tessl/npm-tweetnacl

Port of TweetNaCl cryptographic library to JavaScript providing comprehensive cryptographic primitives

Digital Signatures

Digital signatures using Ed25519. Create and verify cryptographic signatures for message authentication, integrity, and non-repudiation. Ed25519 provides fast signature generation and verification with strong security guarantees.

Capabilities

Signing and Verification

Create and verify digital signatures for messages.

/**
 * Signs a message using the secret key and returns a signed message
 * @param {Uint8Array} message - The message to sign
 * @param {Uint8Array} secretKey - The signing secret key (64 bytes)
 * @returns {Uint8Array} Signed message (64-byte signature followed by the original message)
 */
nacl.sign(message, secretKey): Uint8Array

/**
 * Verifies a signed message and returns the original message
 * @param {Uint8Array} signedMessage - The signed message to verify
 * @param {Uint8Array} publicKey - The signer's public key (32 bytes)
 * @returns {Uint8Array | null} Original message if valid, null if verification fails
 * @throws {Error} If publicKey is not 32 bytes
 */
nacl.sign.open(signedMessage, publicKey): Uint8Array | null

Usage Example:

const nacl = require('tweetnacl');

// Generate a key pair for signing
const keyPair = nacl.sign.keyPair();

// Sign a message
const message = new TextEncoder().encode("This is a signed message");
const signedMessage = nacl.sign(message, keyPair.secretKey);

// Verify the signature
const verified = nacl.sign.open(signedMessage, keyPair.publicKey);
if (verified) {
  console.log(new TextDecoder().decode(verified)); // "This is a signed message"
} else {
  console.log("Signature verification failed");
}

Detached Signatures

Create and verify detached signatures that are separate from the message.

/**
 * Creates a detached signature for a message
 * @param {Uint8Array} message - The message to sign
 * @param {Uint8Array} secretKey - The signing secret key (64 bytes)
 * @returns {Uint8Array} The signature (64 bytes)
 */
nacl.sign.detached(message, secretKey): Uint8Array

/**
 * Verifies a detached signature for a message
 * @param {Uint8Array} message - The original message
 * @param {Uint8Array} signature - The signature to verify (64 bytes)
 * @param {Uint8Array} publicKey - The signer's public key (32 bytes)
 * @returns {boolean} True if signature is valid, false otherwise
 * @throws {Error} If signature is not 64 bytes or publicKey is not 32 bytes
 */
nacl.sign.detached.verify(message, signature, publicKey): boolean

Usage Example:

const nacl = require('tweetnacl');

const keyPair = nacl.sign.keyPair();
const message = new TextEncoder().encode("Document to be signed");

// Create detached signature
const signature = nacl.sign.detached(message, keyPair.secretKey);

// Verify detached signature
const isValid = nacl.sign.detached.verify(message, signature, keyPair.publicKey);
console.log(isValid); // true

// Signatures can be stored/transmitted separately from the message
console.log(`Message: ${message.length} bytes`);
console.log(`Signature: ${signature.length} bytes`); // Always 64 bytes

Key Generation

Generate key pairs for digital signatures.

/**
 * Generates a new random key pair for signing
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}} Key pair object
 */
nacl.sign.keyPair(): {publicKey: Uint8Array, secretKey: Uint8Array}

/**
 * Derives a signing key pair from an existing 64-byte secret key
 * @param {Uint8Array} secretKey - The secret key (64 bytes)
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}} Key pair with corresponding public key
 */
nacl.sign.keyPair.fromSecretKey(secretKey): {publicKey: Uint8Array, secretKey: Uint8Array}

/**
 * Generates a deterministic key pair from a 32-byte seed
 * @param {Uint8Array} seed - Cryptographically secure seed (32 bytes)
 * @returns {{publicKey: Uint8Array, secretKey: Uint8Array}} Deterministic key pair
 */
nacl.sign.keyPair.fromSeed(seed): {publicKey: Uint8Array, secretKey: Uint8Array}

Usage Examples:

const nacl = require('tweetnacl');

// Generate a new random key pair
const randomKeyPair = nacl.sign.keyPair();
console.log(randomKeyPair.publicKey.length);  // 32
console.log(randomKeyPair.secretKey.length);  // 64

// Derive key pair from existing secret key
const derivedKeyPair = nacl.sign.keyPair.fromSecretKey(randomKeyPair.secretKey);
// derivedKeyPair.publicKey will be identical to randomKeyPair.publicKey

// Generate deterministic key pair from seed
const seed = nacl.randomBytes(nacl.sign.seedLength);
const seedKeyPair = nacl.sign.keyPair.fromSeed(seed);

// Same seed always produces the same key pair
const seedKeyPair2 = nacl.sign.keyPair.fromSeed(seed);
console.log(seedKeyPair.publicKey.every((byte, i) => byte === seedKeyPair2.publicKey[i])); // true

Constants

nacl.sign.publicKeyLength: number   // 32 - Length of public key in bytes
nacl.sign.secretKeyLength: number   // 64 - Length of secret key in bytes
nacl.sign.seedLength: number        // 32 - Length of seed for deterministic key generation
nacl.sign.signatureLength: number   // 64 - Length of signature in bytes
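
The byte layouts behind the functions above, as an added example that is not from the TweetNaCl documentation or library: it uses Node's built-in crypto module instead of tweetnacl to reproduce the 64-byte secret key (seed followed by public key) and the combined signed message (64-byte signature followed by the message), which is how a Node service can check such signatures without the dependency. The helper names keyPairFromSeed, signCombined and openCombined are hypothetical, and the two DER prefixes are the standard PKCS#8 and SPKI headers for raw Ed25519 keys.

```javascript
// Added example: NaCl byte layouts reproduced with Node's built-in crypto (not tweetnacl).
const nodeCrypto = require('crypto');

// Standard DER headers wrapping a raw Ed25519 seed (PKCS#8) or public key (SPKI).
const PKCS8_PREFIX = Buffer.from('302e020100300506032b657004220420', 'hex');
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');
const SIG_LEN = 64, PUB_LEN = 32, SEED_LEN = 32, SECRET_LEN = 64;

function privateKeyFromSeed(seed) {
  return nodeCrypto.createPrivateKey({
    key: Buffer.concat([PKCS8_PREFIX, seed]), format: 'der', type: 'pkcs8' });
}

// Hypothetical helper: same layout as nacl.sign.keyPair.fromSeed,
// where secretKey = seed (32 bytes) || publicKey (32 bytes).
function keyPairFromSeed(seed) {
  if (seed.length !== SEED_LEN) throw new Error('bad seed size');
  const spki = nodeCrypto.createPublicKey(privateKeyFromSeed(seed))
    .export({ format: 'der', type: 'spki' });
  const publicKey = new Uint8Array(spki.subarray(SPKI_PREFIX.length));
  return { publicKey, secretKey: new Uint8Array(Buffer.concat([seed, publicKey])) };
}

// Hypothetical helper: combined form, signature (64 bytes) || message.
function signCombined(message, secretKey) {
  if (secretKey.length !== SECRET_LEN) throw new Error('bad secret key size');
  const priv = privateKeyFromSeed(secretKey.subarray(0, SEED_LEN));
  const sig = nodeCrypto.sign(null, message, priv);
  return new Uint8Array(Buffer.concat([sig, message]));
}

// Hypothetical helper for untrusted input: returns the message, or null for
// wrong sizes, a tampered message, or a signature made by another key.
function openCombined(signedMessage, publicKey) {
  if (!(signedMessage instanceof Uint8Array) || signedMessage.length < SIG_LEN) return null;
  if (!(publicKey instanceof Uint8Array) || publicKey.length !== PUB_LEN) return null;
  const pub = nodeCrypto.createPublicKey({
    key: Buffer.concat([SPKI_PREFIX, publicKey]), format: 'der', type: 'spki' });
  const sig = signedMessage.subarray(0, SIG_LEN); // the part nacl.sign.detached returns
  const msg = signedMessage.subarray(SIG_LEN);
  return nodeCrypto.verify(null, msg, pub, sig) ? new Uint8Array(msg) : null;
}
```

Unlike nacl.sign.open and nacl.sign.detached.verify, which throw on wrong-sized keys or signatures, openCombined maps every malformed input to null so a request handler has a single failure path.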

Security Considerations

  • Secret Key Security: Keep signing secret keys absolutely confidential. Anyone with the secret key can create valid signatures.
  • Message Integrity: If signature verification fails, the message was either tampered with or signed by a different key.
  • Non-repudiation: Valid signatures provide cryptographic proof that the holder of the secret key signed the message.
  • Deterministic Generation: Only use fromSeed with cryptographically secure seeds. Never use predictable values.
  • Key Lifecycle: Rotate signing keys periodically and revoke compromised keys through your application's key management system.

Use Cases

  • API Authentication: Sign API requests to prove authenticity
  • Document Signing: Create tamper-evident digital documents
  • Software Distribution: Sign software packages to verify publisher identity
  • Blockchain Transactions: Sign cryptocurrency transactions
  • Message Authentication: Prove message origin in communication systems

Install with Tessl CLI

npx tessl i tessl/npm-tweetnacl
