jsonld-signatures
An implementation of the Linked Data Signatures specifications for JSON-LD in JavaScript.
An implementation of the Linked Data Signatures specification for JSON-LD, for Node.js and browsers.
jsonld-signatures v9.0 is compatible with the following signature suites:

- ed25519-signature-2020 >= 2.1.0

...and the following related libraries:

- crypto-ld >= 5.0.0 (and related key crypto suites such as ed25519-verification-key-2020 >= 2.1.0).
- vc-js >= 7.0 (currently, branch v7.x)

A Linked Data Signature proof is created (or verified) by specifying a signature suite and a proof purpose.

The signature suite performs the cryptographic operation required to sign (or verify) a digital signature and includes information in a proof such as the verificationMethod identifier, the proof's controller, and the date the proof was created.

The proof purpose indicates why the proof was created and what its intended use is. This information can also be used to make sure that the verificationMethod was authorized for the stated purpose in the proof. Using a proof purpose helps to encourage people to authorize certain cryptographic keys (verification methods) for explicit purposes rather than granting them ambient authority. This approach can help prevent people from accidentally signing documents for reasons they did not intend.
This library provides base classes for signature suites and proof purposes so that custom extensions can be written. It also provides some commonly used proof purposes.
jsonld-signatures is a low-level library that is meant to sign any JSON-LD document.

One common use case for creating these signatures is for use with Verifiable Credentials (VCs). If you're working with those, you should use a higher-level library that's specifically made for that purpose, such as vc-js. (Incidentally, vc-js uses this library, jsonld-signatures, under the hood.)
As with most security- and cryptography-related tools, the overall security of your system will largely depend on your design decisions (which key types you will use, where you'll store the private keys, what you put into your credentials, and so on).
During verification, the key and key controller information must be discovered. This library allows for the key and key controller information to be looked up via a documentLoader, or it can be provided directly to the API via the signature suite or proof purpose, respectively.
This library's default documentLoader is very strict for security and content integrity purposes. It will only load locally available copies of the context documents that define the terms it uses internally. Any attempt to load any other documents (including other contexts) will throw an error. If other documents, such as verification methods (e.g., public key documents), cannot be provided directly to the API and thus need to be loaded, a custom document loader must be passed. For the sake of clarity, the default document loader will only load locally available copies of the following documents:

If you require other documents to be loaded, then you will need to provide a documentLoader that can provide them. jsonld.js provides both a node and browser documentLoader you can use; however, depending on your use case, you may increase security by using a custom documentLoader that is similarly strict and will only load a subset of documents that is constrained by some technical, security, or business rules.
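The strictness described above, written out as an added example (this is not code from jsonld-signatures or jsonld.js): a documentLoader that returns the {contextUrl, documentUrl, document} result shape jsonld.js uses, serves only an exact-match allowlist of locally bundled contexts, and refuses every other URL without touching the network. The per-origin resolvers hook is this example's own way of expressing a "constrained subset" (here, one trusted key service); the context URLs, context bodies and key records are constructed sample data, and the loader is synchronous for brevity where the real ones are async.

```javascript
// Locally bundled copies of the contexts this deployment needs. Constructed
// sample data: a real deployment bundles the context JSON its suites ship.
const LOCAL_CONTEXTS = {
  'https://example.org/contexts/security-v1': { '@context': { proof: 'https://example.org/terms#proof' } },
  'https://example.org/contexts/credentials-v1': { '@context': { issuer: 'https://example.org/terms#issuer' } },
};

// Builds a documentLoader with the {contextUrl, documentUrl, document} result
// shape jsonld.js uses. `resolvers` (this example's own extension point) maps an
// origin to a function that fetches from a source the deployment trusts, such
// as its own key registry; every other URL is refused without any network I/O.
function createStrictDocumentLoader({ localDocuments = LOCAL_CONTEXTS, resolvers = {} } = {}) {
  return function documentLoader(url) {
    if (typeof url !== 'string') throw new TypeError('documentLoader expects a URL string');
    // Exact-match lookup only: no prefix or pattern matching, so a URL that
    // merely starts like a bundled context cannot be served from the cache.
    if (Object.prototype.hasOwnProperty.call(localDocuments, url)) {
      return { contextUrl: null, documentUrl: url, document: localDocuments[url] };
    }
    let origin;
    try { origin = new URL(url).origin; }
    catch { throw new Error(`refusing to load malformed URL: ${url}`); }
    const resolve = resolvers[origin];
    if (!resolve) throw new Error(`refusing to load document outside the allowlist: ${url}`);
    const document = resolve(url);
    if (document === undefined) throw new Error(`trusted source has no document for: ${url}`);
    return { contextUrl: null, documentUrl: url, document };
  };
}

// Constructed sample: one trusted key service whose records are served from
// memory here; in practice the resolver would query the deployment's key store.
const TRUSTED_KEYS = {
  'https://keys.example.org/alice/key-1': {
    id: 'https://keys.example.org/alice/key-1',
    type: 'ExampleVerificationKey', // hypothetical key type
    controller: 'https://keys.example.org/alice',
  },
};
const loader = createStrictDocumentLoader({
  resolvers: { 'https://keys.example.org': url => TRUSTED_KEYS[url] },
});

// Wraps a load attempt so callers see what was refused and why, not an exception.
function tryLoad(documentLoader, url) {
  try { return { ok: true, document: documentLoader(url).document }; }
  catch (err) { return { ok: false, error: err.message }; }
}

for (const url of [
  'https://example.org/contexts/security-v1',          // bundled context: served
  'https://keys.example.org/alice/key-1',              // trusted key service: served
  'https://keys.example.org/alice/key-9',              // trusted origin, unknown key: refused
  'https://example.org/contexts/security-v1/../../x', // same host as a context, not allowlisted: refused
  'https://cdn.example.net/anything.jsonld',           // untrusted origin: refused
]) console.log(url, '->', JSON.stringify(tryLoad(loader, url)));
```

The point of the exact-match lookup and the origin-keyed resolvers is that the set of loadable documents is enumerable up front: a reviewer can read the two tables and know everything the verifier will ever fetch, which is what lets the loader be handed untrusted verificationMethod URLs from a proof.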
To install from NPM:
npm install jsonld-signatures
To install locally (for development):
git clone https://github.com/digitalbazaar/jsonld-signatures.git
cd jsonld-signatures
npm install
jsonld-signatures (version 8.x and above) is not meant for standalone use. Instead, it's generally used through an individual crypto suite.

For detailed usage instructions, see the READMEs of the supported suites:
Most of the usages with individual suites and key types will have elements in common. You'll need to:

1. Obtain a key pair (using the @digitalbazaar/crypto-ld >=v5.0 library), or use a secure signer() function provided by your secure cryptographic module.
2. Choose a signature suite: for example, the Ed25519Signature2020 suite, and for legacy/compatibility work, you can use the Ed25519Signature2018 suite. See also the Choosing a Key Type section of the crypto-ld documentation.
3. Use a documentLoader to fetch contexts and documents securely.
4. Perform jsigs.sign() or jsigs.verify() operations.

Specialized use cases may wish to use the native canonize bindings. This mode can be enabled by setting the useNativeCanonize option to true. See the jsonld.js notes on this feature, and note that you should benchmark performance before using it.
See the contribute file!
PRs accepted.
If editing the Readme, please conform to the standard-readme specification.
Commercial support for this library is available upon request from Digital Bazaar: support@digitalbazaar.com
New BSD License (3-clause) © Digital Bazaar
11.3.2 - 2024-11-06
- proof.@context is unmodified for JCS Data Integrity Cryptosuites.

FAQs
The npm package jsonld-signatures receives a total of 13,803 weekly downloads. As such, jsonld-signatures popularity was classified as popular.
We found that jsonld-signatures demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 5 open source maintainers collaborating on the project.