1 | {-# LANGUAGE OverloadedStrings #-} |
2 | {-| | |
3 | Module : Crypto.Macaroon | |
4 | Copyright : (c) 2015 Julien Tanguy | |
5 | License : BSD3 | |
6 | ||
7 | Maintainer : julien.tanguy@jhome.fr | |
8 | Stability : experimental | |
9 | Portability : portable | |
10 | ||
Pure Haskell implementation of macaroons (HMAC-chained bearer tokens with caveats).
12 | ||
Warning: this implementation has not been audited by security experts.
Do not use it in production.
15 | |
16 | ||
17 | References: | |
18 | ||
19 | - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html> | |
20 | - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex> | |
21 | -} |
module Crypto.Macaroon (
  -- * Types
  --
  -- NOTE(review): 'Key' is used both for the confidential root secret
  -- ('create' takes it as its first argument) and for public identifiers
  -- (the second argument, caveat ids); the type does not tell them apart,
  -- so callers must keep track of which values are secret themselves.
    Macaroon
  , Caveat
  , Key
  , Location
  , Sig
  -- * Accessing functions
  -- ** Macaroons
  , location
  , identifier
  , caveats
  -- | NOTE(review): the signature is what a holder presents to prove
  -- possession; treat the whole macaroon, and this field in particular,
  -- as a bearer secret and keep it out of logs and error messages.
  , signature
  -- ** Caveats
  , caveatLoc
  , caveatId
  , caveatVId

  -- * Create Macaroons
  , create
  , inspect
  , addFirstPartyCaveat
  -- Third-party caveats are not exported: the only implementation in this
  -- module is the disabled sketch at the bottom of the file.
  -- , addThirdPartyCaveat
  ) where
46 | ||
8505c3d3 | 47 | -- import Crypto.Cipher.AES |
48 | import Crypto.Hash |
49 | import Data.Byteable | |
50 | import qualified Data.ByteString as BS | |
51 | import qualified Data.ByteString.Base64.URL as B64 | |
52 | import qualified Data.ByteString.Char8 as B8 | |
53 | |
54 | import Crypto.Macaroon.Internal | |
55 | ||
-- | Mint a fresh macaroon with no caveats.
--
-- The root @secret@ is never used as an HMAC key directly: it is first
-- passed as the /message/ of an HMAC-SHA256 under the fixed key
-- @"macaroons-key-generator"@, and that derived key then authenticates
-- @ident@ to produce the initial signature. @loc@ and @ident@ are stored
-- in the clear inside the macaroon.
--
-- NOTE(review): @secret@ is the only confidential input. The derivation
-- is a single HMAC with no stretching, so it must already be a
-- high-entropy key held only by the minting service.
create :: Key -> Key -> Location -> Macaroon
create secret ident loc =
    MkMacaroon loc ident [] initialSig
  where
    -- Raw HMAC-SHA256 output as bytes; the only primitive this module
    -- uses for the signature chain.
    mac :: BS.ByteString -> BS.ByteString -> BS.ByteString
    mac k msg = toBytes (hmac k msg :: HMAC SHA256)

    rootKey    = mac "macaroons-key-generator" secret
    initialSig = mac rootKey ident
f6781456 | 61 | |
-- | The location a caveat is addressed to (the macaroon's own location
-- for caveats added by 'addFirstPartyCaveat').
caveatLoc :: Caveat -> Location
caveatLoc c = cl c
65 | ||
-- | The caveat's identifier, i.e. the predicate the verifier has to check.
caveatId :: Caveat -> Key
caveatId c = cid c
69 | ||
-- | The caveat's verification identifier. First-party caveats carry an
-- empty one (see 'addFirstPartyCaveat').
caveatVId :: Caveat -> Key
caveatVId c = vid c
73 | ||
-- | Render a macaroon with its 'Show' instance. For debugging purposes only.
--
-- NOTE(review): the rendering presumably includes the signature, which is
-- the bearer credential; do not send the output to logs or error responses
-- that untrusted parties can read.
inspect :: Macaroon -> String
inspect m = show m
f6781456 | 77 | |
-- | Append a first-party caveat identified by @ident@ to a macaroon.
--
-- First-party caveats are addressed to the macaroon's own location and
-- carry an empty verification id; extending the signature chain is left
-- to 'addCaveat' (defined in "Crypto.Macaroon.Internal").
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat here ident noVerifier m
  where
    here       = location m
    noVerifier = BS.empty
81 | ||
-- | Add a third-party caveat to a macaroon, using its location, identifier and
-- verification key.
--
-- NOTE(review): the disabled sketch below wraps the caveat key with
-- unauthenticated AES-ECB keyed by the current signature. ECB is deterministic
-- and provides no integrity protection, so this sketch must not be revived as
-- is: the verification id needs authenticated, nonce-based encryption of the
-- caveat key under the current signature, as in the reference implementation.
84 | -- addThirdPartyCaveat :: Key |
85 | -- -> Key | |
86 | -- -> Location | |
87 | -- -> Macaroon | |
88 | -- -> Macaroon | |
89 | -- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m | |
90 | -- where | |
91 | -- vid = encryptECB (initAES (signature m)) key | |
92 | |
93 |