1 | {-# LANGUAGE OverloadedStrings #-} |
2 | {-| | |
3 | Module : Crypto.Macaroon | |
4 | Copyright : (c) 2015 Julien Tanguy | |
5 | License : BSD3 | |
6 | ||
7 | Maintainer : julien.tanguy@jhome.fr | |
8 | Stability : experimental | |
9 | Portability : portable | |
10 | ||
11 | Pure Haskell implementation of macaroons. |
12 | ||
13 | Warning: this implementation has not been audited by security experts. | |
2aede11a | 14 | Do not use in production.
15 | |
16 | ||
17 | References: | |
18 | ||
19 | - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html> | |
20 | - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex> | |
21 | -} |
22 | module Crypto.Macaroon ( | |
23 | -- * Types | |
24 | Macaroon | |
25 | , Caveat | |
86f38823 | 26 | , Secret |
27 | , Key |
28 | , Location | |
1971e224 | 29 | , Sig |
30 | -- * Accessing functions |
31 | -- ** Macaroons | |
32 | , location | |
33 | , identifier | |
34 | , caveats | |
35 | , signature | |
36 | -- ** Caveats | |
37 | , cl |
38 | , cid | |
39 | , vid | |
40 | |
41 | -- * Create Macaroons | |
42 | , create | |
43 | , inspect | |
44 | , addFirstPartyCaveat | |
26d38f73 | 45 | -- , addThirdPartyCaveat |
46 | ) where |
47 | ||
8505c3d3 | 48 | -- import Crypto.Cipher.AES |
49 | import Crypto.Hash |
50 | import Data.Byteable | |
51 | import qualified Data.ByteString as BS | |
52 | import qualified Data.ByteString.Base64.URL as B64 | |
53 | import qualified Data.ByteString.Char8 as B8 | |
54 | |
55 | import Crypto.Macaroon.Internal | |
56 | ||
-- | Create a Macaroon from its secret, identifier and location.
--
-- The caller-supplied secret is never used as the signing key directly.
-- It is first passed through HMAC-SHA256 under the fixed label
-- @"macaroons-key-generator"@ to obtain the root key; the macaroon's
-- initial signature is then HMAC-SHA256 of the identifier under that
-- root key. A freshly created macaroon carries no caveats.
create :: Secret -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] initialSig
  where
    -- Root key: HMAC keyed by the fixed label, computed over the secret.
    rootKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
    -- Root signature: HMAC keyed by the root key, computed over the identifier.
    initialSig = toBytes (hmac rootKey ident :: HMAC SHA256)
f6781456 | 62 | |
-- | Render a macaroon's contents through its 'Show' instance.
--
-- Intended for debugging only. The rendered text presumably includes the
-- signature field, which is a credential and should not end up in logs;
-- confirm against the 'Show' instance in "Crypto.Macaroon.Internal".
inspect :: Macaroon -> String
inspect macaroon = show macaroon
f6781456 | 66 | |
-- | Append a first-party caveat, identified by @ident@, to a macaroon.
--
-- A first-party caveat is attached at the macaroon's own location and
-- carries an empty verification id; the actual insertion is delegated
-- to 'addCaveat'.
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat ownLocation ident noVerificationId m
  where
    ownLocation      = location m
    noVerificationId = BS.empty
70 | ||
71 | -- | Add a third party Caveat to a Macaroon, using its location, identifier and | |
72 | -- verification key. Not yet implemented: the sketch below is commented out, and its ECB encryption of the caveat key is unauthenticated, so the verification id construction still needs an authenticated scheme. | |
73 | -- addThirdPartyCaveat :: Key |
74 | -- -> Key | |
75 | -- -> Location | |
76 | -- -> Macaroon | |
77 | -- -> Macaroon | |
78 | -- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m | |
79 | -- where | |
80 | -- vid = encryptECB (initAES (signature m)) key | |