Go: archive/zip: support for encrypted archives

Created on 9 Aug 2015 · 4 Comments · Source: golang/go

The ZIP file format specification includes encrypted archives.
The current implementation doesn't support writing or reading such archives.

FeatureRequest

All 4 comments

I've got a working implementation of archive/zip that can read/write password protected archives. The code is at https://github.com/alexmullins/zip.

Details:
The encryption/decryption method used is WinZip AES Encryption Specification (http://www.winzip.com/aes_info.htm). There are 2 other encryption methods specified in the original Zip Spec (https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT, Sections 6 and 7) which aren't implemented. The method described in Section 6, also known as ZipCrypto, is generally considered 'weak' and isn't advisable to use. The method described in Section 7 seems to be exclusively used with PKWARE products as I haven't seen any other open-source implementations support it.

Public API additions:

  • FileHeader.DeferAuth
  • func (*FileHeader) IsEncrypted
  • func (*FileHeader) SetPassword
  • func (*Writer) Encrypt

Current roadblocks:

  • The method to turn a password into a master-key is PBKDF2 and I'm getting that functionality from the 3rd party package golang.org/x/crypto/pbkdf2.
  • Duplicating the cipher.NewCTR implementation from Go's Standard Library. (See here: https://github.com/alexmullins/zip/blob/master/crypto.go#L109). It was clarified for me that Go uses a right-aligned counter which is the standard way of doing it. WinZip AES uses a left-aligned counter. The difference between the two is:

Go CTR:
00000000000000000000000000000001
00000000000000000000000000000002

WinZip CTR:
01000000000000000000000000000000
02000000000000000000000000000000

Any feedback is welcome.
Thanks.
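
The counter-layout difference described in the comment above, as an added example (not code from the comment or from the alexmullins/zip repository): a CTR keystream with a little-endian counter next to Go's `cipher.NewCTR`. It goes one step beyond the comment by seeding `cipher.NewCTR` with `01 00 .. 00`, which matches only the first block because Go then increments from the right. The names `leCTR` and `newStreams` and the all-zero key are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// leCTR (a name assumed for this example) is a CTR keystream whose 16-byte
// counter increments as a little-endian integer, the "WinZip CTR" layout.
type leCTR struct {
	block       cipher.Block
	counter, ks [aes.BlockSize]byte
	pos         int // offset into ks; 0 means a new block is needed
}

// XORKeyStream implements cipher.Stream; the first counter block is 01 00 .. 00.
func (s *leCTR) XORKeyStream(dst, src []byte) {
	for i := range src {
		if s.pos == 0 {
			for j := range s.counter { // add 1 with carry, low byte first
				if s.counter[j]++; s.counter[j] != 0 {
					break
				}
			}
			s.block.Encrypt(s.ks[:], s.counter[:])
		}
		dst[i] = src[i] ^ s.ks[s.pos]
		s.pos = (s.pos + 1) % aes.BlockSize
	}
}

// newStreams returns the little-endian stream and Go's cipher.NewCTR seeded
// with iv as its first counter block, both under the same key.
func newStreams(key, iv []byte) (le, be cipher.Stream) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return &leCTR{block: block}, cipher.NewCTR(block, iv)
}

func main() {
	key := make([]byte, 16) // constructed all-zero key, for the demo only
	le, be := newStreams(key, append([]byte{1}, make([]byte, 15)...))
	a, b := make([]byte, 32), make([]byte, 32)
	le.XORKeyStream(a, a)
	be.XORKeyStream(b, b)
	fmt.Printf("LE counter: %x\nNewCTR:     %x\n", a, b) // block 1 equal, block 2 not
}
```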

I was working on a project that requires me to send a password-protected zip file to a system that can only read Zip Standard Encryption. Not finding any Go source for this, I managed to create working code based on @alexmullins's code. Special thanks to you, Sir 👍

While it's not advisable to use Zip Standard Encryption for security reasons, for those who have to work with it, you can check my code at https://github.com/yeka/zip

I hope the awesome Go Team can integrate encryption into their standard zip/archive 😄

Any updates here? Officially supporting protected files would be good enough :)

@yeka Could you add a license to your git repo?
