minisign

package
v1.5.43 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: May 2, 2024 License: GPL-3.0, MIT Imports: 17 Imported by: 0

Documentation

Overview

Package minisign implements the minisign signature scheme.

Index

Constants

View Source 
const (
	// EdDSA refers to the Ed25519 signature scheme.
	//
	// Minisign uses this signature scheme to sign and
	// verify (non-hashed) messages.
	EdDSA uint16 = 0x6445

	// HashEdDSA refers to a Ed25519 signature scheme
	// with pre-hashed messages.
	//
	// Minisign uses this signature scheme to sign and
	// verify message that don't fit into memory.
	HashEdDSA uint16 = 0x4445
)

Variables

This section is empty.

Functions

func EncryptKey 

func EncryptKey(password string, privateKey PrivateKey) ([]byte, error)

EncryptKey encrypts the private key with the given password using some entropy from the RNG of the OS.

func GenerateKey 

func GenerateKey(random io.Reader) (PublicKey, PrivateKey, error)

GenerateKey generates a public/private key pair using entropy from random. If random is nil, crypto/rand.Reader will be used.

func Sign 

func Sign(privateKey PrivateKey, message []byte) []byte

Sign signs the given message with the private key.

It behaves like SignWithComments with some generic comments.

func SignWithComments 

func SignWithComments(privateKey PrivateKey, message []byte, trustedComment, untrustedComment string) []byte

SignWithComments signs the given message with the private key.

The trustedComment as well as the untrustedComment are embedded into the returned signature. The trustedComment is signed and will be checked when the signature is verified. The untrustedComment is not signed and must not be trusted.

func Verify 

func Verify(publicKey PublicKey, message, signature []byte) bool

Verify checks whether message is authentic by verifying it with the given public key and signature. It returns true if and only if the signature verification is successful.

Types

type PrivateKey 

type PrivateKey struct {
	RawID    uint64
	RawBytes [ed25519.PrivateKeySize]byte
	// contains filtered or unexported fields
}

PrivateKey is a minisign private key.

A private key can sign messages to prove the their origin and authenticity.

PrivateKey implements the crypto.Signer interface.

func DecryptKey 

func DecryptKey(password string, privateKey []byte) (PrivateKey, error)

DecryptKey tries to decrypt the encrypted private key with the given password.

func PrivateKeyFromFile 

func PrivateKeyFromFile(password, path string) (PrivateKey, error)

PrivateKeyFromFile reads and decrypts the private key file with the given password.

func (PrivateKey) Bytes 

func (p PrivateKey) Bytes() []byte

func (PrivateKey) Equal 

func (p PrivateKey) Equal(x crypto.PrivateKey) bool

Equal returns true if and only if p and x have equivalent values.

func (PrivateKey) ID 

func (p PrivateKey) ID() uint64

ID returns the 64 bit key ID.

func (PrivateKey) Public 

func (p PrivateKey) Public() crypto.PublicKey

Public returns the corresponding public key.

func (PrivateKey) Sign 

func (p PrivateKey) Sign(_ io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error)

Sign signs the given message.

The minisign signature scheme relies on Ed25519 and supports plain as well as pre-hashed messages. Therefore, opts can be either crypto.Hash(0) to signal that the message has not been hashed or crypto.BLAKE2b_512 to signal that the message is a BLAKE2b-512 digest. If opts is crypto.BLAKE2b_512 then message must be a 64 bytes long.

Minisign signatures are deterministic such that no randomness is necessary.

type PublicKey 

type PublicKey struct {
	// contains filtered or unexported fields
}

PublicKey is a minisign public key.

A public key is used to verify whether messages have been signed with the corresponding private key.

func PublicKeyFromFile 

func PublicKeyFromFile(path string) (PublicKey, error)

PublicKeyFromFile reads a new PublicKey from the given file.

func (PublicKey) Equal 

func (p PublicKey) Equal(x crypto.PublicKey) bool

Equal returns true if and only if p and x have equivalent values.

func (PublicKey) ID 

func (p PublicKey) ID() uint64

ID returns the 64 bit key ID.

func (PublicKey) MarshalText 

func (p PublicKey) MarshalText() ([]byte, error)

MarshalText returns a textual representation of the PublicKey p.

It never returns an error.

func (PublicKey) String 

func (p PublicKey) String() string

String returns a base64 string representation of the PublicKey p.

func (*PublicKey) UnmarshalText 

func (p *PublicKey) UnmarshalText(text []byte) error

UnmarshalText parses text as textual-encoded public key. It returns an error if text is not a well-formed public key.

type Reader 

type Reader struct {
	// contains filtered or unexported fields
}

Reader is an io.Reader that reads a message while, at the same time, computes its digest.

At any point, typically at the end of the message, Reader can sign the message digest with a private key or try to verify the message with a public key and signature.

func NewReader 

func NewReader(r io.Reader) *Reader

NewReader returns a new Reader that reads from r and computes a digest of the read data.

func (*Reader) Read 

func (r *Reader) Read(p []byte) (int, error)

Read reads from the underlying io.Reader as specified by the io.Reader interface.

func (*Reader) Sign 

func (r *Reader) Sign(privateKey PrivateKey) []byte

Sign signs whatever has been read from the underlying io.Reader up to this point in time with the given private key.

It behaves like SignWithComments but uses some generic comments.

func (*Reader) SignWithComments 

func (r *Reader) SignWithComments(privateKey PrivateKey, trustedComment, untrustedComment string) []byte

SignWithComments signs whatever has been read from the underlying io.Reader up to this point in time with the given private key.

The trustedComment as well as the untrustedComment are embedded into the returned signature. The trustedComment is signed and will be checked when the signature is verified. The untrustedComment is not signed and must not be trusted.

SignWithComments computes the digest as a snapshot. So, it is possible to create multiple signatures of different message prefixes by reading up to a certain byte, signing this message prefix, and then continue reading.

func (*Reader) Verify 

func (r *Reader) Verify(publicKey PublicKey, signature []byte) bool

Verify checks whether whatever has been read from the underlying io.Reader up to this point in time is authentic by verifying it with the given public key and signature.

Verify computes the digest as a snapshot. Therefore, Verify can verify any signature produced by Sign or SignWithComments, including signatures of partial messages, given the correct public key and signature.

type Signature 

type Signature struct {

	// Algorithm is the signature algorithm. It is either
	// EdDSA or HashEdDSA.
	Algorithm uint16

	// KeyID may be the 64 bit ID of the private key that was used
	// to produce this signature. It can be used to identify the
	// corresponding public key that can verify the signature.
	//
	// However, key IDs are random identifiers and not protected at all.
	// A key ID is just a hint to quickly identify a public key candidate.
	KeyID uint64

	// TrustedComment is a comment that has been signed and is
	// verified during signature verification.
	TrustedComment string

	// UntrustedComment is a comment that has not been signed
	// and is not verified during signature verification.
	//
	// It must not be considered authentic - in contrast to the
	// TrustedComment.
	UntrustedComment string

	// Signature is the Ed25519 signature of the message that
	// has been signed.
	Signature [ed25519.SignatureSize]byte

	// CommentSignature is the Ed25519 signature of Signature
	// concatenated with the TrustedComment:
	//
	//    CommentSignature = ed25519.Sign(PrivateKey, Signature || TrustedComment)
	//
	// It is used to verify that the TrustedComment is authentic.
	CommentSignature [ed25519.SignatureSize]byte
	// contains filtered or unexported fields
}

Signature is a structured representation of a minisign signature.

A signature is generated when signing a message with a private key: 

signature = Sign(privateKey, message)

The signature of a message can then be verified with the corresponding public key: 

if Verify(publicKey, message, signature) {
   // => signature is valid
   // => message has been signed with correspoding private key
}

func SignatureFromFile 

func SignatureFromFile(file string) (Signature, error)

SignatureFromFile reads a new Signature from the given file.

func (Signature) Equal 

func (s Signature) Equal(x Signature) bool

Equal reports whether s and x have equivalent values.

The untrusted comments of two equivalent signatures may differ.

func (Signature) MarshalText 

func (s Signature) MarshalText() ([]byte, error)

MarshalText returns a textual representation of the Signature s.

It returns an error if s cannot be a valid signature - e.g. because the signature algorithm is neither EdDSA nor HashEdDSA.

func (Signature) String 

func (s Signature) String() string

String returns a string representation of the Signature s.

In contrast to MarshalText, String does not fail if s is not a valid minisign signature.

func (*Signature) UnmarshalText 

func (s *Signature) UnmarshalText(text []byte) error

UnmarshalText parses text as textual-encoded signature. It returns an error if text is not a well-formed minisign signature.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.