json-signatures
v1.0.2
Published
Add a signature to JSON data and verify it
Downloads
6
Maintainers
Readme
JSON Signatures
Simplified API to sign and verify JSON data. Summary:
const JSONSign = require('json-signatures')
// create keypair
const kp = JSONSign.keypair()
// whatever, sign it
const msg = {b: 'foo', a: [1,2,3], c: [1,[{}]]}
const signedMessage = JSONSign.sign(kp.secret, msg)
// see if it has a valid signature
JSONSign.verify(signedMessage) // => true
Basically, it takes a JSON message M
and a secret key,
and turns it into JSON which can be used to verify M:
{ message: M
, signedBy: {
pubkey: "HPe1gjvok8tL8wYQUJKnYHhWxhPNVywQ0kjDEjTxozE=",
signature: "DRV1bnJamWrW73oMHIqYDRiO71SH0IdJL...g969qzh0Ag=="
}
}
Detailed usage
npm install --save json-signatures
First, create a key pair.
const kp = JSONSign.keypair(nrOfRandomBytesForSecret)
It looks like
{
public: "HPe1gjvok8tL8wYQUJ...VywQ0kjDEjTxozE=",
secret: "QM+USi7HbuRHU1/DdYkzL322XNm3qJ...D+LLpjw=="
}
Then, you can use it to sign a JSON dictionary,
const signedMessage = JSONSign.sign(kp.secret, M)
The public key will be derived from the passed secret key.
The resulting signedMessage
will look like this:
{
message: M,
signedBy: {
pubkey: kp.public,
signature: "+AAhMxhhjvz5CUEbZcziqb...ds/g6xFbU8WXLkdbloOUHBw=="
}
}
Later, you can verify is a message is signed by a person with the secret corresponding to the public key.
if (! JSONSign.verify(signedMessage) ) {
// message was tampered with
}
Links
- Algorithm used is ed2219 = (Curve25519 + EdDSA) see pg. 7
- Implementation is elliptic
- Uses
secure-random
to generate secret - Uses
canonical-json
to create the string on which the signature is based