x509-1.7.2: X509 reader and writer

LicenseBSD-style
MaintainerVincent Hanquez <vincent@snarc.org>
Stabilityexperimental
Portabilityunknown
Safe HaskellNone
LanguageHaskell2010

Data.X509

Contents

Description

Read/Write X509 Certificate, CRL and their signed equivalents.

Follows RFC5280 / RFC6818

Synopsis

Types

type SignedCertificate = SignedExact Certificate Source #

A Signed Certificate

type SignedCRL = SignedExact CRL Source #

A Signed CRL

data Certificate Source #

X.509 Certificate type.

This type doesn't include the signature, it's describe in the RFC as tbsCertificate.

Constructors

Certificate 

Fields

Instances

data PubKey Source #

Public key types known and used in X.509

Constructors

PubKeyRSA PublicKey

RSA public key

PubKeyDSA PublicKey

DSA public key

PubKeyDH (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer))

DH format with (p,g,q,j,(seed,pgenCounter))

PubKeyEC PubKeyEC

EC public key

PubKeyUnknown OID ByteString

unrecognized format

Instances

data PubKeyEC Source #

Elliptic Curve Public Key

TODO: missing support for binary curve.

Constructors

PubKeyEC_Prime 

Fields

PubKeyEC_Named 

Fields

Instances

newtype SerializedPoint Source #

Serialized Elliptic Curve Point

Constructors

SerializedPoint ByteString 

Instances

data PrivKey Source #

Private key types known and used in X.509

Constructors

PrivKeyRSA PrivateKey

RSA private key

PrivKeyDSA PrivateKey

DSA private key

PrivKeyEC PrivKeyEC

EC private key

Instances

data PrivKeyEC Source #

Elliptic Curve Private Key

TODO: missing support for binary curve.

Constructors

PrivKeyEC_Prime 

Fields

PrivKeyEC_Named 

Fields

Instances

pubkeyToAlg :: PubKey -> PubKeyALG Source #

Convert a Public key to the Public Key Algorithm type

privkeyToAlg :: PrivKey -> PubKeyALG Source #

Convert a Private key to the Public Key Algorithm type

data HashALG Source #

Hash Algorithm

Constructors

HashMD2 
HashMD5 
HashSHA1 
HashSHA224 
HashSHA256 
HashSHA384 
HashSHA512 

Instances

data PubKeyALG Source #

Public Key Algorithm

Constructors

PubKeyALG_RSA

RSA Public Key algorithm

PubKeyALG_RSAPSS

RSA PSS Key algorithm (RFC 3447)

PubKeyALG_DSA

DSA Public Key algorithm

PubKeyALG_EC

ECDSA & ECDH Public Key algorithm

PubKeyALG_DH

Diffie Hellman Public Key algorithm

PubKeyALG_Unknown OID

Unknown Public Key algorithm

Instances

data SignatureALG Source #

Signature Algorithm often composed of a public key algorithm and a hash algorithm

Constructors

SignatureALG HashALG PubKeyALG 
SignatureALG_Unknown OID 

Instances

class Extension a where Source #

Extension class.

each extension have a unique OID associated, and a way to encode and decode an ASN1 stream.

Errata: turns out, the content is not necessarily ASN1, it could be data that is only parsable by the extension e.g. raw ascii string. Add method to parse and encode with ByteString

Minimal complete definition

extOID, extHasNestedASN1, extEncode, extDecode

Methods

extOID :: a -> OID Source #

extHasNestedASN1 :: Proxy a -> Bool Source #

extEncode :: a -> [ASN1] Source #

extDecode :: [ASN1] -> Either String a Source #

extDecodeBs :: ByteString -> Either String a Source #

extEncodeBs :: a -> ByteString Source #

Instances

Extension ExtNetscapeComment Source # 
Extension ExtCrlDistributionPoints Source # 
Extension ExtAuthorityKeyId Source # 
Extension ExtSubjectAltName Source # 
Extension ExtSubjectKeyId Source # 
Extension ExtExtendedKeyUsage Source # 
Extension ExtKeyUsage Source # 
Extension ExtBasicConstraints Source # 

Common extension usually found in x509v3

data ExtBasicConstraints Source #

Basic Constraints

Constructors

ExtBasicConstraints Bool (Maybe Integer) 

Instances

data ExtKeyUsage Source #

Describe key usage

Constructors

ExtKeyUsage [ExtKeyUsageFlag] 

Instances

data ExtKeyUsageFlag Source #

key usage flag that is found in the key usage extension field.

Constructors

KeyUsage_digitalSignature 
KeyUsage_nonRepudiation 
KeyUsage_keyEncipherment 
KeyUsage_dataEncipherment 
KeyUsage_keyAgreement 
KeyUsage_keyCertSign 
KeyUsage_cRLSign 
KeyUsage_encipherOnly 
KeyUsage_decipherOnly 

Instances

data ExtExtendedKeyUsage Source #

Extended key usage extension

Constructors

ExtExtendedKeyUsage [ExtKeyUsagePurpose] 

Instances

data ExtKeyUsagePurpose Source #

Key usage purposes for the ExtendedKeyUsage extension

Constructors

KeyUsagePurpose_ServerAuth 
KeyUsagePurpose_ClientAuth 
KeyUsagePurpose_CodeSigning 
KeyUsagePurpose_EmailProtection 
KeyUsagePurpose_TimeStamping 
KeyUsagePurpose_OCSPSigning 
KeyUsagePurpose_Unknown OID 

Instances

data ExtSubjectKeyId Source #

Provide a way to identify a public key by a short hash.

Constructors

ExtSubjectKeyId ByteString 

Instances

data ExtSubjectAltName Source #

Provide a way to supply alternate name that can be used for matching host name.

Constructors

ExtSubjectAltName [AltName] 

Instances

data ExtAuthorityKeyId Source #

Provide a mean to identify the public key corresponding to the private key used to signed a certificate.

Constructors

ExtAuthorityKeyId ByteString 

Instances

data ExtCrlDistributionPoints Source #

Identify how CRL information is obtained

Constructors

ExtCrlDistributionPoints [DistributionPoint] 

Instances

data ExtNetscapeComment Source #

Constructors

ExtNetscapeComment ByteString 

Instances

data AltName Source #

Different naming scheme use by the extension.

Not all name types are available, missing: otherName x400Address directoryName ediPartyName registeredID

Constructors

AltNameRFC822 String 
AltNameDNS String 
AltNameURI String 
AltNameIP ByteString 
AltNameXMPP String 
AltNameDNSSRV String 

Instances

data DistributionPoint Source #

Distribution point as either some GeneralNames or a DN

Constructors

DistributionPointFullName [AltName] 
DistributionNameRelative DistinguishedName 

Instances

data ReasonFlag Source #

Reason flag for the CRL

Constructors

Reason_Unused 
Reason_KeyCompromise 
Reason_CACompromise 
Reason_AffiliationChanged 
Reason_Superseded 
Reason_CessationOfOperation 
Reason_CertificateHold 
Reason_PrivilegeWithdrawn 
Reason_AACompromise 

Instances

Accessor turning extension into a specific one

extensionGet :: Extension a => Extensions -> Maybe a Source #

Get a specific extension from a lists of raw extensions

extensionGetE :: Extension a => Extensions -> Maybe (Either String a) Source #

Get a specific extension from a lists of raw extensions

extensionDecode :: forall a. Extension a => ExtensionRaw -> Maybe (Either String a) Source #

Try to decode an ExtensionRaw.

If this function return: * Nothing, the OID doesn't match * Just Left, the OID matched, but the extension couldn't be decoded * Just Right, the OID matched, and the extension has been succesfully decoded

extensionEncode :: forall a. Extension a => Bool -> a -> ExtensionRaw Source #

Encode an Extension to extensionRaw

data ExtensionRaw Source #

An undecoded extension

Constructors

ExtensionRaw 

Fields

Instances

tryExtRawASN1 :: ExtensionRaw -> Either String [ASN1] Source #

extRawASN1 :: ExtensionRaw -> [ASN1] Source #

Deprecated: use tryExtRawASN1 instead

newtype Extensions Source #

a Set of ExtensionRaw

Constructors

Extensions (Maybe [ExtensionRaw]) 

Instances

Certificate Revocation List (CRL)

data CRL Source #

Describe a Certificate revocation list

Constructors

CRL 

Fields

Instances

Eq CRL Source # 

Methods

(==) :: CRL -> CRL -> Bool #

(/=) :: CRL -> CRL -> Bool #

Show CRL Source # 

Methods

showsPrec :: Int -> CRL -> ShowS #

show :: CRL -> String #

showList :: [CRL] -> ShowS #

ASN1Object CRL Source # 

Methods

toASN1 :: CRL -> ASN1S #

fromASN1 :: [ASN1] -> Either String (CRL, [ASN1]) #

data RevokedCertificate Source #

Describe a revoked certificate identifiable by serial number.

Constructors

RevokedCertificate 

Fields

Instances

Naming

newtype DistinguishedName Source #

A list of OID and strings.

Constructors

DistinguishedName 

Fields

Instances

data DnElement Source #

Elements commonly available in a DistinguishedName structure

Constructors

DnCommonName

CN

DnCountry

Country

DnOrganization

O

DnOrganizationUnit

OU

DnEmailAddress

Email Address (legacy)

Instances

data ASN1CharacterString :: * #

ASN1 Character String with encoding

Constructors

ASN1CharacterString 

Fields

Instances

getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterString Source #

Try to get a specific element in a DistinguishedName structure

Certificate Chain

newtype CertificateChain Source #

A chain of X.509 certificates in exact form.

Constructors

CertificateChain [SignedExact Certificate] 

Instances

newtype CertificateChainRaw Source #

Represent a chain of X.509 certificates in bytestring form.

Constructors

CertificateChainRaw [ByteString] 

Instances

marshall between CertificateChain and CertificateChainRaw

decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChain Source #

Decode a CertificateChainRaw into a CertificateChain if every raw certificate are decoded correctly, otherwise return the index of the failed certificate and the error associated.

encodeCertificateChain :: CertificateChain -> CertificateChainRaw Source #

Convert a CertificateChain into a CertificateChainRaw

Signed types and marshalling

data (Show a, Eq a, ASN1Object a) => Signed a Source #

Represent a signed object using a traditional X509 structure.

When dealing with external certificate, use the SignedExact structure not this one.

Constructors

Signed 

Fields

Instances

(ASN1Object a, Eq a, Show a) => Eq (Signed a) Source # 

Methods

(==) :: Signed a -> Signed a -> Bool #

(/=) :: Signed a -> Signed a -> Bool #

(ASN1Object a, Eq a, Show a) => Show (Signed a) Source # 

Methods

showsPrec :: Int -> Signed a -> ShowS #

show :: Signed a -> String #

showList :: [Signed a] -> ShowS #

data (Show a, Eq a, ASN1Object a) => SignedExact a Source #

Represent the signed object plus the raw data that we need to keep around for non compliant case to be able to verify signature.

Instances

getSigned :: SignedExact a -> Signed a Source #

get the decoded Signed data

getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteString Source #

Get the signed data for the signature

objectToSignedExact Source #

Arguments

:: (Show a, Eq a, ASN1Object a) 
=> (ByteString -> (ByteString, SignatureALG, r))

signature function

-> a

object to sign

-> (SignedExact a, r) 

Transform an object into a SignedExact object

objectToSignedExactF Source #

Arguments

:: (Functor f, Show a, Eq a, ASN1Object a) 
=> (ByteString -> f (ByteString, SignatureALG))

signature function

-> a

object to sign

-> f (SignedExact a) 

A generalization of objectToSignedExact where the signature function runs in an arbitrary functor. This allows for example to sign using an algorithm needing random values.

encodeSignedObject :: SignedExact a -> ByteString Source #

The raw representation of the whole signed structure

decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a) Source #

Try to parse a bytestring that use the typical X509 signed structure format

Parametrized Signed accessor

getCertificate :: SignedCertificate -> Certificate Source #

Get the Certificate associated to a SignedCertificate

getCRL :: SignedCRL -> CRL Source #

Get the CRL associated to a SignedCRL

decodeSignedCertificate :: ByteString -> Either String SignedCertificate Source #

Try to decode a bytestring to a SignedCertificate

decodeSignedCRL :: ByteString -> Either String SignedCRL Source #

Try to decode a bytestring to a SignedCRL

Hash distinguished names related function

hashDN :: DistinguishedName -> ByteString Source #

Make an OpenSSL style hash of distinguished name

OpenSSL algorithm is odd, and has been replicated here somewhat. only lower the case of ascii character.

hashDN_old :: DistinguishedName -> ByteString Source #

Create an openssl style old hash of distinguished name