@cloudpss/crypto 0.5.24 → 0.5.25

package/src/encryption/js/gcm.ts

@@ -0,0 +1,258 @@
+import { AES } from './aes.js';
+
+// const console = { log() {} };
+const EMPTY = new Uint8Array(0);
+
+/** GCM (Galois/Counter Mode) */
+export class GCM {
+    constructor(
+        readonly cipher: AES,
+        readonly iv: Uint8Array,
+        readonly tagLength = 128,
+        readonly aad = EMPTY,
+    ) {
+        this.H = new Uint32Array(4);
+        this.cipher.encrypt(new Uint32Array(4), 0, this.H, 0);
+    }
+
+    /** Convert a Uint8Array to a Uint32Array */
+    private toUint32Array(data: Uint8Array): Uint32Array {
+        const out = new Uint32Array(Math.ceil(data.byteLength / 4));
+        for (let i = 0; i < out.length; i++) {
+            out[i] = (data[i * 4] << 24) | (data[i * 4 + 1] << 16) | (data[i * 4 + 2] << 8) | data[i * 4 + 3];
+        }
+        return out;
+    }
+    /** Convert a Uint32Array to a Uint8Array */
+    private toUint8Array(data: Uint32Array, byteLength: number): Uint8Array {
+        const out = new Uint8Array(byteLength);
+        for (let i = 0; i < byteLength; i++) {
+            out[i] = (data[Math.trunc(i / 4)] >>> (24 - (i % 4) * 8)) & 0xff;
+        }
+        return out;
+    }
+
+    /** Set out of range bytes to 0 */
+    private clamp(data: Uint32Array, byteLength: number): void {
+        const mask = 0xffff_ffff << (32 - (byteLength % 4) * 8);
+        data[Math.trunc(byteLength / 4)] &= mask;
+    }
+
+    private readonly H: Uint32Array;
+    /** Compute the galois multiplication of X and Y */
+    private galoisMultiply(x_r: Uint32Array, y: Uint32Array): void {
+        let Zi0 = 0,
+            Zi1 = 0,
+            Zi2 = 0,
+            Zi3 = 0;
+        let Vi0 = y[0],
+            Vi1 = y[1],
+            Vi2 = y[2],
+            Vi3 = y[3];
+
+        // Block size is 128 bits, run 128 times to get Z_128
+        for (let i = 0; i < 128; i++) {
+            const xi = (x_r[i >> 5] & (1 << (31 - (i % 32)))) !== 0;
+            if (xi) {
+                // Z_i+1 = Z_i ^ V_i
+                Zi0 ^= Vi0;
+                Zi1 ^= Vi1;
+                Zi2 ^= Vi2;
+                Zi3 ^= Vi3;
+            }
+
+            // Store the value of LSB(V_i)
+            const lsb_Vi = (Vi3 & 1) !== 0;
+
+            // V_i+1 = V_i >> 1
+            Vi3 = (Vi3 >>> 1) | ((Vi2 & 1) << 31);
+            Vi2 = (Vi2 >>> 1) | ((Vi1 & 1) << 31);
+            Vi1 = (Vi1 >>> 1) | ((Vi0 & 1) << 31);
+            Vi0 = Vi0 >>> 1;
+
+            // If LSB(V_i) is 1, V_i+1 = (V_i >> 1) ^ R
+            if (lsb_Vi) {
+                Vi0 = Vi0 ^ (0xe1 << 24);
+            }
+        }
+        x_r[0] = Zi0;
+        x_r[1] = Zi1;
+        x_r[2] = Zi2;
+        x_r[3] = Zi3;
+    }
+
+    /** Ghash */
+    private ghash(Y: Uint32Array, data: Uint32Array): void {
+        const l = data.length;
+        for (let i = 0; i < l; i += 4) {
+            Y[0] ^= 0xffff_ffff & data[i];
+            Y[1] ^= 0xffff_ffff & data[i + 1];
+            Y[2] ^= 0xffff_ffff & data[i + 2];
+            Y[3] ^= 0xffff_ffff & data[i + 3];
+            this.galoisMultiply(Y, this.H);
+        }
+    }
+
+    /** GCM CTR mode. */
+    private ctr(encrypt: boolean, data: Uint32Array, length: number): { data: Uint32Array; tag: Uint8Array } {
+        // console.log('data inpm', toHex(data));
+        // Calculate data lengths
+        const l = length / 4;
+        const bl = l * 32;
+        const abl = this.aad.byteLength * 8;
+        const ivbl = this.iv.byteLength * 8;
+
+        // Calculate the parameters
+        const J0 = new Uint32Array(4);
+        if (ivbl === 96) {
+            new Uint8Array(J0.buffer, J0.byteOffset).set(this.iv);
+            J0[3] = 1;
+        } else {
+            this.ghash(J0, this.toUint32Array(this.iv));
+            this.ghash(J0, new Uint32Array([0, 0, Math.trunc(ivbl / 0x1_0000_0000), ivbl & 0xffff_ffff]));
+        }
+
+        const S0 = new Uint32Array(4);
+        this.ghash(S0, this.toUint32Array(this.aad));
+
+        // Initialize ctr and tag
+        const tag = S0.slice(0);
+
+        // If decrypting, calculate hash
+        if (!encrypt) {
+            this.ghash(tag, data);
+        }
+
+        // Encrypt all the data
+        const ctr = J0.slice(0);
+        const enc = new Uint32Array(4);
+        for (let i = 0; i < l; i += 4) {
+            ctr[3]++;
+            this.cipher.encrypt(ctr, 0, enc, 0);
+
+            data[i] ^= enc[0];
+            data[i + 1] ^= enc[1];
+            data[i + 2] ^= enc[2];
+            data[i + 3] ^= enc[3];
+        }
+        this.clamp(data, length);
+        // console.log('data inpm', toHex(data));
+
+        // console.log('H impl', toHex(this.H));
+        // console.log('tag impl', toHex(tag));
+        // If encrypting, calculate hash
+        if (encrypt) {
+            this.ghash(tag, data);
+        }
+        // console.log('tag impl', toHex(tag));
+
+        // Calculate last block from bit lengths, ugly because bitwise operations are 32-bit
+        // Calculate the final tag block
+        this.ghash(
+            tag,
+            new Uint32Array([
+                Math.trunc(abl / 0x1_0000_0000),
+                abl & 0xffff_ffff,
+                Math.trunc(bl / 0x1_0000_0000),
+                bl & 0xffff_ffff,
+            ]),
+        );
+
+        this.cipher.encrypt(J0, 0, enc, 0);
+        tag[0] ^= enc[0];
+        tag[1] ^= enc[1];
+        tag[2] ^= enc[2];
+        tag[3] ^= enc[3];
+
+        // console.log('tag impl', toHex(tag));
+        return {
+            tag: new Uint8Array(tag.buffer, tag.byteOffset, this.tagLength / 8),
+            data,
+        };
+    }
+
+    /** 加密 */
+    encrypt(data: Uint8Array): Uint8Array {
+        const length = data.byteLength;
+        const data32 = this.toUint32Array(data);
+        const { data: out, tag } = this.ctr(true, data32, length);
+        const result = new Uint8Array(length + tag.byteLength);
+        result.set(this.toUint8Array(out, length), 0);
+        result.set(tag, length);
+        return result;
+    }
+
+    /** 解密 */
+    decrypt(data: Uint8Array): Uint8Array {
+        let tag, data32, length;
+        if (this.tagLength / 8 > data.byteLength) {
+            throw new Error('GCM: invalid data length');
+        } else if (this.tagLength / 8 === data.byteLength) {
+            length = 0;
+            tag = data;
+            data32 = new Uint32Array(0);
+        } else {
+            length = data.byteLength - this.tagLength / 8;
+            tag = data.subarray(length);
+            data32 = this.toUint32Array(data.subarray(0, length));
+        }
+        const { data: out, tag: tag2 } = this.ctr(false, data32, length);
+        if (tag2.some((v, i) => v !== tag[i])) {
+            throw new Error('GCM: tag does not match');
+        }
+        return this.toUint8Array(out, length);
+    }
+}
+
+// import sjcl from 'sjcl';
+// global.sjcl = sjcl;
+
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/aes.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/gcm.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/bitArray.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/pbkdf2.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/hmac.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/sha256.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/codecBytes.js');
+
+// function toHex(arr: number[] | Uint32Array | Int32Array | Uint8Array): string[] {
+//     if (arr instanceof Uint8Array) {
+//         const result = [];
+//         for (let i = 0; i < arr.length; i += 4) {
+//             const a = arr[i].toString(16).padStart(2, '0');
+//             const b = arr[i + 1]?.toString(16).padStart(2, '0') ?? '';
+//             const c = arr[i + 2]?.toString(16).padStart(2, '0') ?? '';
+//             const d = arr[i + 3]?.toString(16).padStart(2, '0') ?? '';
+//             result.push(a + b + c + d);
+//         }
+//         return result;
+//     }
+//     return [...arr].map((x) => {
+//         if (x < 0) x = 0xffffffff + x + 1;
+//         return x.toString(16).padStart(8, '0');
+//     });
+// }
+// // @ts-expect-error sjcl is not a module
+// global.toHex = toHex;
+
+// const data = new Uint8Array([1, 2, 3, 4, 5, 6, 7]);
+// const key = [1, 2, 3, 4];
+// const iv = [9, 8, 7];
+
+// const aes = new AES(new Uint32Array(key));
+// const gcm = new GCM(aes, new Uint8Array(new Uint32Array(iv).buffer));
+// const e1 = gcm.encrypt(data);
+// const e2 = sjcl.mode.gcm.encrypt(new sjcl.cipher.aes(key), sjcl.codec.bytes.toBits([...data]), iv);
+// console.log({ d: toHex(e1), l: e1.byteLength }, { d: toHex(e2), l: sjcl.bitArray.bitLength(e2) / 8 });
+
+// const d1 = gcm.decrypt(e1);
+// const d2 = sjcl.mode.gcm.decrypt(new sjcl.cipher.aes(key), e2, iv);
+
+// console.log({ d: toHex(d1), l: d1.byteLength }, { d: toHex(d2), l: sjcl.bitArray.bitLength(d2) / 8 });

package/src/encryption/module.ts

@@ -0,0 +1,94 @@
+import { toUint8Array } from '../utils.js';
+import {
+    AAD_LEN_SIZE,
+    AAD_MAX_SIZE,
+    AAD_PADDING,
+    MAGIC_NUMBER,
+    NONCE_SIZE,
+    padding,
+    parseEncrypted,
+    type PlainData,
+} from './common.js';
+
+/** 检查密码 */
+function assertPassphrase(passphrase: string): void {
+    if (typeof passphrase !== 'string') {
+        throw new TypeError('Invalid passphrase, must be a string');
+    }
+    if (passphrase.length === 0) {
+        throw new TypeError('Invalid passphrase, must not be empty');
+    }
+}
+
+/** 模块 */
+interface Module {
+    /**
+     * 加密数据
+     * @throws {TypeError} 如果密码无效
+     */
+    encrypt(data: BinaryData, passphrase: string): Promise<Uint8Array>;
+    /**
+     * 加密数据，包含不加密的附加数据
+     * @throws {TypeError} 如果密码无效
+     */
+    encryptAad(data: BinaryData, aad: BinaryData | undefined, passphrase: string): Promise<Uint8Array>;
+    /**
+     * 解密数据
+     * @throws {TypeError} 如果数据不是有效的加密数据
+     * @throws {TypeError} 如果密码无效
+     */
+    decrypt(data: BinaryData, passphrase: string): Promise<Uint8Array>;
+}
+
+/** 创建模块 */
+export function createModule(impl: typeof import('#encryption')): Module {
+    const encryptAad: Module['encryptAad'] = async (data, aad, passphrase) => {
+        assertPassphrase(passphrase);
+        const aadSize = aad?.byteLength ?? 0;
+        if (aadSize > AAD_MAX_SIZE) {
+            throw new TypeError('Invalid AAD size');
+        }
+        const paddedAddSize = padding(aadSize, AAD_PADDING);
+        const plain: PlainData = {
+            aad: aadSize ? toUint8Array(aad!) : undefined,
+            data: toUint8Array(data),
+        };
+        const encrypted = await impl.encrypt(plain, passphrase);
+        const result = new Uint8Array(
+            MAGIC_NUMBER.length + NONCE_SIZE + AAD_LEN_SIZE + paddedAddSize + encrypted.data.length,
+        );
+        result.set(MAGIC_NUMBER);
+        result.set(encrypted.nonce, MAGIC_NUMBER.length);
+        if (aadSize) {
+            result[MAGIC_NUMBER.length + NONCE_SIZE] = aadSize >>> 24;
+            result[MAGIC_NUMBER.length + NONCE_SIZE + 1] = aadSize >>> 16;
+            result[MAGIC_NUMBER.length + NONCE_SIZE + 2] = aadSize >>> 8;
+            result[MAGIC_NUMBER.length + NONCE_SIZE + 3] = aadSize;
+            result.set(plain.aad!, MAGIC_NUMBER.length + NONCE_SIZE + AAD_LEN_SIZE);
+        }
+        result.set(encrypted.data, MAGIC_NUMBER.length + NONCE_SIZE + AAD_LEN_SIZE + paddedAddSize);
+        return result;
+    };
+    const encrypt: Module['encrypt'] = async (data, passphrase) => {
+        return await encryptAad(data, undefined, passphrase);
+    };
+
+    const decrypt: Module['decrypt'] = async (data, passphrase) => {
+        assertPassphrase(passphrase);
+        const encrypted = parseEncrypted(data);
+        if (encrypted == null) {
+            throw new TypeError('Invalid encrypted data');
+        }
+        try {
+            const result = await impl.decrypt(encrypted, passphrase);
+            return result.data;
+        } catch (ex) {
+            throw new Error('Wrong passphrase', { cause: ex });
+        }
+    };
+    return {
+        encrypt,
+        encryptAad,
+        decrypt,
+    };
+}

package/src/encryption/node.ts

@@ -1,30 +1,39 @@
 import { pbkdf2 as _pbkdf2, createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
-import { PBKDF2_ITERATIONS, PBKDF2_SALT_SIZE, type EncryptionResult, AES_IV_SIZE, AES_KEY_SIZE } from './common.js';
+import {
+    PBKDF2_ITERATIONS,
+    NONCE_SIZE,
+    AES_TAG_SIZE,
+    AES_KEY_SIZE,
+    type EncryptedData,
+    type PlainData,
+} from './common.js';
 import { promisify } from 'node:util';
 import { toUint8Array } from '../utils.js';
 
+const pbkdf2 = promisify(_pbkdf2);
 const aesKdf = (passphrase: string, salt: Uint8Array): Promise<Buffer> => {
-    return promisify(_pbkdf2)(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_SIZE, 'sha256');
+    return pbkdf2(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_SIZE, 'sha256');
 };
 
 /** nodejs encrypt */
-export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
-    const salt = randomBytes(PBKDF2_SALT_SIZE);
-    const key = await aesKdf(passphrase, salt);
-    const iv = randomBytes(AES_IV_SIZE);
-    const cipher = createCipheriv('aes-256-cbc', key, iv);
-    const encrypted = Buffer.concat([cipher.update(data), cipher.final()]);
+export async function encrypt({ data, aad }: PlainData, passphrase: string): Promise<EncryptedData> {
+    const nonce = randomBytes(NONCE_SIZE);
+    const key = await aesKdf(passphrase, nonce);
+    const cipher = createCipheriv('aes-256-gcm', key, nonce, { authTagLength: AES_TAG_SIZE });
+    if (aad) cipher.setAAD(aad);
+    const encrypted = Buffer.concat([cipher.update(data), cipher.final(), cipher.getAuthTag()]);
     return {
-        salt: toUint8Array(salt),
-        iv: toUint8Array(iv),
+        nonce: toUint8Array(nonce),
         data: toUint8Array(encrypted),
     };
 }
 
 /** nodejs decrypt */
-export async function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
-    const key = await aesKdf(passphrase, salt);
-    const decipher = createDecipheriv('aes-256-cbc', key, iv);
-    const decrypted = Buffer.concat([decipher.update(data), decipher.final()]);
-    return toUint8Array(decrypted);
+export async function decrypt({ nonce, aad, data }: EncryptedData, passphrase: string): Promise<PlainData> {
+    const key = await aesKdf(passphrase, nonce);
+    const decipher = createDecipheriv('aes-256-gcm', key, nonce, { authTagLength: AES_TAG_SIZE });
+    decipher.setAuthTag(data.subarray(data.length - AES_TAG_SIZE));
+    if (aad) decipher.setAAD(aad);
+    const decrypted = Buffer.concat([decipher.update(data.subarray(0, data.length - AES_TAG_SIZE)), decipher.final()]);
+    return { data: toUint8Array(decrypted) };
 }

package/src/encryption/pure-js.ts

@@ -1,62 +1,105 @@
-import { pbkdf2, createSHA256 } from 'hash-wasm';
-import AES from 'crypto-js/aes.js';
-import WordArray from 'crypto-js/lib-typedarrays.js';
-import type CryptoJS from 'crypto-js';
-import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, type EncryptionResult, PBKDF2_ITERATIONS } from './common.js';
+import sjcl from 'sjcl';
+import {
+    NONCE_SIZE,
+    AES_KEY_SIZE,
+    AES_TAG_SIZE,
+    type EncryptedData,
+    PBKDF2_ITERATIONS,
+    type PlainData,
+} from './common.js';
+
+// Load unminified version for debugging
+// globalThis.sjcl = sjcl;
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/aes.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/gcm.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/bitArray.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/pbkdf2.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/hmac.js');
+// // @ts-expect-error sjcl is not a module
+// await import('sjcl/core/sha256.js');
 
 /** Convert word array to buffer data */
-function wordArrayToBuffer(wordArray: WordArray): Uint8Array {
-    const { sigBytes, words } = wordArray;
-    if (sigBytes < 0 || words.length * 4 < sigBytes) throw new Error('Invalid word array');
-    const result = new Uint8Array(sigBytes);
-    for (let i = 0; i < sigBytes; i++) {
-        result[i] = (words[i >>> 2] >>> (24 - (i % 4) * 8)) & 0xff;
+function wordArrayToBuffer(bitArray: sjcl.BitArray): Uint8Array {
+    const len = sjcl.bitArray.bitLength(bitArray) / 8;
+    const out = new Uint8Array(len);
+    for (let i = 0; i < len; i += 4) {
+        const tmp = bitArray[i / 4];
+        out[i] = (tmp >>> 24) & 0xff;
+        out[i + 1] = (tmp >>> 16) & 0xff;
+        out[i + 2] = (tmp >>> 8) & 0xff;
+        out[i + 3] = tmp & 0xff;
     }
-    return result;
+    return out;
 }
 
 /** Convert buffer data to word array */
-function bufferToWordArray(buffer: Uint8Array): WordArray {
-    return WordArray.create(buffer);
+function bufferToWordArray(buffer: Uint8Array): sjcl.BitArray {
+    const out = [];
+    const length = buffer.byteLength;
+    for (let i = 0; i < length; i += 4) {
+        out.push((buffer[i] << 24) | (buffer[i + 1] << 16) | (buffer[i + 2] << 8) | buffer[i + 3]);
+    }
+    if (length & 3) {
+        out[out.length - 1] = sjcl.bitArray.partial(8 * (length & 3), out[out.length - 1], 1);
+    }
+    return out;
 }
 
 /** Create aes params */
-async function aesKdfJs(passphrase: string, salt: Uint8Array): Promise<WordArray> {
-    const result = await pbkdf2({
-        password: passphrase,
-        salt: salt,
-        iterations: PBKDF2_ITERATIONS,
-        hashLength: AES_KEY_SIZE,
-        hashFunction: createSHA256(),
-        outputType: 'binary',
-    });
-    return WordArray.create(result);
+function aesKdfJs(passphrase: string, salt: sjcl.BitArray): sjcl.BitArray {
+    return sjcl.misc.pbkdf2(passphrase, salt, PBKDF2_ITERATIONS, AES_KEY_SIZE * 8, sjcl.misc.hmac);
+}
+
+/** wrap non-error thrown */
+function wrapError(error: unknown): Error {
+    if (error instanceof Error) {
+        return error;
+    }
+    return new Error(String(error), { cause: error });
 }
 
 /** crypto-js encrypt */
-export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
-    const salt = wordArrayToBuffer(WordArray.random(PBKDF2_SALT_SIZE));
-    const key = await aesKdfJs(passphrase, salt);
-    const iv = WordArray.random(AES_IV_SIZE);
-    const encrypted = AES.encrypt(bufferToWordArray(data), key, { iv });
-    return {
-        salt: salt,
-        iv: wordArrayToBuffer(iv),
-        data: wordArrayToBuffer(encrypted.ciphertext),
-    };
+export async function encrypt({ data, aad }: PlainData, passphrase: string): Promise<EncryptedData> {
+    try {
+        const nonce = sjcl.random.randomWords(NONCE_SIZE / 4);
+        const key = aesKdfJs(passphrase, nonce);
+        const encrypted = sjcl.mode.gcm.encrypt(
+            new sjcl.cipher.aes(key),
+            bufferToWordArray(data),
+            nonce,
+            aad ? bufferToWordArray(aad) : undefined,
+            AES_TAG_SIZE * 8,
+        );
+        return await Promise.resolve({
+            nonce: wordArrayToBuffer(nonce),
+            data: wordArrayToBuffer(encrypted),
+        });
+    } catch (ex) {
+        throw wrapError(ex);
+    }
 }
 
 /** crypto-js decrypt */
-export async function decrypt({ data, iv, salt }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
-    const key = await aesKdfJs(passphrase, salt);
-    const decrypted = AES.decrypt(
-        {
-            ciphertext: bufferToWordArray(data),
-        } as CryptoJS.lib.CipherParams,
-        key,
-        {
-            iv: bufferToWordArray(iv),
-        },
-    );
-    return wordArrayToBuffer(decrypted);
+export async function decrypt({ data, aad, nonce }: EncryptedData, passphrase: string): Promise<PlainData> {
+    try {
+        const n = bufferToWordArray(nonce);
+        const key = aesKdfJs(passphrase, n);
+        const decrypted = sjcl.mode.gcm.decrypt(
+            new sjcl.cipher.aes(key),
+            bufferToWordArray(data),
+            n,
+            aad ? bufferToWordArray(aad) : undefined,
+            AES_TAG_SIZE * 8,
+        );
+        return await Promise.resolve({
+            data: wordArrayToBuffer(decrypted),
+        });
+    } catch (ex) {
+        throw wrapError(ex);
+    }
 }

package/src/encryption/web.ts

@@ -1,4 +1,11 @@
-import { AES_IV_SIZE, AES_KEY_SIZE, PBKDF2_SALT_SIZE, type EncryptionResult, PBKDF2_ITERATIONS } from './common.js';
+import {
+    NONCE_SIZE,
+    AES_TAG_SIZE,
+    AES_KEY_SIZE,
+    type EncryptedData,
+    type PlainData,
+    PBKDF2_ITERATIONS,
+} from './common.js';
 
 const encoder = new TextEncoder();
 
@@ -11,42 +18,44 @@ async function aesKdfWeb(passphrase: string, salt: Uint8Array): Promise<CryptoKe
         iterations: PBKDF2_ITERATIONS,
         hash: 'SHA-256',
     };
-    return await crypto.subtle.deriveKey(pbkdf2Params, pass, { name: 'AES-CBC', length: AES_KEY_SIZE * 8 }, false, [
+    return await crypto.subtle.deriveKey(pbkdf2Params, pass, { name: 'AES-GCM', length: AES_KEY_SIZE * 8 }, false, [
         'encrypt',
         'decrypt',
     ]);
 }
 
 /** webcrypto encrypt */
-export async function encrypt(data: Uint8Array, passphrase: string): Promise<EncryptionResult> {
-    const salt = crypto.getRandomValues(new Uint8Array(PBKDF2_SALT_SIZE));
-    const key = await aesKdfWeb(passphrase, salt);
-    const iv = crypto.getRandomValues(new Uint8Array(AES_IV_SIZE));
+export async function encrypt({ data, aad }: PlainData, passphrase: string): Promise<EncryptedData> {
+    const nonce = crypto.getRandomValues(new Uint8Array(NONCE_SIZE));
+    const key = await aesKdfWeb(passphrase, nonce);
     const encrypted = await crypto.subtle.encrypt(
         {
-            name: 'AES-CBC',
-            iv,
+            name: 'AES-GCM',
+            iv: nonce,
+            tagLength: AES_TAG_SIZE * 8,
+            additionalData: aad,
         },
         key,
         data,
     );
     return {
-        salt: salt,
-        iv: iv,
+        nonce,
         data: new Uint8Array(encrypted),
     };
 }
 
 /** webcrypto decrypt */
-export async function decrypt({ data, salt, iv }: EncryptionResult, passphrase: string): Promise<Uint8Array> {
-    const key = await aesKdfWeb(passphrase, salt);
+export async function decrypt({ data, nonce, aad }: EncryptedData, passphrase: string): Promise<PlainData> {
+    const key = await aesKdfWeb(passphrase, nonce);
     const decrypted = await crypto.subtle.decrypt(
         {
-            name: 'AES-CBC',
-            iv,
+            name: 'AES-GCM',
+            iv: nonce,
+            tagLength: AES_TAG_SIZE * 8,
+            additionalData: aad,
         },
         key,
         data,
     );
-    return new Uint8Array(decrypted);
+    return { data: new Uint8Array(decrypted) };
 }

package/src/index.ts

@@ -1 +1 @@
-export { isEncrypted, encrypt, decrypt } from './encryption/index.js';
+export { isEncrypted, encrypt, decrypt, encryptAad, extractAad } from './encryption/index.js';