itext
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/EncryptedEmbeddedStreamsHandler.java
Lines changed: 61 additions & 0 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/EncryptedEmbeddedStreamsHandler.java
Lines changed: 61 additions & 0 deletions
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfDocument.java
Lines changed: 26 additions & 0 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfDocument.java
Lines changed: 26 additions & 0 deletions
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfEncryption.java
Lines changed: 28 additions & 1 deletion b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfEncryption.java
Lines changed: 28 additions & 1 deletion
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfOutputStream.java
Lines changed: 3 additions & 2 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfOutputStream.java
Lines changed: 3 additions & 2 deletions
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java
Lines changed: 2 additions & 1 deletion b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/PdfReader.java
Lines changed: 2 additions & 1 deletion
diff --git a/‎kernel/src/main/java/com/itextpdf/kernel/pdf/filespec/PdfFileSpec.java
Lines changed: 1 addition & 0 deletions b/‎kernel/src/main/java/com/itextpdf/kernel/pdf/filespec/PdfFileSpec.java
Lines changed: 1 addition & 0 deletions
diff --git a/‎kernel/src/test/java/com/itextpdf/kernel/crypto/PdfEncryptionTest.java
Lines changed: 3 additions & 3 deletions b/‎kernel/src/test/java/com/itextpdf/kernel/crypto/PdfEncryptionTest.java
Lines changed: 3 additions & 3 deletions
@@ -0,0 +1,61 @@
+package com.itextpdf.kernel.pdf;
+
+import java.io.Serializable;
+import java.util.HashSet;
+import java.util.Set;
+
+class EncryptedEmbeddedStreamsHandler implements Serializable {
+
+    private static final long serialVersionUID = -4542644924377740467L;
+
+    private final PdfDocument document;
+
+    private final Set<PdfStream> embeddedStreams = new HashSet<>();
+
+    /**
+     * Creates {@link EncryptedEmbeddedStreamsHandler} instance.
+     *
+     * @param document {@link PdfDocument} associated with this handler
+     */
+    EncryptedEmbeddedStreamsHandler(PdfDocument document) {
+        this.document = document;
+    }
+
+    /**
+     * Stores all embedded streams present in the {@link PdfDocument}.
+     * Note that during this method we traverse through every indirect object of the document.
+     */
+    void storeAllEmbeddedStreams() {
+        for (int i = 0; i < document.getNumberOfPdfObjects(); ++i) {
+            PdfObject indirectObject = document.getPdfObject(i);
+            if (indirectObject instanceof PdfDictionary) {
+                PdfStream embeddedStream = getEmbeddedFileStreamFromDictionary((PdfDictionary) indirectObject);
+                if (embeddedStream != null) {
+                    storeEmbeddedStream(embeddedStream);
+                }
+            }
+        }
+    }
+
+    void storeEmbeddedStream(PdfStream embeddedStream) {
+        embeddedStreams.add(embeddedStream);
+    }
+
+    /**
+     * Checks, whether this {@link PdfStream} was stored as embedded stream.
+     *
+     * @param stream to be checked
+     * @return true if this stream is embedded, false otherwise
+     */
+    boolean isStreamStoredAsEmbedded(PdfStream stream) {
+        return embeddedStreams.contains(stream);
+    }
+
+    private static PdfStream getEmbeddedFileStreamFromDictionary(PdfDictionary dictionary) {
+        PdfDictionary embeddedFileDictionary = dictionary.getAsDictionary(PdfName.EF);
+        if (PdfName.Filespec.equals(dictionary.getAsName(PdfName.Type)) && embeddedFileDictionary != null) {
+            return embeddedFileDictionary.getAsStream(PdfName.F);
+        }
+        return null;
+    }
+}
@@ -230,6 +230,8 @@ public class PdfDocument implements IEventDispatcher, Closeable, Serializable {
      */
     MemoryLimitsAwareHandler memoryLimitsAwareHandler = null;
 
+    private EncryptedEmbeddedStreamsHandler encryptedEmbeddedStreamsHandler;
+
     /**
      * Open PDF document in reading mode.
      *
@@ -460,6 +462,17 @@ public PdfPage getLastPage() {
         return getPage(getNumberOfPages());
     }
 
+    /**
+     * Marks {@link PdfStream} object as embedded file stream. Note that this method is for internal usage.
+     * To add an embedded file to the PDF document please use specialized API for file attachments.
+     * (e.g. {@link PdfDocument#addFileAttachment(String, PdfFileSpec)}, {@link PdfPage#addAnnotation(PdfAnnotation)})
+     *
+     * @param stream to be marked as embedded file stream
+     */
+    public void markStreamAsEmbeddedFile(PdfStream stream) {
+        encryptedEmbeddedStreamsHandler.storeEmbeddedStream(stream);
+    }
+
     /**
      * Creates and adds new page to the end of document.
      *
@@ -1913,9 +1926,11 @@ protected void flushObject(PdfObject pdfObject, boolean canBeInObjStm) throws IO
      */
     protected void open(PdfVersion newPdfVersion) {
         this.fingerPrint = new FingerPrint();
+        this.encryptedEmbeddedStreamsHandler = new EncryptedEmbeddedStreamsHandler(this);
 
         try {
             EventCounterHandler.getInstance().onEvent(CoreEvent.PROCESS, properties.metaInfo, getClass());
+            boolean embeddedStreamsSavedOnReading = false;
             if (reader != null) {
                 if (reader.pdfDocument != null) {
                     throw new PdfException(PdfException.PdfReaderHasBeenAlreadyUtilized);
@@ -1926,6 +1941,10 @@ protected void open(PdfVersion newPdfVersion) {
                     memoryLimitsAwareHandler = new MemoryLimitsAwareHandler(reader.tokens.getSafeFile().length());
                 }
                 reader.readPdf();
+                if (reader.decrypt != null && reader.decrypt.isEmbeddedFilesOnly()) {
+                    encryptedEmbeddedStreamsHandler.storeAllEmbeddedStreams();
+                    embeddedStreamsSavedOnReading = true;
+                }
                 for (ICounter counter : getCounters()) {
                     counter.onDocumentRead(reader.getFileLength());
                 }
@@ -2053,6 +2072,9 @@ protected void open(PdfVersion newPdfVersion) {
                     writer.initCryptoIfSpecified(pdfVersion);
                 }
                 if (writer.crypto != null) {
+                    if (!embeddedStreamsSavedOnReading && writer.crypto.isEmbeddedFilesOnly()) {
+                        encryptedEmbeddedStreamsHandler.storeAllEmbeddedStreams();
+                    }
                     if (writer.crypto.getCryptoMode() < EncryptionConstants.ENCRYPTION_AES_256) {
                         VersionConforming.validatePdfVersionForDeprecatedFeatureLogWarn(this, PdfVersion.PDF_2_0, VersionConforming.DEPRECATED_ENCRYPTION_ALGORITHMS);
                     } else if (writer.crypto.getCryptoMode() == EncryptionConstants.ENCRYPTION_AES_256) {
@@ -2195,6 +2217,10 @@ long getDocumentId() {
         return documentId;
     }
 
+    boolean doesStreamBelongToEmbeddedFile(PdfStream stream) {
+        return encryptedEmbeddedStreamsHandler.isStreamStoredAsEmbedded(stream);
+    }
+
     /**
      * Gets iText version info.
      *
 
@@ -484,7 +484,6 @@ private int setCryptoMode(int mode, int length) {
                 revision = STANDARD_ENCRYPTION_40;
                 break;
             case EncryptionConstants.STANDARD_ENCRYPTION_128:
-                embeddedFilesOnly = false;
                 if (length > 0) {
                     setKeyLength(length);
                 } else {
@@ -514,6 +513,7 @@ private int readAndSetCryptoModeForStdHandler(PdfDictionary encDict) {
         if (rValue == null)
             throw new PdfException(PdfException.IllegalRValue);
         int revision  = rValue.intValue();
+        boolean embeddedFilesOnlyMode = readEmbeddedFilesOnlyFromEncryptDictionary(encDict);
         switch (revision) {
             case 2:
                 cryptoMode = EncryptionConstants.STANDARD_ENCRYPTION_40;
@@ -545,6 +545,9 @@ private int readAndSetCryptoModeForStdHandler(PdfDictionary encDict) {
                 if (em != null && !em.getValue()) {
                     cryptoMode |= EncryptionConstants.DO_NOT_ENCRYPT_METADATA;
                 }
+                if (embeddedFilesOnlyMode) {
+                    cryptoMode |= EncryptionConstants.EMBEDDED_FILES_ONLY;
+                }
                 break;
             case 5:
             case 6:
@@ -553,6 +556,9 @@ private int readAndSetCryptoModeForStdHandler(PdfDictionary encDict) {
                 if (em5 != null && !em5.getValue()) {
                     cryptoMode |= EncryptionConstants.DO_NOT_ENCRYPT_METADATA;
                 }
+                if (embeddedFilesOnlyMode) {
+                    cryptoMode |= EncryptionConstants.EMBEDDED_FILES_ONLY;
+                }
                 break;
             default:
                 throw new PdfException(PdfException.UnknownEncryptionTypeREq1).setMessageParams(rValue);
@@ -570,6 +576,7 @@ private int readAndSetCryptoModeForPubSecHandler(PdfDictionary encDict) {
         if (vValue == null)
             throw new PdfException(PdfException.IllegalVValue);
         int v = vValue.intValue();
+        boolean embeddedFilesOnlyMode = readEmbeddedFilesOnlyFromEncryptDictionary(encDict);
         switch (v) {
             case 1:
                 cryptoMode = EncryptionConstants.STANDARD_ENCRYPTION_40;
@@ -608,13 +615,33 @@ private int readAndSetCryptoModeForPubSecHandler(PdfDictionary encDict) {
                 if (em != null && !em.getValue()) {
                     cryptoMode |= EncryptionConstants.DO_NOT_ENCRYPT_METADATA;
                 }
+                if (embeddedFilesOnlyMode) {
+                    cryptoMode |= EncryptionConstants.EMBEDDED_FILES_ONLY;
+                }
                 break;
             default:
                 throw new PdfException(PdfException.UnknownEncryptionTypeVEq1, vValue);
         }
         return setCryptoMode(cryptoMode, length);
     }
 
+    static boolean readEmbeddedFilesOnlyFromEncryptDictionary(PdfDictionary encDict) {
+        PdfName embeddedFilesFilter = encDict.getAsName(PdfName.EFF);
+        boolean encryptEmbeddedFiles = !PdfName.Identity.equals(embeddedFilesFilter) && embeddedFilesFilter != null;
+        boolean encryptStreams = !PdfName.Identity.equals(encDict.getAsName(PdfName.StmF));
+        boolean encryptStrings = !PdfName.Identity.equals(encDict.getAsName(PdfName.StrF));
+        if (encryptStreams || encryptStrings || !encryptEmbeddedFiles) {
+            return false;
+        }
+
+        PdfDictionary cfDictionary = encDict.getAsDictionary(PdfName.CF);
+        if (cfDictionary != null) {
+            // Here we check if the crypt filter for embedded files and the filter in the CF dictionary are the same
+            return cfDictionary.getAsDictionary(embeddedFilesFilter) != null;
+        }
+        return false;
+    }
+
     private int fixAccessibilityPermissionPdf20(int permissions) {
         // This bit was previously used to determine whether
         // content could be extracted for the purposes of accessibility,
 
@@ -298,7 +298,8 @@ private void write(PdfStream pdfStream) {
                 java.io.OutputStream fout = this;
                 DeflaterOutputStream def = null;
                 OutputStreamEncryption ose = null;
-                if (crypto != null && !crypto.isEmbeddedFilesOnly()) {
+                if (crypto != null &&
+                        (!crypto.isEmbeddedFilesOnly() || document.doesStreamBelongToEmbeddedFile(pdfStream))) {
                     fout = ose = crypto.getEncryptionStream(fout);
                 }
                 if (toCompress && (allowCompression || userDefinedCompression)) {
@@ -390,7 +391,7 @@ private void write(PdfStream pdfStream) {
     }
 
     protected boolean checkEncryption(PdfStream pdfStream) {
-        if (crypto == null || crypto.isEmbeddedFilesOnly()) {
+        if (crypto == null || (crypto.isEmbeddedFilesOnly() && !document.doesStreamBelongToEmbeddedFile(pdfStream))) {
             return false;
         } else if (isXRefStream(pdfStream)) {
             // The cross-reference stream shall not be encrypted
 
@@ -390,7 +390,8 @@ public byte[] readStreamBytesRaw(PdfStream stream) throws IOException {
             file.seek(stream.getOffset());
             bytes = new byte[length];
             file.readFully(bytes);
-            if (decrypt != null && !decrypt.isEmbeddedFilesOnly()) {
+            boolean embeddedStream = pdfDocument.doesStreamBelongToEmbeddedFile(stream);
+            if (decrypt != null && (!decrypt.isEmbeddedFilesOnly() || embeddedStream)) {
                 PdfObject filter = stream.get(PdfName.Filter, true);
                 boolean skip = false;
                 if (filter != null) {
 
@@ -387,6 +387,7 @@ private static PdfFileSpec createEmbeddedFileSpec(PdfDocument doc, PdfStream str
         ef.put(PdfName.F, stream);
         ef.put(PdfName.UF, stream);
         dict.put(PdfName.EF, ef);
+        doc.markStreamAsEmbeddedFile(stream);
 
         return (PdfFileSpec) new PdfFileSpec(dict).makeIndirect(doc);
     }
 
@@ -421,9 +421,9 @@ public void encryptWithPasswordAes128EmbeddedFilesOnly() throws IOException {
         document.close();
 
 
-        //NOTE: Specific crypto filters for EFF StmF and StrF are not supported at the moment. iText don't distinguish objects based on their semantic role
-        //      because of this we can't read streams correctly and corrupt such documents on stamping.
-        boolean ERROR_IS_EXPECTED = true;
+        //TODO DEVSIX-5355 Specific crypto filters for EFF StmF and StrF are not supported at the moment.
+        // However we can read embedded files only mode.
+        boolean ERROR_IS_EXPECTED = false;
         checkDecryptedWithPasswordContent(destinationFolder + filename, OWNER, textContent, ERROR_IS_EXPECTED);
         checkDecryptedWithPasswordContent(destinationFolder + filename, USER, textContent, ERROR_IS_EXPECTED);
     }
Original file line number	Diff line number	Diff line change
`@@ -387,6 +387,7 @@ private static PdfFileSpec createEmbeddedFileSpec(PdfDocument doc, PdfStream str`
`387`	`387`	`ef.put(PdfName.F, stream);`
`388`	`388`	`ef.put(PdfName.UF, stream);`
`389`	`389`	`dict.put(PdfName.EF, ef);`
	`390`	`+ doc.markStreamAsEmbeddedFile(stream);`
`390`	`391`
`391`	`392`	`return (PdfFileSpec) new PdfFileSpec(dict).makeIndirect(doc);`
`392`	`393`	`}`