Portability | unknown |
---|---|
Stability | experimental |
Maintainer | Vincent Hanquez <vincent@snarc.org> |
Safe Haskell | None |
- Types
- Common extension usually found in x509v3
- Accessor turning extension into a specific one
- Certificate Revocation List (CRL)
- Naming
- Certificate Chain
- marshall between CertificateChain and CertificateChainRaw
- Signed types and marshalling
- Parametrized Signed accessor
- Hash distinguished names related function
Read/Write X509 Certificate, CRL and their signed equivalents.
Follows RFC5280 / RFC6818
- type SignedCertificate = SignedExact Certificate
- type SignedCRL = SignedExact CRL
- data Certificate = Certificate {}
- data PubKey
- = PubKeyRSA PublicKey
- | PubKeyDSA PublicKey
- | PubKeyDH (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer))
- | PubKeyECDSA CurveName ByteString
- | PubKeyUnknown OID ByteString
- data PrivKey
- pubkeyToAlg :: PubKey -> PubKeyALG
- privkeyToAlg :: PrivKey -> PubKeyALG
- data HashALG
- = HashMD2
- | HashMD5
- | HashSHA1
- | HashSHA224
- | HashSHA256
- | HashSHA384
- | HashSHA512
- data PubKeyALG
- data SignatureALG
- class Extension a where
- data ExtBasicConstraints = ExtBasicConstraints Bool (Maybe Integer)
- data ExtKeyUsage = ExtKeyUsage [ExtKeyUsageFlag]
- data ExtKeyUsageFlag
- data ExtExtendedKeyUsage = ExtExtendedKeyUsage [ExtKeyUsagePurpose]
- data ExtKeyUsagePurpose
- data ExtSubjectKeyId = ExtSubjectKeyId ByteString
- data ExtSubjectAltName = ExtSubjectAltName [AltName]
- data ExtAuthorityKeyId = ExtAuthorityKeyId ByteString
- data ExtCrlDistributionPoints = ExtCrlDistributionPoints [DistributionPoint]
- data AltName
- data DistributionPoint
- data ReasonFlag
- extensionGet :: Extension a => Extensions -> Maybe a
- extensionDecode :: Extension a => ExtensionRaw -> Maybe (Either String a)
- extensionEncode :: Extension a => Bool -> a -> ExtensionRaw
- data ExtensionRaw = ExtensionRaw {
- extRawOID :: OID
- extRawCritical :: Bool
- extRawASN1 :: [ASN1]
- newtype Extensions = Extensions (Maybe [ExtensionRaw])
- data CRL = CRL {}
- data RevokedCertificate = RevokedCertificate {}
- newtype DistinguishedName = DistinguishedName {}
- data DnElement
- data ASN1CharacterString = ASN1CharacterString {}
- getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterString
- newtype CertificateChain = CertificateChain [SignedExact Certificate]
- newtype CertificateChainRaw = CertificateChainRaw [ByteString]
- decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChain
- encodeCertificateChain :: CertificateChain -> CertificateChainRaw
- data (Show a, Eq a, ASN1Object a) => Signed a = Signed {}
- data (Show a, Eq a, ASN1Object a) => SignedExact a
- getSigned :: SignedExact a -> Signed a
- getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteString
- objectToSignedExact :: (Show a, Eq a, ASN1Object a) => (ByteString -> (ByteString, SignatureALG, r)) -> a -> (SignedExact a, r)
- encodeSignedObject :: SignedExact a -> ByteString
- decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a)
- getCertificate :: SignedCertificate -> Certificate
- getCRL :: SignedCRL -> CRL
- decodeSignedCertificate :: ByteString -> Either String SignedCertificate
- decodeSignedCRL :: ByteString -> Either String SignedCRL
- hashDN :: DistinguishedName -> ByteString
- hashDN_old :: DistinguishedName -> ByteString
Types
type SignedCertificate = SignedExact CertificateSource
A Signed Certificate
type SignedCRL = SignedExact CRLSource
A Signed CRL
data Certificate Source
X.509 Certificate type.
This type doesn't include the signature, it's describe in the RFC as tbsCertificate.
Certificate | |
|
Public key types known and used in X.509
PubKeyRSA PublicKey | RSA public key |
PubKeyDSA PublicKey | DSA public key |
PubKeyDH (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer)) | DH format with (p,g,q,j,(seed,pgenCounter)) |
PubKeyECDSA CurveName ByteString | |
PubKeyUnknown OID ByteString | unrecognized format |
Private key types known and used in X.509
PrivKeyRSA PrivateKey | RSA private key |
PrivKeyDSA PrivateKey | DSA private key |
pubkeyToAlg :: PubKey -> PubKeyALGSource
Convert a Public key to the Public Key Algorithm type
privkeyToAlg :: PrivKey -> PubKeyALGSource
Convert a Public key to the Public Key Algorithm type
Hash Algorithm
Public Key Algorithm
PubKeyALG_RSA | RSA Public Key algorithm |
PubKeyALG_DSA | DSA Public Key algorithm |
PubKeyALG_ECDSA | ECDSA Public Key algorithm |
PubKeyALG_DH | Diffie Hellman Public Key algorithm |
PubKeyALG_Unknown OID | Unknown Public Key algorithm |
data SignatureALG Source
Signature Algorithm often composed of a public key algorithm and a hash algorithm
Extension class.
each extension have a unique OID associated, and a way to encode and decode an ASN1 stream.
Common extension usually found in x509v3
data ExtBasicConstraints Source
Basic Constraints
data ExtKeyUsage Source
Describe key usage
data ExtKeyUsageFlag Source
key usage flag that is found in the key usage extension field.
data ExtKeyUsagePurpose Source
data ExtSubjectKeyId Source
Provide a way to identify a public key by a short hash.
data ExtSubjectAltName Source
Provide a way to supply alternate name that can be used for matching host name.
data ExtAuthorityKeyId Source
Provide a mean to identify the public key corresponding to the private key used to signed a certificate.
data ExtCrlDistributionPoints Source
Identify how CRL information is obtained
Different naming scheme use by the extension.
Not all name types are available, missing: otherName x400Address directoryName ediPartyName registeredID
data DistributionPoint Source
Distribution point as either some GeneralNames or a DN
data ReasonFlag Source
Reason flag for the CRL
Accessor turning extension into a specific one
extensionGet :: Extension a => Extensions -> Maybe aSource
Get a specific extension from a lists of raw extensions
extensionDecode :: Extension a => ExtensionRaw -> Maybe (Either String a)Source
Try to decode an ExtensionRaw.
If this function return: * Nothing, the OID doesn't match * Just Left, the OID matched, but the extension couldn't be decoded * Just Right, the OID matched, and the extension has been succesfully decoded
extensionEncode :: Extension a => Bool -> a -> ExtensionRawSource
Encode an Extension to extensionRaw
data ExtensionRaw Source
An undecoded extension
ExtensionRaw | |
|
newtype Extensions Source
a Set of ExtensionRaw
Certificate Revocation List (CRL)
Describe a Certificate revocation list
data RevokedCertificate Source
Describe a revoked certificate identifiable by serial number.
Naming
newtype DistinguishedName Source
A list of OID and strings.
Elements commonly available in a DistinguishedName
structure
DnCommonName | CN |
DnCountry | Country |
DnOrganization | O |
DnOrganizationUnit | OU |
data ASN1CharacterString
ASN1 Character String with encoding
getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterStringSource
Try to get a specific element in a DistinguishedName
structure
Certificate Chain
newtype CertificateChain Source
A chain of X.509 certificates in exact form.
newtype CertificateChainRaw Source
Represent a chain of X.509 certificates in bytestring form.
marshall between CertificateChain and CertificateChainRaw
decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChainSource
Decode a CertificateChainRaw into a CertificateChain if every raw certificate are decoded correctly, otherwise return the index of the failed certificate and the error associated.
encodeCertificateChain :: CertificateChain -> CertificateChainRawSource
Convert a CertificateChain into a CertificateChainRaw
Signed types and marshalling
data (Show a, Eq a, ASN1Object a) => Signed a Source
Represent a signed object using a traditional X509 structure.
When dealing with external certificate, use the SignedExact structure not this one.
Signed | |
|
(Eq a, Show a, ASN1Object a) => Eq (Signed a) | |
(Eq a, Show a, ASN1Object a) => Show (Signed a) |
data (Show a, Eq a, ASN1Object a) => SignedExact a Source
Represent the signed object plus the raw data that we need to keep around for non compliant case to be able to verify signature.
(Eq a, Show a, ASN1Object a) => Eq (SignedExact a) | |
(Eq a, Show a, ASN1Object a) => Show (SignedExact a) |
getSigned :: SignedExact a -> Signed aSource
get the decoded Signed data
getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteStringSource
Get the signed data for the signature
:: (Show a, Eq a, ASN1Object a) | |
=> (ByteString -> (ByteString, SignatureALG, r)) | signature function |
-> a | object to sign |
-> (SignedExact a, r) |
Transform an object into a SignedExact
object
encodeSignedObject :: SignedExact a -> ByteStringSource
The raw representation of the whole signed structure
decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a)Source
Try to parse a bytestring that use the typical X509 signed structure format
Parametrized Signed accessor
getCertificate :: SignedCertificate -> CertificateSource
Get the Certificate associated to a SignedCertificate
decodeSignedCertificate :: ByteString -> Either String SignedCertificateSource
Try to decode a bytestring to a SignedCertificate
decodeSignedCRL :: ByteString -> Either String SignedCRLSource
Try to decode a bytestring to a SignedCRL
Hash distinguished names related function
hashDN :: DistinguishedName -> ByteStringSource
Make an OpenSSL style hash of distinguished name
OpenSSL algorithm is odd, and has been replicated here somewhat. only lower the case of ascii character.
hashDN_old :: DistinguishedName -> ByteStringSource
Create an openssl style old hash of distinguished name