1 {-# LANGUAGE OverloadedStrings #-}
2 {-|
3 Module : Crypto.Macaroon
4 Copyright : (c) 2015 Julien Tanguy
5 License : BSD3
6
7 Maintainer : julien.tanguy@jhome.fr
8 Stability : experimental
9 Portability : portable
10
11 Pure Haskell implementation of macaroons.
12
13 Warning: this implementation has not been audited by security experts.
14 Do not use it in production.
15
16
17 References:
18
19 - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
20 - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
21 -}
22 module Crypto.Macaroon (
23 -- * Types
24 Macaroon
25 , Caveat
26 , Secret
27 , Key
28 , Location
29 , Sig
30 -- * Accessing functions
31 -- ** Macaroons
32 , location
33 , identifier
34 , caveats
35 , signature
36 -- ** Caveats
37 , cl
38 , cid
39 , vid
40
41 -- * Create Macaroons
42 , create
43 , inspect
44 , addFirstPartyCaveat
45 -- , addThirdPartyCaveat
46 ) where
47
48 -- import Crypto.Cipher.AES
49 import Crypto.Hash
50 import Data.Byteable
51 import qualified Data.ByteString as BS
52 import qualified Data.ByteString.Base64.URL as B64
53 import qualified Data.ByteString.Char8 as B8
54
55 import Crypto.Macaroon.Internal
56
-- | Mint a new 'Macaroon' for location @loc@ carrying identifier @ident@,
-- authenticated under @secret@.
--
-- The caller's secret never ends up inside the macaroon: it is first run
-- through @HMAC-SHA256@ keyed with the constant @"macaroons-key-generator"@,
-- and the resulting 32-byte derived key is what signs @ident@ to produce the
-- initial signature. The macaroon starts with an empty caveat list; extend it
-- with 'addFirstPartyCaveat'.
create :: Secret -> Key -> Location -> Macaroon
create secret ident loc = MkMacaroon loc ident [] rootSig
  where
    -- Key derivation: HMAC(key = "macaroons-key-generator", message = secret).
    derived :: BS.ByteString
    derived = toBytes (hmac "macaroons-key-generator" secret :: HMAC SHA256)

    -- Initial signature over the identifier, under the derived key.
    rootSig :: BS.ByteString
    rootSig = toBytes (hmac derived ident :: HMAC SHA256)
62
-- | Render a macaroon through its 'Show' instance. Intended for debugging
-- only: the output is not a wire format and, assuming the instance prints
-- every field, it includes the signature, so it should not be written to logs
-- or returned to clients.
inspect :: Macaroon -> String
inspect m = shows m ""
66
-- | Attach a first-party caveat with identifier @ident@ to @m@.
--
-- First-party caveats are discharged by the target service itself, so they
-- carry no verification id (an empty 'BS.ByteString' is passed) and use the
-- macaroon's own 'location'. The work, including whatever signature update
-- 'addCaveat' performs, is delegated to "Crypto.Macaroon.Internal".
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m =
  let noVid = BS.empty
      loc   = location m
  in addCaveat loc ident noVid m
70
71 -- | Add a third-party caveat to a Macaroon, using its location, identifier and
72 -- verification key. Draft only: it is commented out and not exported, and the draft builds the verification id with AES in ECB mode, a deterministic, unauthenticated mode, which should be revisited before the function is enabled.
73 -- addThirdPartyCaveat :: Key
74 -- -> Key
75 -- -> Location
76 -- -> Macaroon
77 -- -> Macaroon
78 -- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
79 -- where
80 -- vid = encryptECB (initAES (signature m)) key