1 {-# LANGUAGE OverloadedStrings #-}
3 Module : Crypto.Macaroon
4 Copyright : (c) 2015 Julien Tanguy
7 Maintainer : julien.tanguy@jhome.fr
8 Stability : experimental
Pure Haskell implementation of macaroons.
Warning: this implementation has not been audited by security experts.
Do not use in production.
19 - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
20 - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
22 module Crypto.Macaroon (
29 -- * Accessing functions
44 -- , addThirdPartyCaveat
47 -- import Crypto.Cipher.AES
50 import qualified Data.ByteString as BS
51 import qualified Data.ByteString.Base64.URL as B64
52 import qualified Data.ByteString.Char8 as B8
54 import Crypto.Macaroon.Internal
-- | Mint a fresh 'Macaroon' for location @loc@ with identifier @ident@.
--
-- The caller's root @secret@ is not used as an HMAC key directly: it is first
-- passed through HMAC-SHA256 keyed with the constant
-- @"macaroons-key-generator"@ (the same constant the libmacaroons reference
-- implementation uses), and the derived key then authenticates @ident@ to
-- form the initial signature. The new macaroon carries no caveats.
create :: Key -> Key -> Location -> Macaroon
create secret ident loc =
    MkMacaroon loc ident [] initialSig
  where
    -- Root-key derivation step: HMAC-SHA256 over the secret under a fixed key.
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
    -- First signature: HMAC-SHA256 of the identifier under the derived key.
    initialSig = toBytes (hmac derivedKey ident :: HMAC SHA256)
62 -- | Caveat target location
63 caveatLoc :: Caveat -> Location
66 -- | Caveat identifier
67 caveatId :: Caveat -> Key
70 -- | Caveat verification identifier
71 caveatVId :: Caveat -> Key
74 -- | Inspect a macaroon's contents. For debugging purposes.
75 inspect :: Macaroon -> String
-- | Attach a first-party caveat with identifier @ident@ to macaroon @m@.
--
-- A first-party caveat lives at the macaroon's own 'location' and has an
-- empty verification identifier; the actual append (and whatever signature
-- update it entails) is delegated to 'addCaveat'.
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat here ident noVId m
  where
    -- Same location as the macaroon itself: the target service discharges it.
    here = location m
    -- No third party is involved, so there is nothing to put in the vid slot.
    noVId = BS.empty
-- | Add a third party Caveat to a Macaroon, using its location, identifier and
84 -- addThirdPartyCaveat :: Key
89 -- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
-- vid = encryptECB (initAES (signature m)) key
-- NOTE: this sketch encrypts the caveat key with raw AES-ECB, which is
-- deterministic and unauthenticated; the macaroons paper and libmacaroons
-- derive the verification id with authenticated encryption (secretbox), so
-- the vid construction needs to change before this is uncommented.