Web Crypto Streams

Draft Community Group Report,

More details about this document
This version:
https://webcrypto-streams.proposal.wintercg.org/
Issue Tracking:
GitHub
Inline In Spec
Editors:
(Cloudflare)
(Deno Land Inc)

Copyright © 2024 the Contributors to the Web Crypto Streams Specification, published by the Web-interoperable Runtimes Community Group under the W3C Community Contributor License Agreement (CLA). A human-readable summary is available.

Abstract

Streaming data support for the the Web Crypto API.

Status of this document

This specification was published by the Web-interoperable Runtimes Community Group. It is not a W3C Standard nor is it on the W3C Standards Track. Please note that under the W3C Community Contributor License Agreement (CLA) there is a limited opt-out and other conditions apply. Learn more about W3C Community and Business Groups.

1. Introduction

This section is non-normative.

Introduction!

2. Use Cases

This section is non-normative.

Elaborate on use cases here.

3. Terminology

A chunk is a piece of data. In the case of EncryptionStream and VerificationStream, the output chunk type is Uint8Array. They accept any BufferSource type as input.

A stream represents an ordered sequence of chunks. The terms ReadableStream and WritableStream are defined in [WHATWG-STREAMS].

A encryption context is the internal state maintained by a encryption algorithm. The contents of a encryption context depend on the algorithm and implementation in use. From the point of view of this specification, it is an opaque object. A encryption context is initially in a start state such that it anticipates the first byte of input.

4. Interface EncryptionStream

Note: The EncryptionStream class complements SubtleCrypto.encrypt(). The constructor takes the same arguments as SubtleCrypto.encrypt() except for the data argument.

[Exposed=*]
interface EncryptionStream {
  constructor(AlgorithmIdentifier algorithm, CryptoKey key);
};
EncryptionStream includes GenericTransformStream;

A EncryptionStream has an associated algorithm, key and encryption context context.

The new EncryptionStream(algorithm, key) steps are:

  1. Let normalizedAlgorithm be the result of normalizing an algorithm, with alg set to algorithm and op set to "encrypt".

    • normalize an algorithm doesn’t link correctly (needs to be exported in Web Crypto API).

  2. Set this's algorithm to normalizedAlgorithm.

  3. Set this's key to key.

  4. Let transformAlgorithm be an algorithm which takes a chunk argument and runs the encrypt and enqueue a chunk algorithm with this and chunk.

  5. Let flushAlgorithm be an algorithm which takes no argument and runs the encrypt flush and enqueue algorithm with this.

  6. Set this's transform to a new TransformStream.

  7. Set up this's transform with transformAlgorithm set to transformAlgorithm and flushAlgorithm set to flushAlgorithm.

The encrypt and enqueue a chunk algorithm, given a EncryptionStream object stream and a chunk, runs these steps:

  1. If chunk is not a BufferSource type, then throw a TypeError.

  2. Let buffer be the result of encrypting chunk with stream's algorithm and context.

  3. If buffer is empty, return.

  4. Split buffer into one or more non-empty pieces and convert them into Uint8Arrays.

  5. For each Uint8Array array, enqueue array in stream's transform.

The encrypt flush and enqueue algorithm, which handles the end of data from the input ReadableStream object, given a EncryptionStream object stream, runs these steps:

  1. Let buffer be the result of encrypting an empty input with stream's algorithm and context, with the finish flag.

  2. If buffer is empty, return.

  3. Split buffer into one or more non-empty pieces and convert them into Uint8Arrays.

  4. For each Uint8Array array, enqueue array in stream's transform.

Conformance

Document conventions

Conformance requirements are expressed with a combination of descriptive assertions and RFC 2119 terminology. The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this document are to be interpreted as described in RFC 2119. However, for readability, these words do not appear in all uppercase letters in this specification.

All of the text of this specification is normative except sections explicitly marked as non-normative, examples, and notes. [RFC2119]

Examples in this specification are introduced with the words “for example” or are set apart from the normative text with class="example", like this:

This is an example of an informative example.

Informative notes begin with the word “Note” and are set apart from the normative text with class="note", like this:

Note, this is an informative note.

Index

Terms defined by this specification

Terms defined by reference

References

Normative References

[RFC2119]
S. Bradner. Key words for use in RFCs to Indicate Requirement Levels. March 1997. Best Current Practice. URL: https://datatracker.ietf.org/doc/html/rfc2119
[WebCryptoAPI]
Mark Watson. Web Cryptography API. URL: https://w3c.github.io/webcrypto/
[WEBIDL]
Edgar Chen; Timothy Gu. Web IDL Standard. Living Standard. URL: https://webidl.spec.whatwg.org/
[WHATWG-STREAMS]
Adam Rice; et al. Streams Standard. Living Standard. URL: https://streams.spec.whatwg.org/

IDL Index

[Exposed=*]
interface EncryptionStream {
  constructor(AlgorithmIdentifier algorithm, CryptoKey key);
};
EncryptionStream includes GenericTransformStream;

Issues Index

normalize an algorithm doesn’t link correctly (needs to be exported in Web Crypto API).