuffer-backed, so
+// this cast at the platform boundary is safe (TS 5.7+ just can't prove it isn't a SharedArrayBuffer).
+const buf = (a) => a;
+export async function sha(bits, data) {
+    return new Uint8Array(await subtle().digest(`SHA-${bits}`, buf(data)));
+}
+async function aesKey(key, usage) {
+    return subtle().importKey("raw", buf(key), { name: "AES-CBC" }, false, [usage]);
+}
+/** AES-CBC with PKCS#7 padding (the AESV3 mode for PDF strings/streams). */
+export async function aesCbcEncrypt(key, iv, data) {
+    return new Uint8Array(await subtle().encrypt({ name: "AES-CBC", iv: buf(iv) }, await aesKey(key, "encrypt"), buf(data)));
+}
+export async function aesCbcDecrypt(key, iv, data) {
+    return new Uint8Array(await subtle().decrypt({ name: "AES-CBC", iv: buf(iv) }, await aesKey(key, "decrypt"), buf(data)));
+}
+/** AES-CBC WITHOUT padding (`data.length` must be a multiple of 16). WebCrypto pads unconditionally, so we
+ *  encrypt and drop the extra full pad block - the leading blocks are the true unpadded CBC. */
+export async function aesCbcEncryptNoPad(key, iv, data) {
+    if (data.length % 16 !== 0)
+        throw new Error("aesCbcEncryptNoPad: data must be a multiple of 16 bytes.");
+    return (await aesCbcEncrypt(key, iv, data)).subarray(0, data.length);
+}
+const xor16 = (a, b) => {
+    const o = new Uint8Array(16);
+    for (let i = 0; i < 16; i++)
+        o[i] = a[i] ^ b[i];
+    return o;
+};
+/** AES-CBC no-padding DECRYPT (`data` a multiple of 16). We append one cipher block crafted to decrypt to a
+ *  full 0x10 PKCS#7 pad (so WebCrypto accepts and strips it), leaving the original. */
+export async function aesCbcDecryptNoPad(key, iv, data) {
+    if (data.length === 0 || data.length % 16 !== 0)
+        throw new Error("aesCbcDecryptNoPad: data must be a non-zero multiple of 16 bytes.");
+    const prev = data.length >= 16 ? data.subarray(data.length - 16) : iv;
+    // ECB(x) == first block of CBC(iv=0, x); we want the appended block to decrypt to 0x10*16 after the CBC xor.
+    const appended = await aesCbcEncryptNoPad(key, new Uint8Array(16), xor16(new Uint8Array(16).fill(16), prev));
+    const withPad = new Uint8Array(data.length + 16);
+    withPad.set(data);
+    withPad.set(appended, data.length);
+    return aesCbcDecrypt(key, iv, withPad);
+}

package/dist/renderer/pdf-renderer.js

@@ -74,6 +74,8 @@ export class PDFRenderer {
         // Now that the render pass has revealed which glyphs each embedded font uses, fill the reserved
         // font objects with the subset font program (must happen before the objects are serialized).
         objectManager.finalizeCustomFonts();
+        // Encrypt every registered stream + add the /Encrypt object (no-op unless a security handler was set).
+        await objectManager.finalizeEncryption();
         // Add rendered objects
         pdfContent += objectManager.getRenderedObjects();
         // Add XRef table and trailer

package/dist/utils/md5.js

@@ -4,10 +4,9 @@
 // matching `hash.update(string)`'s default encoding.
 // Per-round left-rotate amounts.
 const S = [
-    7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22,
-    5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14, 20,
-    4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23,
-    6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
+    7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 7, 12, 17, 22, 5, 9, 14, 20, 5, 9, 14, 20, 5, 9, 14,
+    20, 5, 9, 14, 20, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 4, 11, 16, 23, 6, 10, 15, 21, 6,
+    10, 15, 21, 6, 10, 15, 21, 6, 10, 15, 21,
 ];
 // Per-round constants K[i] = floor(abs(sin(i+1)) * 2^32).
 const K = new Int32Array(64);
@@ -57,7 +56,7 @@ export function md5(input) {
             A = D;
             D = C;
             C = B;
-            B = (B + (((f << S[i]) | (f >>> (32 - S[i]))) | 0)) | 0;
+            B = (B + ((f << S[i]) | (f >>> (32 - S[i])) | 0)) | 0;
         }
         a0 = (a0 + A) | 0;
         b0 = (b0 + B) | 0;

package/dist/utils/pdf-object-manager.d.ts

@@ -1,4 +1,5 @@
 import type { OverflowPolicy } from "../layout/fragmentation.js";
+import type { SecurityHandler } from "../crypto/security-handler.js";
 import type { PDFConfig } from "../renderer/pdf-document-class.js";
 import type { FontMetrics } from "./font-metrics.js";
 interface FontIndexes {
@@ -32,12 +33,17 @@ export declare class PDFObjectManager implements FontMetrics {
     private documentId;
     private compress;
     private overflowPolicy;
+    private security?;
+    private encJobs;
+    private encryptObjNum?;
     constructor();
     addObject(content: string): number;
     replaceObject(objectNumber: number, content: string): void;
     setCompress(on: boolean): void;
     setOverflowPolicy(policy: OverflowPolicy): void;
     getOverflowPolicy(): OverflowPolicy;
+    private encToken;
+    private streamPayload;
     private stream;
     addContentStream(content: string): number;
     changePDFConfig(config: PDFConfig): void;
@@ -67,6 +73,8 @@ export declare class PDFObjectManager implements FontMetrics {
     getPdfVersion(): string;
     getHeader(): string;
     enableDocumentId(): void;
+    setSecurityHandler(handler: SecurityHandler): void;
+    finalizeEncryption(): Promise<void>;
     registerExtGState(fillAlpha: number, strokeAlpha: number): string;
     getAllExtGStatesRaw(): Map<string, number>;
     registerFont(fontName: string, fontStyle?: FontStyle, fullName?: string): FontIndexes;

package/dist/utils/ttf-subsetter.js

@@ -3,7 +3,7 @@
 // the `glyf` outlines of unused glyphs (the bulk of the file) and rebuild `loca`; every other table
 // is copied verbatim. The used-glyph set is closed over composite-glyph components first, so a glyph
 // built from others (e.g. "ä") keeps its parts. Fonts without `glyf`/`loca` (CFF/OTF) pass through.
-import { concatBytes, i16, latin1FromBytes, u16, u32, wi16, wu16, wu32, writeLatin1 } from "./bytes.js";
+import { concatBytes, i16, latin1FromBytes, u16, u32, wi16, wu16, wu32, writeLatin1, } from "./bytes.js";
 const wrap32 = (n) => n >>> 0;
 /** TrueType table checksum: sum of big-endian uint32 over the 4-byte-padded table data. */
 function checksum(buf) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jasy/pdf",
-  "version": "1.0.0-alpha.3",
+  "version": "1.0.0-alpha.4",
   "description": "Declarative, component-based PDF generation in pure TypeScript - Flutter-style components, real AFM font metrics, a hand-rolled PDF writer. No headless browser, no Java.",
   "keywords": [
     "declarative",