PyPDF2 to pypdf copying over original document passwords using protected attributes of PDFWriter

[mmalik1234]

Hi, I'm working on migrating from pypdf2 to pypdf. MY scenario is as follows:

• writer.encrypt with a user_password and owner_password
• reader.decrypt with JUST an owner_password
• writer.encrypt again

When I encrypt again, I want the original passwords to be copied over and then encrypted with the owner_password.
Here's how it was done in pypdf2. The important part is copying over the original document passwords:

reader = PyPDF2.PdfFileReader(in_io
if reader.isEncrypted and password:
       reader.decrypt(password)
encrypt_string = PyPDF2.generic.TextStringObject("/Encrypt")
id_string = PyPDF2.generic.TextStringObject("/ID")

decrypt = None
decrypt_id = None
decrypt_key = None

if encrypt_string in reader.trailer:
       decrypt_id = reader.trailer[id_string].getObject()
       decrypt = reader.trailer[encrypt_string].getObject()
       decrypt_key = reader._decryption_key 


# writer needs to copy over original document passwords 
writer = PyPDF2.PdfFileWriter()
if decrypt is not None:
       writer._encrypt = writer._addObject(decrypt)
       writer._encrypt_key = decrypt_key
       writer._ID = id

writer.encrypt(password…)

I'm having trouble doing this in pypdf. I'm able to fetch the reader properties. But don't know what to modify on the writer. Maybe writer._encryption? or writer._encrypt_entry? The writer's encrypt function implementation has changed from pypdf2 and new property names are being used.

[mmalik1234]

Basically as an owner, can I encrypt the writer again using the existing user_passwords? I don't know what they are but I want to keep them there.

[pubpub-zz]

@exiledkingcc
Can you give your opinion ?

[exiledkingcc]

@mmalik1234 maybe you can try this, althoght i have not verified if it can work:

reader.decrypt(owner_password)
# copy the PdfReader._encryption
# copy the "/Encrypt" entry

# do something else

# call writer encrypt first
writer.encrypt(owner_password)
# then replace PdfWriter._encryption with PdfReader._encryption
# also replace PdfWriter._encrypt_entry with copied "/Encrypt" entry
# then call write
writer.write(pdf_file)

[mmalik1234]

@exiledkingcc Thank you so much for the answer. I tried it but it seems that the password is incorrect now? Maybe it saved an encrypted version? I get this error for the correct user and owner_password that I set:

[pubpub-zz]

I did the following test:

import pypdf
w = pypdf.PdfWriter(clone_from="resources/crazyones.pdf")
w.encrypt("test","owner", algorithm="AES-256")
w.write("ee.pdf")

the result
ee.pdf
This can be opened with either password.

[mmalik1234]

@pubpub-zz Hey the scneario is a little different. After I encrypt with "test" and "owner", I want to do

r = pypdf.PdfReader("ee.pdf")
r.decrypt("owner")

w = pypdf.PdfWriter()
# copy "test" over somehow
w.encrypt("owner")

# I want to still be prompted to type in "test" when I open the pdf

[mmalik1234]

Here's a mockup scenario of my code. Don't look too deep into it for smal stuff since I wrote a very base-level one for the discussion. The main part is copying the original passwords:

import pypdf

class PDFClass:
    _user_password = None
    _owner_password = None
    _decryption = None
    _decrypt_entry = None
    _ID = None
    
    def __init__(self, pdf_path, password=None):
        self._pdf_path = pdf_path
        (self._decryption,
         self._decrypt_entry,
         self._ID,
         self._user_type) = openPDF(pdf_path, password)

        ## store password
        if self._user_type == "USER_PASSWORD":
            self._user_password = password
        elif self._user_type == "OWNER_PASSWORD":
            self._owner_password = password
            

    def openPDF(pdf_path, password=None):
        # read PDF
        with open(pdf_path, 'rb') as in_stream:
            in_io = io.BytesIO(in_stream.read())
            
        reader = pypdf.PdfReader(in_io)
        user_type = 0
        if reader.is_encrypted and password:
            user_type = reader.decrypt(password)

        # store encryption information
        decrypt_string = pypdf.generic.TextStringObject("/Encrypt")
        id_string = pypdf.generic.TextStringObject("/ID")

        decryption = reader._encryption
        decrypt_entry = reader.trailer[encrypt_string].get_object()
        decrypt_id = reader.trailer[id_string].get_object()

        return (decryption, decrypt_entry, decrypt_id, user_type)

    def closePDF(self):
        writer = pypdf.PdfWriter()
        ## add pages to writer and information

        # encrypt if a password
        writer._encrypt(self._user_password if self._user_password else "",
                        self._owner_password,
                        algorithm = "AES-256")

        ## ***ADDED to copy over original document passwords ##
        if self._decryption:
            writer._encryption = self._decryption
            writer._encrypt_entry = writer._add_object(self._decrypt_entry)
            writer._ID = self._ID

        # write
        with open(self._pdf_path, 'wb') as stream:
            writer.write(stream)

    def setPasswords(self, new_owner_password=None, new_user_password=None):
        if self._user_type == "USER_PASSWORD":
            ##return error - cannot set passwords as a user
        self._user_password = new_user_password
        self._owner_password = new_owner_password

    def __name__ == '__main__':
        # USE CASE
        pdf_path = 'some_path.pdf'

        # open the pdf that has no password
        pdf = PDFClass(pdf_path)
        # set a user and owner password
        pdf.setPasswords("user", "owner")
        pdf.closePDF() # saves the changes

        ## here I can open the pdf with "user" and change its settings with "owner" in Adobe

        # open as owner
        pdf2 = PDFClass(pdf_path, "owner")
        # decrypts as the owner type
        pdf2.closePDF() # encrypts the pdf

        ## *** here is the issue: when I open the pdf in Adobe, the user password is now gone
        ## it's not copying over the original document passwords

[exiledkingcc]

@mmalik1234 i have time to verify it today. my bad to ignore the ID and the reference changed in my last reply. i have figured out how to make it work. you can try this one:

def test_reuse_encrypt():
    curr_dir = Path(__file__).parent.resolve()
    with open(curr_dir / "x.pdf", "rb") as ff:
        pdf = ff.read()
    reader = PdfReader(io.BytesIO(pdf))
    reader.decrypt("ownerpass")

    e_cls = reader._encryption
    e_entry = reader.trailer["/Encrypt"]
    # need keep ID, which is used to auth the passwords
    e_id = reader.trailer["/ID"]

    writer = PdfWriter()
    for p in reader.pages:
        writer.add_page(p)

    # writer.encrypt("ownerpass")
    writer._encryption = e_cls
    writer._encrypt_entry = e_entry
    # add object to make the reference correct
    writer._add_object(e_entry)
    writer._ID = e_id
    writer.write("a.pdf")

[pubpub-zz]

a) as far as I've experienced, from a PdfReader point of view, owner and user have the same effect when you copy them into a PdfWriter point of view : both passwords will allow you to read the data and copy then in clear mode: you are actually rebuilding a new document with similar content" (the indirect objects are different as regenerated when copied).
b) I have not been deeply in the specifications (iso 32000:2-2020 which is free to download), but from my understanding, the encryption entries requires both the user and owner password (see 7.6.4.4.2) therefore you should not be able to re-encrypt with a new owner password without knowing the old user password.

[mmalik1234]

@pubpub-zz Thank you for all of your help!