[PING] PoC for JDK-4347142: Need method to set Password protection to Zip entries

Xueming Shen xueming.shen at oracle.com
Thu Dec 3 03:29:54 UTC 2015


Hi Yuji,

I will take a look at your PoC.  Might need some time and even bring in the
security guy to evaluate the proposal. It seems like you are only interested
in the "traditional PKWare decryption", which is, based on the wiki, "known to
be seriously flawed, and in particular is vulnerable to known-plaintext
attacks":-) Any request to support "stronger" encryption mechanism, such as
the AES based?

Regards,
Sherman

On 12/2/15 6:48 PM, KUBOTA Yuji wrote:
> Hi all,
>
> We need reviewer(s) for this PoC.
> Could you please review this proposal and PoC?
>
> Thanks,
> Yuji
>
> 2015-11-26 13:22 GMT+09:00 KUBOTA Yuji <kubota.yuji at gmail.com>:
>> Hi all,
>>
>> * Sorry for my mistake. I re-post this mail because I sent it before getting
>> a response to the subscription confirmation of core-libs-dev.
>>
>> Our customers have to handle password-protected zip files. However,
>> Java SE does not provide the APIs to handle it yet, so we must use
>> a third-party library so far.
>>
>> Recently, we found JDK-4347142: "Need method to set Password
>> protection to Zip entries", and we tried to implement it.
>>
>> The current zlib in JDK is completely unaffected by this proposal. The
>> traditional zip encryption encrypts data after it has been
>> compressed by zlib.[1] So we do NOT need to change the existing zlib
>> implementation.
>>
>> We've created a PoC and uploaded it as webrev:
>>
>>      http://cr.openjdk.java.net/~ysuenaga/JDK-4347142/webrev.00/
>>
>>      Test code is as below. This code will let you know how this PoC works.
>>      http://cr.openjdk.java.net/~ysuenaga/JDK-4347142/webrev.00/Test.java
>>
>> At NTT, a Japanese telecommunications company, we are providing many
>> enterprise systems to customers. For some of them, we need to implement
>> handling of password-protected zip files. I guess that this proposal is
>> desired by many developers and users.
>>
>> I'm working together with Yasumasa Suenaga, jdk9 committer (ysuenaga).
>> We want to implement it if this proposal is accepted.
>>
>> [1]: https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.3.TXT
>> (6.0  Traditional PKWARE Encryption)
>>
>> Thanks,
>> Yuji
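
The thread turns on which ZIP protection scheme an entry uses: traditional PKWARE encryption or something stronger such as AES. The following is an added example, not code from the thread or from the PoC webrev, that reads an archive's central directory and reports the scheme each entry declares, so archives relying on the weak traditional scheme can be found. Assumptions: the class and method names are hypothetical, compression method 99 is treated as the WinZip AES marker, general purpose flag bit 6 as PKWARE strong encryption, ZIP64 archives are not handled, and entry names are decoded as UTF-8.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.ByteOrder;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.zip.*;

public class ZipEncryptionAudit {
    // Maps each entry name to the protection scheme declared in its central directory header.
    static Map<String, String> audit(byte[] zip) {
        ByteBuffer b = ByteBuffer.wrap(zip).order(ByteOrder.LITTLE_ENDIAN);
        int eocd = zip.length - 22;   // scan backwards for the end-of-central-directory record
        while (eocd >= 0 && b.getInt(eocd) != 0x06054b50) eocd--;
        if (eocd < 0) throw new IllegalArgumentException("no end-of-central-directory record");
        int count = b.getShort(eocd + 10) & 0xffff;   // total number of entries
        int pos = b.getInt(eocd + 16);                // offset of the first central header
        Map<String, String> out = new LinkedHashMap<>();
        for (int i = 0; i < count; i++) {
            if (b.getInt(pos) != 0x02014b50) throw new IllegalArgumentException("bad central header");
            int flags = b.getShort(pos + 8) & 0xffff, method = b.getShort(pos + 10) & 0xffff;
            int nameLen = b.getShort(pos + 28) & 0xffff;
            int skip = (b.getShort(pos + 30) & 0xffff) + (b.getShort(pos + 32) & 0xffff);
            String name = new String(zip, pos + 46, nameLen, StandardCharsets.UTF_8);
            String scheme = (flags & 1) == 0 ? "none"          // bit 0: entry is encrypted
                    : method == 99 ? "WinZip AES"              // assumption: AE-x marker method
                    : (flags & 0x40) != 0 ? "PKWARE strong encryption"
                    : "traditional PKWARE (weak)";
            out.put(name, scheme);
            pos += 46 + nameLen + skip;   // fixed part + name + extra field + comment
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a two-entry archive built in memory.
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            for (String n : new String[] {"plain.txt", "secret.txt"}) {
                zos.putNextEntry(new ZipEntry(n));
                zos.write("hello".getBytes(StandardCharsets.UTF_8));
            }
        }
        byte[] zip = bos.toByteArray();
        // Set flag bit 0 on the last central header by hand so secret.txt is declared
        // as encrypted; the data itself is not encrypted, this only exercises audit().
        ByteBuffer b = ByteBuffer.wrap(zip).order(ByteOrder.LITTLE_ENDIAN);
        int p = zip.length - 4;
        while (b.getInt(p) != 0x02014b50) p--;
        zip[p + 8] |= 1;
        audit(zip).forEach((name, scheme) -> System.out.println(name + ": " + scheme));
    }
}
```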



