Implement support for reading AES-enrypted entries

[thekid]

When extracting, the code remains unchanged - simply set the password, the implementation will decrypt the contents with either traditional PKZIP cipher or AES(-128/-192/-256) based on the entry's header.

use io\archive\zip\ZipFile;
use util\cmd\Console;

$zip= ZipFile::open($argv[1])->usingPassword($argv[2]);
foreach ($zip->entries() as $entry) {
  Console::writeLine($entry->getName(), ': ', $entry->in()->read(72).'…');
}
$zip->close();

Implementation

• Detect AES via compression=99
• Implement password verification
• Decrypt with AES-CTR / little endian
• Test streaming with larger data
• Throw for missing passwords
• Add support for using util.Secret instances for passwords

Strengths

• 1 -> AES-128
• 2 -> AES-292
• 3 -> AES-256

See also

• https://github.com/danifus/pyzipper/blob/master/pyzipper/zipfile_aes.py

[thekid]

Test streaming with larger data

$ for file in /usr/bin/xp.exe ../backup.tgz ../core/debug ; do \
  7z a -mem=AES256 -p'secret' test.zip $file ; \
  7z l test.zip ; \
  xp decompress.script.php test.zip ; \
  diff -q target $file && echo "OK" ; \
  rm test.zip ; \
done
# [...]
2025-09-20 18:31:49 .....        78848        32706  xp.exe
2017-11-04 21:14:26 .....        29502        29530  backup.tgz
2025-04-21 11:14:07 .....       178117        23251  debug
# [...]

• Tests with different file types - worked
• Fuzz-testing with passing rand(512, 8192) to read() - showed necessity to ensure block size while streaming decryption

[thekid]

Released in https://github.com/xp-framework/zip/releases/tag/v11.3.0