Add support for sign and verify

cmd/salty/main.go

@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 
+	"github.com/keys-pub/keys"
 	log "github.com/sirupsen/logrus"
 	flag "github.com/spf13/pflag"
 	"go.mills.io/salty"
@@ -17,6 +18,8 @@ var (
 
 	encrypt    bool
 	decrypt    bool
+	sign       bool
+	verify     bool
 	output     string
 	identity   string
 	recipients []string
@@ -28,9 +31,11 @@ func init() {
 		flag.PrintDefaults()
 	}
 	flag.BoolVarP(&help, "help", "h", false, "display help information")
-	flag.BoolVarP(&version, "version", "v", false, "display version information")
+	flag.BoolVar(&version, "version", false, "display version information")
 	flag.BoolVarP(&encrypt, "encrypt", "e", false, "Encrypt the input to the output (Default if omitted)")
 	flag.BoolVarP(&decrypt, "decrypt", "d", false, "Decrypt the input to the output")
+	flag.BoolVarP(&sign, "sign", "s", false, "Sign the input to the otput")
+	flag.BoolVarP(&verify, "verify", "v", false, "Verify the input to the output")
 	flag.StringVarP(&output, "output", "o", "", "Write the result to the file")
 	flag.StringSliceVarP(&recipients, "recipient", "r", []string{}, "Encrypt to the specified RECIPIENT (Can be repeated)")
 	flag.StringVarP(&identity, "identity", "i", "", "Use the identity file at PATH. Can be repeated.")
@@ -49,19 +54,26 @@ func main() {
 		os.Exit(0)
 	}
 
-	if !(encrypt || decrypt) {
+	if !(encrypt || decrypt) && !(sign || verify) {
 		encrypt = true
 	}
 
-	id, err := os.Open(identity)
-	if err != nil {
-		log.WithError(err).Fatalf("error opening identity file: %q", identity)
-	}
-	defer id.Close()
+	var (
+		err error
+		key *keys.EdX25519Key
+	)
 
-	key, err := salty.ParseIdentity(id)
-	if err != nil {
-		log.WithError(err).Fatalf("error reading private key: %q", identity)
+	if !verify {
+		id, err := os.Open(identity)
+		if err != nil {
+			log.WithError(err).Fatalf("error opening identity file: %q", identity)
+		}
+		defer id.Close()
+
+		key, err = salty.ParseIdentity(id)
+		if err != nil {
+			log.WithError(err).Fatalf("error reading private key: %q", identity)
+		}
 	}
 
 	in := os.Stdin
@@ -100,13 +112,14 @@ func main() {
 
 	var result []byte
 
-	if encrypt {
+	switch {
+	case encrypt:
 		encrypted, err := salty.Encrypt(key, input, recipients)
 		if err != nil {
 			log.WithError(err).Fatalf("error encrypting input")
 		}
 		result = encrypted[:]
-	} else if decrypt {
+	case decrypt:
 		out, sender, err := salty.Decrypt(key, input)
 		if err != nil {
 			log.WithError(err).Fatalf("error decrypting input")
@@ -115,7 +128,20 @@ func main() {
 			fmt.Fprintf(os.Stderr, "# signed by: %s\n", sender)
 		}
 		result = out[:]
-	} else {
+	case sign:
+		signed, err := salty.Sign(key, input)
+		if err != nil {
+			log.WithError(err).Fatalf("error signing input")
+		}
+		result = signed[:]
+	case verify:
+		out, signer, err := salty.Verify(input)
+		if err != nil {
+			log.WithError(err).Fatalf("error verifying input")
+		}
+		fmt.Fprintf(os.Stderr, "# signed by: %s\n", signer.ID().String())
+		result = out
+	default:
 		log.Fatalf("one of -e/--encrypt or -d/--decrypt modes not spplied")
 	}
 

crypto.go

@@ -22,3 +22,17 @@ func Encrypt(key *keys.EdX25519Key, input []byte, recipients []string) ([]byte,
 func Decrypt(key *keys.EdX25519Key, input []byte) ([]byte, *keys.EdX25519PublicKey, error) {
 	return saltpack.SigncryptOpen(input, true, saltpack.NewKeyring(key))
 }
+
+// Sign signs the `input` using the Private Key `key`
+// Armour serializing is used by default. The armour bytes are returned on
+// success or nil bytes and an error on failure.
+func Sign(key *keys.EdX25519Key, input []byte) ([]byte, error) {
+	return saltpack.Sign(input, true, key)
+}
+
+// Verify verifies the `input` and returns the otput as well as the key
+// used to sign the message on success, or nil bytes, an empty signer key
+// and en error on failure.
+func Verify(input []byte) ([]byte, keys.ID, error) {
+	return saltpack.Verify(input)
+}

crypto_test.go

@@ -24,4 +24,12 @@ func TestCrypto(t *testing.T) {
 	assert.NoError(err)
 	assert.Equal(pub, sender.String())
 	assert.Equal(decrypted, input)
+
+	signed, err := Sign(key, input)
+	assert.NoError(err)
+
+	out, signer, err := Verify(signed)
+	assert.NoError(err)
+	assert.Equal(signer.ID().String(), key.ID().String())
+	assert.Equal(input, out)
 }