1 {-# LANGUAGE OverloadedStrings #-}
2 {-|
3 Module : Crypto.Macaroon
4 Copyright : (c) 2015 Julien Tanguy
5 License : BSD3
6
7 Maintainer : julien.tanguy@jhome.fr
8 Stability : experimental
9 Portability : portable
10
11 Pure Haskell implementation of macaroons.
12
13 Warning: this implementation has not been audited by security experts.
14 Do not use in production.
15
16
17 References:
18
19 - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
20 - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
21 -}
22 module Crypto.Macaroon (
23 -- * Types
24 Macaroon
25 , Caveat
26 , Key
27 , Location
28 , Sig
29 -- * Accessing functions
30 -- ** Macaroons
31 , location
32 , identifier
33 , caveats
34 , signature
35 -- ** Caveats
36 , caveatLoc
37 , caveatId
38 , caveatVId
39
40 -- * Create Macaroons
41 , create
42 , inspect
43 , addFirstPartyCaveat
44 -- , addThirdPartyCaveat
45 ) where
46
47 import Crypto.Cipher.AES
48 import Crypto.Hash
49 import Data.Byteable
50 import qualified Data.ByteString as BS
51 import qualified Data.ByteString.Base64.URL as B64
52 import qualified Data.ByteString.Char8 as B8
53
54 import Crypto.Macaroon.Internal
55
-- | Create a Macaroon from its root key, identifier and location.
--
-- The root key is never used directly as the signing key: it is first run
-- through HMAC-SHA256 keyed with the fixed string
-- @"macaroons-key-generator"@, and the resulting derived key is what signs
-- the identifier (again with HMAC-SHA256) to produce the initial signature.
-- The new macaroon carries no caveats.
create :: Key -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] initialSig
  where
    derivedKey = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)
    initialSig = toBytes (hmac derivedKey ident :: HMAC SHA256)
61
-- | The location recorded in a caveat (the 'cl' field).
caveatLoc :: Caveat -> Location
caveatLoc c = cl c
65
-- | The identifier recorded in a caveat (the 'cid' field).
caveatId :: Caveat -> Key
caveatId c = cid c
69
-- | The verification identifier recorded in a caveat (the 'vid' field).
-- Empty for caveats added with 'addFirstPartyCaveat'.
caveatVId :: Caveat -> Key
caveatVId c = vid c
73
-- | Render a macaroon with its 'Show' instance. Intended for debugging only;
-- the output is not a serialization format.
inspect :: Macaroon -> String
inspect m = show m
77
-- | Add a first party caveat, identified by @ident@, to a macaroon.
--
-- A first party caveat reuses the macaroon's own location and has an empty
-- verification identifier; the signature update is done by 'addCaveat'.
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat ownLoc ident noVId m
  where
    ownLoc = location m
    noVId  = BS.empty
81
-- | Add a third party caveat to a macaroon, using its location, identifier and
-- the key the third party will verify with.
--
-- The verification identifier stored in the caveat is @key@ encrypted with
-- AES in ECB mode, using the macaroon's current signature as the AES key.
-- This function is currently not exported (see the module export list).
--
-- NOTE(review): ECB is deterministic and gives no integrity protection, so
-- the stored identifier is neither randomised nor authenticated; the
-- macaroons paper calls for an authenticated encryption here. Also,
-- 'encryptECB' works on whole 16-byte AES blocks — confirm how it behaves
-- when @key@'s length is not a block multiple before re-enabling the export.
-- The parameter @cid@ shadows the record accessor of the same name.
addThirdPartyCaveat :: Key
                    -> Key
                    -> Location
                    -> Macaroon
                    -> Macaroon
addThirdPartyCaveat key cid loc m =
  let cipher = initAES (signature m)
      vid    = encryptECB cipher key
  in addCaveat loc cid vid m
92
93