
minisign's Introduction

minisign

JavaScript implementation of Frank Denis' (@jedisct1) minisign tool.

minisign is a CLI tool to perform minisign operations.

All functions are defined in minisign.js.

Usage

Generating a key pair

$ minisign -G

The public key is printed and saved to minisign.pub in the current working directory by default; the secret key is encrypted and saved to ~/.minisign/minisign.key by default.

$ minisign -G -p pubkey.pub -c 'public key comment' -t 'secret key comment'

Flags may be used to designate specific file names and to introduce comments, which are displayed in the respective key files.

Signing files

$ minisign -Sm example.txt

The content of example.txt is signed using ~/.minisign/minisign.key and the signature is saved to example.txt.minisig by default.

$ minisign -Sm example.txt -s specific.key -x signature.txt -t 'trusted comment'

A specific secret key and signature file may be designated using the -s and -x flags respectively. The -t flag sets a trusted comment, which will be verified and displayed when verifying the file.

Verifying a file

$ minisign -Vm example.txt -p pubkey.pub

or

$ minisign -Vm example.txt -x signature.txt -P RWQf6LRCGA9i53mlYecO4IzT51TGPpvWucNSCh1CBM0QTaLn73Y7GFO3

If no signature file is specified, the signature file must be in the same directory as the original file and be of the form (filename).minisig. The public key may either be given as a file, ./minisign.pub by default, or directly specified on the command line using the -P flag.

Full usage information

 Usage:
 $ minisign -G [-F] [-p pubkey file] [-s seckey file] [-c pubkey comment] [-t seckey comment]
 $ minisign -S [-H] [-s seckey file] [-x signature file] [-c comment] [-t trusted comment] -m file
 $ minisign -V [-x signature file] [-p pubkey file | -P public key] [-o] [-q] -m file

 -G                generate a new key pair
 -S                sign a file
 -V                verify that a signature is valid for a given file
 -m <file>         file to sign/verify
 -o                combined with -V, output the file content after verification
 -p <pubkeyfile>   public key file (default: ./minisign.pub)
 -P <pubkey>       public key, as a base64 string
 -s <seckey>       secret key file (default: ~/.minisign/minisign.key)
 -x <sigfile>      signature file (default: <file>.minisig)
 -c <comment>      add a one-line untrusted comment / comment for public key
 -t <comment>      add a one-line trusted comment / comment for secret key
 -q                quiet mode, suppress output
 -Q                pretty quiet mode, only print the trusted comment - overrides quiet mode
 -f                force. Combined with -G, overwrite a previous key pair
 -v                display version number
 -X                read password directly into secure buffer, note that input will not be hidden

Security issue

When generating keys and signing documents, a password is required to retrieve the secret key. To keep the password from being displayed as it is typed, the input is read from stdin as a string before being passed into a secure buffer, so a copy of the password exists in memory outside the secure buffer.

This can be avoided using the --secure flag, but note that the password input will then not be hidden in the terminal window.

API

Public Key

parsePubKey(pubKeyFileContent) takes public key file content as a buffer and returns key information as buffers:

{
  untrustedComment,
  signatureAlgorithm,
  keyID,
  publicKey
}

parseKeyCLI(pubKeyString) takes a 56 character string and returns public key information as buffers:

{
  signatureAlgorithm,
  keyID,
  publicKey
}

Reading signature

parseSignature(sigFileContent) takes signature file content as a buffer and returns signature information as buffers:

{
  untrustedComment,
  signatureAlgorithm,
  keyID,
  signature,
  trustedComment,
  globalSignature
}

Reading secret key

parseSecretKey(secKeyFileContent) takes secret key file content as a buffer and returns encrypted key information as buffers if checksum is verified:

{
  untrustedComment,
  signatureAlgorithm,
  kdfAlgorithm,
  cksumAlgorithm,
  kdfSalt,
  kdfOpsLimit,
  kdfMemLimit,
  keynumSK
}

extractSecretKey(pwd, secretKeyInfo) takes input password as buffer and encrypted key information directly from parseSecretKey and returns secret key information as buffers:

{
  keyID,
  secretKey,
  sumCheck,
  checkSum,
  signatureAlgorithm
}

Signing content provided as buffer

signContent(content, SKdetails, opts) takes content as buffer, secret key details directly from extractSecretKey and opts = { comment, tComment, sigAlgorithm = 'Ed' || 'ED' } and returns a minisign formatted output together with signature properties:

{
  outputBuf,
  untrustedComment,
  sigInfoBase64,
  trustComment,
  globalSigBase64
}

Verifying signature

verifySignature(signature, originalContent, publicKeyInfo) first checks that the key ID of the secret key used to sign corresponds to that of the public key given to verify, then the signature is verified, and lastly the global signature with the trusted comment included is verified.

Returns true for successful verification or prints err otherwise.
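The three checks described above, together with the 56-character public key layout that parseKeyCLI consumes, as an added example that is not the project's own code. It uses only Node's built-in crypto module; the function names, the SPKI wrapping and the sample data are assumptions of this example, and 'ED' is taken to mean Ed25519 over a BLAKE2b-512 hash of the content, as in the reference minisign format.

```javascript
const crypto = require('crypto');
// DER header that turns a raw 32-byte Ed25519 key into an SPKI structure Node can import.
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// 56 base64 characters -> 42 bytes: algorithm (2) || key ID (8) || public key (32).
function parsePublicKey(b64) {
  const raw = Buffer.from(b64, 'base64');
  if (b64.length !== 56 || raw.length !== 42) throw new Error('bad public key length');
  if (raw.toString('latin1', 0, 2) !== 'Ed') throw new Error('unsupported key algorithm');
  return { keyID: raw.subarray(2, 10), publicKey: raw.subarray(10) };
}

// Lines: untrusted comment, base64(algorithm || key ID || signature), trusted comment, base64(global signature).
function parseSignatureFile(text) {
  const [l1 = '', l2 = '', l3 = '', l4 = ''] = text.split(/\r?\n/);
  const raw = Buffer.from(l2, 'base64');
  const globalSignature = Buffer.from(l4, 'base64');
  if (!l1.startsWith('untrusted comment: ') || !l3.startsWith('trusted comment: ') ||
      raw.length !== 74 || globalSignature.length !== 64) throw new Error('malformed signature file');
  return { algorithm: raw.toString('latin1', 0, 2), keyID: raw.subarray(2, 10), signature: raw.subarray(10),
    trustedComment: l3.slice('trusted comment: '.length), globalSignature };
}

// Returns 'ok' or the name of the first check that failed.
function verify(content, sigText, pubKeyB64) {
  const pk = parsePublicKey(pubKeyB64);
  const sig = parseSignatureFile(sigText);
  const key = crypto.createPublicKey({ key: Buffer.concat([SPKI_PREFIX, pk.publicKey]), format: 'der', type: 'spki' });
  if (!sig.keyID.equals(pk.keyID)) return 'key ID mismatch';                    // check 1: key IDs agree
  let msg = content;                                                            // 'Ed': signature covers the raw content
  if (sig.algorithm === 'ED') msg = crypto.createHash('blake2b512').update(content).digest(); // prehashed variant
  else if (sig.algorithm !== 'Ed') return 'unsupported signature algorithm';
  if (!crypto.verify(null, msg, key, sig.signature)) return 'bad signature';     // check 2: content signature
  const covered = Buffer.concat([sig.signature, Buffer.from(sig.trustedComment)]);
  if (!crypto.verify(null, covered, key, sig.globalSignature)) return 'bad trusted comment'; // check 3: global signature
  return 'ok';
}

// Constructed sample: a throwaway key pair and a legacy 'Ed' signature file in the layout above.
function makeSample(content, trustedComment) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const head = Buffer.concat([Buffer.from('Ed'), crypto.randomBytes(8)]);
  const rawPk = publicKey.export({ format: 'der', type: 'spki' }).subarray(12);
  const signature = crypto.sign(null, content, privateKey);
  const globalSig = crypto.sign(null, Buffer.concat([signature, Buffer.from(trustedComment)]), privateKey);
  return { pubKey: Buffer.concat([head, rawPk]).toString('base64'),
    sigFile: ['untrusted comment: constructed sample', Buffer.concat([head, signature]).toString('base64'),
      'trusted comment: ' + trustedComment, globalSig.toString('base64'), ''].join('\n') };
}
```

Because the trusted comment is only covered by the global signature, a caller should act on it only after verify returns 'ok'; the untrusted comment is never authenticated.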

Generating Keys

keypairGen(password, opts) takes password as a secure buffer and opts = { PKcomment, SKcomment, sigAlgorithm = 'Ed', kdfAlgorithm = 'Sc', ckSumAlgorithm = 'B2' }. Returns key information as buffers:

{
  publicKey,
  sigAlgorithm,
  keyID,
  kdfAlgorithm,
  cksumAlgorithm,
  kdfSalt,
  kdfLimits,
  keynumSK,
  SKcomment,
  PKcomment
}

sigAlgorithm, kdfAlgorithm and ckSumAlgorithm should be left as their default value as there is currently no support for alternative algorithms.

formatKeys(keypairGenOutput) takes the output of keypairGen directly and outputs minisign formatted key information as separate buffers:

{
  PK,
  SK
}

License

ISC

minisign's People

Contributors

chm-diederichs, emilbayes, jedisct1


minisign's Issues

Error: ENOMEM, Cannot allocate memory on extractSecretKey

I am receiving an Error: ENOMEM, Cannot allocate memory when trying to use the extractSecretKey functionality.

My code looks like:

index.js

const fs = require('fs');
const Minisign = require('./src/Minisign');

const file = fs.readFileSync('/Users/jared/.minisign/minisign.key');
const miniSign = new Minisign('abcd', file);
miniSign.signFile('/Users/jared/filetosign.txt');

/src/Minisign.js

const minisign = require('minisign');
const fs = require('fs');

class Minisign {
  constructor(password, privateKey) {
    this.MINISIGN_PASSWORD = Buffer.from(password);
    this.MINISIGN_PRIVATE_KEY = privateKey;
  }

  signFile(filePath) {
    const privateKeyBuffer = minisign.parseSecretKey(this.MINISIGN_PRIVATE_KEY);
    const privateKey = minisign.extractSecretKey(
      this.MINISIGN_PASSWORD,
      privateKeyBuffer
    );
    console.log(privateKey);
  }
}

module.exports = Minisign;

Full error:

/Users/jared/Projects/scratch/minisign-tests/node_modules/minisign/minisign.js:130
sodium.sodium_mprotect_readwrite(pwd)
^

Error: ENOMEM, Cannot allocate memory
at Object.extractSecretKey (/Users/jared/Projects/scratch/minisign-tests/node_modules/minisign/minisign.js:130:10)
at Minisign.signFile (/Users/jared/Projects/scratch/minisign-tests/src/Minisign.js:14:33)
at Object.<anonymous> (/Users/jared/Projects/scratch/minisign-tests/index.js:10:10)
at Module._compile (internal/modules/cjs/loader.js:688:30)
at Object.Module._extensions..js (internal/modules/cjs/loader.js:699:10)
at Module.load (internal/modules/cjs/loader.js:598:32)
at tryModuleLoad (internal/modules/cjs/loader.js:537:12)
at Function.Module._load (internal/modules/cjs/loader.js:529:3)
at Function.Module.runMain (internal/modules/cjs/loader.js:741:12)
at startup (internal/bootstrap/node.js:285:19)
