Safe Haskell	None
Language	Haskell2010

Network.Iron

Description

Iron is a cryptographic utility for sealing a JSON object using symmetric key encryption with message integrity verification. Or in other words, it lets you encrypt an object, send it around (in cookies, authentication credentials, etc.), then receive it back and decrypt it. The algorithm ensures that the message was not tampered with, and also provides a simple mechanism for password rotation.

For more information about the sealing/unsealing process, as well as security considerations, see the Iron Website.

Usage

To seal an object:

>>> import Data.ByteString (ByteString)
>>> import Data.Aeson
>>> import qualified Network.Iron as Iron
>>> let opts = Iron.options Iron.AES256CBC Iron.SHA256 256 66666
>>> let Just obj = decode "{\"a\":1,\"d\":{\"e\":\"f\"},\"b\":2,\"c\":[3,4,5]}" :: Maybe Object
>>> let secret = "some_not_random_password" :: ByteString
>>> Just s <- Iron.seal opts (Iron.password secret) obj
>>> print s
"Fe26.2**3976da2bc627b3551c1ebfe40376bb791efb17f4425facc648038fdaaa2f67b2
*voiPExJrXAxmTWyQr7-Hvw*r_Ok7NOgy9sD2fS61t_u9z8qoszwBRze3NnA6PFmjnd06sLh0
9HRDlLorNYQJeEP**f6e22615db961e5ddc2ed47d956700b2ee63f0ab6f7ae6d3471989e5
4928e653*RsQNtNp4u5L-0fmZHSpPL7nbjBkqyKEyBcbOCbpEcpY"

The resulting "sealed" object is a string which can be sent via cookies, URI query parameter, or a HTTP header attribute.

To unseal the string:

>>> Iron.unseal opts (onePassword secret) s :: IO (Either String Object)
Right (Object (fromList [("a",Number 1.0),
("d",Object (fromList [("e",String "f")])),
("b",Number 2.0),
("c",Array [Number 3.0,Number 4.0,Number 5.0])]))

Synopsis

Documentation

seal :: ToJSON a => Options -> Password -> a -> IO (Maybe ByteString) Source #

Encodes and encrypts a Value using the given password and Options. Encryption may fail if the supplied options are wrong.

unseal :: FromJSON a => Options -> LookupPassword -> ByteString -> IO (Either String a) Source #

Decrypts an Iron-encoded message Value with the given password and Options.

options Source #

Arguments

:: IronCipher	Encryption algorithm.
-> IronHMAC	Integrity check algorithm (use `SHA256`).
-> Int	Number of salt bits for key generation.
-> Int	Number of iterations of key derivation function.
-> Options

A set of basic options. You need to choose a cipher and parameters for key generation.

There are also some default options chosen, which are: * Infinite message lifetime * Timestamp skew: 60 seconds either way * Local time offset: 0

password :: ByteArrayAccess a => a -> Password Source #

Constructs a Password.

passwords :: ByteArrayAccess a => a -> a -> Password Source #

Constructs a Password, with different encryption and integrity verification passwords.

passwordWithId :: ByteArrayAccess a => PasswordId -> a -> Maybe Password Source #

Constructs a Password. The given identifier will be included as the second component of the the sealed Fe26 string. The identifier must only include alphanumeric characters and the underscore, otherwise nothing will be returned.

passwordsWithId :: ByteArrayAccess a => PasswordId -> a -> a -> Maybe Password Source #

Constructs a Password, with different encryption and integrity verification passwords. The given identifier will be included as the second component of the the sealed Fe26 string. The identifier must only include alphanumeric characters and the underscore, otherwise nothing will be returned.

data Password Source #

Represents the password(s) used to seal and unseal Iron messages. To construct a Password, use one of password, passwords, passwordWithId, passwordsWithId.

Instances

Eq Password Source #
Methods (==) :: Password -> Password -> Bool # (/=) :: Password -> Password -> Bool #
Show Password Source #
Methods showsPrec :: Int -> Password -> ShowS # show :: Password -> String # showList :: [Password] -> ShowS #

type PasswordId = ByteString Source #

Identifies the password to use when unsealing the message.

type LookupPassword = PasswordId -> Maybe Password Source #

User-supplied function to get the password corresponding to the identifier from the sealed message.

onePassword :: ByteArrayAccess a => a -> LookupPassword Source #

The simple case of LookupPassword, where there is the same password for encryption and verification of all messages.

data Options Source #

Iron options used by sealWith and unsealWith.

Constructors

Options
Fields ironEncryption :: EncryptionOpts Encryption options ironIntegrity :: IntegrityOpts Message integrity verification options ironTTL :: NominalDiffTime Message lifetime in seconds ironTimestampSkew :: NominalDiffTime Clock difference allowance in seconds ironLocaltimeOffset :: NominalDiffTime Clock offset in seconds

Instances

Show Options Source #
Methods showsPrec :: Int -> Options -> ShowS # show :: Options -> String # showList :: [Options] -> ShowS #

data EncryptionOpts Source #

Options controlling encryption of Iron messages.

Constructors

EncryptionOpts
Fields ieSalt :: Salt Salt for password-based key generation ieAlgorithm :: IronCipher Encryption algorithm ieIterations :: Int Number of iterations for password-based key generation ieIV :: Maybe ByteString Pre-generated initial value block

Instances

Show EncryptionOpts Source #
Methods showsPrec :: Int -> EncryptionOpts -> ShowS # show :: EncryptionOpts -> String # showList :: [EncryptionOpts] -> ShowS #

data IntegrityOpts Source #

Options controlling cryptographic verification of Iron messages.

Constructors

IntegrityOpts
Fields iiSalt :: Salt Salt for MAC key generation iiAlgorithm :: IronHMAC Hash-based MAC algorithm iiIterations :: Int Number of iterations for MAC key generation

Instances

Show IntegrityOpts Source #
Methods showsPrec :: Int -> IntegrityOpts -> ShowS # show :: IntegrityOpts -> String # showList :: [IntegrityOpts] -> ShowS #

data IronCipher Source #

Encryption algorithms supported by Iron.

Constructors

AES128CTR
AES256CBC

Instances

Enum IronCipher Source #
Methods succ :: IronCipher -> IronCipher # pred :: IronCipher -> IronCipher # toEnum :: Int -> IronCipher # fromEnum :: IronCipher -> Int # enumFrom :: IronCipher -> [IronCipher] # enumFromThen :: IronCipher -> IronCipher -> [IronCipher] # enumFromTo :: IronCipher -> IronCipher -> [IronCipher] # enumFromThenTo :: IronCipher -> IronCipher -> IronCipher -> [IronCipher] #
Eq IronCipher Source #
Methods (==) :: IronCipher -> IronCipher -> Bool # (/=) :: IronCipher -> IronCipher -> Bool #
Read IronCipher Source #
Methods readsPrec :: Int -> ReadS IronCipher # readList :: ReadS [IronCipher] # readPrec :: ReadPrec IronCipher # readListPrec :: ReadPrec [IronCipher] #
Show IronCipher Source #
Methods showsPrec :: Int -> IronCipher -> ShowS # show :: IronCipher -> String # showList :: [IronCipher] -> ShowS #

data IronHMAC Source #

Constructors

SHA256

Instances

Enum IronHMAC Source #
Methods succ :: IronHMAC -> IronHMAC # pred :: IronHMAC -> IronHMAC # toEnum :: Int -> IronHMAC # fromEnum :: IronHMAC -> Int # enumFrom :: IronHMAC -> [IronHMAC] # enumFromThen :: IronHMAC -> IronHMAC -> [IronHMAC] # enumFromTo :: IronHMAC -> IronHMAC -> [IronHMAC] # enumFromThenTo :: IronHMAC -> IronHMAC -> IronHMAC -> [IronHMAC] #
Eq IronHMAC Source #
Methods (==) :: IronHMAC -> IronHMAC -> Bool # (/=) :: IronHMAC -> IronHMAC -> Bool #
Read IronHMAC Source #
Methods readsPrec :: Int -> ReadS IronHMAC # readList :: ReadS [IronHMAC] # readPrec :: ReadPrec IronHMAC # readListPrec :: ReadPrec [IronHMAC] #
Show IronHMAC Source #
Methods showsPrec :: Int -> IronHMAC -> ShowS # show :: IronHMAC -> String # showList :: [IronHMAC] -> ShowS #

data Salt Source #

Specifies the salt for password-based key generation.

Constructors

Salt ByteString	Supply pre-generated salt
GenSalt Int	Generate salt of given size, in bits

Instances

Show Salt Source #
Methods showsPrec :: Int -> Salt -> ShowS # show :: Salt -> String # showList :: [Salt] -> ShowS #