Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for AES encryption zip file #696

Open
wants to merge 10 commits into
base: main
Choose a base branch
from
Open

Conversation

xqdoo00o
Copy link
Contributor

@xqdoo00o xqdoo00o commented Jul 15, 2020

Add wzAES encryption & decryption (doc). min.js size just increase 13KB(from 96KB main dist).
Support different password & encryptStrength and non-encrypt file mixed in single zip(use "password" & "encryptStrength(1|2|3, default 3(AES-256))" in file options or generate options).
Thanks the very efficient crypto library sjcl.

@xqdoo00o xqdoo00o marked this pull request as draft July 31, 2020 09:30
@xqdoo00o xqdoo00o marked this pull request as ready for review August 9, 2020 16:02
@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Aug 12, 2020

Hi, @Stuk , I think this's pretty good for production, the min.js size only increase 13KB (107KB, gziped: 31KB) from the master branch (94KB, gziped: 27KB). And the speed & memory usage are quite fast & small for most users.
Could you plz reiview this pr? thanks.

@xqdoo00o xqdoo00o changed the title Add support for wzAes zip Add support for wzAes encryption zip file Sep 22, 2020
@rony2818
Copy link

rony2818 commented Sep 26, 2020

@xqdoo00o Thanks for your PR.
I try to use this PR. But data is empty when saveas file zip and dowload.
Could you check it?

const zip = new JSZip();
zip.file("Hello.txt", "Hello World\n");

const content = await zip.generateAsync({
type: "blob",
password: "12345678",
encryptStrength: 3,
});
// const data = await JSZip.loadAsync(content, { password: "12345678" });
saveAs(content, "example.zip");

@xqdoo00o
Copy link
Contributor Author

@xqdoo00o Thanks for your PR.
I try to use this PR. But data is empty when saveas file zip and dowload.
Could you check it?

const zip = new JSZip();
zip.file("Hello.txt", "Hello World\n");

const content = await zip.generateAsync({
type: "blob",
password: "12345678",
encryptStrength: 3,
});
// const data = await JSZip.loadAsync(content, { password: "12345678" });
saveAs(content, "example.zip");

I tested with your code, it's ok. Did you recompile this PR use npm i & npm run test-browser,then use the js dist/jszip.js?

async function aaa(){
    const zip = new JSZip();
    zip.file("Hello.txt", "Hello World\n");
    const content = await zip.generateAsync({
        type: "blob",
        password: "12345678",
        encryptStrength: 3,
    });
    console.log(content);
    saveAs(content, "example.zip");
}
aaa()

@rony2818
Copy link

const zip = new JSZip();
zip.file("Hello.txt", "Hello World\n");
const content = await zip.generateAsync({
type: "blob",
password: "12345678",
encryptStrength: 3,
});
console.log(content);
saveAs(content, "example.zip");

@xqdoo00o Yes, I already recompile it. When i unzip the file with password, the data is empty. I didn't see any thing text such as Hello Word.
I use MacOs.

@rony2818
Copy link

const zip = new JSZip();
zip.file("Hello.txt", "Hello World\n");
const content = await zip.generateAsync({
type: "blob",
password: "12345678",
encryptStrength: 3,
});
console.log(content);
saveAs(content, "example.zip");

@xqdoo00o Yes, I already recompile it. When i unzip the file with password, the data is empty. I didn't see any thing text such as Hello Word.
I use MacOs.

Chrome or Safari? Any errors in console? Same bug if using the origin jszip.js?

I use chrome. I think i use jszip of this PR. if it is origin i can't input password when unzip, right?

@xqdoo00o
Copy link
Contributor Author

image

@xqdoo00o xqdoo00o changed the title Add support for wzAes encryption zip file Add support for AES encryption zip file Sep 27, 2020
@mastoica
Copy link

There is any plan to merge this PR?

@killerfurbel
Copy link

I would love to see this merged as well. While I'm no maintainer of this projects, I ask myself if it wouldn't be better to reference sjcl as a dependency in package.json instead of copying the sjcl.js file into the jszip repo? Wouldn't it help with keeping the version up to date? On the other hand, the sjcl was last changed about 2 years ago, maybe it's that stable that it doesn't need updates at all?

@xqdoo00o
Copy link
Contributor Author

I would love to see this merged as well. While I'm no maintainer of this projects, I ask myself if it wouldn't be better to reference sjcl as a dependency in package.json instead of copying the sjcl.js file into the jszip repo? Wouldn't it help with keeping the version up to date? On the other hand, the sjcl was last changed about 2 years ago, maybe it's that stable that it doesn't need updates at all?

1, The origin sjcl does't have the module system, you have to use global variable to reference it. so I modify some code to fulfill the requirement(module export, pbkdf2 & ctr algorithm etc.) and reduce the code size.
2, I think the algorithm code will not change anymore since it has been used so long time.

@imp0rtp3
Copy link

imp0rtp3 commented Sep 3, 2021

Would love to see it merged, I use it and it works flawlessly for me.
(Here: https://github.com/imp0rtp3/Yobi).

@onassar
Copy link

onassar commented Sep 10, 2021

+1 for merge

@enboig
Copy link

enboig commented Sep 30, 2021

I tried @xqdoo00o fork but generated files didn't had a password at all

@xqdoo00o
Copy link
Contributor Author

I tried @xqdoo00o fork but generated files didn't had a password at all

How do you generate files, show the code.

@enboig
Copy link

enboig commented Oct 1, 2021

      jQuery("#blob").on("click", function () {
        async function aaa() {
          const zip = new JSZip();
          zip.file("Hello.txt", "Hello World\n");
          const content = await zip.generateAsync({
            type: "blob",
            password: "12345678",
            encryptStrength: 3,
          });
          console.log(content);
          saveAs(content, "example222.zip");
        }
        aaa();
      });

I need a code compatible with FF, chrome and IE11

@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Oct 1, 2021

      jQuery("#blob").on("click", function () {
        async function aaa() {
          const zip = new JSZip();
          zip.file("Hello.txt", "Hello World\n");
          const content = await zip.generateAsync({
            type: "blob",
            password: "12345678",
            encryptStrength: 3,
          });
          console.log(content);
          saveAs(content, "example222.zip");
        }
        aaa();
      });

I need a code compatible with FF, chrome and IE11

It should work. Did you recompile this PR use npm i & npm run test-browser,then use the js dist/jszip.js

@enboig
Copy link

enboig commented Oct 4, 2021

I cloned your repo, I didn't use this PR. The browser tests hang there (using firefox)

@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Oct 4, 2021

I cloned your repo, I didn't use this PR. The browser tests hang there (using firefox)

Never mind, just terminate the test-browser, and use js dist/jszip.js

@enboig
Copy link

enboig commented Oct 4, 2021

No password set. I attach full code:

<html>
    <head>
        <script type="text/javascript" src="vendor/FileSaver.js"></script>
        <script type="text/javascript" src="dist/jszip.js"></script>
        <!-- <script
            type="text/javascript"
            src="//stuk.github.io/jszip-utils/dist/jszip-utils.js"
        ></script> -->
        <script type="text/javascript">
            var zip = new JSZip();
            zip.file("Hello.txt", "Hello World444\n");
            // var img = zip.folder("images");
            // img.file("smile.gif", imgData, { base64: true });
            zip.generateAsync({
                type: "blob",
                password: "12345678",
                encryptStrength: 3,
            }).then(function (content) {
                // see FileSaver.js
                saveAs(content, "example444.zip");
            });
        </script>
    </head>
    <body>
        Lorem ipsum
    </body>
</html>

*removed jQuery, and ensured it works on firefox and IE11 (except password part)

@enboig
Copy link

enboig commented Oct 4, 2021

After purging the dist files, and recreating them, now it fails:
Uncaught TypeError: JSZip is not a constructor

@enboig
Copy link

enboig commented Oct 4, 2021

I cannot create de dist files if I delete them.

enboig@:/var/www/html/jszip(master)$ node --version
v14.18.0
enboig@:/var/www/html/jszip(master)$ npm --version
7.22.0
enboig@:/var/www/html/jszip(master)$ npm run test-browser

> jszip@3.7.1 test-browser
> grunt build && grunt test

Running "browserify:all" (browserify) task
>> Error: module not found: "/var/www/html/jszip/lib/index.js" from file /var/www/html/jszip/lib/_fake.js
Warning: Error running grunt-browserify. Use --force to continue.

Aborted due to warnings.

I forgot to

1. In `package.json` temporarily change `"./lib/index"` to `"."`

Now it gets generated and appear to work

@enboig
Copy link

enboig commented Oct 7, 2021

Files are missing CRC; is this accidental or adding CRC may lead to less secured files?

CompressedObject.createWorkerFrom = function (uncompressedWorker, compression, compressionOptions, encryptOptions) {
    if (encryptOptions.password !== null) {
        return uncompressedWorker
            .pipe(new DataLengthProbe("uncompressedSize"))
            .pipe(new Crc32Probe())  //  <----missing
            .pipe(compression.compressWorker(compressionOptions))
            .pipe(aes.EncryptWorker(encryptOptions))
            .pipe(new DataLengthProbe("compressedSize"))
            .withStreamInfo("compression", compression);
    } else {
        return uncompressedWorker
            .pipe(new Crc32Probe())
            .pipe(new DataLengthProbe("uncompressedSize"))
            .pipe(compression.compressWorker(compressionOptions))
            .pipe(new DataLengthProbe("compressedSize"))
            .withStreamInfo("compression", compression);
    }
};

@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Oct 7, 2021

Files are missing CRC; is this accidental or adding CRC may lead to less secured files?

CompressedObject.createWorkerFrom = function (uncompressedWorker, compression, compressionOptions, encryptOptions) {
    if (encryptOptions.password !== null) {
        return uncompressedWorker
            .pipe(new DataLengthProbe("uncompressedSize"))
            .pipe(new Crc32Probe())  //  <----missing
            .pipe(compression.compressWorker(compressionOptions))
            .pipe(aes.EncryptWorker(encryptOptions))
            .pipe(new DataLengthProbe("compressedSize"))
            .withStreamInfo("compression", compression);
    } else {
        return uncompressedWorker
            .pipe(new Crc32Probe())
            .pipe(new DataLengthProbe("uncompressedSize"))
            .pipe(compression.compressWorker(compressionOptions))
            .pipe(new DataLengthProbe("compressedSize"))
            .withStreamInfo("compression", compression);
    }
};

The CRC is not useful in AE-2 encrypted zip. The document on this PR first line has explained doc.

@enboig
Copy link

enboig commented Oct 7, 2021

Sorry, I didn't read de link; I compared a file created with jszip and the same created using ark (KDE utility to create zips), and the second one has CRC.

@goodgrid
Copy link

Hi,

I found some weird behaviour. I'm using your pull request to encrypt the zips I generate. I'm adding a self-generated csv file to the zips (using the stringify() module from csvjs.org). I found that this csv gets corrupted when i turn on encryption on the zips. I was using the default STORE compression type (no compression). After i either stopped encrypting or changed to DEFLATE, my csv is valid.

Other documents I am adding to the zip do not have this problem. Also, a plain text i added file did not suffer the problem.

Anyone interested in this problem? What do you need to analyse? My project is not public, but i could share the piece of code to reproduce.

And thanks for this pull request!

@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Apr 28, 2022

Hi,

I found some weird behaviour. I'm using your pull request to encrypt the zips I generate. I'm adding a self-generated csv file to the zips (using the stringify() module from csvjs.org). I found that this csv gets corrupted when i turn on encryption on the zips. I was using the default STORE compression type (no compression). After i either stopped encrypting or changed to DEFLATE, my csv is valid.

Other documents I am adding to the zip do not have this problem. Also, a plain text i added file did not suffer the problem.

Anyone interested in this problem? What do you need to analyse? My project is not public, but i could share the piece of code to reproduce.

And thanks for this pull request!

Hi, could you add some minimal reproduce demo? By the way, you don't need to stringify csv file to zip, just add blob or arraybuffer of the csvfile.

@AndrewReisdorph-BioRad
Copy link

+1 for merge
This works for me!

@c-plus-plus-equals-c-plus-one

Encryption support would be super convenient built-in the jszip library!

@DeveloperEnvY
Copy link

+1 for merge. Are there plans to do so?

@SitpiRajendran
Copy link

+1 for merge,

any update on when it will be done ?

@kunbo233
Copy link

kunbo233 commented Jun 9, 2023

I found some zip file still cannot decrypt,like this,how to increase support by it
111111.zip

@xqdoo00o
Copy link
Contributor Author

xqdoo00o commented Jun 9, 2023

I found some zip file still cannot decrypt,like this,how to increase support by it 111111.zip

The zip file is encypted with legacy ZipCrypto, you should get an error unsupported encrypt method
ZipCrypto is not safe, could crack with bkcrack of known plaintext attack, that's not brute-force attack, so no matter how complicated the password is, the zip could easily cracked. for your zip, I get password 123456.
So AES is a better encrypt method.

@kunbo233
Copy link

I found some zip file still cannot decrypt,like this,how to increase support by it 111111.zip

The zip file is encypted with legacy ZipCrypto, you should get an error unsupported encrypt method ZipCrypto is not safe, could crack with bkcrack of known plaintext attack, that's not brute-force attack, so no matter how complicated the password is, the zip could easily cracked. for your zip, I get password 123456. So AES is a better encrypt method.

yes,I know what you mean,but many files are using zipcrypto on market【eg: maczip etc... 】, we should support more type

@xqdoo00o
Copy link
Contributor Author

I found some zip file still cannot decrypt,like this,how to increase support by it 111111.zip

The zip file is encypted with legacy , you should get an error is not safe, could crack with bkcrack of known plaintext attack, that's not brute-force attack, so no matter how complicated the password is, the zip could easily cracked. for your zip, I get password . So is a better encrypt method.ZipCrypto``unsupported encrypt method``ZipCrypto``123456``AES

yes,I know what you mean,but many files are using zipcrypto on market【eg: maczip etc... 】, we should support more type

Maybe you should use other zip program which support aes on mac, like keka, betterzip etc.

@kunbo233
Copy link

I found some zip file still cannot decrypt,like this,how to increase support by it 111111.zip

The zip file is encypted with legacy , you should get an error is not safe, could crack with bkcrack of known plaintext attack, that's not brute-force attack, so no matter how complicated the password is, the zip could easily cracked. for your zip, I get password . So is a better encrypt method. ZipCryptounsupported encrypt methodZipCrypto123456AES

yes,I know what you mean,but many files are using zipcrypto on market【eg: maczip etc... 】, we should support more type

Maybe you should use other zip program which support aes on mac, like keka, betterzip etc.

I mean was if support decryption should support the encryption method account for more than on the market.

@xqdoo00o
Copy link
Contributor Author

I found some zip file still cannot decrypt,like this,how to increase support by it 111111.zip

The zip file is encypted with legacy , you should get an error is not safe, could crack with bkcrack of known plaintext attack, that's not brute-force attack, so no matter how complicated the password is, the zip could easily cracked. for your zip, I get password . So is a better encrypt method. ZipCryptounsupported encrypt methodZipCrypto123456AES

yes,I know what you mean,but many files are using zipcrypto on market【eg: maczip etc... 】, we should support more type

Maybe you should use other zip program which support aes on mac, like keka, betterzip etc.

I mean was if support decryption should support the encryption method account for more than on the market.

No, I won't support that proved weak and unsafe. If you really want Zipcrypto, maybe you should try or modify this PR.

@hponcet
Copy link

hponcet commented Oct 9, 2023

+1 for merge

@SitpiRajendran
Copy link

Can we have any updates on this PR ? I would really love to have this merge. What is blocking ? Why not merging it ?

Thank you in advance :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.