src/Network/Iron.hs

{-# LANGUAGE ExistentialQuantification #-}
{-# LANGUAGE NamedFieldPuns            #-}
{-# LANGUAGE RecordWildCards           #-}
{-# LANGUAGE ScopedTypeVariables       #-}

-- | <<images/iron-logo.png>>
--
-- /Iron/ is a cryptographic utility for sealing a JSON object using
-- symmetric key encryption with message integrity verification. Or in
-- other words, it lets you encrypt an object, send it around (in
-- cookies, authentication credentials, etc.), then receive it back
-- and decrypt it. The algorithm ensures that the message was not
-- tampered with, and also provides a simple mechanism for password
-- rotation.
--
-- For more information about the sealing/unsealing process, as well
-- as security considerations, see the
-- <https://github.com/hueniverse/iron Iron Website>.
--
-- == Usage
-- To seal an object:
--
-- >>> import Data.ByteString (ByteString)
-- >>> import Data.Aeson
-- >>> import qualified Network.Iron as Iron
-- >>> let opts = Iron.options Iron.AES256CBC Iron.SHA256 256 66666
-- >>> let Just obj = decode "{\"a\":1,\"d\":{\"e\":\"f\"},\"b\":2,\"c\":[3,4,5]}" :: Maybe Object
-- >>> let secret = "some_not_random_password" :: ByteString
-- >>> Just s <- Iron.seal opts (Iron.password secret) obj
-- >>> print s
-- "Fe26.2**3976da2bc627b3551c1ebfe40376bb791efb17f4425facc648038fdaaa2f67b2
-- *voiPExJrXAxmTWyQr7-Hvw*r_Ok7NOgy9sD2fS61t_u9z8qoszwBRze3NnA6PFmjnd06sLh0
-- 9HRDlLorNYQJeEP**f6e22615db961e5ddc2ed47d956700b2ee63f0ab6f7ae6d3471989e5
-- 4928e653*RsQNtNp4u5L-0fmZHSpPL7nbjBkqyKEyBcbOCbpEcpY"
--
-- The resulting "sealed" object is a string which can be sent via
-- cookies, URI query parameter, or a HTTP header attribute.
--
-- To unseal the string:
--
-- >>> Iron.unseal opts (onePassword secret) s :: IO (Either String Object)
-- Right (Object (fromList [("a",Number 1.0),
-- ("d",Object (fromList [("e",String "f")])),
-- ("b",Number 2.0),
-- ("c",Array [Number 3.0,Number 4.0,Number 5.0])]))

module Network.Iron
  ( seal
  , unseal
  , options
  , password
  , passwords
  , passwordWithId
  , passwordsWithId
  , Password
  , PasswordId
  , LookupPassword
  , onePassword
  , Options(..)
  , EncryptionOpts(..)
  , IntegrityOpts(..)
  , IronCipher(..)
  , IronHMAC(..)
  , Salt(..)
  ) where

import           Control.Monad          (liftM, when)
import           Crypto.Cipher.AES      (AES128, AES256 (..))
import           Crypto.Cipher.Types
import           Crypto.Data.Padding
import           Crypto.Error           (CryptoFailable (..), maybeCryptoError)
import qualified Crypto.Hash.Algorithms as C (SHA256 (..))
import           Crypto.Hash.Algorithms (HashAlgorithm(..), SHA1 (..))
import qualified Crypto.KDF.PBKDF2      as PBKDF2
import           Crypto.MAC.HMAC        (Context, HMAC, finalize, hmac,
                                         hmacGetDigest, initialize, updates)
import           Crypto.Random
import           Data.Aeson
import qualified Data.Aeson             as JSON (eitherDecode', encode)
import           Data.ByteString        (ByteString)
import qualified Data.ByteString        as BS
import qualified Data.ByteString.Char8  as S8
import qualified Data.ByteString.Lazy   as BL
import qualified Data.ByteArray         as BA
import           Data.ByteArray         (ScrubbedBytes, ByteArrayAccess)
import qualified Data.Map               as M
import           Data.Maybe             (fromJust)
import           Data.Monoid            ((<>))
import           Data.Text              (Text)
import           Data.Text.Encoding     (decodeUtf8, encodeUtf8)
import           Data.Char              (isAscii, isAlphaNum)
import           Data.Time.Clock        (NominalDiffTime)
import           Data.Time.Clock.POSIX
import           Network.Iron.Util
import           Numeric                (showHex)

-- | Iron options used by 'sealWith' and 'unsealWith'.
data Options = Options
  { ironEncryption      :: EncryptionOpts  -- ^ Encryption options
  , ironIntegrity       :: IntegrityOpts   -- ^ Message integrity verification options
  , ironTTL             :: NominalDiffTime -- ^ Message lifetime in seconds
  , ironTimestampSkew   :: NominalDiffTime -- ^ Clock difference allowance in seconds
  , ironLocaltimeOffset :: NominalDiffTime -- ^ Clock offset in seconds
  } deriving Show

-- | Encryption algorithms supported by Iron.
data IronCipher = AES128CTR | AES256CBC  deriving (Show, Read, Eq, Enum)
data IronHMAC = SHA256 deriving (Show, Read, Eq, Enum)

class IsIronCipher a where
  ivSize :: a -> Int
  keySize :: a -> Int
  ironEncrypt :: a -> ByteString -> ByteString -> ByteString -> Maybe ByteString
  ironDecrypt :: a -> ByteString -> ByteString -> ByteString -> Maybe ByteString

class IsIronMAC a where
  macKeySize :: a -> Int
  ironMac :: a -> ByteString -> ByteString -> ByteString

instance IsIronMAC IronHMAC where
  macKeySize SHA256 = 32
  ironMac SHA256 key text = b64url $ hmacGetDigest (hmac key text :: HMAC C.SHA256)

-- | Specifies the salt for password-based key generation.
data Salt = Salt ByteString -- ^ Supply pre-generated salt
          | GenSalt Int     -- ^ Generate salt of given size, in bits
  deriving Show

{-
todo:
 - maybe remove ieSalt/iiSalt and ieIV from opts? these values
   pre-generated by the user might only be necessary for unit tests.
-}

-- | Options controlling encryption of Iron messages.
data EncryptionOpts = EncryptionOpts
  { ieSalt       :: Salt -- ^ Salt for password-based key generation
  , ieAlgorithm  :: IronCipher -- ^ Encryption algorithm
  , ieIterations :: Int -- ^ Number of iterations for password-based key generation
  , ieIV         :: Maybe ByteString -- ^ Pre-generated initial value block
  } deriving Show

-- | Options controlling cryptographic verification of Iron messages.
data IntegrityOpts = IntegrityOpts
  { iiSalt       :: Salt -- ^ Salt for MAC key generation
  , iiAlgorithm  :: IronHMAC -- ^ Hash-based MAC algorithm
  , iiIterations :: Int -- ^ Number of iterations for MAC key generation
  } deriving Show

encryptOptions :: IronCipher -- ^ Cipher algorithm
               -> Int -- ^ Number of salt bits for key generation
               -> Int -- ^ Number of iterations of key derivation function
               -> EncryptionOpts
encryptOptions a s n = EncryptionOpts
                       { ieSalt = GenSalt s
                       , ieAlgorithm = a
                       , ieIterations = n
                       , ieIV = Nothing }

integrityOptions :: IronHMAC -- ^ Cryptographic hash algorithm
                 -> Int -- ^ Number of salt bits for key generation
                 -> Int -- ^ Number of iterations of key derivation function
                 -> IntegrityOpts
integrityOptions a s n = IntegrityOpts
                         { iiSalt = GenSalt s
                         , iiAlgorithm = a
                         , iiIterations = n }

-- | A set of basic options. You need to choose a cipher and
-- parameters for key generation.
--
-- There are also some default options chosen, which are:
-- * Infinite message lifetime
-- * Timestamp skew: 60 seconds either way
-- * Local time offset: 0
options :: IronCipher -- ^ Encryption algorithm.
        -> IronHMAC    -- ^ Integrity check algorithm (use @SHA256@).
        -> Int        -- ^ Number of salt bits for key generation.
        -> Int        -- ^ Number of iterations of key derivation function.
        -> Options
options e i s n = Options
  { ironEncryption = encryptOptions e s n
  , ironIntegrity = integrityOptions i s n
  , ironTTL = 0
  , ironTimestampSkew = 60
  , ironLocaltimeOffset = 0
  }

-- | Identifies the password to use when unsealing the message.
type PasswordId = ByteString

-- | Represents the password(s) used to seal and unseal Iron
-- messages. To construct a 'Password', use one of 'password',
-- 'passwords', 'passwordWithId', 'passwordsWithId'.
data Password = MkPassword
  { passwordId :: PasswordId
  , encKey     :: KeyPass -- ^ Encryption key/password
  , intKey     :: KeyPass -- ^ Integrity key/password
  } deriving (Show, Eq)

-- | Represents a key used for the cipher or message authentication
-- code, or a password from which a key will be generated.
data KeyPass = Key ScrubbedBytes      -- ^ Pre-generated key
             | Password ScrubbedBytes -- ^ Key derived from password
             deriving (Show, Eq)
             -- note: ScrubbedBytes Show doesn't actually show any content

-- | Constructs a 'Password'.
password :: ByteArrayAccess a => a -> Password
password p = passwords p p

-- | Constructs a 'Password', with different encryption and integrity
-- verification passwords.
passwords :: ByteArrayAccess a => a -> a -> Password
passwords e i = password' mempty e i

-- | Constructs a 'Password'. The given identifier will be included as
-- the second component of the the sealed @Fe26@ string. The
-- identifier must only include alphanumeric characters and the
-- underscore, otherwise nothing will be returned.
passwordWithId :: ByteArrayAccess a => PasswordId -> a -> Maybe Password
passwordWithId k p = passwordsWithId k p p

-- | Constructs a 'Password', with different encryption and integrity
-- verification passwords. The given identifier will be included as
-- the second component of the the sealed @Fe26@ string. The
-- identifier must only include alphanumeric characters and the
-- underscore, otherwise nothing will be returned.
passwordsWithId :: ByteArrayAccess a => PasswordId -> a -> a -> Maybe Password
passwordsWithId k e i | validId k = Just $ password' k e i
                      | otherwise = Nothing

validId :: PasswordId -> Bool
validId k = not (S8.null k) && S8.all inRange k
  where inRange c = isAscii c && isAlphaNum c || c == '_'

passwordValid :: ByteArrayAccess a => EncryptionOpts -> a -> Bool
passwordValid EncryptionOpts{..} sec = keySize ieAlgorithm <= BA.length sec

password' :: ByteArrayAccess a => PasswordId -> a -> a -> Password
password' k e i = MkPassword k (passwd e) (passwd i)
  where passwd = Password . BA.convert

-- | User-supplied function to get the password corresponding to the
-- identifier from the sealed message.
type LookupPassword = PasswordId -> Maybe Password

-- | The simple case of LookupPassword, where there is the same
-- password for encryption and verification of all messages.
onePassword :: ByteArrayAccess a => a -> LookupPassword
onePassword = const . Just . password

-- | Encodes and encrypts a 'Data.Aeson.Value' using the given
-- password and 'Options'. Encryption may fail if the supplied
-- options are wrong.
seal :: ToJSON a => Options -> Password -> a -> IO (Maybe ByteString)
seal opts p v = do
  s <- getSealStuff opts
  return $ seal' opts s p v

-- | Variables necessary for sealing whose values come from the
-- IO world.
data SealStuff = SealStuff
  { ssNow     :: POSIXTime
  , ssEncSalt :: ByteString
  , ssIv      :: ByteString
  , ssIntSalt :: ByteString
  } deriving (Show)

-- | Gets the time, generate random numbers.
getSealStuff :: Options -> IO SealStuff
getSealStuff opts@Options{..} = do
  now <- getPOSIXTime
  drg1 <- getSystemDRG
  let (encSalt, drg2) = genSaltMaybe (ieSalt ironEncryption) drg1
  let (intSalt, drg3) = genSaltMaybe (iiSalt ironIntegrity) drg2
  let (iv, _) = genIVMaybe (ieAlgorithm ironEncryption) (ieIV ironEncryption) drg3
  return $ SealStuff (now + ironLocaltimeOffset) encSalt iv intSalt


-- | Effects-pure part of sealing process.
--
-- The seal process follows these general steps:
--   generate encryption salt saltE
--   derive an encryption key keyE using saltE and a password
--   generate an integrity salt saltI
--   derive an integrity (HMAC) key keyI using saltI
--   generate a random initialization vector iv
--   encrypt the serialized object string using keyE and iv
--   mac the encrypted object along with saltE and iv
--   concatenate saltE, saltI, iv, and the encrypted object into a URI-friendly string
seal' :: forall a. ToJSON a => Options -> SealStuff -> Password -> a -> Maybe ByteString
seal' opts SealStuff{..} sec a = encrypt a >>= fmap strCookie . mac . strEncCookie
  where
    encrypt :: a -> Maybe EncCookie
    encrypt obj = do
      key <- rightJust $ generateKey ieIterations size ssEncSalt (encKey sec)
      ctext <- ironEncrypt ieAlgorithm key ssIv json
      return $ EncCookie (passwordId sec) ssEncSalt ssIv expiration ctext
      where
        EncryptionOpts{..} = ironEncryption opts
        json = BL.toStrict $ JSON.encode obj
        expiration = expTime opts ssNow
        size = keySize ieAlgorithm

    mac :: ByteString -> Maybe Cookie
    mac str = Cookie str ssIntSalt <$> rightJust digest
      where
        digest = hmacWithPassword intOpts key ssIntSalt str
        intOpts = ironIntegrity opts
        key = intKey sec

data EncCookie = EncCookie
  { ckPasswordId :: PasswordId
  , ckEncSalt    :: ByteString
  , ckIv         :: ByteString
  , ckExpiration :: Maybe NominalDiffTime
  , ckText       :: ByteString
  } deriving Show

data Cookie = Cookie
  { ckEnc       :: ByteString
  , ckIntSalt   :: ByteString
  , ckIntDigest :: ByteString
  } deriving Show

strEncCookie :: EncCookie -> ByteString
strEncCookie (EncCookie pid s iv e t) = cat [macPrefix, pid, s, b64url iv, b64url t, expStr e]

strCookie :: Cookie -> ByteString
strCookie (Cookie a b c) = cat [a, b, c]

parseCookie :: ByteString -> Either String (EncCookie, Cookie)
parseCookie ck = do
  when (length parts /= 8) $ Left "Incorrect number of sealed components"
  when (pfx /= macPrefix) $ Left "Wrong mac prefix"
  eck <- EncCookie <$> pure a <*> pure b <*> b64' c <*> exp e <*> b64' d
  return (eck, Cookie enc f g)
  where
    parts = uncat ck
    (pfx:a:b:c:d:e:f:g:[]) = parts
    enc = cat $ take 6 parts
    exp :: ByteString -> Either String (Maybe NominalDiffTime)
    exp "" = Right Nothing
    exp n = maybe (Left "Invalid expiration") (Right . Just) $ parseExpMsec n
    b64' = b64urldec

cat :: [ByteString] -> ByteString
cat = BS.intercalate (S8.singleton '*')

uncat :: ByteString -> [ByteString]
uncat = S8.split '*'

expStr :: Maybe NominalDiffTime -> ByteString
expStr = maybe "" (S8.pack . show . round)

expTime :: Options -> POSIXTime -> Maybe NominalDiffTime
expTime Options{ironTTL} now | ironTTL > 0 = Just ((now + ironTTL) * 1000)
                              | otherwise = Nothing

-- | Calculates the MAC of a message. The result is encoded in the
-- URL-friendly variant of Base64.
macWithKey :: IronHMAC -> ByteString -> ByteString -> ByteString
macWithKey algo key text = ironMac algo key text

generateKey :: Int -> Int -> ByteString -> KeyPass -> Either String ByteString
generateKey _ s _ (Key k) | BA.length k >= s = Right (BA.convert k)
                          | otherwise = Left "Key buffer (password) too small"
generateKey n s l (Password p) | BS.null l = Left "Missing salt"
                               | otherwise = Right (generateKey' n s l p)

generateKey' :: BA.ByteArrayAccess p => Int -> Int -> ByteString -> p -> ByteString
generateKey' iterations size salt p = PBKDF2.generate prf params p salt
  where
    prf = PBKDF2.prfHMAC SHA1
    params = PBKDF2.Parameters iterations size

-- | Calculates integrity hash.
hmacWithPassword :: IntegrityOpts -> KeyPass -> ByteString -> ByteString
                 -> Either String ByteString
hmacWithPassword IntegrityOpts{..} key salt text = do
  key' <- generateKey iiIterations (macKeySize iiAlgorithm) salt key
  Right $ macWithKey iiAlgorithm key' text

-- | Prepares the variables necessary to use cryptonite block cipher
-- functions.
aesSetup :: BlockCipher c => ByteString -> ByteString -> Maybe (c, IV c, Format)
aesSetup key iv = (,,) <$> ctx <*> iv' <*> p
  where
    ctx = maybeCryptoError (cipherInit key)
    iv' = makeIV iv
    p = fmap (PKCS7 . blockSize) ctx

instance IsIronCipher IronCipher where
  -- IV is the size of one block
  ivSize AES128CTR = blockSize (undefined :: AES128)
  ivSize AES256CBC = blockSize (undefined :: AES256)

  -- Iron's chosen key size -- should fall within the range of
  -- cryptonite cipherKeySize
  keySize AES128CTR = 16
  keySize AES256CBC = 32

  -- Encrypt with AES block counter mode
  ironEncrypt AES128CTR key iv text = do
    (ctx :: AES128, iv', p) <- aesSetup key iv
    return $ ctrCombine ctx iv' (pad p text)

  -- Encrypt with AES block chaining mode
  ironEncrypt AES256CBC key iv text = do
    (ctx :: AES256, iv', p) <- aesSetup key iv
    let text' = pad p text
    return $ cbcEncrypt ctx iv' text'

  -- Decrypt with AES block counter mode
  ironDecrypt AES128CTR key iv ctext = do
    (ctx :: AES128, iv', p) <- aesSetup key iv
    unpad p (ctrCombine ctx iv' ctext)

  -- Decrypt with AES block chaining mode
  ironDecrypt AES256CBC key iv ctext = do
    (ctx :: AES256, iv', p) <- aesSetup key iv
    let text' = cbcDecrypt ctx iv' ctext
    unpad p text'

-- | Decrypts an Iron-encoded message 'Data.Aeson.Value' with the
-- given password and 'Options'.
unseal :: FromJSON a => Options -> LookupPassword -> ByteString -> IO (Either String a)
unseal opts p t = do
  now <- getPOSIXTime
  return $ unseal' opts now p t

-- | Effects-pure part of unsealing process.
unseal' :: FromJSON a => Options -> POSIXTime -> LookupPassword -> ByteString -> Either String a
unseal' opts now p cookie = do
  (eck, ck) <- parseCookie cookie
  _ <- checkExpiration now (ironTimestampSkew opts) eck
  MkPassword _ enc int <- getPassword opts (ckPasswordId eck) p
  ok <- verify ck int
  decrypt eck enc >>= JSON.eitherDecode' . BL.fromStrict
  where
    decrypt :: EncCookie -> KeyPass -> Either String ByteString
    decrypt EncCookie{..} sec = do
      let EncryptionOpts{..} = ironEncryption opts
          size = keySize ieAlgorithm
      key <- generateKey ieIterations size ckEncSalt sec
      case ironDecrypt ieAlgorithm key ckIv ckText of
        Just ctext -> Right ctext
        Nothing -> Left "Iron decryption failed"

    verify :: Cookie -> KeyPass -> Either String ()
    verify Cookie{..} sec = do
      digest <- hmacWithPassword (ironIntegrity opts) sec ckIntSalt ckEnc
      if BA.constEq ckIntDigest digest
        then Right ()
        else Left "Bad hmac value"

    checkExpiration :: NominalDiffTime -> NominalDiffTime -> EncCookie -> Either String ()
    checkExpiration now skew EncCookie{ckExpiration} = if isExpired now skew ckExpiration
                                                          then Left "Expired seal"
                                                          else Right ()

    getPassword :: Options -> PasswordId -> LookupPassword -> Either String Password
    getPassword opts pid lookup = case lookup pid of
                                    Just p -> Right p
                                    Nothing -> Left $ "Cannot find password: " <> S8.unpack pid

isExpired :: POSIXTime -> NominalDiffTime -> Maybe POSIXTime -> Bool
isExpired _ _ Nothing         = False
isExpired now skew (Just exp) = exp <= (now - skew)

genSalt :: DRG gen => Int -> gen -> (ByteString, gen)
genSalt saltBits gen = withRandomBytes gen (saltBits `quot` 8) b16

genIV :: DRG gen => Int -> gen -> (ByteString, gen)
genIV size gen = withRandomBytes gen size id

genSaltMaybe :: DRG gen => Salt -> gen -> (ByteString, gen)
genSaltMaybe (Salt salt)   = \gen -> (salt, gen)
genSaltMaybe (GenSalt len) = genSalt len

genIVMaybe :: DRG gen => IronCipher -> Maybe ByteString -> gen -> (ByteString, gen)
genIVMaybe _ (Just iv)  = \gen -> (iv, gen)
genIVMaybe algo Nothing = genIV (ivSize algo)

macPrefix, macFormatVersion :: ByteString
macPrefix = "Fe26." <> macFormatVersion
macFormatVersion = "2"