[PING] PoC for JDK-4347142: Need method to set Password protection to Zip entries
Yasumasa Suenaga
yasuenag at gmail.com
Sat Dec 12 12:23:03 UTC 2015
Hi Sherman,
Our proposal is affected by JDK-8142508.
We have to change ZipFile.java and and ZipFile.c .
Thus we will create a new webrev for current (after 8142508) jdk9/dev repos.
Do you have any comments about current webrev?
http://cr.openjdk.java.net/~ysuenaga/JDK-4347142/webrev.00/
If you have comments, we will fix them in new webrev.
Thanks,
Yasumasa
On 2015/12/03 16:51, KUBOTA Yuji wrote:
> Hi Sherman,
>
> Thanks for your quick response :)
>
> I aimed to implement the "traditional" at this proposal by the below reasons.
>
> * We want to prepare API for encrypted zip files at first.
> * Many people use the "traditional" in problem-free scope like a
> temporary file.
> * We do not know which implementation of the "stronger" is best for openjdk.
> * PKWare claims that they have patents about the "stronger" on Zip[1].
> * OTOH, WinZip have the alternative implementation of the "stronger" [2][3].
> * Instead, we prepared the extensibility by ZipCryption interface to
> implement other encrypt engine, such as the AES based.
>
> Thus, I think this PoC should support the "traditional" only.
> In the future, anyone who want to implement the "stronger" can easily
> add their code by virtue of this proposal.
>
> [1] https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.3.TXT
> (1.4 Permitted Use & 7.0 Strong Encryption Specification)
> [2] https://en.wikipedia.org/wiki/Zip_(file_format)#Strong_encryption_controversy
> [3] http://www.winzip.com/aes_info.htm
>
> Thanks,
> Yuji
>
> 2015-12-03 12:29 GMT+09:00 Xueming Shen <xueming.shen at oracle.com>:
>>
>> Hi Yuji,
>>
>> I will take a look at your PoC. Might need some time and even bring in the
>> security guy
>> to evaluate the proposal. It seems like you are only interested in the
>> "traditional PKWare
>> decryption", which is, based on the wiki, "known to be seriously flawed, and
>> in particular
>> is vulnerable to known-plaintext attacks":-) Any request to support
>> "stronger" encryption
>> mechanism, such as the AES based?
>>
>> Regards,
>> Sherman
>>
>>
>> On 12/2/15 6:48 PM, KUBOTA Yuji wrote:
>>>
>>> Hi all,
>>>
>>> We need reviewer(s) for this PoC.
>>> Could you please review this proposal and PoC ?
>>>
>>> Thanks,
>>> Yuji
>>>
>>> 2015-11-26 13:22 GMT+09:00 KUBOTA Yuji <kubota.yuji at gmail.com>:
>>>>
>>>> Hi all,
>>>>
>>>> * Sorry for my mistake. I re-post this mail because I sent before get
>>>> a response of subscription confirmation of core-libs-dev.
>>>>
>>>> Our customers have to handle password-protected zip files. However,
>>>> Java SE does not provide the APIs to handle it yet, so we must use
>>>> third party library so far.
>>>>
>>>> Recently, we found JDK-4347142: "Need method to set Password
>>>> protection to Zip entries", and we tried to implement it.
>>>>
>>>> The current zlib in JDK is completely unaffected by this proposal. The
>>>> traditional zip encryption encrypts a data after it is has been
>>>> compressed by zlib.[1] So we do NOT need to change existing zlib
>>>> implementation.
>>>>
>>>> We've created PoC and uploaded it as webrev:
>>>>
>>>> http://cr.openjdk.java.net/~ysuenaga/JDK-4347142/webrev.00/
>>>>
>>>> Test code is as below. This code will let you know how this PoC
>>>> works.
>>>> http://cr.openjdk.java.net/~ysuenaga/JDK-4347142/webrev.00/Test.java
>>>>
>>>> In NTT, a Japanese telecommunications company. We are providing many
>>>> enterprise systems to customers. Some of them, we need to implement to
>>>> handle password-protected zip file. I guess that this proposal is
>>>> desired for many developers and users.
>>>>
>>>> I'm working together with Yasumasa Suenaga, jdk9 committer (ysuenaga).
>>>> We want to implement it if this proposal accepted.
>>>>
>>>> [1]: https://pkware.cachefly.net/webdocs/APPNOTE/APPNOTE-6.3.3.TXT
>>>> (6.0 Traditional PKWARE Encryption)
>>>>
>>>> Thanks,
>>>> Yuji
>>
>>
More information about the core-libs-dev
mailing list