archive/zip: support for encrypted archives #12081

Open
raichu opened this issue Aug 9, 2015 · 4 comments

Comments

@raichu
commented Aug 9, 2015

ZIP file format specification includes encrypted archives.
Current implementation doesn't support writing/reading such archives.

@ianlancetaylor ianlancetaylor changed the title zip: support for encrpyted archives archive/zip: support for encrpyted archives Aug 9, 2015

@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Aug 9, 2015

@alexmullins

commented Dec 5, 2015

I've got a working implementation of archive/zip that can read/write password protected archives. The code is at https://github.com/alexmullins/zip.

Details:
The encryption/decryption method used is WinZip AES Encryption Specification (http://www.winzip.com/aes_info.htm). There are 2 other encryption methods specified in the original Zip Spec (https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT, Sections 6 and 7) which aren't implemented. The method described in Section 6, also known as ZipCrypto, is generally considered 'weak' and isn't advisable to use. The method described in Section 7 seems to be exclusively used with PKWARE products as I haven't seen any other open-source implementations support it.

Public API additions:

  • FileHeader.DeferAuth
  • func (*FileHeader) IsEncrypted
  • func (*FileHeader) SetPassword
  • func (*Writer) Encrypt

Current roadblocks:

  • The method to turn a password into a master-key is PBKDF2 and I'm getting that functionality from the 3rd party package golang.org/x/crypto/pbkdf2.
  • Duplicating the cipher.NewCTR implementation from Go's Standard Library. (See here: https://github.com/alexmullins/zip/blob/master/crypto.go#L109). It was clarified for me that Go uses a right-aligned counter which is the standard way of doing it. WinZip AES uses a left-aligned counter. The difference between the two is:

Go CTR:
00000000000000000000000000000001
00000000000000000000000000000002

WinZip CTR:
01000000000000000000000000000000
02000000000000000000000000000000

Any feedback is welcome.
Thanks.
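
The counter difference described in the comment above, as an added Go example that is not part of the original comment or of either linked repository. It assumes the left-aligned counter is a little-endian integer starting at 1 (consistent with the two WinZip counter values shown); `winzipCTR` and `compare` are hypothetical names, and the key and plaintext are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// winzipCTR XORs src with an AES-CTR keystream whose counter block is a
// little-endian ("left-aligned") integer starting at 1: 01 00 .. 00, 02 00 .. 00.
func winzipCTR(block cipher.Block, src []byte) []byte {
	dst := make([]byte, len(src))
	var ctr, ks [aes.BlockSize]byte
	for i, n := 0, uint64(1); i < len(src); i, n = i+aes.BlockSize, n+1 {
		binary.LittleEndian.PutUint64(ctr[:8], n) // low-order byte first
		block.Encrypt(ks[:], ctr[:])
		for j := 0; j < aes.BlockSize && i+j < len(src); j++ {
			dst[i+j] = src[i+j] ^ ks[j]
		}
	}
	return dst
}

// compare encrypts constructed sample data both ways and reports whether the
// WinZip-style stream round-trips and where it first differs from cipher.NewCTR.
func compare() (roundTrip bool, firstDiff int) {
	block, err := aes.NewCipher(bytes.Repeat([]byte{0x42}, 32)) // constructed key
	if err != nil {
		panic(err)
	}
	plain := bytes.Repeat([]byte("constructed sample data "), 4) // 96 bytes
	ct := winzipCTR(block, plain)
	// Same first counter block for the stdlib (01 00 .. 00); it increments big-endian.
	iv := append([]byte{1}, make([]byte, aes.BlockSize-1)...)
	std := make([]byte, len(plain))
	cipher.NewCTR(block, iv).XORKeyStream(std, plain)
	roundTrip = bytes.Equal(winzipCTR(block, ct), plain)
	for i := range ct {
		if ct[i] != std[i] {
			return roundTrip, i
		}
	}
	return roundTrip, -1
}

func main() {
	fmt.Println(compare()) // round-trip flag, then offset of first differing byte
}
```

Seeding `cipher.NewCTR` with the WinZip starting block matches only the first 16 bytes; the streams split in the second block, which is why the standard library's CTR cannot be reused as-is for this format.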

@bradfitz bradfitz changed the title archive/zip: support for encrpyted archives archive/zip: support for encrypted archives May 10, 2016

@yeka

commented Oct 17, 2016

I was working on a project that requires me to send a password protected zip file to a system that can only read Zip Standard Encryption. Not finding any Go source for this, I managed to create working code based on @alexmullins's code. Special thanks to you Sir 👍

While it's not advisable to use Zip Standard Encryption for security reasons, for those who have to work with it, you can check my code at https://github.com/yeka/zip

I hope the awesome Go Team can integrate encryption into their standard zip/archive 😄

@ghost

commented Jul 15, 2017

Any updates here? Officially supporting protected files would be good enough :)

@florianpinel

commented Aug 29, 2018

@yeka Could you add a license to your git repo?
