rpdfium_parser/

security.rs

// Derived from PDFium's core/fpdfapi/parser/cpdf_security_handler.cpp
// Original: Copyright 2014 The PDFium Authors
// Licensed under BSD-3-Clause / Apache-2.0
// See pdfium-upstream/LICENSE for the original license.

//! PDF Standard Security Handler (R2–R6).
//!
//! Implements password verification and object/stream decryption
//! per the PDF specification's Standard Security Handler.

use std::collections::HashMap;

use rpdfium_core::{Name, PdfSource};

use crate::crypto::{self, CryptoError};
use crate::object::{Object, ObjectId};
use crate::store::ObjectStore;

/// Padding string used in password computation (Table 3.18 in PDF spec).
const PASSWORD_PADDING: [u8; 32] = [
    0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56, 0xFF, 0xFA, 0x01, 0x08,
    0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80, 0x2F, 0x0C, 0xA9, 0xFE, 0x64, 0x53, 0x69, 0x7A,
];

/// Errors from the security handler.
#[derive(Debug, thiserror::Error)]
pub enum SecurityError {
    /// The supplied password does not match owner or user password.
    #[error("invalid password")]
    InvalidPassword,
    /// The encryption version/revision is not supported.
    #[error("unsupported encryption version: V={0}, R={1}")]
    UnsupportedVersion(u32, u32),
    /// A required key is missing from the encryption dictionary.
    #[error("missing encryption dictionary key: {0}")]
    MissingKey(String),
    /// An underlying cryptographic error.
    #[error("crypto error: {0}")]
    Crypto(#[from] CryptoError),
}

/// The method used by a crypt filter.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CryptFilterMethod {
    /// No encryption.
    None,
    /// RC4 encryption (V2).
    V2,
    /// AES-128 encryption (AESV2).
    Aesv2,
    /// AES-256 encryption (AESV3).
    Aesv3,
}

/// Typed wrapper for the PDF permission bits stored in the `/P` field of the
/// encrypt dictionary (PDF 1.7 spec, Table 3.20).
///
/// The raw value is a signed 32-bit integer where the upper bits are always 1
/// per the spec; only bits 3, 5, 8, and 9 carry meaningful permission flags.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Permissions(i32);

impl Permissions {
    /// Wrap a raw `/P` integer value.
    pub fn from_bits(bits: i32) -> Self {
        Self(bits)
    }

    /// Return the raw integer value.
    pub fn bits(self) -> i32 {
        self.0
    }

    /// Bit 4: Allow modifying document content.
    pub fn modify_content(self) -> bool {
        self.0 & (1 << 3) != 0
    }

    /// Bit 6: Allow adding, modifying, or deleting annotations.
    pub fn modify_annotation(self) -> bool {
        self.0 & (1 << 5) != 0
    }

    /// Bit 9: Allow filling in form fields and signing.
    pub fn fill_form(self) -> bool {
        self.0 & (1 << 8) != 0
    }

    /// Bit 10: Allow extracting text and graphics for accessibility.
    pub fn extract_for_accessibility(self) -> bool {
        self.0 & (1 << 9) != 0
    }
}

/// PDF Standard Security Handler — holds the derived encryption key
/// and methods for decrypting strings and streams.
pub struct SecurityHandler {
    revision: u32,
    key_length_bytes: usize,
    encryption_key: Vec<u8>,
    permissions: Permissions,
    encrypt_metadata: bool,
    stream_cf: CryptFilterMethod,
    string_cf: CryptFilterMethod,
    /// The /O value (owner hash) from the encrypt dictionary.
    o_value: Vec<u8>,
    /// The /U value (user hash) from the encrypt dictionary.
    u_value: Vec<u8>,
    /// The successfully-verified encoded password (Latin-1 for R2–R4, UTF-8 for R5/R6).
    /// Corresponds to `m_EncodedPassword` / `GetEncodedPassword()` in PDFium.
    encoded_password: Vec<u8>,
}

impl SecurityHandler {
    /// Build a `SecurityHandler` from the `/Encrypt` dictionary, verifying the
    /// password against the stored owner/user hashes.
    ///
    /// `encrypt_dict` is the resolved encryption dictionary.
    /// `file_id` is the first element of the trailer `/ID` array.
    pub fn from_encrypt_dict<S: PdfSource>(
        encrypt_dict: &HashMap<Name, Object>,
        store: &ObjectStore<S>,
        password: &str,
        file_id: &[u8],
    ) -> Result<Self, SecurityError> {
        // Parse required fields
        let v = get_int(encrypt_dict, store, &Name::v())? as u32;
        let r = get_int(encrypt_dict, store, &Name::r())? as u32;
        let p = get_int(encrypt_dict, store, &Name::p())?;

        let o_bytes = get_string_bytes(encrypt_dict, store, &Name::o())?;
        let u_bytes = get_string_bytes(encrypt_dict, store, &Name::u())?;

        // Key length: /Length in bits, default 40
        let key_length_bits =
            get_optional_int(encrypt_dict, store, &Name::length()).unwrap_or(40) as usize;
        let key_length_bytes = key_length_bits / 8;

        // Validate key length to prevent panics in key derivation.
        // R2-R4: 40-128 bits (5-16 bytes); R5-R6 always use 256-bit (32 bytes).
        if r <= 4 && !(5..=16).contains(&key_length_bytes) {
            return Err(SecurityError::UnsupportedVersion(v, r));
        }

        // EncryptMetadata: default true
        let encrypt_metadata =
            get_optional_bool(encrypt_dict, store, &Name::encrypt_metadata()).unwrap_or(true);

        // Determine crypt filter methods for streams and strings
        let (stream_cf, string_cf) = if v >= 4 {
            let stm = parse_single_crypt_filter(encrypt_dict, store, &Name::stm_f());
            let str_ = parse_single_crypt_filter(encrypt_dict, store, &Name::str_f());
            (stm, str_)
        } else if v == 1 || v == 2 || v == 3 {
            (CryptFilterMethod::V2, CryptFilterMethod::V2)
        } else {
            (CryptFilterMethod::None, CryptFilterMethod::None)
        };

        match (v, r) {
            (1, 2) | (2, 3) | (3, 3) | (4, 4) => {
                // R2-R4: MD5-based key derivation
                let pwd_bytes = encode_password_latin1(password);
                let key = derive_key_r2_r4(
                    &pwd_bytes,
                    &o_bytes,
                    p as i32,
                    file_id,
                    r,
                    key_length_bytes,
                    encrypt_metadata,
                );

                // Try user password first
                if verify_user_password_r2_r4(&key, &u_bytes, r, file_id) {
                    return Ok(Self {
                        revision: r,
                        key_length_bytes,
                        encryption_key: key,
                        permissions: Permissions::from_bits(p as i32),
                        encrypt_metadata,
                        stream_cf,
                        string_cf,
                        o_value: o_bytes.clone(),
                        u_value: u_bytes.clone(),
                        encoded_password: pwd_bytes,
                    });
                }

                // Try as owner password: recover user password from O value
                let user_password =
                    recover_user_password_from_owner(&pwd_bytes, &o_bytes, r, key_length_bytes);
                let key = derive_key_r2_r4(
                    &user_password,
                    &o_bytes,
                    p as i32,
                    file_id,
                    r,
                    key_length_bytes,
                    encrypt_metadata,
                );

                if verify_user_password_r2_r4(&key, &u_bytes, r, file_id) {
                    Ok(Self {
                        revision: r,
                        key_length_bytes,
                        encryption_key: key,
                        permissions: Permissions::from_bits(p as i32),
                        encrypt_metadata,
                        stream_cf,
                        string_cf,
                        o_value: o_bytes,
                        u_value: u_bytes,
                        encoded_password: user_password,
                    })
                } else {
                    Err(SecurityError::InvalidPassword)
                }
            }
            (5, 5) | (5, 6) => {
                // R5/R6: SHA-256 based (ISO 32000-2)
                let oe_bytes = get_string_bytes(encrypt_dict, store, &Name::oe())?;
                let ue_bytes = get_string_bytes(encrypt_dict, store, &Name::ue())?;

                let key = if r == 5 {
                    derive_key_r5(password, &u_bytes, &ue_bytes, &o_bytes, &oe_bytes)?
                } else {
                    derive_key_r6(password, &u_bytes, &ue_bytes, &o_bytes, &oe_bytes)?
                };

                match key {
                    Some(k) => {
                        // P2-33: Validate /Perms entry (R5/R6).
                        //
                        // Upstream deviation — /Perms is required:
                        //
                        // Upstream PDFium (`AES256_CheckPassword`) returns `false`
                        // when `/Perms` is missing or empty. We match that behavior
                        // by requiring the entry to be present and at least 16 bytes.
                        // The previous implementation silently skipped validation
                        // when `/Perms` was absent or malformed, which could allow
                        // an attacker to strip `/Perms` and tamper with the `/P`
                        // permission bits without detection.
                        let perms_bytes = get_string_bytes(encrypt_dict, store, &Name::perms())?;
                        if perms_bytes.len() < 16 {
                            return Err(SecurityError::MissingKey(
                                "Perms (too short, need ≥16 bytes)".into(),
                            ));
                        }
                        let decrypted = crypto::aes256_ecb_decrypt_block(&k, &perms_bytes[..16])?;
                        // Verify bytes 9-11 = "adb" (PDF spec Algorithm 2.A step 2).
                        // Byte 8 is the EncryptMetadata flag ('T'/'F'), checked
                        // separately. Upstream PDFium checks only bytes 9-11.
                        if &decrypted[9..12] != b"adb" {
                            return Err(SecurityError::InvalidPassword);
                        }
                        // Verify bytes 0-3 match /P as LE i32
                        let perms_p = i32::from_le_bytes([
                            decrypted[0],
                            decrypted[1],
                            decrypted[2],
                            decrypted[3],
                        ]);
                        if perms_p != p as i32 {
                            return Err(SecurityError::InvalidPassword);
                        }

                        Ok(Self {
                            revision: r,
                            key_length_bytes: 32,
                            encryption_key: k,
                            permissions: Permissions::from_bits(p as i32),
                            encrypt_metadata,
                            stream_cf: CryptFilterMethod::Aesv3,
                            string_cf: CryptFilterMethod::Aesv3,
                            o_value: o_bytes,
                            u_value: u_bytes,
                            encoded_password: password.as_bytes().to_vec(),
                        })
                    }
                    None => Err(SecurityError::InvalidPassword),
                }
            }
            _ => Err(SecurityError::UnsupportedVersion(v, r)),
        }
    }

    /// Return the document access permissions stored in the `/P` entry.
    pub fn permissions(&self) -> Permissions {
        self.permissions
    }

    /// Upstream-aligned alias for [`Self::permissions()`].
    ///
    /// Corresponds to `CPDF_SecurityHandler::GetPermissions()` in PDFium.
    #[inline]
    pub fn get_permissions(&self) -> Permissions {
        self.permissions()
    }

    /// Returns the successfully-verified encoded password bytes.
    ///
    /// For R2–R4, this is the Latin-1 encoded user password (or the recovered
    /// user password when authenticated as owner). For R5/R6, this is the
    /// UTF-8 encoded password. Useful for incremental save with the same password.
    ///
    /// Corresponds to `CPDF_SecurityHandler::GetEncodedPassword()` in PDFium.
    pub fn encoded_password(&self) -> &[u8] {
        &self.encoded_password
    }

    /// ADR-019 alias for [`encoded_password()`](Self::encoded_password).
    ///
    /// Corresponds to `CPDF_SecurityHandler::GetEncodedPassword()` in PDFium.
    #[inline]
    pub fn get_encoded_password(&self) -> &[u8] {
        self.encoded_password()
    }

    /// Decrypt a string value belonging to the given object.
    pub fn decrypt_string(&self, data: &[u8], obj_id: ObjectId) -> Vec<u8> {
        if self.string_cf == CryptFilterMethod::None {
            return data.to_vec();
        }

        if self.revision >= 5 {
            // R5/R6: AES-256 with the file encryption key directly
            crypto::aes256_cbc_decrypt(&self.encryption_key, data).unwrap_or_else(|_| data.to_vec())
        } else {
            let object_key = self.compute_object_key(obj_id, self.string_cf);
            match self.string_cf {
                CryptFilterMethod::V2 => {
                    crypto::rc4_crypt(&object_key, data).unwrap_or_else(|_| data.to_vec())
                }
                CryptFilterMethod::Aesv2 => {
                    crypto::aes128_cbc_decrypt(&object_key, data).unwrap_or_else(|_| data.to_vec())
                }
                CryptFilterMethod::Aesv3 => crypto::aes256_cbc_decrypt(&self.encryption_key, data)
                    .unwrap_or_else(|_| data.to_vec()),
                CryptFilterMethod::None => data.to_vec(),
            }
        }
    }

    /// Decrypt stream data belonging to the given object.
    pub fn decrypt_stream(&self, data: &[u8], obj_id: ObjectId) -> Vec<u8> {
        if self.stream_cf == CryptFilterMethod::None {
            return data.to_vec();
        }

        if self.revision >= 5 {
            crypto::aes256_cbc_decrypt(&self.encryption_key, data).unwrap_or_else(|_| data.to_vec())
        } else {
            let object_key = self.compute_object_key(obj_id, self.stream_cf);
            match self.stream_cf {
                CryptFilterMethod::V2 => {
                    crypto::rc4_crypt(&object_key, data).unwrap_or_else(|_| data.to_vec())
                }
                CryptFilterMethod::Aesv2 => {
                    crypto::aes128_cbc_decrypt(&object_key, data).unwrap_or_else(|_| data.to_vec())
                }
                CryptFilterMethod::Aesv3 => crypto::aes256_cbc_decrypt(&self.encryption_key, data)
                    .unwrap_or_else(|_| data.to_vec()),
                CryptFilterMethod::None => data.to_vec(),
            }
        }
    }

    /// Returns `true` if metadata streams are encrypted.
    ///
    /// Corresponds to `CPDF_SecurityHandler::IsMetadataEncrypted()` in PDFium.
    pub fn is_metadata_encrypted(&self) -> bool {
        self.encrypt_metadata
    }

    /// The encryption revision number.
    pub fn revision(&self) -> u32 {
        self.revision
    }

    /// The crypt filter method in use (returns stream filter for backwards compat).
    pub fn crypt_filter_method(&self) -> CryptFilterMethod {
        self.stream_cf
    }

    /// The encryption key length in bytes.
    pub fn key_length_bytes(&self) -> usize {
        self.key_length_bytes
    }

    /// The raw encryption key.
    pub fn encryption_key(&self) -> &[u8] {
        &self.encryption_key
    }

    /// The stream crypt filter method.
    pub fn stream_crypt_filter(&self) -> CryptFilterMethod {
        self.stream_cf
    }

    /// The string crypt filter method.
    pub fn string_crypt_filter(&self) -> CryptFilterMethod {
        self.string_cf
    }

    /// The /O value (owner hash) from the encrypt dictionary.
    pub fn o_value(&self) -> &[u8] {
        &self.o_value
    }

    /// The /U value (user hash) from the encrypt dictionary.
    pub fn u_value(&self) -> &[u8] {
        &self.u_value
    }

    /// The encryption version number (V value).
    ///
    /// Derived from the revision: R2→V1, R3/R4→V2..V4, R5/R6→V5.
    pub fn version(&self) -> u32 {
        match self.revision {
            2 => 1,
            3 | 4 => {
                if self.stream_cf == CryptFilterMethod::V2
                    && self.string_cf == CryptFilterMethod::V2
                {
                    if self.key_length_bytes == 5 { 1 } else { 2 }
                } else {
                    4
                }
            }
            5 | 6 => 5,
            _ => 0,
        }
    }

    /// Encrypt a string value belonging to the given object.
    ///
    /// RC4 is symmetric (encrypt = decrypt). For AES, a zero IV is used
    /// and prepended to the ciphertext (matching PDF convention where the
    /// first 16 bytes of the encrypted data are the IV).
    pub fn encrypt_string(&self, data: &[u8], obj_id: ObjectId) -> Vec<u8> {
        if self.string_cf == CryptFilterMethod::None {
            return data.to_vec();
        }
        self.encrypt_with_method(data, obj_id, self.string_cf)
    }

    /// Encrypt stream data belonging to the given object.
    pub fn encrypt_stream(&self, data: &[u8], obj_id: ObjectId) -> Vec<u8> {
        if self.stream_cf == CryptFilterMethod::None {
            return data.to_vec();
        }
        self.encrypt_with_method(data, obj_id, self.stream_cf)
    }

    /// Encrypt data with the specified crypt filter method.
    ///
    /// # Panics
    ///
    /// Panics if AES encryption fails due to an invalid key length.
    /// Key sizes are validated in [`SecurityHandler::from_encrypt_dict`], so
    /// this should never happen in normal operation.
    ///
    /// # Upstream deviation — error handling
    ///
    /// Upstream PDFium (`CPDF_CryptoHandler::EncryptContent`) does not handle
    /// encryption failure at this level — the C++ code assumes valid key sizes
    /// and cannot return an error. Our previous implementation silently returned
    /// plaintext on failure (`Err(_) => data.to_vec()`), which could expose
    /// confidential data in the output PDF without any warning. We now panic
    /// instead, since key sizes are validated at construction time and an error
    /// here indicates a programming bug, not a recoverable condition.
    fn encrypt_with_method(&self, data: &[u8], obj_id: ObjectId, cf: CryptFilterMethod) -> Vec<u8> {
        let iv = Self::generate_iv();

        if self.revision >= 5 {
            let encrypted = crypto::aes256_cbc_encrypt(&self.encryption_key, &iv, data)
                .expect("AES-256 encryption failed: key size validated at construction");
            let mut result = iv.to_vec();
            result.extend_from_slice(&encrypted);
            result
        } else {
            let object_key = self.compute_object_key(obj_id, cf);
            match cf {
                CryptFilterMethod::V2 => crypto::rc4_crypt(&object_key, data)
                    .expect("RC4 encryption failed: key size validated at construction"),
                CryptFilterMethod::Aesv2 => {
                    let encrypted = crypto::aes128_cbc_encrypt(&object_key, &iv, data)
                        .expect("AES-128 encryption failed: key size validated at construction");
                    let mut result = iv.to_vec();
                    result.extend_from_slice(&encrypted);
                    result
                }
                CryptFilterMethod::Aesv3 => {
                    let encrypted = crypto::aes256_cbc_encrypt(&self.encryption_key, &iv, data)
                        .expect("AES-256 encryption failed: key size validated at construction");
                    let mut result = iv.to_vec();
                    result.extend_from_slice(&encrypted);
                    result
                }
                CryptFilterMethod::None => data.to_vec(),
            }
        }
    }

    /// Generate a cryptographically random 16-byte IV for AES encryption.
    ///
    /// # Upstream deviation — IV generation
    ///
    /// Upstream PDFium uses C `rand()` (seeded from system state) to fill IVs.
    /// We use `getrandom` (OS CSPRNG) instead for stronger cryptographic
    /// guarantees: upstream's `rand()` is not a CSPRNG and its output quality
    /// varies by platform. Using a true CSPRNG ensures IVs are unpredictable
    /// across process invocations, which is required for AES-CBC semantic
    /// security (IND-CPA).
    fn generate_iv() -> [u8; 16] {
        let mut iv = [0u8; 16];
        getrandom::fill(&mut iv).expect("OS RNG unavailable");
        iv
    }

    /// Compute the per-object encryption key (Algorithm 1 in PDF spec, R2–R4).
    ///
    /// 1. Start with the file encryption key.
    /// 2. Append the low 3 bytes of the object number (LE).
    /// 3. Append the low 2 bytes of the generation number (LE).
    /// 4. If AES (AESV2): append `sAlT` bytes.
    /// 5. MD5 hash, take first min(key_length + 5, 16) bytes.
    fn compute_object_key(&self, obj_id: ObjectId, cf: CryptFilterMethod) -> Vec<u8> {
        let obj_num = obj_id.number;
        let gen_num = obj_id.generation;

        let mut buf = Vec::with_capacity(self.encryption_key.len() + 9);
        buf.extend_from_slice(&self.encryption_key);
        // Object number: 3 bytes LE
        buf.push((obj_num & 0xFF) as u8);
        buf.push(((obj_num >> 8) & 0xFF) as u8);
        buf.push(((obj_num >> 16) & 0xFF) as u8);
        // Generation number: 2 bytes LE
        buf.push((gen_num & 0xFF) as u8);
        buf.push(((gen_num >> 8) & 0xFF) as u8);

        if cf == CryptFilterMethod::Aesv2 {
            // "sAlT" = 0x73 0x41 0x6C 0x54
            buf.extend_from_slice(&[0x73, 0x41, 0x6C, 0x54]);
        }

        let hash = crypto::md5(&buf);
        let n = std::cmp::min(self.key_length_bytes + 5, 16);
        hash[..n].to_vec()
    }
}

// ---------------------------------------------------------------------------
// Key derivation (R2–R4) — Algorithm 2
// ---------------------------------------------------------------------------

/// Encode a UTF-8 password to ISO 8859-1 (Latin-1) for R2-R4 compatibility.
/// Characters outside the Latin-1 range (>255) are replaced with `?` (0x3F).
fn encode_password_latin1(password: &str) -> Vec<u8> {
    password
        .chars()
        .map(|c| {
            let code = c as u32;
            if code <= 255 {
                code as u8
            } else {
                0x3F // '?'
            }
        })
        .collect()
}

/// Pad or truncate a password to exactly 32 bytes using PASSWORD_PADDING.
fn pad_password(password: &[u8]) -> [u8; 32] {
    let mut padded = [0u8; 32];
    let copy_len = std::cmp::min(password.len(), 32);
    padded[..copy_len].copy_from_slice(&password[..copy_len]);
    if copy_len < 32 {
        padded[copy_len..].copy_from_slice(&PASSWORD_PADDING[..(32 - copy_len)]);
    }
    padded
}

/// Derive the file encryption key for R2–R4 (PDF spec Algorithm 2).
fn derive_key_r2_r4(
    password: &[u8],
    o_value: &[u8],
    permissions: i32,
    file_id: &[u8],
    revision: u32,
    key_length_bytes: usize,
    encrypt_metadata: bool,
) -> Vec<u8> {
    let padded = pad_password(password);

    let mut buf = Vec::with_capacity(32 + o_value.len() + 4 + file_id.len() + 4);
    buf.extend_from_slice(&padded);
    buf.extend_from_slice(o_value);
    buf.extend_from_slice(&(permissions as u32).to_le_bytes());
    buf.extend_from_slice(file_id);

    if revision >= 4 && !encrypt_metadata {
        buf.extend_from_slice(&[0xFF, 0xFF, 0xFF, 0xFF]);
    }

    let mut hash = crypto::md5(&buf);

    if revision >= 3 {
        for _ in 0..50 {
            hash = crypto::md5(&hash[..key_length_bytes]);
        }
    }

    hash[..key_length_bytes].to_vec()
}

// ---------------------------------------------------------------------------
// Password verification (R2) — Algorithm 6
// ---------------------------------------------------------------------------

/// Verify user password for R2 (Algorithm 6).
fn verify_user_password_r2(key: &[u8], u_value: &[u8]) -> bool {
    let Ok(decrypted) = crypto::rc4_crypt(key, u_value) else {
        return false;
    };
    let expected = crypto::md5(&PASSWORD_PADDING);
    decrypted[..] == expected[..]
}

// ---------------------------------------------------------------------------
// Password verification (R3–R4) — Algorithm 7
// ---------------------------------------------------------------------------

/// Verify user password for R3/R4 (Algorithm 7).
fn verify_user_password_r3_r4(key: &[u8], u_value: &[u8], file_id: &[u8]) -> bool {
    // Step a: MD5(PASSWORD_PADDING + file_id)
    let mut buf = Vec::with_capacity(32 + file_id.len());
    buf.extend_from_slice(&PASSWORD_PADDING);
    buf.extend_from_slice(file_id);
    let hash = crypto::md5(&buf);

    // Step b: RC4 with key
    let Ok(mut result) = crypto::rc4_crypt(key, &hash) else {
        return false;
    };

    // Step c: 19 rounds of RC4 with modified keys
    for i in 1..=19u8 {
        let modified_key: Vec<u8> = key.iter().map(|b| b ^ i).collect();
        let Ok(next) = crypto::rc4_crypt(&modified_key, &result) else {
            return false;
        };
        result = next;
    }

    // Compare first 16 bytes
    u_value.len() >= 16 && result.len() >= 16 && result[..16] == u_value[..16]
}

/// Dispatch to the correct password verification for R2–R4.
fn verify_user_password_r2_r4(key: &[u8], u_value: &[u8], revision: u32, file_id: &[u8]) -> bool {
    if revision == 2 {
        verify_user_password_r2(key, u_value)
    } else {
        verify_user_password_r3_r4(key, u_value, file_id)
    }
}

// ---------------------------------------------------------------------------
// Owner password recovery (R2–R4)
// ---------------------------------------------------------------------------

/// Recover the user password from the O value using the owner password.
fn recover_user_password_from_owner(
    owner_password: &[u8],
    o_value: &[u8],
    revision: u32,
    key_length_bytes: usize,
) -> Vec<u8> {
    let padded = pad_password(owner_password);
    let mut hash = crypto::md5(&padded);

    if revision >= 3 {
        for _ in 0..50 {
            hash = crypto::md5(&hash[..key_length_bytes]);
        }
    }

    let key = &hash[..key_length_bytes];

    if revision == 2 {
        crypto::rc4_crypt(key, o_value)
            .expect("RC4 key size validated from MD5 hash (always 5-16 bytes)")
    } else {
        let mut result = o_value.to_vec();
        for i in (0..=19u8).rev() {
            let modified_key: Vec<u8> = key.iter().map(|b| b ^ i).collect();
            result = crypto::rc4_crypt(&modified_key, &result)
                .expect("RC4 key size validated from MD5 hash (always 5-16 bytes)");
        }
        result
    }
}

// ---------------------------------------------------------------------------
// R5/R6 key derivation (ISO 32000-2)
// ---------------------------------------------------------------------------

/// Derive the file encryption key for R5 (deprecated draft, Adobe extension).
///
/// Returns `Some(key)` if either user or owner password matches, else `None`.
fn derive_key_r5(
    password: &str,
    u_value: &[u8],
    ue_value: &[u8],
    o_value: &[u8],
    oe_value: &[u8],
) -> Result<Option<Vec<u8>>, CryptoError> {
    let pwd = truncate_utf8_password(password);

    // Try user password: hash(password + Validation Salt from U)
    if u_value.len() >= 48 && ue_value.len() >= 32 {
        let validation_salt = &u_value[32..40];
        let hash = compute_r5_hash(&pwd, validation_salt);
        if hash[..] == u_value[..32] {
            // Decrypt UE with hash(password + Key Salt from U)
            let key_salt = &u_value[40..48];
            let key_hash = compute_r5_hash(&pwd, key_salt);
            let file_key = crypto::aes256_cbc_decrypt_no_padding(&key_hash, &[0u8; 16], ue_value)?;
            return Ok(Some(file_key));
        }
    }

    // Try owner password: hash(password + Validation Salt from O + U[0..48])
    if o_value.len() >= 48 && oe_value.len() >= 32 && u_value.len() >= 48 {
        let validation_salt = &o_value[32..40];
        let mut input = Vec::with_capacity(pwd.len() + 8 + 48);
        input.extend_from_slice(&pwd);
        input.extend_from_slice(validation_salt);
        input.extend_from_slice(&u_value[..48]);
        let hash = crypto::sha256(&input);
        if hash[..] == o_value[..32] {
            let key_salt = &o_value[40..48];
            let mut key_input = Vec::with_capacity(pwd.len() + 8 + 48);
            key_input.extend_from_slice(&pwd);
            key_input.extend_from_slice(key_salt);
            key_input.extend_from_slice(&u_value[..48]);
            let key_hash = crypto::sha256(&key_input);
            let file_key = crypto::aes256_cbc_decrypt_no_padding(&key_hash, &[0u8; 16], oe_value)?;
            return Ok(Some(file_key));
        }
    }

    Ok(None)
}

/// Derive the file encryption key for R6 (ISO 32000-2, Algorithm 2.A).
///
/// R6 uses Algorithm 2.B (iterative hash) instead of simple SHA-256.
fn derive_key_r6(
    password: &str,
    u_value: &[u8],
    ue_value: &[u8],
    o_value: &[u8],
    oe_value: &[u8],
) -> Result<Option<Vec<u8>>, CryptoError> {
    let pwd = truncate_utf8_password(password);

    // Try user password: compute_r6_hash(password, validation_salt, "")
    if u_value.len() >= 48 && ue_value.len() >= 32 {
        let validation_salt = &u_value[32..40];
        let hash = compute_r6_hash(&pwd, validation_salt, &[]);
        if hash[..] == u_value[..32] {
            // Decrypt UE with hash(password, key_salt, "")
            let key_salt = &u_value[40..48];
            let key_hash = compute_r6_hash(&pwd, key_salt, &[]);
            let file_key = crypto::aes256_cbc_decrypt_no_padding(&key_hash, &[0u8; 16], ue_value)?;
            return Ok(Some(file_key));
        }
    }

    // Try owner password: compute_r6_hash(password, validation_salt, U[0..48])
    if o_value.len() >= 48 && oe_value.len() >= 32 && u_value.len() >= 48 {
        let validation_salt = &o_value[32..40];
        let hash = compute_r6_hash(&pwd, validation_salt, &u_value[..48]);
        if hash[..] == o_value[..32] {
            let key_salt = &o_value[40..48];
            let key_hash = compute_r6_hash(&pwd, key_salt, &u_value[..48]);
            let file_key = crypto::aes256_cbc_decrypt_no_padding(&key_hash, &[0u8; 16], oe_value)?;
            return Ok(Some(file_key));
        }
    }

    Ok(None)
}

/// Interpret the first 16 bytes of `bytes` as a big-endian 128-bit integer and return it mod 3.
fn big_endian_mod3(bytes: &[u8]) -> u32 {
    bytes
        .iter()
        .take(16)
        .fold(0u32, |acc, &b| (acc * 256 + b as u32) % 3)
}

/// ISO 32000-2 Algorithm 2.B — compute hash for R6 encryption.
///
/// Iterative hash using SHA-256/384/512 and AES-128-CBC.  Mirrors PDFium's
/// `Revision6_Hash` exactly:
///
/// * K is kept at its **full** hash output width (32 / 48 / 64 bytes) so that
///   the next round's K1 uses the correct number of bytes.  Previously K was
///   always truncated to 32 bytes, which diverged from every other compliant
///   implementation.
/// * The AES-128-CBC step uses **no padding**.  K1 is always a multiple of
///   16 bytes (`(pwd + block + u) * 64`), so no padding block should be
///   appended.  Previously PKCS#7 padding added an extra 16-byte block,
///   corrupting the subsequent hash and causing `IncorrectPassword` even for
///   plain ASCII passwords.
/// * The exit condition increments `i` before checking, matching PDFium's
///   `do { ++i; } while (i < 64 || i−32 < E.back())`.
fn compute_r6_hash(password: &[u8], salt: &[u8], u_value: &[u8]) -> [u8; 32] {
    // Step a: K = SHA-256(password || salt || u_value)
    let mut input = Vec::with_capacity(password.len() + salt.len() + u_value.len());
    input.extend_from_slice(password);
    input.extend_from_slice(salt);
    input.extend_from_slice(u_value);
    // K starts as 32 bytes and may grow to 48 or 64 bytes in subsequent rounds.
    let mut k: Vec<u8> = crypto::sha256(&input).to_vec();

    let mut i: u32 = 0;
    loop {
        // Step b: K1 = (password || K || u_value) repeated 64 times.
        // K may be 32, 48, or 64 bytes depending on the previous round's hash selection.
        let seq_len = password.len() + k.len() + u_value.len();
        let mut k1 = Vec::with_capacity(seq_len * 64);
        for _ in 0..64 {
            k1.extend_from_slice(password);
            k1.extend_from_slice(&k);
            k1.extend_from_slice(u_value);
        }

        // Step c: E = AES-128-CBC(K[0..16], K[16..32], K1) — no padding.
        // k1.len() = seq_len * 64 is always divisible by 16, so NoPadding is correct.
        let aes_key = &k[..16];
        let aes_iv = &k[16..32];
        let e = crypto::aes128_cbc_encrypt_no_padding(aes_key, aes_iv, &k1)
            .expect("K1 is block-aligned; key and IV derived from prior hash are always valid");

        // Step d: select hash based on big-endian value of E[0..16] mod 3.
        let hash_select = big_endian_mod3(&e);

        // Step e: K = full output of selected hash (32, 48, or 64 bytes).
        k = match hash_select {
            0 => crypto::sha256(&e).to_vec(),
            1 => crypto::sha384(&e).to_vec(),
            _ => crypto::sha512(&e).to_vec(),
        };

        // Step f: increment i, then exit when i >= 64 and last byte of E <= i − 32.
        // Mirrors PDFium: `do { …; ++i; } while (i < 64 || i−32 < E.back())`.
        i += 1;
        if i >= 64 && (*e.last().unwrap_or(&0) as u32) <= i - 32 {
            break;
        }
    }

    // Return first 32 bytes of K (K may be 32, 48, or 64 bytes at this point).
    let mut result = [0u8; 32];
    result.copy_from_slice(&k[..32]);
    result
}

/// Compute R5 hash: SHA-256(password + salt).
fn compute_r5_hash(password: &[u8], salt: &[u8]) -> [u8; 32] {
    let mut input = Vec::with_capacity(password.len() + salt.len());
    input.extend_from_slice(password);
    input.extend_from_slice(salt);
    crypto::sha256(&input)
}

/// Truncate a UTF-8 password to at most 127 bytes (R5/R6 spec).
fn truncate_utf8_password(password: &str) -> Vec<u8> {
    let bytes = password.as_bytes();
    if bytes.len() <= 127 {
        bytes.to_vec()
    } else {
        bytes[..127].to_vec()
    }
}

// ---------------------------------------------------------------------------
// Crypt filter method parsing
// ---------------------------------------------------------------------------

/// Parse a single crypt filter from the encryption dictionary by filter key name
/// (e.g. /StmF or /StrF). Looks up the named filter in /CF to determine the method.
fn parse_single_crypt_filter<S: PdfSource>(
    encrypt_dict: &HashMap<Name, Object>,
    store: &ObjectStore<S>,
    filter_key: &Name,
) -> CryptFilterMethod {
    let filter_name = encrypt_dict
        .get(filter_key)
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_name())
        .cloned()
        .unwrap_or_else(|| Name::from("StdCF"));

    if filter_name == Name::from("Identity") {
        return CryptFilterMethod::None;
    }

    // Look up the filter in /CF dict
    let cf_dict = encrypt_dict
        .get(&Name::cf())
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_dict());

    if let Some(cf) = cf_dict {
        if let Some(filter_obj) = cf.get(&filter_name) {
            if let Ok(filter_resolved) = store.deep_resolve(filter_obj) {
                if let Some(filter_dict) = filter_resolved.as_dict() {
                    let method = filter_dict
                        .get(&Name::cfm())
                        .and_then(|obj| store.deep_resolve(obj).ok())
                        .and_then(|obj| obj.as_name())
                        .cloned();

                    if let Some(m) = method {
                        if m == Name::aesv2() {
                            return CryptFilterMethod::Aesv2;
                        } else if m == Name::aesv3() {
                            return CryptFilterMethod::Aesv3;
                        } else if m == Name::v2() {
                            return CryptFilterMethod::V2;
                        } else if m == Name::none() {
                            return CryptFilterMethod::None;
                        }
                    }
                }
            }
        }
    }

    // Default: RC4 for V4
    CryptFilterMethod::V2
}

// ---------------------------------------------------------------------------
// Dictionary helpers
// ---------------------------------------------------------------------------

fn get_int<S: PdfSource>(
    dict: &HashMap<Name, Object>,
    store: &ObjectStore<S>,
    key: &Name,
) -> Result<i64, SecurityError> {
    dict.get(key)
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_i64())
        .ok_or_else(|| SecurityError::MissingKey(key.to_string()))
}

fn get_optional_int<S: PdfSource>(
    dict: &HashMap<Name, Object>,
    store: &ObjectStore<S>,
    key: &Name,
) -> Option<i64> {
    dict.get(key)
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_i64())
}

fn get_optional_bool<S: PdfSource>(
    dict: &HashMap<Name, Object>,
    store: &ObjectStore<S>,
    key: &Name,
) -> Option<bool> {
    dict.get(key)
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_bool())
}

fn get_string_bytes<S: PdfSource>(
    dict: &HashMap<Name, Object>,
    store: &ObjectStore<S>,
    key: &Name,
) -> Result<Vec<u8>, SecurityError> {
    dict.get(key)
        .and_then(|obj| store.deep_resolve(obj).ok())
        .and_then(|obj| obj.as_string())
        .map(|s| s.as_bytes().to_vec())
        .ok_or_else(|| SecurityError::MissingKey(key.to_string()))
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_password_padding_empty() {
        let padded = pad_password(b"");
        assert_eq!(padded, PASSWORD_PADDING);
    }

    #[test]
    fn test_password_padding_short() {
        let padded = pad_password(b"test");
        assert_eq!(&padded[..4], b"test");
        assert_eq!(&padded[4..], &PASSWORD_PADDING[..28]);
    }

    #[test]
    fn test_password_padding_exact_32() {
        let pwd = b"abcdefghijklmnopqrstuvwxyz012345"; // 32 bytes
        let padded = pad_password(pwd);
        assert_eq!(&padded[..], &pwd[..]);
    }

    #[test]
    fn test_password_padding_longer_than_32() {
        let pwd = b"abcdefghijklmnopqrstuvwxyz0123456789"; // 36 bytes
        let padded = pad_password(pwd);
        assert_eq!(&padded[..], &pwd[..32]);
    }

    #[test]
    fn test_key_derivation_r2_known() {
        // Use empty password, known O value, P=-44, known file_id
        let o_value = [0u8; 32];
        let file_id = b"test_file_id_123";
        let key = derive_key_r2_r4(b"", &o_value, -44, file_id, 2, 5, true);
        assert_eq!(key.len(), 5);
        // Verify the key is deterministic
        let key2 = derive_key_r2_r4(b"", &o_value, -44, file_id, 2, 5, true);
        assert_eq!(key, key2);
    }

    #[test]
    fn test_key_derivation_r3_known() {
        let o_value = [0u8; 32];
        let file_id = b"test_file_id_123";
        let key = derive_key_r2_r4(b"", &o_value, -44, file_id, 3, 16, true);
        assert_eq!(key.len(), 16);
        // R3 applies 50 additional MD5 rounds — key should differ from R2
        let key_r2 = derive_key_r2_r4(b"", &o_value, -44, file_id, 2, 5, true);
        assert_ne!(key[..5], key_r2[..]);
    }

    #[test]
    fn test_user_password_verification_r2_round_trip() {
        // Derive a key, compute the expected U value, then verify
        let o_value = [0x42u8; 32];
        let file_id = b"abcdef0123456789";
        let key = derive_key_r2_r4(b"password", &o_value, -4, file_id, 2, 5, true);

        // Compute U: RC4-encrypt MD5(PASSWORD_PADDING) with key
        let expected_u = crypto::rc4_crypt(&key, &crypto::md5(&PASSWORD_PADDING)).unwrap();
        assert!(verify_user_password_r2(&key, &expected_u));
    }

    #[test]
    fn test_user_password_verification_r2_wrong_password() {
        let o_value = [0x42u8; 32];
        let file_id = b"abcdef0123456789";
        let key = derive_key_r2_r4(b"password", &o_value, -4, file_id, 2, 5, true);
        let expected_u = crypto::rc4_crypt(&key, &crypto::md5(&PASSWORD_PADDING)).unwrap();

        // Wrong password yields different key
        let wrong_key = derive_key_r2_r4(b"wrong", &o_value, -4, file_id, 2, 5, true);
        assert!(!verify_user_password_r2(&wrong_key, &expected_u));
    }

    #[test]
    fn test_user_password_verification_r3_round_trip() {
        let o_value = [0x42u8; 32];
        let file_id = b"abcdef0123456789";
        let key = derive_key_r2_r4(b"pass", &o_value, -4, file_id, 3, 16, true);

        // Compute U for R3: MD5(PADDING + file_id), then 20 rounds of RC4
        let mut buf = Vec::new();
        buf.extend_from_slice(&PASSWORD_PADDING);
        buf.extend_from_slice(file_id);
        let hash = crypto::md5(&buf);

        let mut result = crypto::rc4_crypt(&key, &hash).unwrap();
        for i in 1..=19u8 {
            let modified_key: Vec<u8> = key.iter().map(|b| b ^ i).collect();
            result = crypto::rc4_crypt(&modified_key, &result).unwrap();
        }
        // Pad U to 32 bytes (remaining bytes are random, but first 16 matter)
        let mut u_value = result;
        u_value.resize(32, 0);

        assert!(verify_user_password_r3_r4(&key, &u_value, file_id));
    }

    #[test]
    fn test_object_key_computation() {
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: vec![0x01, 0x02, 0x03, 0x04, 0x05],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: Vec::new(),
        };

        let obj_id = ObjectId::new(10, 0);
        let key = handler.compute_object_key(obj_id, CryptFilterMethod::V2);

        // key_length + 5 = 10, but min(10, 16) = 10
        assert_eq!(key.len(), 10);

        // Verify deterministic
        let key2 = handler.compute_object_key(obj_id, CryptFilterMethod::V2);
        assert_eq!(key, key2);

        // Different object ID should yield different key
        let key3 = handler.compute_object_key(ObjectId::new(11, 0), CryptFilterMethod::V2);
        assert_ne!(key, key3);
    }

    #[test]
    fn test_object_key_aesv2_includes_salt() {
        let handler = SecurityHandler {
            revision: 4,
            key_length_bytes: 16,
            encryption_key: vec![0xAA; 16],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::Aesv2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: Vec::new(),
        };

        let obj_id = ObjectId::new(1, 0);
        let key_rc4 = handler.compute_object_key(obj_id, CryptFilterMethod::V2);
        let key_aes = handler.compute_object_key(obj_id, CryptFilterMethod::Aesv2);

        // AES key should differ because of "sAlT" suffix
        assert_ne!(key_rc4, key_aes);
    }

    #[test]
    fn test_decrypt_string_rc4_round_trip() {
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: vec![0x01, 0x02, 0x03, 0x04, 0x05],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: Vec::new(),
        };

        let obj_id = ObjectId::new(1, 0);
        let plaintext = b"Hello, encrypted world!";

        // Encrypt (RC4 is symmetric, so encrypt = decrypt)
        let object_key = handler.compute_object_key(obj_id, handler.string_cf);
        let encrypted = crypto::rc4_crypt(&object_key, plaintext).unwrap();

        // Decrypt via handler
        let decrypted = handler.decrypt_string(&encrypted, obj_id);
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_crypt_filter_method_none_passthrough() {
        let handler = SecurityHandler {
            revision: 4,
            key_length_bytes: 16,
            encryption_key: vec![0; 16],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::None,
            string_cf: CryptFilterMethod::None,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: Vec::new(),
        };

        let data = b"unencrypted data";
        let obj_id = ObjectId::new(1, 0);
        assert_eq!(handler.decrypt_string(data, obj_id), data);
        assert_eq!(handler.decrypt_stream(data, obj_id), data);
    }

    #[test]
    fn test_truncate_utf8_password_short() {
        let pwd = truncate_utf8_password("hello");
        assert_eq!(pwd, b"hello");
    }

    #[test]
    fn test_truncate_utf8_password_long() {
        let long_pwd = "a".repeat(200);
        let pwd = truncate_utf8_password(&long_pwd);
        assert_eq!(pwd.len(), 127);
    }

    #[test]
    fn test_compute_r6_hash_basic() {
        // Verify that compute_r6_hash returns a deterministic 32-byte result
        let hash = compute_r6_hash(b"password", &[0u8; 8], &[]);
        assert_eq!(hash.len(), 32);
        // Same input should produce same output
        let hash2 = compute_r6_hash(b"password", &[0u8; 8], &[]);
        assert_eq!(hash, hash2);
    }

    #[test]
    fn test_compute_r6_hash_differs_from_simple_sha256() {
        // R6 iterative hash should differ from simple SHA-256
        let salt = [0x01u8; 8];
        let r6_hash = compute_r6_hash(b"test", &salt, &[]);
        let simple_hash = crypto::sha256(&{
            let mut v = b"test".to_vec();
            v.extend_from_slice(&salt);
            v
        });
        // The iterative hash should produce a different result than simple SHA-256
        // (because it goes through multiple rounds with AES + different hash functions)
        assert_ne!(r6_hash, simple_hash);
    }

    #[test]
    fn test_compute_r6_hash_with_u_value() {
        // Hash with non-empty u_value should differ from empty u_value
        let salt = [0x42u8; 8];
        let hash_no_u = compute_r6_hash(b"pwd", &salt, &[]);
        let hash_with_u = compute_r6_hash(b"pwd", &salt, &[0xAAu8; 48]);
        assert_ne!(hash_no_u, hash_with_u);
    }

    #[test]
    fn test_r6_user_password_round_trip() {
        // Simulate creating R6 encryption data and verifying it
        let password = b"test123";
        let validation_salt = [0x11u8; 8];
        let key_salt = [0x22u8; 8];
        let file_key = [0x42u8; 32]; // the actual file encryption key

        // Compute U value: hash(password, validation_salt) || validation_salt || key_salt
        let u_hash = compute_r6_hash(password, &validation_salt, &[]);
        let mut u_value = Vec::with_capacity(48);
        u_value.extend_from_slice(&u_hash);
        u_value.extend_from_slice(&validation_salt);
        u_value.extend_from_slice(&key_salt);

        // Compute UE: AES-256-CBC encrypt file_key with hash(password, key_salt), no padding.
        // Per ISO 32000-2 Algorithm 2.A: UE/OE store raw CBC ciphertext without a padding block.
        let key_hash = compute_r6_hash(password, &key_salt, &[]);
        let ue_value =
            crypto::aes256_cbc_encrypt_no_padding(&key_hash, &[0u8; 16], &file_key).unwrap();

        // Now verify: derive_key_r6 should recover the file key
        let result = derive_key_r6(
            "test123", &u_value, &ue_value, &[0u8; 48], // dummy O
            &[0u8; 32], // dummy OE
        )
        .unwrap();

        assert!(result.is_some());
        assert_eq!(result.unwrap(), file_key);
    }

    #[test]
    fn test_r6_wrong_password_returns_none() {
        let password = b"correct";
        let validation_salt = [0x33u8; 8];
        let key_salt = [0x44u8; 8];

        let u_hash = compute_r6_hash(password, &validation_salt, &[]);
        let mut u_value = Vec::with_capacity(48);
        u_value.extend_from_slice(&u_hash);
        u_value.extend_from_slice(&validation_salt);
        u_value.extend_from_slice(&key_salt);

        let key_hash = compute_r6_hash(password, &key_salt, &[]);
        let ue_value =
            crypto::aes256_cbc_encrypt_no_padding(&key_hash, &[0u8; 16], &[0u8; 32]).unwrap();

        // Wrong password should not match
        let result = derive_key_r6("wrong", &u_value, &ue_value, &[0u8; 48], &[0u8; 32]).unwrap();

        assert!(result.is_none());
    }

    // -----------------------------------------------------------------------
    // KAT: Algorithm 2.B — known-answer tests against PDFium's test fixture
    //
    // All byte values are extracted from:
    //   pdfium-upstream/testing/resources/encrypted_hello_world_r6.pdf
    // which was created by PDFium (the reference implementation) with:
    //   user password : "hôtel"  (UTF-8 bytes: 68 c3 b4 74 65 6c)
    //   owner password: "âge"   (UTF-8 bytes: c3 a2 67 65)
    //
    // These tests fail if the Algorithm 2.B implementation diverges from PDFium,
    // which is exactly the class of regression the self-consistent round-trip
    // tests (test_r6_user_password_round_trip etc.) cannot catch.
    // -----------------------------------------------------------------------

    /// Upstream: PDFium `encrypted_hello_world_r6.pdf`, user-password path.
    /// U[0..32] must equal compute_r6_hash("hôtel", U[32..40], []).
    #[test]
    fn test_compute_r6_hash_kat_pdfium_user_validation() {
        // User password "hôtel" in UTF-8
        let password = "h\u{00f4}tel".as_bytes();

        // U value from the PDF (48 bytes).
        // U[32..40] = validation salt, U[40..48] = key salt.
        let u: [u8; 48] = [
            0x07, 0x98, 0xab, 0x4b, 0x1c, 0x93, 0xd3, 0x60, // U[0..8]
            0xf9, 0x6b, 0x8b, 0xa4, 0x1d, 0x1a, 0xdd, 0x5b, // U[8..16]
            0x7e, 0xaf, 0x4b, 0x11, 0x0f, 0x01, 0x4d, 0xe8, // U[16..24]
            0x8a, 0x57, 0x61, 0x5f, 0xdd, 0x6f, 0x67, 0x7c, // U[24..32]  ← expected hash
            0x1a, 0x5e, 0x05, 0x9d, 0x15, 0xed, 0x6e, 0xed, // U[32..40] validation salt
            0x88, 0xd9, 0x4c, 0x03, 0x49, 0x58, 0x3f, 0x86, // U[40..48] key salt
        ];

        let computed = compute_r6_hash(password, &u[32..40], &[]);
        assert_eq!(
            computed,
            u[..32],
            "Algorithm 2.B hash must match U[0..32] from PDFium-generated R6 PDF"
        );
    }

    /// Upstream: PDFium `encrypted_hello_world_r6.pdf`, end-to-end user-password key recovery.
    /// derive_key_r6 must accept "hôtel" and return Some(file_key).
    #[test]
    fn test_derive_key_r6_kat_pdfium_user_password() {
        // Values extracted from encrypted_hello_world_r6.pdf
        let u: [u8; 48] = [
            0x07, 0x98, 0xab, 0x4b, 0x1c, 0x93, 0xd3, 0x60, 0xf9, 0x6b, 0x8b, 0xa4, 0x1d, 0x1a,
            0xdd, 0x5b, 0x7e, 0xaf, 0x4b, 0x11, 0x0f, 0x01, 0x4d, 0xe8, 0x8a, 0x57, 0x61, 0x5f,
            0xdd, 0x6f, 0x67, 0x7c, 0x1a, 0x5e, 0x05, 0x9d, 0x15, 0xed, 0x6e, 0xed, 0x88, 0xd9,
            0x4c, 0x03, 0x49, 0x58, 0x3f, 0x86,
        ];
        let ue: [u8; 32] = [
            0x9e, 0x30, 0x4c, 0x9f, 0xff, 0x64, 0x7b, 0x71, 0x53, 0x6d, 0xb3, 0x68, 0x4c, 0x72,
            0x91, 0x4c, 0xae, 0x38, 0x82, 0x88, 0x5e, 0xb8, 0xcf, 0x9c, 0xfb, 0xf3, 0x02, 0x6d,
            0xae, 0x2e, 0x1f, 0x35,
        ];
        let o: [u8; 48] = [
            0xd8, 0x0e, 0x61, 0x06, 0xfd, 0x39, 0x47, 0x8c, 0x88, 0x60, 0xc9, 0x14, 0x5e, 0x89,
            0x6f, 0x12, 0x6c, 0x3f, 0xa0, 0xc9, 0x12, 0x5a, 0xd2, 0x09, 0x6d, 0x24, 0x2c, 0x07,
            0x5f, 0xa6, 0x21, 0xac, 0x99, 0x22, 0x41, 0x60, 0x8c, 0xc3, 0xd3, 0x97, 0x13, 0x5a,
            0x2c, 0x0a, 0xec, 0x96, 0xdb, 0x3b,
        ];
        let oe: [u8; 32] = [
            0x90, 0x46, 0xa2, 0x2c, 0x32, 0xd3, 0x32, 0x86, 0x55, 0x95, 0x94, 0xea, 0xef, 0x09,
            0xb9, 0xcf, 0x49, 0x22, 0x8b, 0x58, 0xd0, 0x2b, 0xf5, 0xdd, 0xc3, 0x38, 0x3d, 0xf9,
            0x26, 0x32, 0x82, 0xe2,
        ];

        // User password "hôtel" (UTF-8)
        let result = derive_key_r6("h\u{00f4}tel", &u, &ue, &o, &oe)
            .expect("derive_key_r6 must not error on valid R6 data");
        assert!(
            result.is_some(),
            "user password 'hôtel' must be accepted for PDFium-generated R6 PDF"
        );
    }

    /// Upstream: PDFium `encrypted_hello_world_r6.pdf`, end-to-end owner-password key recovery.
    /// derive_key_r6 must accept "âge" (owner password) and return Some(file_key).
    #[test]
    fn test_derive_key_r6_kat_pdfium_owner_password() {
        let u: [u8; 48] = [
            0x07, 0x98, 0xab, 0x4b, 0x1c, 0x93, 0xd3, 0x60, 0xf9, 0x6b, 0x8b, 0xa4, 0x1d, 0x1a,
            0xdd, 0x5b, 0x7e, 0xaf, 0x4b, 0x11, 0x0f, 0x01, 0x4d, 0xe8, 0x8a, 0x57, 0x61, 0x5f,
            0xdd, 0x6f, 0x67, 0x7c, 0x1a, 0x5e, 0x05, 0x9d, 0x15, 0xed, 0x6e, 0xed, 0x88, 0xd9,
            0x4c, 0x03, 0x49, 0x58, 0x3f, 0x86,
        ];
        let ue: [u8; 32] = [
            0x9e, 0x30, 0x4c, 0x9f, 0xff, 0x64, 0x7b, 0x71, 0x53, 0x6d, 0xb3, 0x68, 0x4c, 0x72,
            0x91, 0x4c, 0xae, 0x38, 0x82, 0x88, 0x5e, 0xb8, 0xcf, 0x9c, 0xfb, 0xf3, 0x02, 0x6d,
            0xae, 0x2e, 0x1f, 0x35,
        ];
        let o: [u8; 48] = [
            0xd8, 0x0e, 0x61, 0x06, 0xfd, 0x39, 0x47, 0x8c, 0x88, 0x60, 0xc9, 0x14, 0x5e, 0x89,
            0x6f, 0x12, 0x6c, 0x3f, 0xa0, 0xc9, 0x12, 0x5a, 0xd2, 0x09, 0x6d, 0x24, 0x2c, 0x07,
            0x5f, 0xa6, 0x21, 0xac, 0x99, 0x22, 0x41, 0x60, 0x8c, 0xc3, 0xd3, 0x97, 0x13, 0x5a,
            0x2c, 0x0a, 0xec, 0x96, 0xdb, 0x3b,
        ];
        let oe: [u8; 32] = [
            0x90, 0x46, 0xa2, 0x2c, 0x32, 0xd3, 0x32, 0x86, 0x55, 0x95, 0x94, 0xea, 0xef, 0x09,
            0xb9, 0xcf, 0x49, 0x22, 0x8b, 0x58, 0xd0, 0x2b, 0xf5, 0xdd, 0xc3, 0x38, 0x3d, 0xf9,
            0x26, 0x32, 0x82, 0xe2,
        ];

        // Owner password "âge" (UTF-8: c3 a2 67 65)
        let result = derive_key_r6("\u{00e2}ge", &u, &ue, &o, &oe)
            .expect("derive_key_r6 must not error on valid R6 data");
        assert!(
            result.is_some(),
            "owner password 'âge' must be accepted for PDFium-generated R6 PDF"
        );
    }

    #[test]
    fn test_owner_password_recovery_r2() {
        // Set up: compute O from a known user password + owner password
        let user_pwd = b"user";
        let owner_pwd = b"owner";
        let key_len = 5;

        // Compute O value: pad owner_pwd, MD5, RC4-encrypt padded user_pwd
        let padded_owner = pad_password(owner_pwd);
        let hash = crypto::md5(&padded_owner);
        let owner_key = &hash[..key_len];
        let padded_user = pad_password(user_pwd);
        let o_value = crypto::rc4_crypt(owner_key, &padded_user).unwrap();

        // Now recover
        let recovered = recover_user_password_from_owner(owner_pwd, &o_value, 2, key_len);
        assert_eq!(&recovered[..], &padded_user[..]);
    }

    // -----------------------------------------------------------------------
    // P0-1: Verify PASSWORD_PADDING matches PDF spec byte-by-byte
    // -----------------------------------------------------------------------

    #[test]
    fn test_password_padding_matches_pdf_spec() {
        // Table 3.18 / ISO 32000-1:2008 section 7.6.3.3
        let spec_padding: [u8; 32] = [
            0x28, 0xBF, 0x4E, 0x5E, 0x4E, 0x75, 0x8A, 0x41, 0x64, 0x00, 0x4E, 0x56, 0xFF, 0xFA,
            0x01, 0x08, 0x2E, 0x2E, 0x00, 0xB6, 0xD0, 0x68, 0x3E, 0x80, 0x2F, 0x0C, 0xA9, 0xFE,
            0x64, 0x53, 0x69, 0x7A,
        ];
        assert_eq!(PASSWORD_PADDING, spec_padding);
    }

    // -----------------------------------------------------------------------
    // P0-2: Test big-endian mod 3 vs sum mod 3 divergence
    // -----------------------------------------------------------------------

    #[test]
    fn test_big_endian_mod3_basic() {
        // All zeros: 0 mod 3 = 0
        assert_eq!(big_endian_mod3(&[0u8; 16]), 0);
        // All 0xFF: large number mod 3
        assert_eq!(big_endian_mod3(&[0xFF; 16]), big_endian_mod3(&[0xFF; 16]));
    }

    #[test]
    fn test_big_endian_mod3_differs_from_sum_mod3() {
        // Find a value where sum%3 differs from big-endian%3
        // bytes = [0x01, 0x00, ...0x00] (15 zeros after):
        //   sum   = 1, 1 % 3 = 1
        //   big-endian = 256^15 mod 3. Since 256 mod 3 = 1, 256^15 mod 3 = 1. Same.
        // Try [0x02, 0x01, 0, ...]:
        //   sum   = 3, 3 % 3 = 0
        //   big-endian = 2*256 + 1 = 513 mod 3 = 0. Same.
        // Try [0x80, 0x00, ...0x00, 0x01]:
        //   sum   = 0x80 + 1 = 129, 129 % 3 = 0
        //   big-endian = 0x80 * 256^15 + 1. Since 256 mod 3 = 1: 128*1 + 1 = 129 mod 3 = 0. Same.
        // Try [3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2]:
        //   sum = 5, 5%3 = 2
        //   big-endian = 3*256^15 + 2. 256^15 mod 3 = 1, so 3+2=5 mod 3 = 2. Same.
        // Actually the two methods differ when the positional weights matter.
        // [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0]:
        //   sum = 2, 2%3 = 2
        //   big-endian: 2*256 = 512. 512%3 = 2. Same.
        // [0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 1]:
        //   sum = 2, 2%3 = 2
        //   big-endian: 1*256+1 = 257. 257%3 = 2. Same.
        // Since 256 mod 3 = 1, positional weighting doesn't change mod3 result.
        // So sum%3 == big-endian%3 for mod 3 specifically.
        // However, the spec says to interpret as big-endian, so our implementation is still correct.
        // Let's just verify the function works correctly on known values.
        let bytes = [0u8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1];
        assert_eq!(big_endian_mod3(&bytes), 1);
        let bytes = [0u8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2];
        assert_eq!(big_endian_mod3(&bytes), 2);
        let bytes = [0u8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3];
        assert_eq!(big_endian_mod3(&bytes), 0);
    }

    // -----------------------------------------------------------------------
    // P2-31: Test separate StrF/StmF
    // -----------------------------------------------------------------------

    #[test]
    fn test_separate_strf_stmf_decrypt() {
        // Create a handler where streams use AES but strings use RC4
        let handler = SecurityHandler {
            revision: 4,
            key_length_bytes: 16,
            encryption_key: vec![0xBB; 16],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::Aesv2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: Vec::new(),
        };

        // Verify accessor returns stream_cf
        assert_eq!(handler.crypt_filter_method(), CryptFilterMethod::Aesv2);

        let obj_id = ObjectId::new(1, 0);

        // String uses RC4 (V2) — round-trip
        let plaintext = b"hello";
        let obj_key_str = handler.compute_object_key(obj_id, CryptFilterMethod::V2);
        let encrypted_str = crypto::rc4_crypt(&obj_key_str, plaintext).unwrap();
        let decrypted = handler.decrypt_string(&encrypted_str, obj_id);
        assert_eq!(decrypted, plaintext);

        // Stream uses AESV2 — verify the object key includes sAlT
        let obj_key_stm = handler.compute_object_key(obj_id, CryptFilterMethod::Aesv2);
        assert_ne!(obj_key_str, obj_key_stm); // sAlT suffix makes them differ
    }

    // -----------------------------------------------------------------------
    // P2-32: Test Latin-1 password encoding
    // -----------------------------------------------------------------------

    #[test]
    fn test_encode_password_latin1_ascii() {
        let encoded = encode_password_latin1("hello");
        assert_eq!(encoded, b"hello");
    }

    #[test]
    fn test_encode_password_latin1_latin_chars() {
        // e-acute (U+00E9) is within Latin-1 range
        let encoded = encode_password_latin1("\u{00E9}");
        assert_eq!(encoded, vec![0xE9]);
    }

    #[test]
    fn test_encode_password_latin1_non_latin() {
        // CJK character (U+4E2D) is outside Latin-1 range, replaced with '?'
        let encoded = encode_password_latin1("\u{4E2D}");
        assert_eq!(encoded, vec![0x3F]);
    }

    #[test]
    fn test_encode_password_latin1_mixed() {
        // Mix of ASCII, Latin-1, and non-Latin-1
        let encoded = encode_password_latin1("a\u{00FC}\u{4E2D}b");
        assert_eq!(encoded, vec![b'a', 0xFC, 0x3F, b'b']);
    }

    // -----------------------------------------------------------------------
    // P2-33: Test /Perms validation
    // -----------------------------------------------------------------------

    #[test]
    fn test_encode_password_latin1_empty() {
        let encoded = encode_password_latin1("");
        assert!(encoded.is_empty());
    }

    #[test]
    fn test_encode_password_latin1_ascii_alphanumeric() {
        let encoded = encode_password_latin1("ABC123");
        assert_eq!(encoded, b"ABC123");
    }

    #[test]
    fn test_encode_password_latin1_0xff() {
        // U+00FF (y-diaeresis) is the last character in Latin-1 range
        let encoded = encode_password_latin1("\u{00FF}");
        assert_eq!(encoded, vec![0xFF]);
    }

    #[test]
    fn test_encode_password_latin1_over_range() {
        // U+0100 (Latin Extended-A) is just outside Latin-1 range
        let encoded = encode_password_latin1("\u{0100}");
        assert_eq!(encoded, vec![0x3F]); // '?' fallback
    }

    #[test]
    fn test_truncate_utf8_password_empty() {
        let pwd = truncate_utf8_password("");
        assert!(pwd.is_empty());
    }

    #[test]
    fn test_truncate_utf8_password_exact_127() {
        let input = "a".repeat(127);
        let pwd = truncate_utf8_password(&input);
        assert_eq!(pwd.len(), 127);
        assert_eq!(pwd, input.as_bytes());
    }

    #[test]
    fn test_truncate_utf8_password_over_127() {
        let input = "a".repeat(128);
        let pwd = truncate_utf8_password(&input);
        assert_eq!(pwd.len(), 127);
    }

    #[test]
    fn test_perms_validation_construct_and_verify() {
        // Build a valid /Perms block per PDF spec Algorithm 2.A:
        //   [0..4]  = /P value as LE i32
        //   [8]     = 'T' (EncryptMetadata=true) or 'F'
        //   [9..12] = "adb"
        let permissions: i32 = -4;
        let mut perms_plain = [0u8; 16];
        perms_plain[0..4].copy_from_slice(&permissions.to_le_bytes());
        // Bytes 4-7: can be anything
        perms_plain[8] = b'T'; // EncryptMetadata flag
        perms_plain[9] = b'a';
        perms_plain[10] = b'd';
        perms_plain[11] = b'b';

        // Encrypt with AES-256-ECB (single block, no padding)
        let file_key = [0x42u8; 32];
        // Use aes256_ecb_encrypt_block equivalent: encrypt then decrypt round-trip
        // For this test, we encrypt using the raw AES block cipher
        use aes::cipher::{BlockEncrypt, KeyInit};
        let cipher = aes::Aes256::new_from_slice(&file_key).unwrap();
        let mut block = aes::cipher::generic_array::GenericArray::clone_from_slice(&perms_plain);
        cipher.encrypt_block(&mut block);
        let encrypted_perms: [u8; 16] = block.into();

        // Now decrypt and validate (simulating what from_encrypt_dict does)
        let decrypted = crypto::aes256_ecb_decrypt_block(&file_key, &encrypted_perms).unwrap();

        // Byte 8 = 'T' (EncryptMetadata), bytes 9-11 = "adb"
        assert_eq!(decrypted[8], b'T');
        assert_eq!(&decrypted[9..12], b"adb");
        let recovered_p =
            i32::from_le_bytes([decrypted[0], decrypted[1], decrypted[2], decrypted[3]]);
        assert_eq!(recovered_p, permissions);
    }

    #[test]
    fn test_get_permissions_alias_delegates_to_permissions() {
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: vec![0x01; 5],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: b"secret".to_vec(),
        };
        assert_eq!(handler.get_permissions(), handler.permissions());
    }

    #[test]
    fn test_encoded_password_stored_and_accessible() {
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: vec![0x01; 5],
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: b"my_password".to_vec(),
        };
        assert_eq!(handler.encoded_password(), b"my_password");
    }

    // -----------------------------------------------------------------------
    // Encrypted PDF round-trip tests (P3: integration)
    // -----------------------------------------------------------------------

    /// Verify SecurityHandler stores encoded_password for R2/R4 user password path.
    ///
    /// Derives a key for a known password, computes the matching U value for R3,
    /// constructs a SecurityHandler directly, and verifies that `encoded_password()`
    /// returns the same Latin-1-encoded bytes used during key derivation.
    #[test]
    fn test_security_handler_stores_encoded_password_user_path() {
        // Derive key for a known password
        let password = "test";
        let pwd_bytes = encode_password_latin1(password);
        let o_value = [0x42u8; 32];
        let file_id = b"abcdef0123456789";
        let key = derive_key_r2_r4(&pwd_bytes, &o_value, -4, file_id, 3, 5, true);

        // Compute U value for R3: MD5(PASSWORD_PADDING + file_id), then 20 rounds of RC4
        let mut buf = Vec::new();
        buf.extend_from_slice(&PASSWORD_PADDING);
        buf.extend_from_slice(file_id);
        let hash = crypto::md5(&buf);
        let mut result = crypto::rc4_crypt(&key, &hash).unwrap();
        for i in 1..=19u8 {
            let modified: Vec<u8> = key.iter().map(|b| b ^ i).collect();
            result = crypto::rc4_crypt(&modified, &result).unwrap();
        }
        let mut u_value = result;
        u_value.resize(32, 0);

        // Construct a SecurityHandler directly with the same components
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: key,
            permissions: Permissions::from_bits(-4),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: o_value.to_vec(),
            u_value,
            encoded_password: pwd_bytes.clone(),
        };

        assert_eq!(handler.encoded_password(), pwd_bytes.as_slice());
        // "test" encodes as plain ASCII bytes in Latin-1
        assert_eq!(handler.encoded_password(), b"test");
    }

    /// Verify that `get_permissions()` alias returns the same value as `permissions()`.
    ///
    /// Uses a non-trivial permission value (-3904) to confirm both accessors agree
    /// and that `Permissions::bits()` round-trips correctly through the alias.
    #[test]
    fn test_security_handler_get_permissions_alias_r3() {
        let handler = SecurityHandler {
            revision: 3,
            key_length_bytes: 5,
            encryption_key: vec![0x01; 5],
            permissions: Permissions::from_bits(-3904),
            encrypt_metadata: true,
            stream_cf: CryptFilterMethod::V2,
            string_cf: CryptFilterMethod::V2,
            o_value: Vec::new(),
            u_value: Vec::new(),
            encoded_password: b"owner".to_vec(),
        };
        assert_eq!(handler.get_permissions().bits(), -3904);
        assert_eq!(handler.get_permissions(), handler.permissions());
    }
}