#282 Convert password to utf-8 before encrypting

srikanth-lingala · srikanth-lingala · commit b69843a2a03b · 2021-02-02T17:52:44.000+01:00
diff --git a/src/main/java/net/lingala/zip4j/crypto/AESEncrypter.java b/src/main/java/net/lingala/zip4j/crypto/AESEncrypter.java
@@ -23,6 +23,10 @@
 
 import java.security.SecureRandom;
 
+import static net.lingala.zip4j.crypto.AesCipherUtil.derivePasswordBasedKey;
+import static net.lingala.zip4j.crypto.AesCipherUtil.derivePasswordVerifier;
+import static net.lingala.zip4j.crypto.AesCipherUtil.getAESEngine;
+import static net.lingala.zip4j.crypto.AesCipherUtil.getMacBasedPRF;
 import static net.lingala.zip4j.crypto.AesCipherUtil.prepareBuffAESIVBytes;
 import static net.lingala.zip4j.util.InternalZipConstants.AES_BLOCK_SIZE;
 
@@ -31,19 +35,17 @@
  */
 public class AESEncrypter implements Encrypter {
 
-  private char[] password;
-  private AesKeyStrength aesKeyStrength;
   private AESEngine aesEngine;
   private MacBasedPRF mac;
-  private SecureRandom random = new SecureRandom();
+  private final SecureRandom random = new SecureRandom();
 
   private boolean finished;
 
   private int nonce = 1;
   private int loopCount = 0;
 
-  private byte[] iv;
-  private byte[] counterBlock;
+  private final byte[] iv;
+  private final byte[] counterBlock;
   private byte[] derivedPasswordVerifier;
   private byte[] saltBytes;
 
@@ -56,20 +58,18 @@ public AESEncrypter(char[] password, AesKeyStrength aesKeyStrength) throws ZipEx
       throw new ZipException("Invalid AES key strength");
     }
 
-    this.password = password;
-    this.aesKeyStrength = aesKeyStrength;
     this.finished = false;
     counterBlock = new byte[AES_BLOCK_SIZE];
     iv = new byte[AES_BLOCK_SIZE];
-    init();
+    init(password, aesKeyStrength);
   }
 
-  private void init() throws ZipException {
+  private void init(char[] password, AesKeyStrength aesKeyStrength) throws ZipException {
     saltBytes = generateSalt(aesKeyStrength.getSaltLength());
-    byte[] derivedKey = AesCipherUtil.derivePasswordBasedKey(saltBytes, password, aesKeyStrength);
-    derivedPasswordVerifier = AesCipherUtil.derivePasswordVerifier(derivedKey, aesKeyStrength);
-    aesEngine = AesCipherUtil.getAESEngine(derivedKey, aesKeyStrength);
-    mac = AesCipherUtil.getMacBasedPRF(derivedKey, aesKeyStrength);
+    byte[] derivedKey = derivePasswordBasedKey(saltBytes, password, aesKeyStrength);
+    derivedPasswordVerifier = derivePasswordVerifier(derivedKey, aesKeyStrength);
+    aesEngine = getAESEngine(derivedKey, aesKeyStrength);
+    mac = getMacBasedPRF(derivedKey, aesKeyStrength);
   }
 
   public int encryptData(byte[] buff) throws ZipException {
@@ -116,18 +116,18 @@ private byte[] generateSalt(int size) throws ZipException {
       throw new ZipException("invalid salt size, cannot generate salt");
     }
 
-    int rounds = 0;
+    int rounds;
 
     if (size == 8) {
       rounds = 2;
-    } else if (size == 16) {
+    } else {
       rounds = 4;
     }
 
     byte[] salt = new byte[size];
     for (int j = 0; j < rounds; j++) {
       int i = random.nextInt();
-      salt[0 + j * 4] = (byte) (i >> 24);
+      salt[j * 4] = (byte) (i >> 24);
       salt[1 + j * 4] = (byte) (i >> 16);
       salt[2 + j * 4] = (byte) (i >> 8);
       salt[3 + j * 4] = (byte) i;
diff --git a/src/main/java/net/lingala/zip4j/crypto/StandardEncrypter.java b/src/main/java/net/lingala/zip4j/crypto/StandardEncrypter.java
@@ -25,13 +25,10 @@
 
 public class StandardEncrypter implements Encrypter {
 
-  private ZipCryptoEngine zipCryptoEngine;
+  private final ZipCryptoEngine zipCryptoEngine = new ZipCryptoEngine();
   private byte[] headerBytes;
 
   public StandardEncrypter(char[] password, long key) throws ZipException {
-   this.zipCryptoEngine = new ZipCryptoEngine();
-
-    this.headerBytes = new byte[STD_DEC_HDR_SIZE];
     init(password, key);
   }
 
@@ -40,17 +37,13 @@ private void init(char[] password, long key) throws ZipException {
       throw new ZipException("input password is null or empty, cannot initialize standard encrypter");
     }
     zipCryptoEngine.initKeys(password);
-    headerBytes = generateRandomBytes(STD_DEC_HDR_SIZE);
+    headerBytes = generateRandomBytes();
     // Initialize again since the generated bytes were encrypted.
     zipCryptoEngine.initKeys(password);
 
     headerBytes[STD_DEC_HDR_SIZE - 1] = (byte) ((key >>> 24));
     headerBytes[STD_DEC_HDR_SIZE - 2] = (byte) ((key >>> 16));
 
-    if (headerBytes.length < STD_DEC_HDR_SIZE) {
-      throw new ZipException("invalid header bytes generated, cannot perform standard encryption");
-    }
-
     encryptData(headerBytes);
   }
 
@@ -78,17 +71,12 @@ protected byte encryptByte(byte val) {
     return temp_val;
   }
 
-  protected byte[] generateRandomBytes(int size) throws ZipException {
-    if (size <= 0) {
-      throw new ZipException("size is either 0 or less than 0, cannot generate header for standard encryptor");
-    }
-
-    byte[] buff = new byte[size];
+  protected byte[] generateRandomBytes() {
+    byte[] buff = new byte[STD_DEC_HDR_SIZE];
     SecureRandom random = new SecureRandom();
     for (int i = 0; i < buff.length; i++) {
       buff[i] = encryptByte((byte) random.nextInt(256));
     }
-
     return buff;
   }
 
diff --git a/src/main/java/net/lingala/zip4j/crypto/engine/ZipCryptoEngine.java b/src/main/java/net/lingala/zip4j/crypto/engine/ZipCryptoEngine.java
@@ -1,62 +1,65 @@
-/*
- * Copyright 2010 Srikanth Reddy Lingala
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- * http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing,
- * software distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- */
-
-package net.lingala.zip4j.crypto.engine;
-
-public class ZipCryptoEngine {
-
-  private final int keys[] = new int[3];
-  private static final int[] CRC_TABLE = new int[256];
-
-  static {
-    for (int i = 0; i < 256; i++) {
-      int r = i;
-      for (int j = 0; j < 8; j++) {
-        if ((r & 1) == 1) {
-          r = (r >>> 1) ^ 0xedb88320;
-        } else {
-          r >>>= 1;
-        }
-      }
-      CRC_TABLE[i] = r;
-    }
-  }
-
-  public void initKeys(char[] password) {
-    keys[0] = 305419896;
-    keys[1] = 591751049;
-    keys[2] = 878082192;
-    for (int i = 0; i < password.length; i++) {
-      updateKeys((byte) (password[i] & 0xff));
-    }
-  }
-
-  public void updateKeys(byte charAt) {
-    keys[0] = crc32(keys[0], charAt);
-    keys[1] += keys[0] & 0xff;
-    keys[1] = keys[1] * 134775813 + 1;
-    keys[2] = crc32(keys[2], (byte) (keys[1] >> 24));
-  }
-
-  private int crc32(int oldCrc, byte charAt) {
-    return ((oldCrc >>> 8) ^ CRC_TABLE[(oldCrc ^ charAt) & 0xff]);
-  }
-
-  public byte decryptByte() {
-    int temp = keys[2] | 2;
-    return (byte) ((temp * (temp ^ 1)) >>> 8);
-  }
-}
+/*
+ * Copyright 2010 Srikanth Reddy Lingala
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package net.lingala.zip4j.crypto.engine;
+
+import static net.lingala.zip4j.util.Zip4jUtil.convertCharArrayToByteArray;
+
+public class ZipCryptoEngine {
+
+  private final int[] keys = new int[3];
+  private static final int[] CRC_TABLE = new int[256];
+
+  static {
+    for (int i = 0; i < 256; i++) {
+      int r = i;
+      for (int j = 0; j < 8; j++) {
+        if ((r & 1) == 1) {
+          r = (r >>> 1) ^ 0xedb88320;
+        } else {
+          r >>>= 1;
+        }
+      }
+      CRC_TABLE[i] = r;
+    }
+  }
+
+  public void initKeys(char[] password) {
+    keys[0] = 305419896;
+    keys[1] = 591751049;
+    keys[2] = 878082192;
+    byte[] bytes = convertCharArrayToByteArray(password);
+    for (byte b : bytes) {
+      updateKeys((byte) (b & 0xff));
+    }
+  }
+
+  public void updateKeys(byte charAt) {
+    keys[0] = crc32(keys[0], charAt);
+    keys[1] += keys[0] & 0xff;
+    keys[1] = keys[1] * 134775813 + 1;
+    keys[2] = crc32(keys[2], (byte) (keys[1] >> 24));
+  }
+
+  private int crc32(int oldCrc, byte charAt) {
+    return ((oldCrc >>> 8) ^ CRC_TABLE[(oldCrc ^ charAt) & 0xff]);
+  }
+
+  public byte decryptByte() {
+    int temp = keys[2] | 2;
+    return (byte) ((temp * (temp ^ 1)) >>> 8);
+  }
+}
diff --git a/src/main/java/net/lingala/zip4j/util/Zip4jUtil.java b/src/main/java/net/lingala/zip4j/util/Zip4jUtil.java
@@ -23,6 +23,9 @@
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
+import java.nio.ByteBuffer;
+import java.nio.CharBuffer;
+import java.nio.charset.StandardCharsets;
 import java.util.Calendar;
 
 public class Zip4jUtil {
@@ -96,11 +99,18 @@ private static long dosToEpochTime(long dosTime) {
   }
 
   public static byte[] convertCharArrayToByteArray(char[] charArray) {
-    byte[] bytes = new byte[charArray.length];
-    for (int i = 0; i < charArray.length; i++) {
-      bytes[i] = (byte) charArray[i];
+    try {
+      ByteBuffer buf = StandardCharsets.UTF_8.encode(CharBuffer.wrap(charArray));
+      byte[] bytes = new byte[buf.limit()];
+      buf.get(bytes);
+      return bytes;
+    } catch (Exception e) {
+      byte[] bytes = new byte[charArray.length];
+      for (int i = 0; i < charArray.length; i++) {
+        bytes[i] = (byte) charArray[i];
+      }
+      return bytes;
     }
-    return bytes;
   }
 
   public static CompressionMethod getCompressionMethod(LocalFileHeader localFileHeader) {
diff --git a/src/test/java/net/lingala/zip4j/util/Zip4jUtilTest.java b/src/test/java/net/lingala/zip4j/util/Zip4jUtilTest.java
@@ -127,6 +127,25 @@ public void testConvertCharArrayToByteArray() {
     assertThat(byteArray[8]).isEqualTo((byte)'y');
   }
 
+  @Test
+  public void testConvertCharArrayToByteArrayChineseChars() {
+    char[] charArray = "你好".toCharArray();
+
+    byte[] byteArray = Zip4jUtil.convertCharArrayToByteArray(charArray);
+
+    try {
+      // Make sure that StandardCharsets exists on the classpath
+      Class.forName("java.nio.charset.StandardCharsets");
+      assertThat(byteArray.length).isEqualTo(6);
+      assertThat(byteArray).isEqualTo(new byte[]{-28, -67, -96, -27, -91, -67});
+    } catch (ClassNotFoundException e) {
+      // In some test environments (old Android SDK), StandardCharset class does not exist, in this case
+      // the method under test falls back to converting char to its byte representation
+      assertThat(byteArray.length).isEqualTo(2);
+      assertThat(byteArray).isEqualTo(new byte[]{96, 125});
+    }
+  }
+
   @Test
   public void testGetCompressionMethodForNonAesReturnsAsIs() {
     LocalFileHeader localFileHeader = new LocalFileHeader();
