Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

archive/zip: support for encrypted archives #12081

Open
raichu opened this issue Aug 9, 2015 · 4 comments
Open

archive/zip: support for encrypted archives #12081

raichu opened this issue Aug 9, 2015 · 4 comments
Labels
FeatureRequest
Milestone
Unplanned

Comments

@raichu
Copy link

@raichu raichu commented Aug 9, 2015

ZIP file format specification includes encrypted archives.
Current implementation doesn't support writing/reading such archives.
@ianlancetaylor ianlancetaylor changed the title zip: support for encrpyted archives archive/zip: support for encrpyted archives Aug 9, 2015
@ianlancetaylor ianlancetaylor added this to the Unplanned milestone Aug 9, 2015
@dsnet dsnet mentioned this issue Oct 17, 2015
Closed
@alexmullins
Copy link

@alexmullins alexmullins commented Dec 5, 2015

I've got a working implementation of archive/zip that can read/write password protected archives. The code is at https://github.com/alexmullins/zip.

Details:
The encryption/decryption method used is WinZip AES Encryption Specification (http://www.winzip.com/aes_info.htm). There are 2 other encryption methods specified in the original Zip Spec (https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT, Sections 6 and 7) which aren't implemented. The method described in Section 6, also known as ZipCrypto, is generally considered 'weak' and isn't advisable to use. The method described in Section 7 seems to be exclusively used with PKWARE products as I haven't seen any other opensource implementations support it.

Public API additions:

  • FileHeader.DeferAuth
  • func (*FileHeader) IsEncrypted
  • func (*FileHeader) SetPassword
  • func (*Writer) Encrypt

Current roadblocks:

  • The method to turn a password into a master-key is PBKDF2 and I'm getting that functionality from the 3rd party package golang.org/x/crypto/pbkdf2.
  • Duplicating the cipher.NewCTR implementation from Go's Standard Library. (See here: https://github.com/alexmullins/zip/blob/master/crypto.go#L109). It was clarified for me that Go uses a right-aligned counter which is the standard way of doing it. WinZip AES uses a left-aligned counter. The difference between the two is:

Go CTR:
00000000000000000000000000000001
00000000000000000000000000000002

WinZip CTR:
01000000000000000000000000000000
02000000000000000000000000000000

Any feedback is welcome.
Thanks.
@alexmullins alexmullins mentioned this issue Jan 16, 2016
Closed
@bradfitz bradfitz changed the title archive/zip: support for encrpyted archives archive/zip: support for encrypted archives May 10, 2016
@yeka
Copy link

@yeka yeka commented Oct 17, 2016

I was working on a project that requires me to send a password protected zip file to a system that can only read Zip Standard Encryption. Not finding any go source for this, I manage to create a working code based on @alexmullins code. Special thanks to you Sir 👍

While it's not advisable to use Zip Standard Encryption for security reason, for those who have to work with it, you can check my code at https://github.com/yeka/zip

I hope the awesome Go Team can integrate encryption into their standard zip/archive 😄
@ghost
Copy link

@ghost ghost commented Jul 15, 2017

Any updates here? officially supporting protected files would be good enough :)
@mholt mholt mentioned this issue Aug 25, 2017
Closed
@florianpinel
Copy link

@florianpinel florianpinel commented Aug 29, 2018

@yeka Could you add a license to your git repo?
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FeatureRequest
Projects
None yet
Milestone
Unplanned
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
@bradfitz @alexmullins @yeka @raichu @ianlancetaylor @florianpinel