ssb-keys - npm Package Compare versions

Comparing version 6.1.2 to 7.0.0

index.js

@@ -29,2 +29,4 @@ var deepEqual  = require('deep-equal')
 
+var hmac = sodium.crypto_auth
+
 exports.hash = u.hash
@@ -48,4 +50,2 @@
 curves.ed25519 = require('./sodium')
-try { curves.k256 = require('./eccjs') }
-catch (_) {}
 
@@ -107,3 +107,3 @@ function getCurve(keys) {
 
-exports.sign = function (keys, msg) {
+function sign (keys, msg) {
   if(isString(msg))
@@ -123,3 +123,3 @@ msg = new Buffer(msg)
 //and returns true if the signature was valid.
-exports.verify = function (keys, sig, msg) {
+function verify (keys, sig, msg) {
   if(isObject(sig))
@@ -136,10 +136,13 @@ throw new Error('signature should be base64 string, did you mean verifyObj(public, signed_obj)')
 
-exports.signObj = function (keys, obj) {
+exports.signObj = function (keys, hmac_key, obj) {
+  if(!obj) obj = hmac_key, hmac_key = null
   var _obj = clone(obj)
   var b = new Buffer(JSON.stringify(_obj, null, 2))
-  _obj.signature = exports.sign(keys, b)
+  if(hmac_key) b = hmac(b, hmac_key)
+  _obj.signature = sign(keys, b)
   return _obj
 }
 
-exports.verifyObj = function (keys, obj) {
+exports.verifyObj = function (keys, hmac_key, obj) {
+  if(!obj) obj = hmac_key, hmac_key = null
   obj = clone(obj)
@@ -149,3 +152,4 @@ var sig = obj.signature
   var b = new Buffer(JSON.stringify(obj, null, 2))
-  return exports.verify(keys, sig, b)
+  if(hmac_key) b = hmac(b, hmac_key)
+  return verify(keys, sig, b)
 }
@@ -161,5 +165,2 @@
 
-  //it's since the nonce is 24 bytes (a multiple of 3)
-  //it's possible to concatenate the base64 strings
-  //and still have a valid base64 string.
   return pb.multibox(msg, recipients).toString('base64')+'.box'
@@ -166,0 +167,0 @@ }

package.json

 {
   "name": "ssb-keys",
   "description": "keyfile operations for ssb",
-  "version": "6.1.2",
+  "version": "7.0.0",
   "homepage": "https://github.com/ssbc/ssb-keys",
@@ -20,3 +20,2 @@ "repository": {
   "devDependencies": {
-    "eccjs": "git://github.com/dominictarr/eccjs.git#586f6d47507184a2efe84684ed0a30605cbc43a5",
     "tape": "^3.0.3"
@@ -27,7 +26,4 @@ },
   },
-  "browser": {
-    "./eccjs.js": false
-  },
   "author": "Paul Frazee <pfrazee@gmail.com>",
   "license": "MIT"
 }

README.md

 # SSB-Keys
 
-A common module for secure-scuttlebutt projects, provides an API to create or load elliptic-curve keypairs and to execute related crypto operations.
+supplies key loading and other cryptographic functions needed in secure-scuttlebutt apps.
 
@@ -8,20 +8,5 @@ ```js
 
-ssbkeys.create(path, function(err, k) {
-  console.log(k) /* => {
-    id: String,
-    public: String,
-    private: String
-  }*/
-})
-
-ssbkeys.load(path, function(err, k) {
-  console.log(k) /* => {
-    id: String,
-    public: String,
-    private: String
-  }*/
-})
-
-var k = ssbkeys.createSync(path)
-console.log(k) /* => {
+//usually, load keys like this
+var keys = ssbkeys.createOrLoadSync(filename)
+/* => {
   id: String,
@@ -32,4 +17,5 @@ public: String,
 
-var k = ssbkeys.loadSync(path)
-console.log(k) /* => {
+//but for testing, .generate() is useful.
+var keys = ssbkeys.generate()
+/* => {
   id: String,
@@ -40,14 +26,6 @@ public: String,
 
-var k = ssbkeys.generate()
-console.log(k) /* => {
-  id: String,
-  public: String,
-  private: String
-}*/
 
-var hash = ssbkeys.hash(new Buffer('deadbeef', 'hex'))
-var sig = ssbkeys.sign(k, hash)
-ssbkeys.verify(k.public, sig, hash) // => true
+//hmac_key is a fixed value that applies to _THIS_ signature use, see below.
 
-var obj = ssbkeys.signObj(k, { foo: 'bar' })
+var obj = ssbkeys.signObj(k, hmac_key, { foo: 'bar' })
 console.log(obj) /* => {
@@ -57,3 +35,53 @@ foo: 'bar',
 } */
-ssbkeys.verifyObj(k, obj) // => true
+ssbkeys.verifyObj(k, hmac_key, obj) // => true
 ```
+
+## api
+
+### loadOrCreateSync (filename)
+
+Load a file containing the your private key. the file will also
+contain a comment with a warning about keeping the file secret.
+
+Works in the browser, or stores the keys is localStorage in the browser.
+(web apps should be hosted a secure way, for example [web-bootloader](https://github.com/dominictarr/web-bootloader))
+
+If the file does not exist it will be created. there is also
+variations and parts `loadOrCreate` (async), `load`, `create`
+`createSync` `loadSync`. But since you only need to load once,
+using the combined function is easiest.
+
+### generate(curve, seed)
+
+generate a key, with optional seed.
+curve defaults to `ed25519` (and no other type is currently supported)
+seed should be a 32 byte buffer.
+
+### signObj(keys, hmac_key?, obj)
+
+signs a javascript object, and then adds a signature property to it.
+
+If `hmac_key` is provided, the object is hmaced before signing,
+which means it cannot be verified without the correct `hmac_key`.
+If each way that signatures are used in your application use a different
+hmac key, it means that a signature intended for one use cannot be reused in another
+(chosen protocol attack)
+
+### verifyObj(keys, hmac_key?, obj)
+
+verify a signed object. `hmac_key` must be the same value as passed to `signObj`.
+
+### box(msg, recipients)
+
+encrypt a message to many recipients. msg will be JSON encoded, then encrypted
+with [private-box](https://github.com/auditdrivencrypto/private-box)
+
+### unbox (boxed, keys)
+
+decrypt a message encrypted with `box`. If the `boxed` successfully decrypted,
+the parsed JSON is returned, if not, `undefined` is returned.
+
+### LICENSE
+
+MIT
+

test/index.js

@@ -30,27 +30,21 @@ var tape = require('tape')
 
-tape('sign and verify', function (t) {
-  var keys = ssbkeys.generate()
-  var msg = ssbkeys.hash("HELLO THERE?")
-  var sig = ssbkeys.sign(keys, msg)
-  console.log('public', keys.public)
-  console.log('sig', sig)
-  t.ok(sig)
-  t.equal(ssbkeys.getTag(sig), 'sig.ed25519')
-  t.ok(ssbkeys.verify(keys, sig, msg))
+tape('sign and verify a javascript object', function (t) {
 
-  t.end()
+  var obj = require('../package.json')
+  var hmac_key = crypto.randomBytes(32)
+  var hmac_key2 = crypto.randomBytes(32)
+  console.log(obj)
 
-})
-
-tape('sign and verify, call with keys directly', function (t) {
-
   var keys = ssbkeys.generate()
-  var msg = ssbkeys.hash("HELLO THERE?")
-  var sig = ssbkeys.sign(keys.private, msg)
-  console.log('public', keys.public)
-  console.log('sig', sig)
+  var sig = ssbkeys.signObj(keys.private, hmac_key, obj)
+  console.log(sig)
   t.ok(sig)
-  t.equal(ssbkeys.getTag(sig), 'sig.ed25519')
-  t.ok(ssbkeys.verify(keys.public, sig, msg))
-
+  //verify must be passed the key to correctly verify
+  t.notOk(ssbkeys.verifyObj(keys, sig))
+  t.notOk(ssbkeys.verifyObj({public: keys.public}, sig))
+  t.ok(ssbkeys.verifyObj(keys, hmac_key, sig))
+  t.ok(ssbkeys.verifyObj({public: keys.public}, hmac_key, sig))
+  //a different hmac_key fails to verify
+  t.notOk(ssbkeys.verifyObj(keys, hmac_key2, sig))
+  t.notOk(ssbkeys.verifyObj({public: keys.public}, hmac_key2, sig))
   t.end()
@@ -60,3 +54,6 @@
 
-tape('sign and verify a javascript object', function (t) {
+//allow sign and verify to also take a separate key
+//so that we can create signatures that cannot be used in other places.
+//(i.e. testnet) avoiding chosen protocol attacks.
+tape('sign and verify a hmaced object javascript object', function (t) {
 
@@ -71,3 +68,4 @@ var obj = require('../package.json')
   t.ok(sig)
-  t.ok(ssbkeys.verifyObj(keys, sig, obj))
+  t.ok(ssbkeys.verifyObj(keys, sig))
+  t.ok(ssbkeys.verifyObj({public: keys.public}, sig))
   t.end()
@@ -77,50 +75,2 @@
 
-//tape('test legacy curve: k256', function (t) {
-//  var keys = ssbkeys.generate('k256')
-//
-//  var msg = ssbkeys.hash("LEGACY SYSTEMS")
-//  var sig = ssbkeys.sign(keys, msg)
-//
-//  console.log('public', keys.public)
-//  console.log('sig', sig)
-//
-//  t.ok(sig)
-//  t.equal(ssbkeys.getTag(sig), 'sig.k256')
-//  t.ok(ssbkeys.verify(keys, sig, msg))
-//
-//  t.end()
-//})
-//
-//tape('create and load async, legacy', function (t) {
-//
-//  ssbkeys.create(path, 'k256', function(err, k1) {
-//    if (err) throw err
-//    ssbkeys.load(path, function(err, k2) {
-//      if (err) throw err
-//
-//      t.equal(k2.curve, 'k256')
-//      t.equal(k1.id, k2.id)
-//      t.equal(k1.private, k2.private)
-//      t.equal(k1.public, k2.public)
-//
-//      t.end()
-//    })
-//  })
-//})
-
-//tape('create and load sync, legacy', function (t) {
-//
-//  var k1 = ssbkeys.createSync(path, 'k256', true)
-//  var k2 = ssbkeys.loadSync(path)
-//
-//  console.log(k2)
-//
-//  t.equal(k2.curve, 'k256')
-//  t.equal(k1.id, k2.id)
-//  t.equal(k1.private, k2.private)
-//  t.equal(k1.public, k2.public)
-//
-//  t.end()
-//})
-//
 tape('seeded keys, ed25519', function (t) {
@@ -138,14 +88,2 @@
 
-//tape('seeded keys, k256', function (t) {
-//
-//  var seed = crypto.randomBytes(32)
-//  var k1 = ssbkeys.generate('k256', seed)
-//  var k2 = ssbkeys.generate('k256', seed)
-//
-//  t.deepEqual(k1, k2)
-//
-//  t.end()
-//
-//})
-//
 tape('ed25519 id === "@" ++ pubkey', function (t) {
@@ -160,1 +98,9 @@
 
+
+
+
+
+
+
+
+

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Dev dependency count

1

decreased by-50%

Number of lines in readme file

84

increased by50%

Worsened metrics

Total package byte prevSize

18323

decreased by-4.45%

Number of package files

11

decreased by-8.33%

Lines of code

460

decreased by-16.21%

No dependency changes