Reactjs XChaCha20Poly1305的解密函数

目前的加密方法读取大小为read()的块，并将它们拆分成大小为chunkSize的较小块.由于read()读取的区块通常不是chunkSize的倍数，因此read()调用的最后一个区块通常小于chunkSize，因此该区块的大小未知，如下所示:

read 1: r, r, r, r, s1, 
read 2: r, r, s2,
read 3: r, r, r, r, r, s3,
...
read n: r, r, r, sn

这里的r是大小为chunkSize的块，而s1,...sn是不同大小的较短的块.

这对应于有效的块序列:

r, r, r, r, s1, r, r, s2, r, r, r, r, r, s3,..., r, r, r, sn

由于密文块的长度未知，intermediate个较小的块不可能正确识别密文块，因此解密失败.

为了避免这种情况，一种方法是暂停处理太短的块，使用read()确定下一个数据，将其附加到太短的块，然后处理结果数据.这可以防止出现太短的块:

read 1: r, r, r, r,  
read 2: r, r, 
read 3: r, r, r, r, r, 
...
read n: r, r, r, sn

r, r, r, r, r, r, r, r, r, r, r,..., r, r, r, sn

因此，只有最后一个块仍然是可能更短的块，这不是问题，因为这个块是由数据的末尾标识的.

要实现这一点，必须更改encryptFile()的代码，例如:

async function encryptFile(file, password){

    // Define chunk size - must be agreed with the decrypting side
    const chunkSize = 192 * 1024;//64 * 1024 * 1024;

    // Generate encryption key
    const salt = sodium.randombytes_buf(sodium.crypto_pwhash_SALTBYTES);                    
    const key = sodium.crypto_pwhash(
        sodium.crypto_secretstream_xchacha20poly1305_KEYBYTES,
        sodium.from_string(password),
        salt,
        sodium.crypto_pwhash_OPSLIMIT_INTERACTIVE,
        sodium.crypto_pwhash_MEMLIMIT_INTERACTIVE,
        sodium.crypto_pwhash_ALG_ARGON2ID13
    );
    
    // Initialize encryption
    const { state, header } = sodium.crypto_secretstream_xchacha20poly1305_init_push(key);

    // Create a stream controller for chunked processing
    const streamController = new TransformStream();
    const writer = streamController.writable.getWriter();

    // Write signature, salt, and header to the stream
    const signature = sodium.from_string(STATIC_SIGNATURE);
    writer.write(signature);
    writer.write(salt);
    writer.write(header);                   

    // Encrypt file in chunks
    const reader = file.stream().getReader();
    let dataQueue = new Uint8Array(0) // Queue for data to be encrypted
    while (true) {
        const { done, value } = await reader.read();

        // Add the read data to the queue
        dataQueue = new Uint8Array([...dataQueue, ...new Uint8Array(value)]);
        
        if (done) {
        
            // Finalize encryption and close the stream
            let encryptedChunk = sodium.crypto_secretstream_xchacha20poly1305_push(
                state,
                new Uint8Array(dataQueue),
                null,
                sodium.crypto_secretstream_xchacha20poly1305_TAG_FINAL
            );
            writer.write(encryptedChunk);
            writer.close();

            // Get the encrypted file blob
            const encryptedBlob = await new Response(
                streamController.readable
            ).blob();

            // send the encrypted file with the original filename + '.enc'
            const encryptedFileName = `${file.name}.enc`;
            return { encryptedBlob, encryptedFileName };
        }

        // Use chunkSize to control the size of each chunk; if the last chunk is smaller than chunkSize 
        // (which is generally the case) it will not be encrypted; the last chunk then remains in the queue;
        // This prevents intermediate chunks that are smaller than chunkSize
        let dataQueueIsEmpty = true;
        for (let i = 0; i < dataQueue.length; i += chunkSize) {
            const chunk = dataQueue.slice(i, i + chunkSize);
            if (chunk.length == chunkSize) {
                const encryptedChunk = sodium.crypto_secretstream_xchacha20poly1305_push(
                    state,
                    new Uint8Array(chunk),
                    null,
                    sodium.crypto_secretstream_xchacha20poly1305_TAG_MESSAGE
                );
                writer.write(encryptedChunk);
            }
            else {
                dataQueue = chunk;
                dataQueueIsEmpty = false;
            }
        }
        if (dataQueueIsEmpty) {dataQueue = new Uint8Array(0)}
    }
}

解密必须适应更改后的加密.还必须考虑到:

• A ciphertext chunk is larger than a plaintext chunk. The constant sodium.crypto_secretstream_xchacha20poly1305_ABYTES specifies the number of additional bytes. This must be considered during decryption when defining the chunk size: chunkSize (dec) = chunkSize(enc) + sodium.crypto_secretstream_xchacha20poly1305_ABYTES, see this example in the Libsodium documentation.
  This is not taken into account in the current code, which is another reason why the decryption fails.
• libsodium-wrapper-sumo文档中的这example说明了如何使用sodium.crypto_secretstream_xchacha20poly1305_init_pull()和sodium.crypto_secretstream_xchacha20poly1305_pull().这两种方法在当前代码中都未正确使用.这会导致sodium.crypto_secretstream_xchacha20poly1305_init_pull()为state_address返回undefined，稍后在sodium.crypto_secretstream_xchacha20poly1305_pull()中使用时会导致发布的错误消息.
• 加密后的数据在开头包含签名、SALT和头部.在接下来的实现中，首先进行read()次调用(或在必要时进行多次调用)，直到确定该数据为止.然后处理before剩余数据，使用read()来确定进一步的数据(这不是绝对必要的，但这是该实现方式以避免过大的数据量).

以下代码是一种可能的实现:

async function decryptFile(file, password) {

    // Define chunk size - must be agreed with the enrypting side
    const chunkSize = 192 * 1024 + sodium.crypto_secretstream_xchacha20poly1305_ABYTES; //64 * 1024 * 1024;
                        
    // Get signature, salt and header
    const reader = file.stream().getReader();
    let dataQueue = new Uint8Array(0); // Queue for data to be encrypted
    while (dataQueue.byteLength < STATIC_SIGNATURE.length + sodium.crypto_pwhash_SALTBYTES + sodium.crypto_secretstream_xchacha20poly1305_HEADERBYTES) {
        const { done, value } = await reader.read();

        // Add the read data to the queue
        dataQueue = new Uint8Array([...dataQueue, ...new Uint8Array(value)]);
    }
    const signature = dataQueue.slice(0, STATIC_SIGNATURE.length);
    const salt = dataQueue.slice(STATIC_SIGNATURE.length, STATIC_SIGNATURE.length + sodium.crypto_pwhash_SALTBYTES);
    const header = dataQueue.slice(STATIC_SIGNATURE.length + sodium.crypto_pwhash_SALTBYTES, STATIC_SIGNATURE.length + sodium.crypto_pwhash_SALTBYTES + sodium.crypto_secretstream_xchacha20poly1305_HEADERBYTES);
    dataQueue = dataQueue.slice(STATIC_SIGNATURE.length + sodium.crypto_pwhash_SALTBYTES + sodium.crypto_secretstream_xchacha20poly1305_HEADERBYTES);
    
    // Generate decryption key
    const key = sodium.crypto_pwhash(
        sodium.crypto_secretstream_xchacha20poly1305_KEYBYTES,
        sodium.from_string(password),
        salt,
        sodium.crypto_pwhash_OPSLIMIT_INTERACTIVE,
        sodium.crypto_pwhash_MEMLIMIT_INTERACTIVE,
        sodium.crypto_pwhash_ALG_ARGON2ID13
    );
    
    // Initialize decryption
    let state = sodium.crypto_secretstream_xchacha20poly1305_init_pull(header, key);

    // Create a stream controller for chunked processing
    const streamController = new TransformStream();
    const writer = streamController.writable.getWriter();

    // Loop for large chunks that were fetched with read() (containing multiple small chunks with size chunkSize)
    let dataWithHeader = true;
    while (true) {
    
        let done; 
        if (!dataWithHeader){
            // Add read data to queue
            let data = await reader.read();
            done = data.done;
            dataQueue = new Uint8Array([...dataQueue, ...new Uint8Array(data.value)]);
        } else {
            // Skip adding as queue still filled
            dataWithHeader = false;
            done = false;
        }
        
        if (done) {                     
            // Finalize decryption and close the stream
            let decryptedChunk = sodium.crypto_secretstream_xchacha20poly1305_pull(
                state,
                new Uint8Array(dataQueue)
            );
            // optional check: decryptedChunk.tag must be sodium.crypto_secretstream_xchacha20poly1305_TAG_FINAL
            writer.write(decryptedChunk.message);
            writer.close();
            // Get the decrypted file blob
            const decryptedBlob = await new Response(
                streamController.readable
            ).blob();
            // Send the decrypted file with the original filename + '.enc'
            const decryptedFileName = `${file.name}.enc`;
            return { decryptedBlob, decryptedFileName };
        }

        // Loop for small chunks with size chunkSize: Split the large chunks in chunks of size chunkSize.  
        // If the last chunk is smaller than chunkSize (which is generally the case) it will not be decrypted
        // and remains in the queue. This prevents intermediate chunks that are smaller than chunkSize.
        let dataQueueIsEmpty = true;
        for (let i = 0; i < dataQueue.length; i += chunkSize) {
            const chunk = dataQueue.slice(i, i + chunkSize);
            if (chunk.length == chunkSize) {
                const decryptedChunk = sodium.crypto_secretstream_xchacha20poly1305_pull(
                    state,
                    new Uint8Array(chunk),
                );
                // optional check: decryptedChunk.tag must be sodium.crypto_secretstream_xchacha20poly1305_TAG_MESSAGE
                writer.write(decryptedChunk.message);
            }
            else {
                dataQueue = chunk;
                dataQueueIsEmpty = false;
            }
        }
        if (dataQueueIsEmpty) {dataQueue = new Uint8Array(0);}
    }
};

我已经成功地对一个14072985字节的文件和192*1024字节的块大小的文件进行了加密和解密测试.使用这些参数，将执行几个读取数据不对应于chunkSize的倍数的读取调用，因此该测试还证明了对较小区块的正确处理.

Edit:个

Since the primary goal was to have a working logic and to fix the bugs, the code does not contain any error handling and is not performance-optimized!
I.e. the exception handling must therefore be added according to your requirements as well as a performance optimization.

Regarding the password: crypto_secretstream_xchacha20poly1305_pull() returns message and tag in case of success and false in case of an error (e.g. invalid/incomplete/corrupted ciphertext, wrong password etc.).
In your code, there are generally several crypto_secretstream_xchacha20poly1305_pull() calls. If one of these calls returns false, the data has been tampered with, intentionally or unintentionally, and the decryption must be considered failed (and all data should be discarded as a precaution).

在密码错误的情况下，第一次调用已经返回false，因此可以快速识别错误.

Regarding the performance issue: The main reason for the performance problem is dataQueue and the copy operations used to fill it, i.e. the line: dataQueue = new Uint8Array([...dataQueue, ...new Uint8Array(value)]).
These copy operations become increasingly inperformant as the data size increases. This can be easily verified by outputting the execution time for this line together with dataQueue.length:

This problem is basically related to the use of a fixed chunk size. The fixed chunk size requires (because of the shorter chunks) a reorganization of the chunks into chunks of the given chunk size, which is associated with copying operations, appending etc.
I have solved this problem in my sample implementation mainly for the sake of simplicity with dataQueue.

可以做些什么来提高性能？首先，existing代码可以进行性能优化.例如，在填充dataQueue之前，可以判断它是否为空.如果是这样的话，dataQueue = value就足够了，而不是昂贵的复制过程.可能会有这种类型的进一步优化 Select .

Such optimizations should require the least effort, but may not be sufficient. It would then be necessary to consider how the small chunks and the new data read in with read() could be converted into chunks of the given chunk size as efficiently as possible, i.e. with as few copy operations and/or as little copied data as possible, so that dataQueue can be dispensed with.
For this, e.g. the first chunk after a new read() call could be filled with the data of the last, too short chunk (which must be saved for this purpose somewhere) and the rest with the data of the new read() call. Subsequent chunks are then only filled with the data from the new read() call. The filling would therefore be more direct here and would not run via dataQueue. Although copying processes are also necessary here, the amount of data should be smaller.
A further optimization would of course be if copying/appending itself were more performant. Possibly, e.g. the use of regular arrays instead of typed arrays or something similar would provide a performance gain.
All in all, however, the optimizations described in this section require a larger amount of code changes and trial and error.

另一种 Select ，但是完全不同的方法，将是省go 固定的块大小并且在密文中存储未加密的块大小信息(类似于签名、盐和报头)，例如通过在相关块之前的前4个字节中存储块大小.这将使在解密期间识别块成为可能.没有必要重新组织这些数据块.由于在解密过程中会判断块的顺序，因此不存在与此方法相关的漏洞.然而，该解决方案实际上相当于一种新的实现，因此涉及最大的更改工作.