cryptostore-0.3.1.0: Serialization of cryptographic data types
LicenseBSD-style
MaintainerOlivier Chéron <olivier.cheron@gmail.com>
Stabilityexperimental
Portabilityunknown
Safe HaskellSafe-Inferred
LanguageHaskell2010

Crypto.Store.CMS

Description

Cryptographic Message Syntax

  • RFC 5652: Cryptographic Message Syntax (CMS)
  • RFC 3370: Cryptographic Message Syntax (CMS) Algorithms
  • RFC 3560: Use of the RSAES-OAEP Key Transport Algorithm in the Cryptographic Message Syntax (CMS)
  • RFC 4056: Use of the RSASSA-PSS Signature Algorithm in Cryptographic Message Syntax (CMS)
  • RFC 3565: Use of the Advanced Encryption Standard (AES) Encryption Algorithm in Cryptographic Message Syntax (CMS)
  • RFC 5753: Use of Elliptic Curve Cryptography (ECC) Algorithms in Cryptographic Message Syntax (CMS)
  • RFC 5754: Using SHA2 Algorithms with Cryptographic Message Syntax
  • RFC 3211: Password-based Encryption for CMS
  • RFC 5083: Cryptographic Message Syntax (CMS) Authenticated-Enveloped-Data Content Type
  • RFC 5084: Using AES-CCM and AES-GCM Authenticated Encryption in the Cryptographic Message Syntax (CMS)
  • RFC 6476: Using Message Authentication Code (MAC) Encryption in the Cryptographic Message Syntax (CMS)
  • RFC 8103: Using ChaCha20-Poly1305 Authenticated Encryption in the Cryptographic Message Syntax (CMS)
  • RFC 8418: Use of the Elliptic Curve Diffie-Hellman Key Agreement Algorithm with X25519 and X448 in the Cryptographic Message Syntax (CMS)
  • RFC 8419: Use of Edwards-Curve Digital Signature Algorithm (EdDSA) Signatures in the Cryptographic Message Syntax (CMS)
  • RFC 8702: Use of the SHAKE One-Way Hash Functions in the Cryptographic Message Syntax (CMS)
Synopsis

Documentation

data ContentType Source #

CMS content information type.

Constructors

DataType

Arbitrary octet string

SignedDataType

Signed content info

EnvelopedDataType

Enveloped content info

DigestedDataType

Content info with associated digest

EncryptedDataType

Encrypted content info

AuthenticatedDataType

Authenticated content info

AuthEnvelopedDataType

Authenticated-enveloped content info

Instances

Instances details
OIDNameable ContentType Source # 
Instance details

Defined in Crypto.Store.CMS.Type

OIDable ContentType Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Show ContentType Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Eq ContentType Source # 
Instance details

Defined in Crypto.Store.CMS.Type

data ContentInfo Source #

CMS content information.

Constructors

DataCI ByteString

Arbitrary octet string

SignedDataCI (SignedData (Encap EncapsulatedContent))

Signed content info

EnvelopedDataCI (EnvelopedData (Encap EncryptedContent))

Enveloped content info

DigestedDataCI (DigestedData (Encap EncapsulatedContent))

Content info with associated digest

EncryptedDataCI (EncryptedData (Encap EncryptedContent))

Encrypted content info

AuthenticatedDataCI (AuthenticatedData (Encap EncapsulatedContent))

Authenticatedcontent info

AuthEnvelopedDataCI (AuthEnvelopedData (Encap EncryptedContent))

Authenticated-enveloped content info

Instances

Instances details
Show ContentInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Eq ContentInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Info

getContentType :: ContentInfo -> ContentType Source #

Get the type of a content info.

Reading and writing PEM files

readCMSFile :: FilePath -> IO [ContentInfo] Source #

Read content info elements from a PEM file.

readCMSFileFromMemory :: ByteString -> [ContentInfo] Source #

Read content info elements from a bytearray in PEM format.

berToContentInfo :: ByteString -> Either StoreError ContentInfo Source #

Read a content info from a bytearray in BER format.

pemToContentInfo :: [Maybe ContentInfo] -> PEM -> [Maybe ContentInfo] Source #

Read a content info from a PEM element and add it to the accumulator list.

writeCMSFile :: FilePath -> [ContentInfo] -> IO () Source #

Write content info elements to a PEM file.

writeCMSFileToMemory :: [ContentInfo] -> ByteString Source #

Write content info elements to a bytearray in PEM format.

contentInfoToDER :: ContentInfo -> ByteString Source #

Generate a bytearray in DER format for a content info.

contentInfoToPEM :: ContentInfo -> PEM Source #

Generate PEM for a content info.

Content encapsulation

data Encap a Source #

Denote the state of encapsulated content in a CMS data structure. This type is isomorphic to Maybe.

Constructors

Detached

Content is stored externally to the structure

Attached a

Content is stored inside the CMS struture

Instances

Instances details
Foldable Encap Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

fold :: Monoid m => Encap m -> m #

foldMap :: Monoid m => (a -> m) -> Encap a -> m #

foldMap' :: Monoid m => (a -> m) -> Encap a -> m #

foldr :: (a -> b -> b) -> b -> Encap a -> b #

foldr' :: (a -> b -> b) -> b -> Encap a -> b #

foldl :: (b -> a -> b) -> b -> Encap a -> b #

foldl' :: (b -> a -> b) -> b -> Encap a -> b #

foldr1 :: (a -> a -> a) -> Encap a -> a #

foldl1 :: (a -> a -> a) -> Encap a -> a #

toList :: Encap a -> [a] #

null :: Encap a -> Bool #

length :: Encap a -> Int #

elem :: Eq a => a -> Encap a -> Bool #

maximum :: Ord a => Encap a -> a #

minimum :: Ord a => Encap a -> a #

sum :: Num a => Encap a -> a #

product :: Num a => Encap a -> a #

Traversable Encap Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

traverse :: Applicative f => (a -> f b) -> Encap a -> f (Encap b) #

sequenceA :: Applicative f => Encap (f a) -> f (Encap a) #

mapM :: Monad m => (a -> m b) -> Encap a -> m (Encap b) #

sequence :: Monad m => Encap (m a) -> m (Encap a) #

Applicative Encap Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

pure :: a -> Encap a #

(<*>) :: Encap (a -> b) -> Encap a -> Encap b #

liftA2 :: (a -> b -> c) -> Encap a -> Encap b -> Encap c #

(*>) :: Encap a -> Encap b -> Encap b #

(<*) :: Encap a -> Encap b -> Encap a #

Functor Encap Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

fmap :: (a -> b) -> Encap a -> Encap b #

(<$) :: a -> Encap b -> Encap a #

Show a => Show (Encap a) Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

showsPrec :: Int -> Encap a -> ShowS #

show :: Encap a -> String #

showList :: [Encap a] -> ShowS #

Eq a => Eq (Encap a) Source # 
Instance details

Defined in Crypto.Store.CMS.Type

Methods

(==) :: Encap a -> Encap a -> Bool #

(/=) :: Encap a -> Encap a -> Bool #

fromEncap :: b -> (a -> b) -> Encap a -> b Source #

Fold over an Encap value. This is similar to function maybe. If the content is detached, the first argument is returned. Otherwise the second argument is applied to the content.

class Encapsulates struct Source #

Class of data structures with inner content that may be stored externally. This class has instances for each CMS content type containing other encapsulated or encrypted content info.

Functions fromAttached and fromDetached are used to introspect encapsulation state (attached or detached), and recover a data structure with actionable content.

Functions toAttachedCI and toDetachedCI are needed to decide about the outer encapsulation state and build a ContentInfo.

Minimal complete definition

lens, toCI

Instances

Instances details
Encapsulates AuthEnvelopedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Encapsulates AuthenticatedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Encapsulates DigestedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> DigestedData a -> f (DigestedData b)

toCI :: DigestedData (Encap ByteString) -> ContentInfo

Encapsulates EncryptedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> EncryptedData a -> f (EncryptedData b)

toCI :: EncryptedData (Encap ByteString) -> ContentInfo

Encapsulates EnvelopedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> EnvelopedData a -> f (EnvelopedData b)

toCI :: EnvelopedData (Encap ByteString) -> ContentInfo

Encapsulates SignedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> SignedData a -> f (SignedData b)

toCI :: SignedData (Encap ByteString) -> ContentInfo

isAttached :: Encapsulates struct => struct (Encap a) -> Bool Source #

Return True when the encapsulated content is attached.

fromAttached :: (MonadFail m, Encapsulates struct) => struct (Encap a) -> m (struct a) Source #

Unwrap the encapsulation, assuming the inner content is inside the data structure. The monadic computation fails if the content was detached.

toAttachedCI :: Encapsulates struct => struct ByteString -> ContentInfo Source #

Transform the data structure into a content info, keeping the encapsulated content attached. May be applied to structures with EncapsulatedContent or EncryptedContent.

isDetached :: Encapsulates struct => struct (Encap a) -> Bool Source #

Return True when the encapsulated content is detached.

fromDetached :: (MonadFail m, Encapsulates struct) => b -> struct (Encap a) -> m (struct b) Source #

Recover the original data structure from a detached encapsulation and the external content. The monadic computation fails if the content was attached.

toDetachedCI :: Encapsulates struct => struct ByteString -> (ByteString, ContentInfo) Source #

Transform the data structure into a content info, detaching the encapsulated content. May be applied to structures with EncapsulatedContent or EncryptedContent.

Signed data

type SignatureValue = ByteString Source #

Signature value.

data SignatureAlg Source #

CMS signature algorithms and associated parameters.

Instances

Instances details
Show SignatureAlg Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Eq SignatureAlg Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

type EncapsulatedContent = ByteString Source #

Encapsulated content.

data SignedData content Source #

Signed content information.

Constructors

SignedData 

Fields

Instances

Instances details
Encapsulates SignedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> SignedData a -> f (SignedData b)

toCI :: SignedData (Encap ByteString) -> ContentInfo

Show content => Show (SignedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Signed

Methods

showsPrec :: Int -> SignedData content -> ShowS #

show :: SignedData content -> String #

showList :: [SignedData content] -> ShowS #

Eq content => Eq (SignedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Signed

Methods

(==) :: SignedData content -> SignedData content -> Bool #

(/=) :: SignedData content -> SignedData content -> Bool #

signData :: Applicative f => [ProducerOfSI f] -> ContentInfo -> f (Either StoreError (SignedData EncapsulatedContent)) Source #

Add a signed-data layer on the specified content info. The content is processed by one or several ProducerOfSI functions to create signer info elements.

verifySignedData :: Monad m => ConsumerOfSI m -> SignedData EncapsulatedContent -> m (Either StoreError ContentInfo) Source #

Verify a signed content info using the specified ConsumerOfSI function. Verification of at least one signer info must be successful in order to return the inner content info.

Signer information

data SignerInfo Source #

Information related to a signer of a SignedData. An element contains the signature material that was produced.

Constructors

SignerInfo 

Fields

Instances

Instances details
Show SignerInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Signed

Eq SignerInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Signed

data SignerIdentifier Source #

Union type related to identification of the signer certificate.

Constructors

SignerIASN IssuerAndSerialNumber

Issuer and Serial Number

SignerSKI ByteString

Subject Key Identifier

data IssuerAndSerialNumber Source #

Identification of a certificate using the issuer DN and serial number.

Constructors

IssuerAndSerialNumber 

Fields

certSigner :: MonadRandom m => SignatureAlg -> PrivKey -> CertificateChain -> Maybe [Attribute] -> [Attribute] -> ProducerOfSI m Source #

Create a signer info with the specified signature algorithm and credentials.

Two lists of optional attributes can be provided. The attributes will be part of message signature when provided in the first list.

When the first list of attributes is provided, even empty list, signature is computed from a digest of the content. When the list of attributes is Nothing, no intermediate digest is used and the signature is computed from the full message.

withPublicKey :: Applicative f => PubKey -> ConsumerOfSI f Source #

Verify that the signature was produced from the specified public key. Ignores all certificates and CRLs contained in the signed data.

withSignerKey :: Applicative f => ConsumerOfSI f Source #

Verify that the signature is valid with one of the X.509 certificates contained in the signed data, but does not validate that the certificates are valid. All transmitted certificates are implicitely trusted and all CRLs are ignored.

withSignerCertificate :: Applicative f => (Maybe DateTime -> CertificateChain -> f Bool) -> ConsumerOfSI f Source #

Verify that the signature is valid with one of the X.509 certificates contained in the signed data, and verify that the signer certificate is valid using the validation function supplied. All CRLs are ignored.

Enveloped data

type EncryptedKey = ByteString Source #

Encrypted key.

data KeyEncryptionParams Source #

Key encryption algorithm with associated parameters (i.e. the underlying encryption algorithm).

Constructors

PWRIKEK ContentEncryptionParams

PWRI-KEK key wrap algorithm

AES128_WRAP

AES-128 key wrap

AES192_WRAP

AES-192 key wrap

AES256_WRAP

AES-256 key wrap

AES128_WRAP_PAD

AES-128 extended key wrap

AES192_WRAP_PAD

AES-192 extended key wrap

AES256_WRAP_PAD

AES-256 extended key wrap

DES_EDE3_WRAP

Triple-DES key wrap

RC2_WRAP Int

RC2 key wrap with effective key length

data KeyTransportParams Source #

Key transport algorithm with associated parameters.

Constructors

RSAES

RSAES-PKCS1

RSAESOAEP OAEPParams

RSAES-OAEP

data KeyAgreementParams Source #

Key agreement algorithm with associated parameters.

Constructors

StdDH KeyAgreementKDF KeyEncryptionParams

1-Pass D-H with Stardard ECDH

CofactorDH KeyAgreementKDF KeyEncryptionParams

1-Pass D-H with Cofactor ECDH

data KeyAgreementKDF Source #

Key derivation function used for key agreement.

Constructors

forall hashAlg.HashAlgorithm hashAlg => KA_X963_KDF (DigestProxy hashAlg)

ANSI-X9.63-KDF key derivation function

forall hashAlg.HashAlgorithm hashAlg => KA_HKDF (DigestProxy hashAlg)

Extract-and-Expand HMAC-based key derivation function

data RecipientInfo Source #

Information for a recipient of an EnvelopedData. An element contains the content-encryption key in encrypted form.

Constructors

KTRI KTRecipientInfo

Recipient using key transport

KARI KARecipientInfo

Recipient using key agreement

KEKRI KEKRecipientInfo

Recipient using key encryption

PasswordRI PasswordRecipientInfo

Recipient using password-based protection

Instances

Instances details
Show RecipientInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

Eq RecipientInfo Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

data EnvelopedData content Source #

Enveloped content information.

Constructors

EnvelopedData 

Fields

Instances

Instances details
Encapsulates EnvelopedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> EnvelopedData a -> f (EnvelopedData b)

toCI :: EnvelopedData (Encap ByteString) -> ContentInfo

Show content => Show (EnvelopedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

Methods

showsPrec :: Int -> EnvelopedData content -> ShowS #

show :: EnvelopedData content -> String #

showList :: [EnvelopedData content] -> ShowS #

Eq content => Eq (EnvelopedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

Methods

(==) :: EnvelopedData content -> EnvelopedData content -> Bool #

(/=) :: EnvelopedData content -> EnvelopedData content -> Bool #

envelopData :: Applicative f => OriginatorInfo -> ContentEncryptionKey -> ContentEncryptionParams -> [ProducerOfRI f] -> [Attribute] -> ContentInfo -> f (Either StoreError (EnvelopedData EncryptedContent)) Source #

Add an enveloped-data layer on the specified content info. The content is encrypted with specified key and algorithm. The key is then processed by one or several ProducerOfRI functions to create recipient info elements.

Some optional attributes can be added but will not be encrypted.

openEnvelopedData :: Monad m => ConsumerOfRI m -> EnvelopedData EncryptedContent -> m (Either StoreError ContentInfo) Source #

Recover an enveloped content info using the specified ConsumerOfRI function.

Key Transport recipients

data KTRecipientInfo Source #

Recipient using key transport.

Constructors

KTRecipientInfo 

Fields

data RecipientIdentifier Source #

Union type related to identification of the recipient.

Constructors

RecipientIASN IssuerAndSerialNumber

Issuer and Serial Number

RecipientSKI ByteString

Subject Key Identifier

forKeyTransRecipient :: MonadRandom m => SignedCertificate -> KeyTransportParams -> ProducerOfRI m Source #

Generate a Key Transport recipient from a certificate and desired algorithm. The recipient will contain certificate identifier.

This function can be used as parameter to envelopData.

withRecipientKeyTrans :: MonadRandom m => PrivKey -> ConsumerOfRI m Source #

Use a Key Transport recipient, knowing the private key.

This function can be used as parameter to openEnvelopedData.

Key Agreement recipients

data KARecipientInfo Source #

Recipient using key agreement.

Constructors

KARecipientInfo 

Fields

data OriginatorPublicKey Source #

Originator public key used for key-agreement. Contrary to PubKey the domain parameters are not used and may be left empty.

data RecipientEncryptedKey Source #

Encrypted key for a recipient in a key-agreement RI.

Constructors

RecipientEncryptedKey 

Fields

type UserKeyingMaterial = ByteString Source #

User keying material.

forKeyAgreeRecipient :: MonadRandom m => SignedCertificate -> KeyAgreementParams -> ProducerOfRI m Source #

Generate a Key Agreement recipient from a certificate and desired algorithm. The recipient info will contain an ephemeral public key.

This function can be used as parameter to envelopData.

To avoid decreasing the security strength, Key Encryption parameters should use a key size equal or greater than the content encryption key.

withRecipientKeyAgree :: MonadRandom m => PrivKey -> SignedCertificate -> ConsumerOfRI m Source #

Use a Key Agreement recipient, knowing the recipient private key. The recipient certificate is also required to locate which encrypted key to use.

This function can be used as parameter to openEnvelopedData.

Key Encryption Key recipients

data KEKRecipientInfo Source #

Recipient using key encryption.

Constructors

KEKRecipientInfo 

Fields

data KeyIdentifier Source #

Key identifier and optional attributes.

Constructors

KeyIdentifier 

Fields

Instances

Instances details
Show KeyIdentifier Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

Eq KeyIdentifier Source # 
Instance details

Defined in Crypto.Store.CMS.Enveloped

data OtherKeyAttribute Source #

Additional information in a KeyIdentifier.

Constructors

OtherKeyAttribute 

Fields

type KeyEncryptionKey = ByteString Source #

Key used for key encryption.

forKeyRecipient :: MonadRandom m => KeyEncryptionKey -> KeyIdentifier -> KeyEncryptionParams -> ProducerOfRI m Source #

Generate a Key Encryption Key recipient from a key encryption key and desired algorithm. The recipient may identify the KEK that was used with the supplied identifier.

This function can be used as parameter to envelopData.

To avoid decreasing the security strength, Key Encryption parameters should use a key size equal or greater than the content encryption key.

withRecipientKey :: Applicative f => KeyEncryptionKey -> ConsumerOfRI f Source #

Use a Key Encryption Key recipient, knowing the key encryption key.

This function can be used as parameter to openEnvelopedData.

Password recipients

data PasswordRecipientInfo Source #

Recipient using password-based protection.

Constructors

PasswordRecipientInfo 

Fields

forPasswordRecipient :: MonadRandom m => Password -> KeyDerivationFunc -> KeyEncryptionParams -> ProducerOfRI m Source #

Generate a password recipient from a password.

This function can be used as parameter to envelopData.

withRecipientPassword :: Applicative f => Password -> ConsumerOfRI f Source #

Use a password recipient, knowing the password.

This function can be used as parameter to openEnvelopedData.

Digested data

data DigestProxy hashAlg where Source #

CMS digest proxy. Acts like Proxy, i.e. provides a hash algorithm as type parameter. The GADT constructors map to known algorithms.

Constructors

MD2 :: DigestProxy MD2

MD2

MD4 :: DigestProxy MD4

MD4

MD5 :: DigestProxy MD5

MD5

SHA1 :: DigestProxy SHA1

SHA-1

SHA224 :: DigestProxy SHA224

SHA-224

SHA256 :: DigestProxy SHA256

SHA-256

SHA384 :: DigestProxy SHA384

SHA-384

SHA512 :: DigestProxy SHA512

SHA-512

SHAKE128_256 :: DigestProxy (SHAKE128 256)

SHAKE128 (256 bits)

SHAKE256_512 :: DigestProxy (SHAKE256 512)

SHAKE256 (512 bits)

SHAKE128 :: KnownNat n => Proxy n -> DigestProxy (SHAKE128 n)

SHAKE128 (variable size)

SHAKE256 :: KnownNat n => Proxy n -> DigestProxy (SHAKE256 n)

SHAKE256 (variable size)

Instances

Instances details
Show (DigestProxy hashAlg) Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Methods

showsPrec :: Int -> DigestProxy hashAlg -> ShowS #

show :: DigestProxy hashAlg -> String #

showList :: [DigestProxy hashAlg] -> ShowS #

Eq (DigestProxy hashAlg) Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Methods

(==) :: DigestProxy hashAlg -> DigestProxy hashAlg -> Bool #

(/=) :: DigestProxy hashAlg -> DigestProxy hashAlg -> Bool #

data DigestAlgorithm Source #

CMS digest algorithm.

Constructors

forall hashAlg.HashAlgorithm hashAlg => DigestAlgorithm (DigestProxy hashAlg) 

data DigestedData content Source #

Digested content information.

Constructors

forall hashAlg.HashAlgorithm hashAlg => DigestedData 

Fields

Instances

Instances details
Encapsulates DigestedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> DigestedData a -> f (DigestedData b)

toCI :: DigestedData (Encap ByteString) -> ContentInfo

Show content => Show (DigestedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Digested

Methods

showsPrec :: Int -> DigestedData content -> ShowS #

show :: DigestedData content -> String #

showList :: [DigestedData content] -> ShowS #

Eq content => Eq (DigestedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Digested

Methods

(==) :: DigestedData content -> DigestedData content -> Bool #

(/=) :: DigestedData content -> DigestedData content -> Bool #

digestData :: DigestAlgorithm -> ContentInfo -> DigestedData EncapsulatedContent Source #

Add a digested-data layer on the specified content info.

digestVerify :: DigestedData EncapsulatedContent -> Either StoreError ContentInfo Source #

Return the inner content info but only if the digest is valid.

Encrypted data

type ContentEncryptionKey = ByteString Source #

Key used for content encryption.

data ContentEncryptionCipher cipher where Source #

CMS content encryption cipher.

Constructors

DES :: ContentEncryptionCipher DES

DES

DES_EDE2 :: ContentEncryptionCipher DES_EDE2

Triple-DES with 2 keys used in alternative direction

DES_EDE3 :: ContentEncryptionCipher DES_EDE3

Triple-DES with 3 keys used in alternative direction

AES128 :: ContentEncryptionCipher AES128

AES with 128-bit key

AES192 :: ContentEncryptionCipher AES192

AES with 192-bit key

AES256 :: ContentEncryptionCipher AES256

AES with 256-bit key

CAST5 :: ContentEncryptionCipher CAST5

CAST5 (aka CAST-128) with key between 40 and 128 bits

Camellia128 :: ContentEncryptionCipher Camellia128

Camellia with 128-bit key

Instances

Instances details
Show (ContentEncryptionCipher cipher) Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Eq (ContentEncryptionCipher cipher) Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

data ContentEncryptionAlg Source #

Cipher and mode of operation for content encryption.

Constructors

forall c.BlockCipher c => ECB (ContentEncryptionCipher c)

Electronic Codebook

forall c.BlockCipher c => CBC (ContentEncryptionCipher c)

Cipher Block Chaining

CBC_RC2

RC2 in CBC mode

forall c.BlockCipher c => CFB (ContentEncryptionCipher c)

Cipher Feedback

forall c.BlockCipher c => CTR (ContentEncryptionCipher c)

Counter

type EncryptedContent = ByteString Source #

Encrypted content.

data EncryptedData content Source #

Encrypted content information.

Constructors

EncryptedData 

Fields

Instances

Instances details
Encapsulates EncryptedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Methods

lens :: Functor f => (a -> f b) -> EncryptedData a -> f (EncryptedData b)

toCI :: EncryptedData (Encap ByteString) -> ContentInfo

Show content => Show (EncryptedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Encrypted

Methods

showsPrec :: Int -> EncryptedData content -> ShowS #

show :: EncryptedData content -> String #

showList :: [EncryptedData content] -> ShowS #

Eq content => Eq (EncryptedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Encrypted

Methods

(==) :: EncryptedData content -> EncryptedData content -> Bool #

(/=) :: EncryptedData content -> EncryptedData content -> Bool #

generateEncryptionParams :: MonadRandom m => ContentEncryptionAlg -> m ContentEncryptionParams Source #

Generate random parameters for the specified content encryption algorithm.

generateRC2EncryptionParams :: MonadRandom m => Int -> m ContentEncryptionParams Source #

Generate random RC2 parameters with the specified effective key length (in bits).

encryptData :: ContentEncryptionKey -> ContentEncryptionParams -> [Attribute] -> ContentInfo -> Either StoreError (EncryptedData EncryptedContent) Source #

Add an encrypted-data layer on the specified content info. The content is encrypted with specified key and algorithm.

Some optional attributes can be added but will not be encrypted.

decryptData :: ContentEncryptionKey -> EncryptedData EncryptedContent -> Either StoreError ContentInfo Source #

Decrypt an encrypted content info using the specified key.

Authenticated data

type AuthenticationKey = ContentEncryptionKey Source #

Key used for authentication.

data MACAlgorithm Source #

Message Authentication Code (MAC) Algorithm.

Constructors

forall hashAlg.HashAlgorithm hashAlg => HMAC (DigestProxy hashAlg) 
forall n.KnownNat n => KMAC_SHAKE128 (Proxy n) ByteString 
forall n.KnownNat n => KMAC_SHAKE256 (Proxy n) ByteString 

type MessageAuthenticationCode = AuthTag Source #

Message authentication code. Equality is time constant.

data AuthenticatedData content Source #

Authenticated content information.

Constructors

AuthenticatedData 

Fields

Instances

Instances details
Encapsulates AuthenticatedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Show content => Show (AuthenticatedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Authenticated

Methods

showsPrec :: Int -> AuthenticatedData content -> ShowS #

show :: AuthenticatedData content -> String #

showList :: [AuthenticatedData content] -> ShowS #

Eq content => Eq (AuthenticatedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.Authenticated

Methods

(==) :: AuthenticatedData content -> AuthenticatedData content -> Bool #

(/=) :: AuthenticatedData content -> AuthenticatedData content -> Bool #

generateAuthenticatedData :: Applicative f => OriginatorInfo -> AuthenticationKey -> MACAlgorithm -> Maybe DigestAlgorithm -> [ProducerOfRI f] -> [Attribute] -> [Attribute] -> ContentInfo -> f (Either StoreError (AuthenticatedData EncapsulatedContent)) Source #

Add an authenticated-data layer on the specified content info. The content is MACed with the specified key and algorithms. The key is then processed by one or several ProducerOfRI functions to create recipient info elements.

Two lists of optional attributes can be provided. The attributes will be part of message authentication when provided in the first list.

verifyAuthenticatedData :: Monad m => ConsumerOfRI m -> AuthenticatedData EncapsulatedContent -> m (Either StoreError ContentInfo) Source #

Verify the integrity of an authenticated content info using the specified ConsumerOfRI function. The inner content info is returned only if the MAC could be verified.

Authenticated-enveloped data

data AuthContentEncryptionAlg Source #

Cipher and mode of operation for authenticated-content encryption.

Constructors

AUTH_ENC_128

authEnc with 128-bit key

AUTH_ENC_256

authEnc with 256-bit key

CHACHA20_POLY1305

ChaCha20-Poly1305 Authenticated Encryption

forall c.BlockCipher c => CCM (ContentEncryptionCipher c)

Counter with CBC-MAC

forall c.BlockCipher c => GCM (ContentEncryptionCipher c)

Galois Counter Mode

data AuthEnvelopedData content Source #

Authenticated-enveloped content information.

Constructors

AuthEnvelopedData 

Fields

Instances

Instances details
Encapsulates AuthEnvelopedData Source # 
Instance details

Defined in Crypto.Store.CMS.Info

Show content => Show (AuthEnvelopedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.AuthEnveloped

Methods

showsPrec :: Int -> AuthEnvelopedData content -> ShowS #

show :: AuthEnvelopedData content -> String #

showList :: [AuthEnvelopedData content] -> ShowS #

Eq content => Eq (AuthEnvelopedData content) Source # 
Instance details

Defined in Crypto.Store.CMS.AuthEnveloped

Methods

(==) :: AuthEnvelopedData content -> AuthEnvelopedData content -> Bool #

(/=) :: AuthEnvelopedData content -> AuthEnvelopedData content -> Bool #

generateAuthEnc128Params :: MonadRandom m => PBKDF2_PRF -> ContentEncryptionAlg -> MACAlgorithm -> m AuthContentEncryptionParams Source #

Generate random AUTH_ENC_128 parameters with the specified algorithms.

generateAuthEnc256Params :: MonadRandom m => PBKDF2_PRF -> ContentEncryptionAlg -> MACAlgorithm -> m AuthContentEncryptionParams Source #

Generate random AUTH_ENC_256 parameters with the specified algorithms.

generateCCMParams :: (MonadRandom m, BlockCipher c) => ContentEncryptionCipher c -> CCM_M -> CCM_L -> m AuthContentEncryptionParams Source #

Generate random CCM parameters for the specified cipher.

generateGCMParams :: (MonadRandom m, BlockCipher c) => ContentEncryptionCipher c -> Int -> m AuthContentEncryptionParams Source #

Generate random GCM parameters for the specified cipher.

authEnvelopData :: Applicative f => OriginatorInfo -> ContentEncryptionKey -> AuthContentEncryptionParams -> [ProducerOfRI f] -> [Attribute] -> [Attribute] -> ContentInfo -> f (Either StoreError (AuthEnvelopedData EncryptedContent)) Source #

Add an authenticated-enveloped-data layer on the specified content info. The content is encrypted with specified key and algorithm. The key is then processed by one or several ProducerOfRI functions to create recipient info elements.

Some attributes can be added but will not be encrypted. The attributes will be part of message authentication when provided in the first list.

openAuthEnvelopedData :: Monad m => ConsumerOfRI m -> AuthEnvelopedData EncryptedContent -> m (Either StoreError ContentInfo) Source #

Recover an authenticated-enveloped content info using the specified ConsumerOfRI function.

Key derivation

type Salt = ByteString Source #

Salt value used for key derivation.

generateSalt :: MonadRandom m => Int -> m Salt Source #

Generate a random salt with the specified length in bytes. To be most effective, the length should be at least 8 bytes.

data KeyDerivationFunc Source #

Key derivation algorithm and associated parameters.

Constructors

PBKDF2

Key derivation with PBKDF2

Fields

Scrypt

Key derivation with Scrypt

Fields

data PBKDF2_PRF Source #

Pseudorandom function used for PBKDF2.

Constructors

PBKDF2_SHA1

hmacWithSHA1

PBKDF2_SHA256

hmacWithSHA256

PBKDF2_SHA512

hmacWithSHA512

Instances

Instances details
OIDNameable PBKDF2_PRF Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

OIDable PBKDF2_PRF Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Show PBKDF2_PRF Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Eq PBKDF2_PRF Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Secret-key algorithms

class HasKeySize params where Source #

Algorithms that are based on a secret key. This includes ciphers but also MAC algorithms.

Methods

getKeySizeSpecifier :: params -> KeySizeSpecifier Source #

Get a specification of the key sizes allowed by the algorithm.

generateKey :: (HasKeySize params, MonadRandom m, ByteArray key) => params -> m key Source #

Generate a random key suitable for the specified algorithm. This uses the maximum size allowed by the parameters.

RSA padding modes

newtype MaskGenerationFunc Source #

Mask Generation Functions (MGF) and associated parameters.

Constructors

MGF1 DigestAlgorithm 

data OAEPParams Source #

Encryption parameters for RSAES-OAEP.

Constructors

OAEPParams 

Fields

Instances

Instances details
Show OAEPParams Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Eq OAEPParams Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

data PSSParams Source #

Signature parameters for RSASSA-PSS.

Constructors

PSSParams 

Fields

Instances

Instances details
Show PSSParams Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

Eq PSSParams Source # 
Instance details

Defined in Crypto.Store.CMS.Algorithms

CMS attributes

data Attribute Source #

An attribute extending the parent structure with arbitrary data.

Constructors

Attribute 

Fields

Instances

Instances details
Show Attribute Source # 
Instance details

Defined in Crypto.Store.CMS.Attribute

Eq Attribute Source # 
Instance details

Defined in Crypto.Store.CMS.Attribute

findAttribute :: OID -> [Attribute] -> Maybe [ASN1] Source #

Return the values for the first attribute with the specified type.

setAttribute :: OID -> [ASN1] -> [Attribute] -> [Attribute] Source #

Add or replace an attribute in a list of attributes.

filterAttributes :: (OID -> Bool) -> [Attribute] -> [Attribute] Source #

Filter a list of attributes based on a predicate applied to attribute type.

CMS standard attributes

getSigningTimeAttr :: [Attribute] -> Maybe DateTime Source #

Return the value of the signingTime attribute.

setSigningTimeAttr :: DateTime -> [Attribute] -> [Attribute] Source #

Add or replace the signingTime attribute in a list of attributes.

setSigningTimeAttrCurrent :: MonadIO m => [Attribute] -> m [Attribute] Source #

Add or replace the signingTime attribute in a list of attributes with the current time. This is equivalent to calling setSigningTimeAttr with the result of dateCurrent.

Originator information

data OriginatorInfo Source #

Information about the originator of the content info, to be used when a key management algorithm requires this information.

Constructors

OriginatorInfo 

Fields

data OtherCertificateFormat Source #

Certificate information in a format not supported natively.

Constructors

OtherCertificateFormat 

Fields

ASN.1 representation

data ASN1ObjectExact a Source #

An ASN.1 object associated with the raw data it was parsed from.

Instances

Instances details
Show a => Show (ASN1ObjectExact a) Source # 
Instance details

Defined in Crypto.Store.CMS.Util

Eq a => Eq (ASN1ObjectExact a) Source # 
Instance details

Defined in Crypto.Store.CMS.Util