[thanks to sebb for changing the subject line]

On 2019-09-28, Christopher Schultz wrote:

> According to
> https://commons.apache.org/proper/commons-compress/limitations.html,
> ZIP support does not include AES encryption when *writing* archives.

You must have looked at the entry for 7z. Unfortunately we don't support reading of any of the encryption mechanisms available for ZIP archives either.

> I'm wondering if that was a design decision or just that nobody has
> volunteered to write the export code to support that feature.

For 7z it merely is the latter. Somebody contributed code for reading but nobody has taken the time to implement writing so far.

For ZIP the situation is not that clear.

There exists a very weak feature that is called "traditional encryption" that some people could use to decrypt old password protected archives. Then there is WinZIP AES that you mention yourself. For both of them we simply haven't had anybody write the code.

https://issues.apache.org/jira/browse/COMPRESS-251
https://issues.apache.org/jira/browse/COMPRESS-247

And then there is PKWare's own "strong encryption" feature which is what commercial tools likely use for encryption. In order to implement that one needs a license from PKWare. PKWare is not willing to provide such a license for an open source library - I've asked. So we'll never be able to implement that. See "Incorporating PKWARE Proprietary Technology into Your Product" in https://pkware.cachefly.net/webdocs/casestudies/APPNOTE.TXT

WinZIP AES has been on my personal TODO list for years, I just have never come around to it. I guess you know what I'm talking about yourself.

> I've been using the library that was once hosted at
> https://code.google.com/p/winzipaes, but it would be nice to have it
> available through commons-compress as well.

This seems to have moved to https://github.com/mobsandgeeks/winzipaes

It looks abandoned - last commit more than four years ago - and I don't see which license the code would be under.
A long while ago it seems to have been under the Apache Software License, at least this is what my comment on https://issues.apache.org/jira/browse/COMPRESS-88 says (not that I recalled ever writing that before I went back to the issues :-).

Actually WinZIP AES itself looks pretty much straightforward. It is implemented as a separate "compression method" - unlike PKWare's strong encryption feature which does a lot more than that and in particular encrypts metadata in addition to the contents.

https://www.winzip.com/win/en/aes_info.html

It shouldn't be too difficult to implement using JCE, it's mostly a matter of finding the time to do so.

The zip package itself hasn't been designed with extension in mind and so far we have only plugged in non-standard compression methods for reading (a few of the old methods, bzip2 and deflate64). It is quite possible that adding one for writing is quite a bit more work.

https://issues.apache.org/jira/browse/COMPRESS-143

Stefan
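
An added example, not part of the message above and not commons-compress code: reading the WinZIP AES parameters that travel with the separate "compression method" and deriving the entry keys with JCE, following the format description at the winzip.com link in the message. The class and method names are hypothetical, and the extra-field bytes, password and salt are constructed sample values.

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class WinZipAesExample {
    static final int AES_EXTRA_ID = 0x9901; // extra field that accompanies "compression method" 99

    /** Returns {AE version, key bits, real compression method}, or null if no AES extra field is present. */
    static int[] parseAesExtra(byte[] extra) {
        ByteBuffer b = ByteBuffer.wrap(extra).order(ByteOrder.LITTLE_ENDIAN);
        while (b.remaining() >= 4) {
            int id = b.getShort() & 0xFFFF;
            int size = b.getShort() & 0xFFFF;
            if (size > b.remaining()) throw new IllegalArgumentException("truncated extra field");
            if (id != AES_EXTRA_ID) { b.position(b.position() + size); continue; }
            if (size != 7) throw new IllegalArgumentException("unexpected AES extra field size");
            int version = b.getShort() & 0xFFFF;       // 1 = AE-1, 2 = AE-2
            if (b.get() != 'A' || b.get() != 'E') throw new IllegalArgumentException("bad vendor ID");
            int strength = b.get();                    // 1, 2, 3 = 128, 192, 256 bit keys
            if (strength < 1 || strength > 3) throw new IllegalArgumentException("bad key strength");
            return new int[] { version, 64 + 64 * strength, b.getShort() & 0xFFFF };
        }
        return null;
    }

    /** PBKDF2-HMAC-SHA1, 1000 rounds, split into AES key, HMAC-SHA1 key and 2-byte password verifier. */
    static byte[][] deriveKeys(char[] password, byte[] salt, int keyBits) throws Exception {
        int n = keyBits / 8;
        if (salt.length != n / 2) throw new IllegalArgumentException("salt must be half the key size");
        PBEKeySpec spec = new PBEKeySpec(password, salt, 1000, (2 * n + 2) * 8);
        byte[] k = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new byte[][] { Arrays.copyOfRange(k, 0, n), Arrays.copyOfRange(k, n, 2 * n),
                              Arrays.copyOfRange(k, 2 * n, 2 * n + 2) };
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample extra field: ID 0x9901, size 7, AE-2, "AE", strength 3, real method 8 (deflate).
        byte[] extra = { 0x01, (byte) 0x99, 7, 0, 2, 0, 'A', 'E', 3, 8, 0 };
        int[] info = parseAesExtra(extra);
        System.out.printf("AE-%d, %d-bit key, real method %d%n", info[0], info[1], info[2]);
        byte[] salt = new byte[16];                    // constructed all-zero salt; archives store a random one
        byte[][] keys = deriveKeys("example".toCharArray(), salt, info[1]);
        System.out.printf("AES key %d bytes, HMAC key %d bytes, verifier %d bytes%n",
                keys[0].length, keys[1].length, keys[2].length);
    }
}
```

The 2-byte verifier only rejects most wrong passwords early; integrity of the entry rests on the HMAC-SHA1 authentication code stored after the encrypted data.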
