Manifest integrity #43
Description
In the provided implementations, the Manifest is not authenticated (missing the integrity property). In practice, it means the Decrypt logic can't detect when the manifest is not the same as during the encryption. That applies both to corruption and malicious tempering.
While this property is not always required (or wanted), I strongly believe that end-user cryptography libraries should prevent misuse as much as possible.
It is technically easy to add the manifest as Additional Authentication Data (AAD), for example the AES-GCM construction already supports it.
The main question is around the API: would you prefer to make the manifest always authenticated, or add some way to configure the implementations? For the same reason as mentioned above, I like that the user can't pass unsafe parameters. But this authenticateManifest: Boolean is different as both choices are valid depending on the use-case. I would make it true by default.
Let me know what you think about it, I can help with the implementation or review.