npm - spd-lib - Versions diffs - 1.1.5 → 1.1.7 - Mend

spd-lib 1.1.5 → 1.1.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +84 -13
package/package.json +1 -1

package/index.js CHANGED Viewed

@@ -11,11 +11,27 @@ class SPD {
         this.keyPair; // Generate a key pair for encryption/decryption
         this.userKey;
         this.salt;
+        this.signingKeyPair;
         this.init();
     }
     async init() {
         await sodium.ready;
         this.keyPair = sodium.crypto_box_keypair()
+        this.signingKeyPair = sodium.crypto_sign_keypair();
+    }
+    static async deriveSigningKeys(passcode, salt) {
+        if (!passcode || typeof passcode !== 'string' || passcode.length < 8 ||
+            !salt || !(salt instanceof Buffer) || salt.length !== 16) {
+            throw new Error('Invalid passcode or salt.');
+        }
+        const { pbk } = await SPD.derivePBK(passcode, salt);
+        await sodium.ready;
+        // Derive separate keys for signing to avoid key reuse
+        const signingSeed = pbk.slice(0, sodium.crypto_sign_SEEDBYTES);
+        const signingKeyPair = sodium.crypto_sign_seed_keypair(signingSeed);
+        return { signingKeyPair };
     }
     async setPassKey(passcode){
             await sodium.ready;
@@ -24,6 +40,8 @@ class SPD {
 const userKey = pqcKey.publicKey;
 this.userKey = userKey;
 this.salt = salt;
+const derivedKeys = await SPD.deriveSigningKeys(passcode, salt);
+    this.signingKeyPair = derivedKeys.signingKeyPair;
     }
     async addData(name, data) {
@@ -36,7 +54,8 @@ this.salt = salt;
         const nonce = sodium.randombytes_buf(sodium.crypto_box_NONCEBYTES);
         const encryptedData = sodium.crypto_secretbox_easy(compressedData, nonce, this.userKey);
         const hash = crypto.createHash('sha256').update(encryptedData).digest('hex');
-        this.data.push({ dataName: name, nonce: Array.from(nonce), data: Array.from(encryptedData), hash, dataType: dmap[1] });
+        const signature = sodium.crypto_sign_detached(encryptedData, this.signingKeyPair.privateKey);
+        this.data.push({ dataName: name, nonce: Array.from(nonce), data: Array.from(encryptedData),signature:Array.from(signature), hash, dataType: dmap[1] });
     }
     saveToFile(outputPath) {
@@ -44,7 +63,7 @@ this.salt = salt;
             throw new Error('Invalid output path or salt.');
         }
-        const spdData = JSON.stringify({ data: this.data, salt: Array.from(this.salt) });
+        const spdData = JSON.stringify({ data: this.data, salt: Array.from(this.salt),signingPublicKey:Array.from(this.signingKeyPair.publicKey) });
         const compressedSpdData = zlib.deflateSync(spdData);
         fs.writeFileSync(outputPath, compressedSpdData, { mode: 0o600 });
     }
@@ -60,7 +79,7 @@ this.salt = salt;
         await sodium.ready;
         const compressedSpdData = fs.readFileSync(spdPath);
         const spdData = zlib.inflateSync(compressedSpdData).toString('utf8');
-        const { data, salt } = JSON.parse(spdData);
+        const { data, salt, signingPublicKey } = JSON.parse(spdData);
         const { pqcKey } = await new SPD().convertPasscodeToPQCKeySalted(passcode, new Uint8Array(salt));
         const pbk = pqcKey.publicKey;
@@ -69,19 +88,34 @@ this.salt = salt;
         spd.keyPair = {
             publicKey: pbk.publicKey
         };
+        spd.signingKeyPair = { publicKey: Uint8Array.from(signingPublicKey) };
         spd.data = data.map(dat => ({
             dataName: dat.dataName,
             nonce: Buffer.from(dat.nonce),
             data: Buffer.from(dat.data),
+            signature: Buffer.from(dat.signature),
             hash: dat.hash,
             dataType: dat.dataType
         }));
         spd.data.forEach(dat => {
-            const calculatedHash = crypto.createHash('sha256').update(Buffer.from(dat.data)).digest('hex');
+            const encryptedBuffer = Buffer.from(dat.data);
+            const signatureBuffer = Buffer.from(dat.signature);
+            const signingPublicKeyBuffer = Uint8Array.from(signingPublicKey);
+            const isValid = sodium.crypto_sign_verify_detached(signatureBuffer, encryptedBuffer, signingPublicKeyBuffer);
+            if (!isValid) {
+                rej(new Error(`Signature verification failed for ${dat.dataName}`));
+                return;
+            }
+            const calculatedHash = crypto.createHash('sha256').update(encryptedBuffer).digest('hex');
             if (calculatedHash !== dat.hash) {
                 rej(new Error(`Data integrity check failed for ${dat.dataName}`));
+                return;
             }
         });
         res(spd);
     }catch{
         rej()
@@ -95,10 +129,34 @@ this.salt = salt;
         await sodium.ready;
         let extractedFiles = {};
         this.data.forEach(async dat => {
-            const decryptedData = sodium.crypto_secretbox_open_easy(dat.data, dat.nonce, this.userKey);
-            const decompressedData = zlib.inflateSync(decryptedData);
-            const dt = decompressedData.toString('utf8');
-            extractedFiles[dat.dataName] = await this.CSTI(dt, dat.dataType);
+            try{
+                const calculatedHash = crypto.createHash('sha256').update(dat.data).digest('hex');
+                if (calculatedHash !== dat.hash) {
+                    throw new Error(`Hash mismatch for ${dat.dataName}`);
+                }
+                // Verify signature
+                const isValid = sodium.crypto_sign_verify_detached(
+                    Buffer.from(dat.signature),
+                    Buffer.from(dat.data),
+                    this.signingKeyPair.publicKey
+                );
+                if (!isValid) {
+                    throw new Error(`Signature verification failed for ${dat.dataName}`);
+                }
+                // Decrypt data
+                const decryptedData = sodium.crypto_secretbox_open_easy(
+                    Buffer.from(dat.data),
+                    Buffer.from(dat.nonce),
+                    this.userKey
+                );
+                const decompressedData = zlib.inflateSync(decryptedData);
+                const dt = decompressedData.toString('utf8');
+                extractedFiles[dat.dataName] = await this.CSTI(dt, dat.dataType);
+            }catch{
+                rej()
+            }
         });
         res(extractedFiles);
     }catch{
@@ -141,14 +199,16 @@ this.salt = salt;
         await sodium.ready;
         const spdDataBuffer = Buffer.from(spdData, 'base64');
         const spdData2 = zlib.inflateSync(spdDataBuffer).toString('utf8');
-        const { data, salt } = JSON.parse(spdData2);
+        const { data, salt, signingPublicKey } = JSON.parse(spdData2);
         const { pqcKey } = await new SPD().convertPasscodeToPQCKeySalted(passcode, new Uint8Array(salt));
         const pbk = pqcKey.publicKey;
         const spd = new SPD();
         spd.userKey = pbk;
         spd.keyPair = {
             publicKey: pbk.publicKey
         };
+        spd.signingKeyPair = { publicKey: Uint8Array.from(signingPublicKey) };
         spd.data = data.map(dat => ({
             dataName: dat.dataName,
             nonce: Buffer.from(dat.nonce),
@@ -157,10 +217,21 @@ this.salt = salt;
             dataType: dat.dataType
         }));
         spd.data.forEach(dat => {
-            const calculatedHash = crypto.createHash('sha256').update(Buffer.from(dat.data)).digest('hex');
-            if (calculatedHash !== dat.hash) {
-                rej(new Error(`Data integrity check failed for ${dat.dataName}`));
-            }
+            const encryptedBuffer = Buffer.from(dat.data);
+                const signatureBuffer = Buffer.from(dat.signature);
+                const signingPublicKeyBuffer = Uint8Array.from(signingPublicKey);
+                const isValid = sodium.crypto_sign_verify_detached(signatureBuffer, encryptedBuffer, signingPublicKeyBuffer);
+                if (!isValid) {
+                    rej(new Error(`Signature verification failed for ${dat.dataName}`));
+                    return;
+                }
+                const calculatedHash = crypto.createHash('sha256').update(encryptedBuffer).digest('hex');
+                if (calculatedHash !== dat.hash) {
+                    rej(new Error(`Data integrity check failed for ${dat.dataName}`));
+                    return;
+                }
         });
         res(spd);
     }catch{

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "spd-lib",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "SPD or Secure Packaged Data is a compress PQC protected file format to store sensitive data localy",
   "main": "index.js",
   "scripts": {