%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /proc/thread-self/root/proc/thread-self/root/usr/share/ghostscript/Resource/Init/
Upload File :
Create Path :
Current File : //proc/thread-self/root/proc/thread-self/root/usr/share/ghostscript/Resource/Init/pdf_sec.ps

% Copyright (C) 2001-2019 Artifex Software, Inc.
% All Rights Reserved.
%
% This software is provided AS-IS with no warranty, either express or
% implied.
%
% This software is distributed under license and may not be copied,
% modified or distributed except as expressly authorized under the terms
% of the license contained in the file LICENSE in this distribution.
%
% Refer to licensing information at http://www.artifex.com or contact
% Artifex Software, Inc.,  1305 Grant Avenue - Suite 200, Novato,
% CA 94945, U.S.A., +1(415)492-9861, for further information.
%
% Copyright (C) 1996-1998 Geoffrey Keating.
% Copyright (C) 2001-2008 Artifex Software, Inc.
% This file may be freely distributed with or without modifications,
% so long as modified versions are marked as such and copyright notices are
% not removed.

% Implementation of security hooks for PDF reader.

% This file contains the procedures that have to take encryption into
% account when reading a PDF file. It was originally distributed
% separately by Geoffrey Keating as an add-on to version 6 and earlier.

% Modified by Alex Cherepanov to work with GS 6.60 and higher.
% New versions of GS require explicit checks for /true, /false, and /null
% in .decpdfrun. This fix is backward-compatible.

% Modified by Raph Levien and Ralph Giles to use the new C
% implementations of md5 and arcfour in ghostscript 7.01, and to
% be compatible with PDF 1.4 128-bit encryption.

% Modified by Ralph Giles for PDF 1.6 AES encryption.

% Modified by Michael Constant for PDF 1.7 ExtensionLevel 3
% AES-256 encryption.

/.setlanguagelevel where { pop 2 .setlanguagelevel } if
.currentglobal //true .setglobal
pdfdict begin

% Older ghostscript versions do not have .pdftoken, so we use 'token' instead.
/.pdftoken where { pop } { /.pdftoken /token load def } ifelse

% take a stream and arc4 decrypt it.
% <stream> <key> arc4decodefilter <stream>
/arc4decodefilter {
  1 dict begin
  /Key exch def
  currentdict end /ArcfourDecode filter
} bind executeonly def

% <ciphertext> <key> arc4decode <plaintext>
/arc4decode {
  1 index length 0 eq {
    pop
  } {
    1 index length string 3 1 roll arc4decodefilter exch readstring pop
  } ifelse
} bind executeonly def

% take a stream and aes decrypt it.
% <stream> <key> aesdecodefilter <stream>
/aesdecodefilter {
  1 dict begin
  /Key exch def
  currentdict end
  /AESDecode filter
} bind executeonly def

% AES decrypt a string, returning a string.  The second argument can
% be a dictionary of the form << /Key key /Padding false >>, which
% specifies the key and any options for the AESDecode filter, or it
% can just be a string (the key).
%
% <ciphertext> <dict> aesdecode <plaintext>
% <ciphertext> <key> aesdecode <plaintext>
/aesdecode {
  1 index length 0 eq {
    pop
  } {
    1 index length string 3 1 roll

    % If our second argument is a dictionary, it's the full set
    % of decoding options (including the key); pass it directly
    % to the AESDecode filter.  Otherwise, it's just the key, so
    % call aesdecodefilter to construct the dictionary.
    dup type /dicttype eq { /AESDecode filter } { aesdecodefilter } ifelse

    exch readstring pop
  } ifelse
} bind executeonly def

/md5 {
  16 string dup /MD5Encode filter dup 4 3 roll writestring closefile
} bind executeonly def

/md5_trunk {
  md5 0 pdf_key_length getinterval
} bind executeonly def

/sha256 {
  32 string dup /SHA256Encode filter dup 4 3 roll writestring closefile
} bind executeonly def

% <string> contains_non_ascii <bool>
/contains_non_ascii {
  //false exch { 128 ge { pop //true exit } if } forall
} bind executeonly def

/pdf_padding_string
   <28bf4e5e4e758a41 64004e56fffa0108
    2e2e00b6d0683e80 2f0ca9fe6453697a>
def

% Pad a key out to 32 bytes.
/pdf_pad_key {         % <key> pdf_pad_key <padded key>
  dup length 32 gt { 0 32 getinterval } if
  pdf_padding_string
  0 32 3 index length sub getinterval
  concatstrings
} bind executeonly def

/pdf_xorbytes {      % <iter-num> <key> pdf_xorbytes <xored-key>
  dup length dup string
  exch 1 sub 0 1 3 2 roll {
    % <iter-num> <key> <new-key> <byte-num>
    dup 3 index exch get 4 index xor
    % <iter-num> <key> <new-key> <byte-num> <byte>
    3 copy put pop pop
  } for
  3 1 roll pop pop
} bind executeonly def

% Get length of encryption key in bytes
/pdf_key_length {    % pdf_key_length <key_length>
  Trailer /Encrypt oget
  dup /V knownoget not { 0 } if 1 eq
  { pop 5 }	% If V == 1 then always use 40 bits
  { /Length knownoget { -3 bitshift } { 5 } ifelse }
  ifelse
} bind executeonly def

% Algorithm 3.2
/pdf_compute_encryption_key {  % <password> pdf_compute_encryption_key <key>
  % Step 1.
  pdf_pad_key

  % Step 2, 3.
  Trailer /Encrypt oget dup /O oget
  % <padded-key> <encrypt> <O>

  % Step 4.
  exch /P oget 4 string exch
  2 copy 255 and 0 exch put
  2 copy -8 bitshift 255 and 1 exch put
  2 copy -16 bitshift 255 and 2 exch put
  2 copy -24 bitshift 255 and 3 exch put pop
  % <padded-key> <O> <P>

  % Step 5.
  Trailer /ID knownoget { 0 oget } {
    ()
    (   **** Error: ID key in the trailer is required for encrypted files.\n) pdfformaterror
    (               File may not be possible to decrypt.\n) pdfformaterror
  } ifelse
  3 { concatstrings } repeat
  % We will finish step 5 after possibly including step 6.

  % The following only executed for /R equal to 3 or more
  Trailer /Encrypt oget dup /R oget dup 3 ge {

     % Step 6.  If EncryptMetadata is false, pass 0xFFFFFFFF to md5 function
     % The PDF 1.5 Spec says that EncryptMetadata is an undocumented
     % feature of PDF 1.4.  That implies that this piece of logic should
     % be executed if R >= 3.  However testing with Acrobat 5.0 and 6.0 shows
     % that this step is not executed if R equal to 3.  Thus we have a test for
     % R being >= 4.
     4 ge {
       /EncryptMetadata knownoget	% Get EncryptMetadata (if present)
       not { //true } if		% Default is true
       not {				% If EncryptMetadata is false
         <ff ff ff ff> concatstrings	% Add 0xFFFFFFFF to working string
       } if
     } {
       pop				% Remove Encrypt dict
     } ifelse
     md5_trunk				% Finish step 5 and 6.

     % Step 7.  Executed as part of step 6
     % Step 8.  (This step is defintely a part of PDF 1.4.)
     50 { md5_trunk } repeat
  } {
     pop pop md5_trunk			% Remove R, Encrypt dict, finish step 5
  } ifelse

  % Step 9 - Done in md5_trunk.
} bind executeonly def

% Algorithm 3.4
/pdf_gen_user_password_R2 { % <filekey> pdf_gen_user_password_R2 <U>

  % Step 2.
  pdf_padding_string exch arc4decode
} bind executeonly def

% Algorithm 3.5
/pdf_gen_user_password_R3 { % <filekey> pdf_gen_user_password_R3 <U>

  % Step 2.
  pdf_padding_string

  % Step 3.
  Trailer /ID knownoget { 0 oget } {
    ()
    (   **** Error: ID key in the trailer is required for encrypted files.\n) pdfformaterror
    (               File may not be possible to decrypt.\n) pdfformaterror
  } ifelse
  concatstrings md5

  % Step 4.
  1 index arc4decode

  % Step 5.
  1 1 19 {
    2 index pdf_xorbytes arc4decode
  } for
  exch pop

} bind executeonly def

/pdf_gen_user_password { % <password> pdf_gen_user_password <filekey> <U>
  % common Step 1 of Algorithms 3.4 and 3.5.
  pdf_compute_encryption_key dup

  Trailer /Encrypt oget

  /R oget dup 2 eq {
    pop pdf_gen_user_password_R2
  } {
    dup 3 eq {
      pop pdf_gen_user_password_R3
    } {
      dup 4 eq {	% 4 uses the algorithm as 3
        pop pdf_gen_user_password_R3
      } {
        % This procedure is only used if R is between 2 and 4,
        % so we should never get here.
        /pdf_gen_user_password cvx /undefined signalerror
      } ifelse
    } ifelse
  } ifelse
} bind executeonly def

% Algorithm 3.6
% <password> pdf_check_pre_r5_user_password <filekey> true
% <password> pdf_check_pre_r5_user_password false
/pdf_check_pre_r5_user_password {
  pdf_gen_user_password

  Trailer /Encrypt oget /U oget

  0 2 index length getinterval eq {
    //true
  } {
    pop //false
  } ifelse
} bind executeonly def

% Compute an owner key, ie the result of step 4 of Algorithm 3.3
/pdf_owner_key % <password> pdf_owner_key <owner-key>
{
  % Step 1.
  pdf_pad_key

  % Step 2.
  md5_trunk

  % 3.3 Step 3.  Only executed for /R equal to 3 or more
  Trailer /Encrypt oget /R oget 3 ge {
    50 { md5_trunk } repeat
  } if

  % Step 4 - Done in md5_trunk.
} bind executeonly def

% Algorithm 3.7
% <password> pdf_check_pre_r5_owner_password <filekey> true
% <password> pdf_check_pre_r5_owner_password false
/pdf_check_pre_r5_owner_password {
  % Step 1.
  pdf_owner_key

  % Step 2.
  Trailer /Encrypt oget dup /O oget 2 index arc4decode
  % <encryption-key> <encrypt-dict> <decrypted-O>

  % Step 3.  Only executed for /R equal to 3 or more
  exch /R oget 3 ge {
    1 1 19 {
      2 index pdf_xorbytes arc4decode
    } for
  } if
  exch pop
  % <result-of-step-3>

  pdf_check_pre_r5_user_password
} bind executeonly def

% Algorithm 3.2a
% <password> pdf_check_r5_password <filekey> true
% <password> pdf_check_r5_password false
/pdf_check_r5_password {
  10 dict begin                   % temporary dict for local variables

  % Step 1.
  % If the .saslprep operator isn't available (because ghostscript
  % wasn't built with libidn support), just skip this step.  ASCII
  % passwords will still work fine, and even most non-ASCII passwords
  % will be okay; any non-ASCII passwords that fail will produce a
  % warning from pdf_process_Encrypt.
  /.saslprep where { pop .saslprep } if

  % Step 2.
  dup length 127 gt { 0 127 getinterval } if
  /Password exch def

  % Step 3.
  /O Trailer /Encrypt oget /O oget def
  /U Trailer /Encrypt oget /U oget def

  Password O 32 8 getinterval concatstrings
  U 0 48 getinterval concatstrings sha256

  O 0 32 getinterval eq {
    % Step 3, second paragraph.

    Password O 40 8 getinterval concatstrings
    U 0 48 getinterval concatstrings sha256

    16 string Trailer /Encrypt oget /OE oget concatstrings
    << /Key 4 -1 roll /Padding //false >> aesdecode //true
  } {
    % Step 4.
    Password U 32 8 getinterval concatstrings sha256
    U 0 32 getinterval eq {
      % Step 4, second paragraph.
      Password U 40 8 getinterval concatstrings sha256

      16 string Trailer /Encrypt oget /UE oget concatstrings
      << /Key 4 -1 roll /Padding //false >> aesdecode //true
    } {
      //false
    } ifelse
  } ifelse

  % Step 5.
  dup {
    % Adobe says to decrypt the Perms string using "ECB mode with
    % an initialization vector of zero", which must be a mistake --
    % ECB mode doesn't use initialization vectors.  It looks like
    % they meant "ECB mode, or CBC mode with an initialization
    % vector of zero", since the two are equivalent for a single-
    % block message.  We use the latter.
    16 string Trailer /Encrypt oget /Perms oget concatstrings
    << /Key 4 index /Padding //false >> aesdecode

    9 3 getinterval (adb) eq not {
      (   **** Error: Failed to decrypt Perms string.\n) pdfformaterror
      (               Cannot decrypt PDF file.\n) pdfformaterror
      printProducer
      /pdf_check_r5_password cvx /rangecheck signalerror
    } if
  } if

  end
} bind executeonly def

% <password> pdf_check_password <filekey> true
% <password> pdf_check_password false
/pdf_check_password {
  % If R is 2, 3, or 4, use Algorithms 3.6 and 3.7 to see if this is
  % a valid user or owner password.  Following historical practice,
  % we treat the password as an arbitrary string of bytes and don't
  % interpret it in any way.  (If the password fails, it would be
  % nice to try some plausible character set conversions, but this
  % gets complicated.  Even Adobe products don't seem to handle it
  % consistently.)
  %
  % If R is 5, use Algorithm 3.2a.  The password should be text, in
  % either UTF-8 or the current locale's charset.

  Trailer /Encrypt oget /R oget

  dup dup 2 ge exch 4 le and {
    pop
    dup pdf_check_pre_r5_user_password {
      exch pop //true
    } {
      pdf_check_pre_r5_owner_password
    } ifelse
  } {
    dup 5 eq {
      pop
      % First, try the password as UTF-8.
      dup pdf_check_r5_password {
        exch pop //true
      } {
        % The password didn't work as UTF-8, so maybe it's in the
        % locale character set instead.  If possible, convert it to
        % UTF-8 and try again.
        /.locale_to_utf8 where {
          pop .locale_to_utf8 pdf_check_r5_password
        } {
          pop //false
        } ifelse
      } ifelse
    } {
      dup 6 eq {
        pop
        % First, try the password as UTF-8.
        dup Trailer /Encrypt oget //check_r6_password exec {
          exch pop //true
        } {
          % The password didn't work as UTF-8, so maybe it's in the
          % locale character set instead.  If possible, convert it to
          % UTF-8 and try again.
          /.locale_to_utf8 where {
            pop .locale_to_utf8 Trailer /Encrypt oget //check_r6_password exec
          } {
            pop //false
          } ifelse
        } ifelse
      } {
        (   **** Warning: This file uses an unknown standard security handler revision: )
        exch =string cvs concatstrings (\n) concatstrings pdfformatwarning
        (                 Cannot decrypt PDF file.\n) pdfformaterror
        printProducer
        /pdf_check_password cvx /undefined signalerror
      } ifelse
    } ifelse
  } ifelse
} bind executeonly def
systemdict /check_r6_password .forceundef

% Process the encryption information in the Trailer.
/pdf_process_Encrypt {
  Trailer /Encrypt oget
  /Filter oget /Standard eq not {
    (   **** Warning: This file uses an unknown security handler.\n) pdfformatwarning
    (                 Cannot decrypt PDF file.\n) pdfformaterror
    printProducer
    /pdf_process_Encrypt cvx /undefined signalerror
  } if
  () pdf_check_password
  {
    /FileKey exch def
  } {
    /PDFPassword where {
       pop PDFPassword pdf_check_password
       {
         /FileKey exch def
       } {
         (   **** Error: Password did not work.\n) pdfformaterror
         (               Cannot decrypt PDF file.\n) pdfformaterror

         % If ghostscript was built without libidn, it's missing the
         % .saslprep operator and thus can't do proper Unicode password
         % normalization.  Similarly, if the system provides neither
         % iconv nor the Windows MultiByteToWideChar function, then we
         % won't have the .locale_to_utf8 operator to convert passwords
         % from the locale character set to UTF-8.
         %
         % It's not a huge problem if you're missing either or both of
         % these.  ASCII passwords will work fine regardless, and even
         % Unicode passwords will often be okay.
         %
         % However, if .saslprep or .locale_to_utf8 is missing, and the
         % user enters a non-ASCII password that doesn't work, we give
         % a warning message.
         PDFPassword contains_non_ascii {
           /.saslprep where not {
             (   **** WARNING: Ghostscript was configured without libidn,\n)
             (   **** so non-ASCII passwords aren't supported!\n)
             concatstrings pdfformaterror
           } {
             pop
             /.locale_to_utf8 where not {
               (   **** WARNING: Ghostscript was configured without iconv,\n)
               (   **** so non-ASCII passwords aren't supported!\n)
               concatstrings pdfformaterror
             } {
               pop
             } ifelse
           } ifelse
         } if

         /pdf_process_Encrypt cvx /invalidfileaccess signalerror
       } ifelse
    } {
      (   **** This file requires a password for access.\n) pdfformaterror
      /pdf_process_Encrypt cvx /invalidfileaccess signalerror
    } ifelse
  } ifelse

%   Trailer /Encrypt oget /P oget 4 and 0 eq #? and
%    { (   ****This owner of this file has requested you do not print it.\n)
%      pdfformaterror printProducer
%      /pdf_process_Encrypt cvx /invalidfileaccess signalerror
%    }
%   if
} bind executeonly def

% Calculate the key used to decrypt an object (to pass to .decpdfrun or
% put into a stream dictionary).
/computeobjkey	% <object#> <generation#> computeobjkey <keystring>
{
  Trailer /Encrypt oget /V oget 5 eq {
    % Encrypt version 5 doesn't use object keys; everything is
    % encrypted with the file key.
    pop pop FileKey
  } {
    exch
    FileKey length 5 add string
    dup 0 FileKey putinterval
    exch
                  % stack:  gen# string obj#
      2 copy 255 and FileKey length exch put
      2 copy -8 bitshift 255 and FileKey length 1 add exch put
      2 copy -16 bitshift 255 and FileKey length 2 add exch put
    pop exch
      2 copy 255 and FileKey length 3 add exch put
      2 copy -8 bitshift 255 and FileKey length 4 add exch put
    pop
      % this step is for the AES cipher only
      Trailer /Encrypt oget
      dup /StmF knownoget {
        %% Treat StmF of 'Identity' the same as if it is missing.
        dup /Identity eq {
          pop pop
        } {
          exch /CF knownoget {
            exch oget /CFM oget /AESV2 eq {
              (sAlT) concatstrings
            } if
          } {
            pop
          } ifelse
        } ifelse
      } {
        pop
      } ifelse
    md5 0 FileKey length 5 add 2 index length .min getinterval
  } ifelse
} bind executeonly def

% As .pdfrun, but decrypt strings with key <key>.
/PDFScanRules_true << /PDFScanRules //true >> def
/PDFScanRules_null << /PDFScanRules //null >> def
/.decpdfrun			% <file> <keystring> <opdict> .decpdfrun -
 {     % Construct a procedure with the file, opdict and key bound into it.
   2 index cvlit mark
   /PDFScanRules .getuserparam //null eq {
     //PDFScanRules_true { setuserparams } 0 get % force PDF scanning mode
     mark 7 4 roll
   } {
     mark 5 2 roll
   } ifelse
    { .pdftoken not { (%%EOF) cvn cvx } if
      dup xcheck
       { PDFDEBUG { dup //== exec flush } if
         3 -1 roll pop
         2 copy .knownget
          { exch pop exch pop exec
          }
          { exch pop
            dup /true eq
              { pop //true
              }
              { dup /false eq
                  { pop //false
                  }
                  { dup /null eq
                      { pop //null
                      }
                      { (   **** Error: Unknown operator: )
                        exch =string cvs concatstrings (\n) concatstrings
                        pdfformaterror
                        (               Output may be incorrect.\n) pdfformaterror
                      }
                    ifelse
                  }
                ifelse
              }
            ifelse
          }
         ifelse
       }
       { exch pop PDFDEBUG { dup ==only ( ) print flush } if
         dup type /stringtype eq
          {
        % Check if we have encrypted strings R>=4 allows for
        % selection of encryption on streams and strings
            Trailer /Encrypt oget	% Get encryption dictionary
            dup /R oget 4 lt		% only >=4 has selectable
             {				% R < 4 --> arc4 strings
               pop 1 index arc4decode	% Decrypt string
               PDFDEBUG { (%Decrypted: ) print dup //== exec flush } if
             } {			% Else R >= 4
               /StrF knownoget		% Get StrF (if present)
                {			% If StrF is present ...
                  dup /Identity eq not	% Check if StrF != Identity
                   { /StdCF eq
                       { Trailer /Encrypt oget /CF knownoget {
                           /StdCF oget /CFM oget
                           dup /AESV2 eq exch /AESV3 eq or
                         } {
                           //false
                         } ifelse {     % Decrypt string
                           1 index aesdecode
                         } {
                           1 index arc4decode
                         } ifelse
                       }
                       { 1 index arc4decode }
                     ifelse		% If StrF != StdCF
                     PDFDEBUG { (%Decrypted: ) print dup //== exec flush } if
                   }
                   { pop }
                  ifelse		% If StrF != identity
                }
               if			% If StrF is known
             }
            ifelse			% Ifelse R < 4
          } {
            dup type /nametype eq {
              .pdffixname
            } if
          }
         ifelse
         exch pop
       }
      ifelse
    }
   aload pop //.packtomark exec cvx
   { loop } 0 get 2 packedarray cvx
    { stopped } 0 get
   /PDFScanRules .getuserparam //null eq {
     //PDFScanRules_null { setuserparams } 0 get % reset PDF scannig mode if it was off
   } if
   /PDFsource PDFsource
    { store { stop } if } aload pop //.packtomark exec cvx
   /PDFsource 3 -1 roll store exec
 } bind executeonly def
currentdict /PDFScanRules_true undef
currentdict /PDFScanRules_null undef

% Run the code to resolve an object reference.
/pdf_run_resolve
{ /FileKey where			% Check if the file is encrypted
  { pop					% File is encrypted
    2 copy computeobjkey dup 4 1 roll
    PDFfile exch resolveopdict .decpdfrun
    dup dup dup 5 2 roll
        % stack: object object key object object
    {	% Use loop to provide an exitable context.
      xcheck exch type /dicttype eq and % Check if executable dictionary
      not {				% If object is not ...
        pop pop				% ignore object
        exit				% Exit 'loop' context
      } if				% If not possible stream
        % Starting with PDF 1.4 (R = 3), there are some extra features
        % which control encryption of streams.  The EncryptMetadata entry
        % in the Encrypt dict controls the encryption of metadata streams.
      Trailer /Encrypt oget		% Get encryption dictionary
      dup /R oget dup 3 lt		% Only PDF 1.4 and higher has options
      {					% R < 3 --> all streams encrypted
        pop pop /StreamKey exch put	% Insert StreamKey in dictionary
        exit				% Exit 'loop' context
      } if
        % Check EncryptMeta.  stack: object object key Encrypt R
      exch dup /EncryptMetadata knownoget % Get EncryptMetadata (if present)
      not { //true } if			% If not present default = true
      not				% Check if EncryptMetadata = false
      {					% if false we need to check the stream type
        3 index /Type knownoget		% Get stream type (if present)
        not { //null } if		% If type not present use fake name
        /Metadata eq			% Check if the type is Metadata
        { pop pop pop pop		% Type == Metadata --> no encryption
          exit				% Exit 'loop' context
        } if
      } if
        % PDF 1.5 encryption (R == 4) has selectable encryption handlers.  If
        % this is not PDF 1.5 encryption (R < 4) then we are done checking and
        % we need to decrypt the stream.  stack: object object key R Encrypt
      exch 4 lt				% Check for less than PDF 1.5
      { pop /StreamKey exch put		% Insert StreamKey in dictionary
        exit				% Exit 'loop' context
      } if
        % Check if the stream encryption handler (StmF) == Identity.
      PDFDEBUG {
        Trailer /Encrypt oget /CF knownoget {
          /StdCF oget /CFM oget
          (Encrypt StmF is StdCF with CFM ) print =
        } if
      } if
      /StmF knownoget			% Get StmF (if present)
      not { /Identity } if		% If StmF not present default = Identity
      /Identity eq			% Check if StmF == Identity
      { pop pop				% Identity --> no encryption
        exit				% Exit 'loop' context
      } if
        % If we get here then we need to decrypt the stream.
      /StreamKey exch put		% Insert StreamKey into dictionary
      exit				% Exit 'loop' context, never loop
    } loop				% End of loop exitable context
  } {					% Else file is not encrypted
    PDFfile resolveopdict .pdfrun
  } ifelse				% Ifelse encrypted
} bind executeonly def

% Prefix a decryption filter to a stream if needed.
% Stack: readdata? dict parms file/string filternames
% (both before and after).
/pdf_decrypt_stream
 { 3 index /StreamKey known	% Check if the file is encrypted
   {
      exch
        % Stack: readdata? dict parms filternames file/string
      3 index /StreamKey get
      Trailer /Encrypt oget
      dup /StmF knownoget
       {                        % stack: key Encrypt StmF
        exch /CF knownoget {
          exch oget /CFM oget	% stack: key StmF-CFM
          dup /AESV2 eq exch /AESV3 eq or
        } { pop //false } ifelse
         { aesdecodefilter }	% install the requested filter
         { arc4decodefilter }
        ifelse
       }
       { pop arc4decodefilter }	% fallback for no StmF
      ifelse
      exch
   } if
 } bind executeonly def

end			% pdfdict

systemdict /pdfdict .forceundef		% hide pdfdict

.setglobal

Zerion Mini Shell 1.0