Commit graph

2 commits

Author SHA1 Message Date
jedarden
706f39bbf0 docs(pdftract-1z0qt): update verification note - encryption implementation verified
Verified complete encryption implementation:
- detection.rs: /Encrypt dictionary parsing, /Standard handler validation
- rc4.rs: RC4-40/128 decryption with PDF spec algorithms
- aes_128.rs: AES-128 CBC decryption with PKCS#7
- aes_256.rs: AES-256 with Algorithm 8 key derivation
- decryptor.rs: High-level API, password attempt (empty first)
- CLI: password.rs (stdin, env, insecure flag)
- Extract: decrypt_with_password integration
- Stream: decryption before decompression

All EC-04/05/06 fixtures and tests pass.
Decrypt feature is default-on per plan.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-28 07:04:45 -04:00
jedarden
a62913f25d feat(pdftract-1z0qt): implement encryption detection + RC4/AES-128/AES-256 decryption
Implement decrypt feature with RC4, AES-128, and AES-256 decryption support
for encrypted PDFs per PDF 1.7/2.0 spec.

Core components:
- detection.rs: Parse /Encrypt dictionary, validate encryption metadata
- rc4.rs: V=1 R=2 (40-bit) and V=2 R=3 (40-128 bit) key derivation
- aes_128.rs: V=4 R=4 AES-128 CBC with PKCS#7 padding
- aes_256.rs: V=5 R=5/6 AES-256 with SHA-256/384/512 key derivation
- decryptor.rs: Unified API for password validation and stream/string decryption

Integration:
- extract_pdf: Detect encryption and validate passwords after xref loading
- CLI: Exit code 3 for encryption errors (wrong password, unsupported)
- Password sources: --password-stdin, PDFTRACT_PASSWORD, --password VALUE (opt-in)

Password validation: Empty string first, then user-provided. Wrong
password emits ENCRYPTION_UNSUPPORTED diagnostic and exits with code 3.

Tests: Unit tests for RC4, AES-128, AES-256 key derivation and
validation. All pass with `cargo test --features decrypt`.

Refs: Plan Phase 1.4 line 1114, EC-04/EC-05/EC-06, PDF spec 7.6

Co-Authored-By: Claude Code <noreply@anthropic.com>
2026-05-28 03:22:36 -04:00