As I'm going through the code, I also realized that there can be a problem with the sequence of encryption and serialization.
If there is only one recipient, and both protected and unprotected headers are given, then the compact serialization must join the headers into common headers, and use that as protected header values. However, JSON serialization must maintain the headers separately. Since the protected headers are used as part of the AAD, we can't decide which actual keys to authenticate if it's not known what serialization is to be used. There are a few solutions here; please let me know which one you would rather have:

1. Serialization type must be known at the time of encryption.
2. Encryption must produce artifacts that can be used for both JSON and Compact (AFAIU, that means double the cipher text, because GCM blocks will be different if AAD is different).
3. Shift actual encryption to the serialization phase. Re-encrypt on repeat calls, if serialization changes. The serialization can already fail, so the caller must check the return values anyway; I don't see this breaking compatibility.

Thank you.
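
The AAD mismatch described in this issue, as an added example that is not part of the original post or the project's code. It uses the Go standard library and the RFC 7516 AAD rule, ASCII(BASE64URL(UTF8(JWE Protected Header))); the header values, the all-zero key and IV, and the helpers `jweAAD`, `merge` and `demo` are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// jweAAD returns the AEAD additional data defined by RFC 7516:
// ASCII(BASE64URL(UTF8(JWE Protected Header))).
func jweAAD(protected map[string]string) []byte {
	raw, _ := json.Marshal(protected) // map keys are emitted in sorted order
	return []byte(base64.RawURLEncoding.EncodeToString(raw))
}

// merge models the compact form: it has no unprotected slot, so all members become protected.
func merge(a, b map[string]string) map[string]string {
	out := map[string]string{}
	for _, m := range []map[string]string{a, b} {
		for k, v := range m {
			out[k] = v
		}
	}
	return out
}

// demo seals once under the compact AAD, then tries to open under both AADs.
func demo() (compactOK, jsonOK bool) {
	protected := map[string]string{"alg": "dir", "enc": "A256GCM"} // constructed sample
	unprotected := map[string]string{"kid": "example-key"}         // constructed sample
	key := make([]byte, 32)                                        // demo CEK only, never a fixed key
	iv := make([]byte, 12)                                         // demo IV only, real code uses a fresh IV
	block, _ := aes.NewCipher(key)                                 // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block)

	aadCompact := jweAAD(merge(protected, unprotected)) // compact: joined headers
	aadJSON := jweAAD(protected)                        // JSON: protected members only
	sealed := gcm.Seal(nil, iv, []byte("payload"), aadCompact)
	_, errCompact := gcm.Open(nil, iv, sealed, aadCompact)
	_, errJSON := gcm.Open(nil, iv, sealed, aadJSON)
	return errCompact == nil, errJSON == nil
}

func main() {
	c, j := demo()
	fmt.Printf("opens with compact AAD: %v, with JSON AAD: %v\n", c, j)
}
```

The output sealed for one serialization fails authentication when the recipient rebuilds the AAD from the other serialization's protected header.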