[COMPRESS-633] Add encryption support for SevenZ

[Dougniel]

👉🏼 The purpose is to provide password based encryption for 7z compression in the same way of decryption already supported, so go forward of one know limitation

☝️In this way, I would like to submit my contribution based on the existing implementation of decryption and the C++ implementation of 7z

✅ I added one unit test
Implementation of password-based encryption for 7z compressor

Let me know what do you think about this implementation 👍

https://issues.apache.org/jira/browse/COMPRESS-633

[codecov-commenter]

Codecov Report

Merging #332 (f22b216) into master (346e8a4) will increase coverage by 0.03%.
The diff coverage is 83.92%.

@@             Coverage Diff              @@
##             master     #332      +/-   ##
============================================
+ Coverage     80.22%   80.25%   +0.03%     
- Complexity     6640     6657      +17     
============================================
  Files           341      342       +1     
  Lines         25184    25266      +82     
  Branches       4102     4112      +10     
============================================
+ Hits          20203    20278      +75     
- Misses         3402     3404       +2     
- Partials       1579     1584       +5     

Impacted Files	Coverage Δ
...compress/archivers/sevenz/AES256SHA256Decoder.java	75.96% <79.10%> (+6.15%)	⬆️
...mmons/compress/archivers/sevenz/AES256Options.java	83.33% <83.33%> (ø)
.../commons/compress/archivers/sevenz/SevenZFile.java	75.96% <100.00%> (+0.20%)	⬆️
...ns/compress/archivers/sevenz/SevenZOutputFile.java	97.46% <100.00%> (+0.51%)	⬆️
...ommons/compress/archivers/sevenz/LZMA2Decoder.java	63.15% <0.00%> (ø)

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

[Dougniel]

I pushed an alternate implementation to throw out use of AES/CBC/PKCS5Padding raised by Code scanning
/ CodeQL as weak

[kinow]

Hi @Dougniel

Thanks a lot for your contribution.

I normally don't contribute much to Commons Compress, so I just did a quick review, and left some comments. But some of these are not necessarily must-haves (e.g. questions about storing password, random). Take a look at the other ones for misspellings, and javadocs 👍

I stopped before taking a look at AES256SHA256Decoder as I realized it would take a bit longer to understand the change there.

Cheers
-Bruno

[kinow]

I don't know the Commons Compress API well enough, but I guess it'd be better if the password were never stored in an object in memory or serialized, if possible. This means instead of storing the object in the class, instead trying to design a method public void decompress(byte[] data, byte[] password) {...} that never stores the password.

But if other classes are already doing that, then I guess that should be fine. (Didn't have time to check, sorry)

[Dougniel]

I consider myself not enought skilled in security concerns, but I asked myself about that too when I saw this mechanism that clears password as soon as possible 🤔.

I have chosen to implement the encryption like decryption done in SevenZFile.java (that stores password too) for homogeneous reasons 🤷.

By the way, as the password is required to decrypt each file independently (the sevenZ archive is not entirely encrypted - we can access metadata like file names without password - only files are encrypted). I don't know how to manage that without storing it somewhere in memory - asking user to fulfill it for each file to compress/decompress ? Even in this way it will be stored inside the Input/OutputStream used by the library user. (Update: I checked through my debugger and I'm not so sure about that 😅)

👉🏼 What I could try is to store it in less places (I stored it in AES256Options as in SevenZOutputFile) and even try to initialise a Cipher early as it seems a secure place for it

[kinow]

Unnecessary string concatenation?

[Dougniel]

Right, a stupid copy/paste that I made. Maybe it was done that way for formatting purposes

[garydgregory]

Why is a new Random instance allocated each time?

[Dougniel]

I rework the implementation and now I only use SecureRandom one time

As in Java 8 it's not clear that SecureRandom is thread safe or not, I didn't put In a static member (even if the JavaDocs 9 seems to tell that it could be ThreadSafe)

What do you think ?

[kinow]

(Also needs a JIRA issue for the changelog)

[tcurdt]

@kinow It seems like you have tagged the wrong person.

[kinow]

@kinow It seems like you have tagged the wrong person.

Oh, apologies @tcurdt . No idea why GitHub suggested your user. it's normally pretty clever to show the handle of the opener of the issue first at the list. Fixed!

[Dougniel]

(Also needs a JIRA issue for the changelog)

Hi @kinow,

Thank you for your rigorous and interesting review, I will correct these and respond

The JIRA in description is not right for the purpose of changelog ? (https://issues.apache.org/jira/browse/COMPRESS-633)

Cheers,
Daniel

[garydgregory]

Instance variables should be private and final when possible.

[garydgregory]

Why is a new Random instance allocated each time?

[garydgregory]

This is not possible since SHA-256 is required by the JRE specification, see https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html, therefore this could be an IllegalStateException.

[Dougniel]

@kinow, @garydgregory,

Thanks for your reviews, I just pushed corrections that you suggested and I changed the place where Cipher is initialized in order to not store password in a clear way (following @kinow advice), let me know what do you think about that.

With these changes, the implementation between decryption and encryption is less homogeneous. In my opinion the decryption could be aligned in the encryption way for the same concern about password storage, but also to reduce the complexity of decode method (ex: replace coder and password parameters with options as done in encode method). But that could introduce a lot of changes that could be better held in another PR

Cheers,
Daniel

[kinow]

(Also needs a JIRA issue for the changelog)

Hi @kinow,

Thank you for your rigorous and interesting review, I will correct these and respond

The JIRA in description is not right for the purpose of changelog ? (https://issues.apache.org/jira/browse/COMPRESS-633)

Cheers, Daniel

Hi Daniel,\My bad, I hadn't seen that there was already a JIRA created for this issue. Thanks for updating the PR!

[garydgregory]

It looks like this method is only used from the sevenz package so let's keep it package-private there and avoid increasing the public API surface.

[Dougniel]

Right, I move it on AES256SHA256Decoder because it is used to convert password from char to byte for encryption/decryption

[kinow]

Just one comment about the VSCode files. But everything else looks OK to me. I would need to find some spare time now to sit down, read some of the surrounding API in Compress, and then really understand what's going on in order to do a proper review 👍 Thanks!

[kinow]

This file does not need to be added. I believe the repository does not include anything specific to Eclipse/IntelliJ/etc. If you use this file locally, you can add a global .gitignore to prevent Git from including it with your changes (or just ignore it when committing your changes).

[Dougniel]

Right, It was a mistake 👍

[Dougniel]

It seems that there is an issue with actions/setup-java : actions/setup-java#422

[garydgregory]

Just rebase on git master to test with the latest, that will help us get closer ;-)

[garydgregory]

Please complete the Javadoc comments. You need a starting sentence.

[garydgregory]

@Dougniel
Merged. Thank you for your work and patience. Please verify.

[Dougniel]

@Dougniel
Merged. Thank you for your work and patience. Please verify.

Thank you for your rigor, all is ok 👍

I noticed that you switched AES256Options to package-private, I hesitated because, as public, it offers more possibilities to advanced uses (per file Initialization Vector, per file password.. when setting it at SevenZArchiveEntry level). But this increases the public API surface and is not documented

[garydgregory]

@Dougniel
Right. We can always document it and make it public later. But also then make sure the API is right.

[Dougniel]

Hi @garydgregory, do you have an idea of next release date ?

[garydgregory]

Nope, we have other components to work through and Commons Net just had a release.