Add encryption support and access privileges

.changeset/young-dodos-invent.md

@@ -0,0 +1,5 @@
+---
+"@react-pdf/pdfkit": minor
+---
+
+Add encryption support and access privileges

packages/pdfkit/src/document.js

@@ -119,7 +119,7 @@ class PDFDocument extends stream.Readable {
     this._id = PDFSecurity.generateFileID(this.info);
 
     // Initialize security settings
-    // this._security = PDFSecurity.create(this, options);
+    this._security = PDFSecurity.create(this, options);
 
     // Write the header PDF version
     this._write(`%PDF-${this.version}`);
@@ -276,9 +276,9 @@ class PDFDocument extends stream.Readable {
       this._root.data.ViewerPreferences.end();
     }
 
-    // if (this._security) {
-    //   this._security.end();
-    // }
+    if (this._security) {
+      this._security.end();
+    }
 
     if (this._waiting === 0) {
       return this._finalize();
@@ -307,9 +307,9 @@ class PDFDocument extends stream.Readable {
       ID: [this._id, this._id]
     };
 
-    // if (this._security) {
-    //   trailer.Encrypt = this._security.dictionary;
-    // }
+    if (this._security) {
+      trailer.Encrypt = this._security.dictionary;
+    }
 
     this._write('trailer');
     this._write(PDFObject.convert(trailer));

packages/pdfkit/src/object.js

@@ -32,7 +32,7 @@ const swapBytes = function (buff) {
 };
 
 class PDFObject {
-  static convert(object) {
+  static convert(object, encryptFn = null) {
     // String literals are converted to the PDF name type
     if (typeof object === 'string') {
       return `/${object}`;
@@ -51,20 +51,28 @@ class PDFObject {
       }
 
       // If so, encode it as big endian UTF-16
+      let stringBuffer;
       if (isUnicode) {
-        string = swapBytes(Buffer.from(`\ufeff${string}`, 'utf16le')).toString(
-          'binary'
-        );
+        stringBuffer = swapBytes(Buffer.from(`\ufeff${string}`, 'utf16le'));
+      } else {
+        stringBuffer = Buffer.from(string.valueOf(), 'ascii');
+      }
+
+      // Encrypt the string when necessary
+      if (encryptFn) {
+        string = encryptFn(stringBuffer).toString('binary');
+      } else {
+        string = stringBuffer.toString('binary');
       }
 
       // Escape characters as required by the spec
       string = string.replace(escapableRe, (c) => escapable[c]);
 
       return `(${string})`;
 
-      // Buffers are converted to PDF hex strings
     }
 
+    // Buffers are converted to PDF hex strings
     if (Buffer.isBuffer(object)) {
       return `<${object.toString('hex')}>`;
     }
@@ -74,20 +82,29 @@ class PDFObject {
     }
 
     if (object instanceof Date) {
-      return (
-        `(D:${pad(object.getUTCFullYear(), 4)}` +
+      let string =
+        `D:${pad(object.getUTCFullYear(), 4)}` +
         pad(object.getUTCMonth() + 1, 2) +
         pad(object.getUTCDate(), 2) +
         pad(object.getUTCHours(), 2) +
         pad(object.getUTCMinutes(), 2) +
         pad(object.getUTCSeconds(), 2) +
-        'Z)'
-      );
+        'Z';
+
+      // Encrypt the string when necessary
+      if (encryptFn) {
+        string = encryptFn(Buffer.from(string, 'ascii')).toString('binary');
+
+        // Escape characters as required by the spec
+        string = string.replace(escapableRe, c => escapable[c]);
+      }
+
+      return `(${string})`;
     }
 
     if (Array.isArray(object)) {
       const items = Array.from(object)
-        .map((e) => PDFObject.convert(e))
+        .map(e => PDFObject.convert(e, encryptFn))
         .join(' ');
       return `[${items}]`;
     }
@@ -96,7 +113,7 @@ class PDFObject {
       const out = ['<<'];
       for (let key in object) {
         const val = object[key];
-        out.push(`/${key} ${PDFObject.convert(val)}`);
+        out.push(`/${key} ${PDFObject.convert(val, encryptFn)}`);
       }
 
       out.push('>>');

packages/pdfkit/src/reference.js

@@ -1,89 +1,73 @@
 import zlib from 'zlib';
-import stream from 'stream';
 import PDFObject from './object';
 
-class PDFReference extends stream.Writable {
-  constructor(document, id, data) {
-    super({ decodeStrings: false });
-
-    this.finalize = this.finalize.bind(this);
+class PDFReference {
+  constructor(document, id, data = {}) {
     this.document = document;
     this.id = id;
-    if (data == null) {
-      data = {};
-    }
     this.data = data;
-
     this.gen = 0;
-    this.deflate = null;
     this.compress = this.document.compress && !this.data.Filter;
     this.uncompressedLength = 0;
-    this.chunks = [];
-  }
-
-  initDeflate() {
-    this.data.Filter = 'FlateDecode';
-
-    this.deflate = zlib.createDeflate();
-    this.deflate.on('data', (chunk) => {
-      this.chunks.push(chunk);
-      return (this.data.Length += chunk.length);
-    });
-
-    return this.deflate.on('end', this.finalize);
+    this.buffer = [];
   }
 
-  _write(chunk, encoding, callback) {
-    if (!(chunk instanceof Uint8Array)) {
+  write(chunk) {
+    if (!Buffer.isBuffer(chunk)) {
       chunk = Buffer.from(chunk + '\n', 'binary');
     }
 
     this.uncompressedLength += chunk.length;
     if (this.data.Length == null) {
       this.data.Length = 0;
     }
-
+    this.buffer.push(chunk);
+    this.data.Length += chunk.length;
     if (this.compress) {
-      if (!this.deflate) {
-        this.initDeflate();
-      }
-      this.deflate.write(chunk);
-    } else {
-      this.chunks.push(chunk);
-      this.data.Length += chunk.length;
+      return (this.data.Filter = 'FlateDecode');
     }
-
-    return callback();
   }
 
-  end() {
-    super.end(...arguments);
-
-    if (this.deflate) {
-      return this.deflate.end();
+  end(chunk) {
+    if (chunk) {
+      this.write(chunk);
     }
-
     return this.finalize();
   }
 
   finalize() {
     this.offset = this.document._offset;
 
+    const encryptFn = this.document._security
+      ? this.document._security.getEncryptFn(this.id, this.gen)
+      : null;
+
+    if (this.buffer.length) {
+      this.buffer = Buffer.concat(this.buffer);
+      if (this.compress) {
+        this.buffer = zlib.deflateSync(this.buffer);
+      }
+
+      if (encryptFn) {
+        this.buffer = encryptFn(this.buffer);
+      }
+
+      this.data.Length = this.buffer.length;
+    }
+
     this.document._write(`${this.id} ${this.gen} obj`);
-    this.document._write(PDFObject.convert(this.data));
+    this.document._write(PDFObject.convert(this.data, encryptFn));
 
-    if (this.chunks.length) {
+    if (this.buffer.length) {
       this.document._write('stream');
-      for (let chunk of Array.from(this.chunks)) {
-        this.document._write(chunk);
-      }
+      this.document._write(this.buffer);
 
-      this.chunks.length = 0; // free up memory
+      this.buffer = []; // free up memory
       this.document._write('\nendstream');
     }
 
     this.document._write('endobj');
-    return this.document._refEnd(this);
+    this.document._refEnd(this);
   }
 
   toString() {

packages/pdfkit/src/saslprep/index.js

@@ -0,0 +1,147 @@
+import {
+  isUnassignedCodePoint,
+  isCommonlyMappedToNothing,
+  isNonASCIISpaceCharacter,
+  isProhibitedCharacter,
+  isBidirectionalRAL,
+  isBidirectionalL
+} from './lib/code-points';
+
+// 2.1.  Mapping
+
+/**
+ * non-ASCII space characters [StringPrep, C.1.2] that can be
+ * mapped to SPACE (U+0020)
+ */
+const mapping2space = isNonASCIISpaceCharacter;
+
+/**
+ * the "commonly mapped to nothing" characters [StringPrep, B.1]
+ * that can be mapped to nothing.
+ */
+const mapping2nothing = isCommonlyMappedToNothing;
+
+// utils
+const getCodePoint = character => character.codePointAt(0);
+const first = x => x[0];
+const last = x => x[x.length - 1];
+
+/**
+ * Convert provided string into an array of Unicode Code Points.
+ * Based on https://stackoverflow.com/a/21409165/1556249
+ * and https://www.npmjs.com/package/code-point-at.
+ * @param {string} input
+ * @returns {number[]}
+ */
+function toCodePoints(input) {
+  const codepoints = [];
+  const size = input.length;
+
+  for (let i = 0; i < size; i += 1) {
+    const before = input.charCodeAt(i);
+
+    if (before >= 0xd800 && before <= 0xdbff && size > i + 1) {
+      const next = input.charCodeAt(i + 1);
+
+      if (next >= 0xdc00 && next <= 0xdfff) {
+        codepoints.push((before - 0xd800) * 0x400 + next - 0xdc00 + 0x10000);
+        i += 1;
+        continue;
+      }
+    }
+
+    codepoints.push(before);
+  }
+
+  return codepoints;
+}
+
+/**
+ * SASLprep.
+ * @param {string} input
+ * @param {Object} opts
+ * @param {boolean} opts.allowUnassigned
+ * @returns {string}
+ */
+function saslprep(input, opts = {}) {
+  if (typeof input !== 'string') {
+    throw new TypeError('Expected string.');
+  }
+
+  if (input.length === 0) {
+    return '';
+  }
+
+  // 1. Map
+  const mapped_input = toCodePoints(input)
+    // 1.1 mapping to space
+    .map(character => (mapping2space(character) ? 0x20 : character))
+    // 1.2 mapping to nothing
+    .filter(character => !mapping2nothing(character));
+
+  // 2. Normalize
+  const normalized_input = String.fromCodePoint
+    .apply(null, mapped_input)
+    .normalize('NFKC');
+
+  const normalized_map = toCodePoints(normalized_input);
+
+  // 3. Prohibit
+  const hasProhibited = normalized_map.some(isProhibitedCharacter);
+
+  if (hasProhibited) {
+    throw new Error(
+      'Prohibited character, see https://tools.ietf.org/html/rfc4013#section-2.3'
+    );
+  }
+
+  // Unassigned Code Points
+  if (opts.allowUnassigned !== true) {
+    const hasUnassigned = normalized_map.some(isUnassignedCodePoint);
+
+    if (hasUnassigned) {
+      throw new Error(
+        'Unassigned code point, see https://tools.ietf.org/html/rfc4013#section-2.5'
+      );
+    }
+  }
+
+  // 4. check bidi
+
+  const hasBidiRAL = normalized_map.some(isBidirectionalRAL);
+
+  const hasBidiL = normalized_map.some(isBidirectionalL);
+
+  // 4.1 If a string contains any RandALCat character, the string MUST NOT
+  // contain any LCat character.
+  if (hasBidiRAL && hasBidiL) {
+    throw new Error(
+      'String must not contain RandALCat and LCat at the same time,' +
+        ' see https://tools.ietf.org/html/rfc3454#section-6'
+    );
+  }
+
+  /**
+   * 4.2 If a string contains any RandALCat character, a RandALCat
+   * character MUST be the first character of the string, and a
+   * RandALCat character MUST be the last character of the string.
+   */
+
+  const isFirstBidiRAL = isBidirectionalRAL(
+    getCodePoint(first(normalized_input))
+  );
+  const isLastBidiRAL = isBidirectionalRAL(
+    getCodePoint(last(normalized_input))
+  );
+
+  if (hasBidiRAL && !(isFirstBidiRAL && isLastBidiRAL)) {
+    throw new Error(
+      'Bidirectional RandALCat character must be the first and the last' +
+        ' character of the string, see https://tools.ietf.org/html/rfc3454#section-6'
+    );
+  }
+
+  return normalized_input;
+}
+
+export default saslprep;