Implement Type-1 decryption

jkseppan · jkseppan · commit b81313fe285c · 2021-07-22T13:07:45.000+03:00
This is a prerequisite of subsetting.
diff --git a/doc/api/next_api_changes/behavior/20634-JKS.rst b/doc/api/next_api_changes/behavior/20634-JKS.rst
@@ -0,0 +1,8 @@
+``Type1Font`` objects now decrypt the encrypted part
+----------------------------------------------------
+
+Type 1 fonts have a large part of their code encrypted as an obsolete
+copy-protection measure. This part is now available decrypted as the
+``decrypted`` attribute of :class:`~matplotlib.type1font.Type1Font`.
+This decrypted data is not yet parsed, but this is a prerequisite for
+implementing subsetting.
diff --git a/lib/matplotlib/tests/test_type1font.py b/lib/matplotlib/tests/test_type1font.py
@@ -15,6 +15,8 @@ def test_Type1Font():
     assert font.parts[2] == rawdata[0x8985:0x8ba6]
     assert font.parts[1:] == slanted.parts[1:]
     assert font.parts[1:] == condensed.parts[1:]
+    assert font.decrypted.startswith(b'dup\n/Private 18 dict dup begin')
+    assert font.decrypted.endswith(b'mark currentfile closefile\n')
 
     differ = difflib.Differ()
     diff = list(differ.compare(
@@ -67,3 +69,11 @@ def test_overprecision():
     assert matrix == '0.001 0 0.000167 0.001 0 0'
     # and here we had -9.48090361795083
     assert angle == '-9.4809'
+
+
+def test_encrypt_decrypt_roundtrip():
+    data = b'this is my plaintext \0\1\2\3'
+    encrypted = t1f.Type1Font._encrypt(data, 'eexec')
+    decrypted = t1f.Type1Font._decrypt(encrypted, 'eexec')
+    assert encrypted != decrypted
+    assert data == decrypted
diff --git a/lib/matplotlib/type1font.py b/lib/matplotlib/type1font.py
@@ -46,10 +46,12 @@ class Type1Font:
     parts : tuple
         A 3-tuple of the cleartext part, the encrypted part, and the finale of
         zeros.
+    decrypted : bytes
+        The decrypted form of parts[1].
     prop : dict[str, Any]
         A dictionary of font properties.
     """
-    __slots__ = ('parts', 'prop')
+    __slots__ = ('parts', 'decrypted', 'prop')
 
     def __init__(self, input):
         """
@@ -68,6 +70,7 @@ def __init__(self, input):
                 data = self._read(file)
             self.parts = self._split(data)
 
+        self.decrypted = self._decrypt(self.parts[1], 'eexec')
         self._parse()
 
     def _read(self, file):
@@ -139,6 +142,59 @@ def _split(self, data):
     _token_re = re.compile(br'/{0,2}[^]\0\t\r\v\n ()<>{}/%[]+')
     _instring_re = re.compile(br'[()\\]')
 
+    @staticmethod
+    def _decrypt(ciphertext, key, ndiscard=4):
+        """
+        Decrypt ciphertext using the Type-1 font algorithm
+
+        The algorithm is described in Adobe's "Adobe Type 1 Font Format".
+        The key argument can be an integer, or one of the strings
+        'eexec' and 'charstring', which map to the key specified for the
+        corresponding part of Type-1 fonts.
+
+        The ndiscard argument should be an integer, usually 4.
+        That number of bytes is discarded from the beginning of plaintext.
+        """
+
+        key = {'eexec': 55665, 'charstring': 4330}.get(key, key)
+        if not isinstance(key, int):
+            raise ValueError(f'Invalid decryption key {key!r}')
+
+        plaintext = bytearray(len(ciphertext))
+        for i, byte in enumerate(ciphertext):
+            plaintext[i] = byte ^ (key >> 8)
+            key = ((key+byte) * 52845 + 22719) & 0xffff
+
+        return bytes(plaintext[ndiscard:])
+
+    @staticmethod
+    def _encrypt(plaintext, key, ndiscard=4):
+        """
+        Encrypt plaintext using the Type-1 font algorithm
+
+        The algorithm is described in Adobe's "Adobe Type 1 Font Format".
+        The key argument can be an integer, or one of the strings
+        'eexec' and 'charstring', which map to the key specified for the
+        corresponding part of Type-1 fonts.
+
+        The ndiscard argument should be an integer, usually 4. That
+        number of bytes is prepended to the plaintext before encryption.
+        This function prepends NUL bytes for reproducibility, even though
+        the original algorithm uses random bytes, presumably to avoid
+        cryptanalysis.
+        """
+
+        key = {'eexec': 55665, 'charstring': 4330}.get(key, key)
+        if not isinstance(key, int):
+            raise ValueError(f'Invalid encryption key {key!r}')
+
+        ciphertext = bytearray(len(plaintext) + ndiscard)
+        for i, byte in enumerate(b'\0' * ndiscard + plaintext):
+            ciphertext[i] = byte ^ (key >> 8)
+            key = ((key + ciphertext[i]) * 52845 + 22719) & 0xffff
+
+        return bytes(ciphertext)
+
     @classmethod
     def _tokens(cls, text):
         """
