Skip to content

paywithcurl/signex

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

49 Commits
config
config
 
 
lib
lib
 
 
test
test
 
 
util
util
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
VERSION
VERSION
 
 
mix.exs
mix.exs
 
 
mix.lock
mix.lock
 
 

Repository files navigation

SignEx

Secure messages through digests and signing.

SignEx can work with any message which has:

  • content that can be represented as a binary, such as an HTML body.
  • metadata that can be represented as a map, such as HTML headers.

Signing a message consists of two steps

  • Generating a digest of the content
  • Signing the message metadata which includes the content digest.

Generating digest

Digests are calculated as the sha256 hashed body content. This digest is base64 encoded for transport.

Currently SignEx only digests using SHA-256. To support other digest methods in the future a digest identifier is added to the digest e.g.

digest = "SHA-256=" digest_content
digest_content = Base64(SHA-256(content_string))

Signing metadata

Signatures are generated by using a private key to sign a signing_string that is generated from the message metadata. Metadata is any enumerable list of keyvalue pairs where both key and value are castable to binaries.

[{"foo" => "value-1"}, {"bar" => "value-2"}]

signing_string = """
foo: value-1\n
bar: value-2\n
"""

Line delimiters shown for clarity

The signature is sent with additional parameters that allow a receiver to check the signature.

  • headers: A list of metadata keys that were uses to build the signing string
  • key_id: An opaque string that the receiver uses to identify the correct publich key to check that message is intact
  • algorithm: Identify the algorithm used, "rsa-sha512" or "ec-sha512"

Usage

Signing generic messages

content = "My exciting message!!!"
metadata = %{"my-key" => "my-value"}
{:ok, {metadata_with_digest, signature}} = SignEx.sign(content, metadata, keypair)
true = SignEx.verified?(content, metadata_with_digest, signature, keypair.public_key)

SignEx.HTTP

Would be nice to have a different word for the combination of actions other than sign. e.g. lock, fossilise!, bond(glue), hallmark, stamp, seal, intact

Notes

  • Adding extra headers does not count as tampering with the message

How test keys were generated

EC

  • openssl ecparam -out ec_private_key.pem -name secp521r1 -genkey
  • openssl ec -in ec_private_key.pem -pubout -out ec_public_key.pem

RSA

  • openssl genrsa -out private_key.pem 2048
  • openssl rsa -in private_key.pem -pubout > public_key.pem

Notes

  • Hashes and Digests refer to the same process. A hash function produces a digest. hash function == digest algorithm

About

Sign messages with private key

Resources

Readme
Activity
Custom properties

Stars

3 stars

Watchers

6 watching

Forks

0 forks
Report repository

Releases

18 tags

Packages

No packages published

Contributors 5

Languages