From 6be7a04fcece68c3b3227e15a3d342d391cac8a7 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Wed, 16 Jun 2021 17:46:32 +0800
Subject: [PATCH 1/5] build: add separate keypairs for dev environment
---
 src/resource/signing-keys.ts | 4 ++--
 src/resource/verification-keys.ts | 4 ++--
 src/util/publicKey.ts | 2 ++
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/src/resource/signing-keys.ts b/src/resource/signing-keys.ts
index 52bd056..02e093d 100644
--- a/src/resource/signing-keys.ts
+++ b/src/resource/signing-keys.ts
@@ -4,8 +4,8 @@ export const SIGNING_KEYS = {
 publicKey: 'rjv41kYqZwcbe3r6ymMEEKQ+Vd+DPuogN+Gzq3lP2Og=',
 },
 development: {
- // Using the same keys for staging.
- publicKey: 'rjv41kYqZwcbe3r6ymMEEKQ+Vd+DPuogN+Gzq3lP2Og=',
+ publicKey: '5AYDhjpaloNn4kg7PY0LVpsYAEG/7oI8n1XZjR42vz0=',
+ secretKey: '0oUKRb8q2l8/n32WeXWQ0yiBhEQXTD7i3UPGj2Y0a0g=',
 },
 production: {
 // production must never contain secret keys
diff --git a/src/resource/verification-keys.ts b/src/resource/verification-keys.ts
index 88b03b6..14233a0 100644
--- a/src/resource/verification-keys.ts
+++ b/src/resource/verification-keys.ts
@@ -4,8 +4,8 @@ export const VERIFICATION_KEYS = {
 publicKey: 'bDgK1223JbrDNePFIrj7b0z02Z5nSiBzkRYRqDdVPfA=',
 },
 development: {
- // Using the same keys for staging.
- publicKey: 'bDgK1223JbrDNePFIrj7b0z02Z5nSiBzkRYRqDdVPfA=',
+ publicKey: 'yMfJ8unVMWfHPoDRY23SdFnWudMXmB6pGfDgBVhRbzs=',
+ secretKey: 'p4iJR5B/YobjRYcIO8iiJmmsMH7YjIr4O1P4DY1lyO0=',
 },
 production: {
 // production must never contain secret keys
diff --git a/src/util/publicKey.ts b/src/util/publicKey.ts
index 286fb95..a187f00 100644
--- a/src/util/publicKey.ts
+++ b/src/util/publicKey.ts
@@ -12,6 +12,7 @@ import STAGE from './stage'
 function getSigningPublicKey(mode?: PackageMode) {
 switch (mode) {
 case STAGE.development:
+ return SIGNING_KEYS.development.publicKey
 case STAGE.staging:
 return SIGNING_KEYS.staging.publicKey
 case STAGE.test:
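Review bot: The `development` entry in `src/resource/signing-keys.ts` now holds a `secretKey` literal with nothing saying why that is acceptable, while the `production` entry a few lines below carries `// production must never contain secret keys`; the `development` entry in `src/resource/verification-keys.ts` is in the same state. The commit also drops the old `// Using the same keys for staging.` comment without a replacement. I would add a comment above both entries, for example `// development keypair is committed on purpose and is public: never use it outside local development`, so that nobody later copies the pattern into staging or production. Both object literals start and end outside the hunks.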
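Review bot: The added `return SIGNING_KEYS.development.publicKey` in `src/util/publicKey.ts` makes development mode return the public half of a keypair whose secret half is committed in this same series, where the previous fall-through returned the staging public key; the second hunk does the same in `getVerificationPublicKey`. Whatever these keys are used to check (presumably signatures) can therefore be produced in development mode by anyone who has the repository, and neither function documents that. I would put a doc comment on both, e.g. `/** In development mode the returned key's secret half is public; results carry no authenticity guarantee. */`. The rest of each `switch` lies outside the hunks, so it is worth confirming that an omitted `mode` (the parameter is optional) cannot end up on the development branch.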
@@ -29,6 +30,7 @@ function getSigningPublicKey(mode?: PackageMode) {
 function getVerificationPublicKey(mode?: PackageMode) {
 switch (mode) {
 case STAGE.development:
+ return VERIFICATION_KEYS.development.publicKey
 case STAGE.staging:
 return VERIFICATION_KEYS.staging.publicKey
 case STAGE.test:
From 9d53e5e6b552b82df2f286c0af666a29a4202925 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Thu, 17 Jun 2021 10:46:37 +0800
Subject: [PATCH 2/5] fix: use nacl.sign instead of nacl.box for keygen
---
 src/resource/signing-keys.ts | 4 ++--
 src/resource/verification-keys.ts | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/resource/signing-keys.ts b/src/resource/signing-keys.ts
index 02e093d..19f6bbf 100644
--- a/src/resource/signing-keys.ts
+++ b/src/resource/signing-keys.ts
@@ -4,8 +4,8 @@ export const SIGNING_KEYS = {
 publicKey: 'rjv41kYqZwcbe3r6ymMEEKQ+Vd+DPuogN+Gzq3lP2Og=',
 },
 development: {
- publicKey: '5AYDhjpaloNn4kg7PY0LVpsYAEG/7oI8n1XZjR42vz0=',
- secretKey: '0oUKRb8q2l8/n32WeXWQ0yiBhEQXTD7i3UPGj2Y0a0g=',
+ publicKey: 'Tl5gfszlKcQj99/0uafLwVpT6JAu4C0dHGvLq1cHzFE=',
+ secretKey: 'HDBXpu+2/gu10bLHpy8HjpN89xbA6boH9GwibPGJA8BOXmB+zOUpxCP33/S5p8vBWlPokC7gLR0ca8urVwfMUQ==',
 },
 production: {
 // production must never contain secret keys
diff --git a/src/resource/verification-keys.ts b/src/resource/verification-keys.ts
index 14233a0..bd08bd2 100644
--- a/src/resource/verification-keys.ts
+++ b/src/resource/verification-keys.ts
@@ -4,8 +4,8 @@ export const VERIFICATION_KEYS = {
 publicKey: 'bDgK1223JbrDNePFIrj7b0z02Z5nSiBzkRYRqDdVPfA=',
 },
 development: {
- publicKey: 'yMfJ8unVMWfHPoDRY23SdFnWudMXmB6pGfDgBVhRbzs=',
- secretKey: 'p4iJR5B/YobjRYcIO8iiJmmsMH7YjIr4O1P4DY1lyO0=',
+ publicKey: 'SZ4pV0JXgj8dhFU69uHllqYcxTtliYmi+d6Ml56lnQU=',
+ secretKey: 'iGkfOuI6uxrlfw+7CZFFUZBwk86I+pu6v+g7EWA6qJpJnilXQleCPx2EVTr24eWWphzFO2WJiaL53oyXnqWdBQ==',
 },
 production: {
 // production must never contain secret keys
From 83b116674516f379d6c6a682f13cff4d7085dfa3 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Thu, 17 Jun 2021 10:52:25 +0800
Subject: [PATCH 3/5] docs: add comment specifying keygen function
---
 src/resource/signing-keys.ts | 1 +
 src/resource/verification-keys.ts | 1 +
 2 files changed, 2 insertions(+)
diff --git a/src/resource/signing-keys.ts b/src/resource/signing-keys.ts
index 19f6bbf..c7ef9fc 100644
--- a/src/resource/signing-keys.ts
+++ b/src/resource/signing-keys.ts
@@ -1,3 +1,4 @@
+// keys generated using nacl.sign.keyPair()
 export const SIGNING_KEYS = {
 staging: {
 // staging must never contain secret keys
diff --git a/src/resource/verification-keys.ts b/src/resource/verification-keys.ts
index bd08bd2..5104af1 100644
--- a/src/resource/verification-keys.ts
+++ b/src/resource/verification-keys.ts
@@ -1,3 +1,4 @@
+// keys generated using nacl.sign.keyPair()
 export const VERIFICATION_KEYS = {
 staging: {
 // staging must never contain secret keys
From f669eac8854685e8aca333c031dd24ae0993b8eb Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Thu, 17 Jun 2021 10:55:46 +0800
Subject: [PATCH 4/5] docs: specify library of keygen function
---
 src/resource/signing-keys.ts | 2 +-
 src/resource/verification-keys.ts | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/resource/signing-keys.ts b/src/resource/signing-keys.ts
index c7ef9fc..1dbc120 100644
--- a/src/resource/signing-keys.ts
+++ b/src/resource/signing-keys.ts
@@ -1,4 +1,4 @@
-// keys generated using nacl.sign.keyPair()
+// keys generated using nacl.sign.keyPair() from tweetnacl
 export const SIGNING_KEYS = {
 staging: {
 // staging must never contain secret keys
diff --git a/src/resource/verification-keys.ts b/src/resource/verification-keys.ts
index 5104af1..5c5b99b 100644
--- a/src/resource/verification-keys.ts
+++ b/src/resource/verification-keys.ts
@@ -1,4 +1,4 @@
-// keys generated using nacl.sign.keyPair()
+// keys generated using nacl.sign.keyPair() from tweetnacl
 export const VERIFICATION_KEYS = {
 staging: {
 // staging must never contain secret keys
From 2d7ec33fab51bb0613f99e4438b26c5f2f11d758 Mon Sep 17 00:00:00 2001
From: Antariksh
Date: Thu, 17 Jun 2021 12:42:44 +0800
Subject: [PATCH 5/5] test: add tests for key length
---
 spec/keys.spec.ts | 58 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 spec/keys.spec.ts
diff --git a/spec/keys.spec.ts b/spec/keys.spec.ts
new file mode 100644
index 0000000..1a1b8de
--- /dev/null
+++ b/spec/keys.spec.ts
@@ -0,0 +1,58 @@
+import { SIGNING_KEYS } from '../src/resource/signing-keys'
+import { VERIFICATION_KEYS } from '../src/resource/verification-keys'
+
+describe('Key lengths', () => {
+ // ED25519 key lengths in base64
+ const PUBLIC_KEY_LENGTH = 44
+ const SECRET_KEY_LENGTH = 88
+
+ describe('Verification keys', () => {
+ describe('Public keys', () => {
+ it('should have the correct length for ED25519 public keys', () => {
+ expect(VERIFICATION_KEYS.development.publicKey).toHaveLength(
+ PUBLIC_KEY_LENGTH
+ )
+ expect(VERIFICATION_KEYS.test.publicKey).toHaveLength(PUBLIC_KEY_LENGTH)
+ expect(VERIFICATION_KEYS.staging.publicKey).toHaveLength(
+ PUBLIC_KEY_LENGTH
+ )
+ expect(VERIFICATION_KEYS.production.publicKey).toHaveLength(
+ PUBLIC_KEY_LENGTH
+ )
+ })
+ })
+
+ describe('Secret keys', () => {
+ it('should have the correct length for ED25519 secret keys in test and dev mode', () => {
+ expect(VERIFICATION_KEYS.development.secretKey).toHaveLength(
+ SECRET_KEY_LENGTH
+ )
+ expect(VERIFICATION_KEYS.test.secretKey).toHaveLength(SECRET_KEY_LENGTH)
+ })
+ })
+ })
+
+ describe('Signing keys', () => {
+ describe('Public keys', () => {
+ it('should have the correct length for ED25519 public keys', () => {
+ expect(SIGNING_KEYS.development.publicKey).toHaveLength(
+ PUBLIC_KEY_LENGTH
+ )
+ expect(SIGNING_KEYS.test.publicKey).toHaveLength(PUBLIC_KEY_LENGTH)
+ expect(SIGNING_KEYS.staging.publicKey).toHaveLength(PUBLIC_KEY_LENGTH)
+ expect(SIGNING_KEYS.production.publicKey).toHaveLength(
+ PUBLIC_KEY_LENGTH
+ )
+ })
+ })
+
+ describe('Secret keys', () => {
+ it('should have the correct length for ED25519 secret keys in test and dev mode', () => {
+ expect(SIGNING_KEYS.development.secretKey).toHaveLength(
+ SECRET_KEY_LENGTH
+ )
+ expect(SIGNING_KEYS.test.secretKey).toHaveLength(SECRET_KEY_LENGTH)
+ })
+ })
+ })
+})
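Review bot: The spec checks string lengths only, so the rule the key files state in comments (`staging must never contain secret keys`, `production must never contain secret keys`) is still enforced by nothing; a `secretKey` pasted into either entry would pass every test here. I would add a block asserting its absence for both key sets, written with `toHaveProperty` so that it does not depend on the literal's inferred type (this assumes Jest, which `toHaveLength` suggests). A length of 44 or 88 characters also does not show that a value decodes as base64 or that a public key belongs to its secret key, which would be a reasonable follow-up check.

```typescript
describe('Key lengths', () => {
  // … unchanged: length constants and the existing length checks …

  describe('Secret key absence', () => {
    it('should not define secret keys for staging and production', () => {
      for (const keys of [SIGNING_KEYS, VERIFICATION_KEYS]) {
        expect(keys.staging).not.toHaveProperty('secretKey')
        expect(keys.production).not.toHaveProperty('secretKey')
      }
    })
  })
})
```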