I have a problem decrypting text, which is encrypted in Go lang, with CryptoJS.

Here is Go code: https://play.golang.org/p/xCbl48T_iN

package main

import (
    "crypto/aes"
    "crypto/cipher"
    "encoding/base64"
    "fmt"
)

func main() {
    key := []byte("1234567890123456")
    plaintext := []byte("text can be a random lenght")

    block, err := aes.NewCipher(key)
    if err != nil {
        panic(err)
    }

    // The IV needs to be unique, but not secure. Therefore it's common to
    // include it at the beginning of the ciphertext.
    // BTW (only for test purpose) I don't include it

    ciphertext := make([]byte, len(plaintext))

    iv := []byte{'\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f','\x0f'}

    stream := cipher.NewCTR(block, iv)
    stream.XORKeyStream(ciphertext, plaintext) 

    // CTR mode is the same for both encryption and decryption, so we can
    // also decrypt that ciphertext with NewCTR.
        base := base64.StdEncoding.EncodeToString(ciphertext)
    fmt.Printf("encodedHEX: %x\n", ciphertext)
    fmt.Printf("encodedBASE: %s\n", base)

    plaintext2 := make([]byte, len(plaintext))
    stream = cipher.NewCTR(block, iv)
    stream.XORKeyStream(plaintext2, ciphertext)

    fmt.Printf("decoded: %s\n", plaintext2)
}

Here is JS code: http://jsfiddle.net/Ltkxm64n/

var key = CryptoJS.enc.Hex.parse('31323334353637383930313233343536');
var iv = CryptoJS.enc.Hex.parse('0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f');
var encrypted = CryptoJS.AES.encrypt("text can be a random lenght", key, {
  mode: CryptoJS.mode.CTR,
  iv: iv
});

console.log(encrypted.ciphertext.toString());
console.log(encrypted.toString());

var decrypted = CryptoJS.AES.decrypt(encrypted, key, {
  mode: CryptoJS.mode.CTR,
  iv: iv
});
console.log(decrypted.toString(CryptoJS.enc.Utf8)); 
// text can be a random lenght

Both works well encrypting and decrypting, but when I copy the base64 ciphertext from GO to JS (or viceversa), it doesn't work. I also noticed that first part of js output is the same of Go output, but in js output there are more bytes than in Go one.

My purpose is to encrypt some text in GO, then ship Base64 ciphertext to JS that can decrypt it.

Thank you

Ok, here is what you do to fix this:

1. Add no-padding js to your sources list: http://crypto-js.googlecode.com/svn/tags/3.1/build/components/pad-nopadding.js

2. When encrypting/decrypting specify parameter: padding: CryptoJS.pad.NoPadding

CTR mode doesn't require padding plain text before encrypting.
Keystream generated from multiple AES blocks is trimmed to match plain text length before XORing.
Looks like CryptoJS generates keystream to xor it with plain text but doesn't trim it, because the length of ciphertext generated by CryptoJS without padding: CryptoJS.pad.NoPadding is always multiple of 16 bytes (exactly as AES block size).

var key = CryptoJS.enc.Hex.parse('31323334353637383930313233343536');
var iv = CryptoJS.enc.Hex.parse('0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f0f');
var encrypted = CryptoJS.AES.encrypt("text can be a random lenght", key, {
  mode: CryptoJS.mode.CTR,
  iv: iv,
  padding: CryptoJS.pad.NoPadding
});

document.getElementById("id").innerHTML = encrypted.ciphertext.toString();
document.getElementById("id2").innerHTML = encrypted.toString();

var decrypted = CryptoJS.AES.decrypt(encrypted, key, {
  mode: CryptoJS.mode.CTR,
  iv: iv,
  padding: CryptoJS.pad.NoPadding
});
document.getElementById("decrypt").innerHTML = decrypted.toString(CryptoJS.enc.Utf8); // text can be a random lenght

<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/rollups/aes.js"></script>
<script src="http://crypto-js.googlecode.com/svn/tags/3.1.2/build/components/mode-ctr.js"></script>
<script src="http://crypto-js.googlecode.com/svn/tags/3.1/build/components/pad-nopadding.js"></script>
<p> Ciphertext in HEX: </p>
<p id="id"> </p>
<p> Ciphertext in BASE64: </p>
<p id="id2"> </p>
<p> PlainText: </p>
<p id="decrypt"></p>

you have to add padding to plaintext before encode it

for example:

func addPadding(data []byte, blocksize int) []byte {

    padSize := len(data) % blocksize
    if padSize == 0 {
        return data
    }
    padSize = blocksize - padSize
    return append(data, bytes.Repeat([]byte{byte(padSize)}, padSize)...)
}
//in main
    plaintext := []byte("text can be a random lenght")
    plaintext = addPadding(plaintext, aes.BlockSize)

UPDATE: 2023

// CryotoJS CDN
<script src="https://cdnjs.cloudflare.com/ajax/libs/crypto-js/4.1.1/crypto-js.min.js" integrity="sha512-E8QSvWZ0eCLGk4km3hxSsNmGWbLtSCSUcewDQPQWZF6pEU8GlT8a5fF32wOl1i8ftdMhssTrF/OhyGWwonTcXA==" crossorigin="anonymous" referrerpolicy="no-referrer"></script>

let config = {
    mode: CryptoJS.mode.CTR,
    iv: CryptoJS.enc.Utf8.parse('YourInitialVector'),
    padding: CryptoJS.pad.NoPadding
};

let dataObjString = JSON.stringify(YourDataObj);

let ciphertext = CryptoJS.AES.encrypt(dataObjString, CryptoJS.enc.Utf8.parse('YourEncryptionKey'), config).toString();

console.log("Encrypted ", ciphertext);

let bytes = CryptoJS.AES.decrypt(ciphertext, CryptoJS.enc.Utf8.parse('YourEncryptionKey'), config);
                
console.log("Decrypted ", JSON.parse(bytes.toString(CryptoJS.enc.Utf8)));

References:

• https://cryptojs.gitbook.io/docs/
• https://github.com/brix/crypto-js
• https://cdnjs.com/libraries/crypto-js

Hope this will help. Cheers :)