1 {-# LANGUAGE OverloadedStrings #-}
2 {-|
3 Module : Crypto.Macaroon
4 Copyright : (c) 2015 Julien Tanguy
5 License : BSD3
6
7 Maintainer : julien.tanguy@jhome.fr
8 Stability : experimental
9 Portability : portable
10
Pure Haskell implementation of macaroons.

Warning: this implementation has not been audited by security experts.
Do not use it in production.
15
16
17 References:
18
19 - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud <http://research.google.com/pubs/pub41892.html>
20 - Time for better security in NoSQL <http://hackingdistributed.com/2014/11/23/macaroons-in-hyperdex>
21 -}
22 module Crypto.Macaroon (
23 -- * Types
24 Macaroon
25 , Caveat
26 , Secret
27 , Key
28 , Location
29 , Sig
30 -- * Accessing functions
31 -- ** Macaroons
32 , location
33 , identifier
34 , caveats
35 , signature
36 -- ** Caveats
37 , cl
38 , cid
39 , vid
40
41 -- * Create Macaroons
42 , create
43 , inspect
44 , addFirstPartyCaveat
-- , addThirdPartyCaveat  -- not yet implemented: only a commented-out sketch exists at the end of this module
46 -- * Serialize
47 , module Crypto.Macaroon.Serializer.Base64
48 -- * Verify
49 , module Crypto.Macaroon.Verifier
50 ) where
51
52 -- import Crypto.Cipher.AES
53 import Crypto.Hash
54 import Data.Byteable
55 import qualified Data.ByteString as BS
56
57 import Crypto.Macaroon.Internal
58 import Crypto.Macaroon.Serializer.Base64
59 import Crypto.Macaroon.Verifier
60
-- | Mint a new root macaroon with no caveats.
--
-- The caller's @secret@ is not used as an HMAC key directly: it is first
-- run through HMAC-SHA256 under the fixed key literal
-- @"macaroons-key-generator"@, and the resulting bytes key a second
-- HMAC-SHA256 over the identifier, which becomes the initial signature.
--
-- NOTE(review): no length or entropy check is made on @secret@, and the
-- derivation step adds no entropy of its own, so callers must supply a
-- high-entropy secret. Whether the fixed literal matches the key-generator
-- constant of the reference implementation should be confirmed against
-- that implementation before relying on interoperability.
create :: Secret -> Key -> Location -> Macaroon
create secret ident loc =
    MkMacaroon loc ident [] initialSig
  where
    initialSig = hmacSha256 derivedKey ident
    derivedKey = hmacSha256 "macaroons-key-generator" secret
    -- Raw HMAC-SHA256 output bytes; the first argument is the HMAC key.
    hmacSha256 k msg = toBytes (hmac k msg :: HMAC SHA256)
66
-- | Render a macaroon through its 'Show' instance. Debugging aid only.
--
-- NOTE(review): the rendering presumably includes the signature field, so
-- the result should be treated as sensitive and kept out of logs — confirm
-- against the 'Show' instance in "Crypto.Macaroon.Internal".
inspect :: Macaroon -> String
inspect m = shows m ""
70
-- | Attach a first-party caveat, identified by @ident@, to a macaroon.
--
-- The caveat is bound to the macaroon's own location and carries an empty
-- verification id, which is what distinguishes it from a third-party caveat.
-- The signature update itself is performed by 'addCaveat'.
addFirstPartyCaveat :: Key -> Macaroon -> Macaroon
addFirstPartyCaveat ident m = addCaveat ownLocation ident noVid m
  where
    ownLocation = location m
    -- First-party caveats have no verification id.
    noVid = BS.empty
74
-- | Add a third-party caveat to a Macaroon, using its location, identifier and
-- verification key.
--
-- NOTE(review): sketch only, deliberately left commented out. The @vid@ below
-- would wrap the caveat key with AES in ECB mode keyed by the current
-- signature; ECB is deterministic and unauthenticated, so confirm the
-- construction against the reference implementation before enabling this.
77 -- addThirdPartyCaveat :: Key
78 -- -> Key
79 -- -> Location
80 -- -> Macaroon
81 -- -> Macaroon
82 -- addThirdPartyCaveat key cid loc m = addCaveat loc cid vid m
83 -- where
84 -- vid = encryptECB (initAES (signature m)) key