archive/zip: support for encrypted archives

[raichu]

ZIP file format specification includes encrypted archives.
Current implementation doesn't support writing/reading such archives.

[alexmullins]

I've got a working implementation of archive/zip that can read/write password protected archives. The code is at https://github.com/alexmullins/zip.

Details:
The encryption/decryption method used is WinZip AES Encryption Specification (http://www.winzip.com/aes_info.htm). There are 2 other encryption methods specified in the original Zip Spec (https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT, Sections 6 and 7) which aren't implemented. The method described in Section 6, also known as ZipCrypto, is generally considered 'weak' and isn't advisable to use. The method described in Section 7 seems to be exclusively used with PKWARE products as I haven't seen any other opensource implementations support it.

Public API additions:

• FileHeader.DeferAuth
• func (*FileHeader) IsEncrypted
• func (*FileHeader) SetPassword
• func (*Writer) Encrypt

Current roadblocks:

• The method to turn a password into a master-key is PBKDF2 and I'm getting that functionality from the 3rd party package golang.org/x/crypto/pbkdf2.
• Duplicating the cipher.NewCTR implementation from Go's Standard Library. (See here: https://github.com/alexmullins/zip/blob/master/crypto.go#L109). It was clarified for me that Go uses a right-aligned counter which is the standard way of doing it. WinZip AES uses a left-aligned counter. The difference between the two is:

Go CTR:
00000000000000000000000000000001
00000000000000000000000000000002

WinZip CTR:
01000000000000000000000000000000
02000000000000000000000000000000

Any feedback is welcome.
Thanks.

[yeka]

I was working on a project that requires me to send a password protected zip file to a system that can only read Zip Standard Encryption. Not finding any go source for this, I manage to create a working code based on @alexmullins code. Special thanks to you Sir 👍

While it's not advisable to use Zip Standard Encryption for security reason, for those who have to work with it, you can check my code at https://github.com/yeka/zip

I hope the awesome Go Team can integrate encryption into their standard zip/archive 😄

[ghost]

Any updates here? officially supporting protected files would be good enough :)

[florianpinel]

@yeka Could you add a license to your git repo?