JSON Signatures
Simplified API to sign and verify JSON data. Summary:
```js
const JSONSign = require('json-signatures')

// create keypair
const kp = JSONSign.keypair()

// whatever, sign it
const msg = {b: 'foo', a: [1,2,3], c: [1,[{}]]}
const signedMessage = JSONSign.sign(kp.secret, msg)

// see if it has a valid signature
JSONSign.verify(signedMessage) // => true
```
Basically, it takes a JSON message M and a secret key, and turns it into JSON which can be used to verify M:
```js
{ message: M
, signedBy: {
    pubkey: "HPe1gjvok8tL8wYQUJKnYHhWxhPNVywQ0kjDEjTxozE=",
    signature: "DRV1bnJamWrW73oMHIqYDRiO71SH0IdJL...g969qzh0Ag=="
  }
}
```
Detailed usage
```sh
npm install --save json-signatures
```
First, create a key pair.
```js
const kp = JSONSign.keypair(nrOfRandomBytesForSecret)
```
It looks like:
```js
{
  public: "HPe1gjvok8tL8wYQUJ...VywQ0kjDEjTxozE=",
  secret: "QM+USi7HbuRHU1/DdYkzL322XNm3qJ...D+LLpjw=="
}
```
Then, you can use it to sign a JSON dictionary:
```js
const signedMessage = JSONSign.sign(kp.secret, M)
```
The public key will be derived from the passed secret key.
The resulting signedMessage will look like this:
```js
{
  message: M,
  signedBy: {
    pubkey: kp.public,
    signature: "+AAhMxhhjvz5CUEbZcziqb...ds/g6xFbU8WXLkdbloOUHBw=="
  }
}
```
Later, you can verify if a message is signed by a person with the secret corresponding to the public key.
```js
if (! JSONSign.verify(signedMessage) ) {
  // message was tampered with
}
```
Links
- Algorithm used is Ed25519 (Curve25519 + EdDSA), see pg. 7
- Implementation is elliptic
- Uses secure-random to generate secret
- Uses canonical-json to create the string on which the signature is based