Safe Haskell | None |
---|---|
Language | Haskell2010 |
Iron is a cryptographic utility for sealing a JSON object using symmetric key encryption with message integrity verification. Or in other words, it lets you encrypt an object, send it around (in cookies, authentication credentials, etc.), then receive it back and decrypt it. The algorithm ensures that the message was not tampered with, and also provides a simple mechanism for password rotation.
For more information about the sealing/unsealing process, as well as security considerations, see the Iron Website.
Usage
To seal an object:
>>>
import Data.ByteString (ByteString)
>>>
import Data.Aeson
>>>
import qualified Network.Iron as Iron
>>>
let Just obj = decode "{\"a\":1,\"d\":{\"e\":\"f\"},\"b\":2,\"c\":[3,4,5]}" :: Maybe Object
>>>
let secret = "some_not_random_password" :: ByteString
>>>
s <- Iron.seal (Iron.password secret) obj
>>>
print s
"Fe26.2**3976da2bc627b3551c1ebfe40376bb791efb17f4425facc648038fdaaa2f67b2 *voiPExJrXAxmTWyQr7-Hvw*r_Ok7NOgy9sD2fS61t_u9z8qoszwBRze3NnA6PFmjnd06sLh0 9HRDlLorNYQJeEP**f6e22615db961e5ddc2ed47d956700b2ee63f0ab6f7ae6d3471989e5 4928e653*RsQNtNp4u5L-0fmZHSpPL7nbjBkqyKEyBcbOCbpEcpY"
The resulting "sealed" object is a string which can be sent via cookies, URI query parameter, or a HTTP header attribute.
To unseal the string:
>>>
Iron.unseal (onePassword secret) s :: IO (Either String Object)
Right (Object (fromList [("a",Number 1.0), ("d",Object (fromList [("e",String "f")])), ("b",Number 2.0), ("c",Array [Number 3.0,Number 4.0,Number 5.0])]))
- seal :: ToJSON a => Password -> a -> IO ByteString
- sealWith :: ToJSON a => Options -> Password -> a -> IO (Maybe ByteString)
- unseal :: FromJSON a => LookupPassword -> ByteString -> IO (Either String a)
- unsealWith :: FromJSON a => Options -> LookupPassword -> ByteString -> IO (Either String a)
- password :: ToSecureMem a => a -> Password
- passwords :: ToSecureMem a => a -> a -> Password
- passwordWithId :: ToSecureMem a => PasswordId -> a -> Maybe Password
- passwordsWithId :: ToSecureMem a => PasswordId -> a -> a -> Maybe Password
- data Password
- type PasswordId = ByteString
- type LookupPassword = PasswordId -> Maybe Password
- onePassword :: ToSecureMem a => a -> LookupPassword
- data Options = Options {}
- data EncryptionOpts = EncryptionOpts {}
- data IntegrityOpts = IntegrityOpts {
- iiSalt :: IronSalt
- iiAlgorithm :: IronMAC
- iiIterations :: Int
- data IronCipher
- data IronMAC = (IsIronMAC alg, Show alg) => IronMAC alg
- data SHA256 :: * = SHA256
- data IronSalt
- urlSafeBase64 :: ByteString -> ByteString
Documentation
seal :: ToJSON a => Password -> a -> IO ByteString Source #
Encodes and encrypts a Value
using the given
password.
unseal :: FromJSON a => LookupPassword -> ByteString -> IO (Either String a) Source #
Decrypts an Iron-encoded message Value
with the
given password.
unsealWith :: FromJSON a => Options -> LookupPassword -> ByteString -> IO (Either String a) Source #
passwords :: ToSecureMem a => a -> a -> Password Source #
Constructs a Password
, with different encryption and integrity
verification passwords.
passwordWithId :: ToSecureMem a => PasswordId -> a -> Maybe Password Source #
Constructs a Password
. The given identifier will be included as
the second component of the the sealed Fe26
string. The
identifier must only include alphanumeric characters and the
underscore, otherwise nothing will be returned.
passwordsWithId :: ToSecureMem a => PasswordId -> a -> a -> Maybe Password Source #
Constructs a Password
, with different encryption and integrity
verification passwords. The given identifier will be included as
the second component of the the sealed Fe26
string. The
identifier must only include alphanumeric characters and the
underscore, otherwise nothing will be returned.
Represents the password(s) used to seal and unseal Iron
messages. To construct a Password
, use one of password
,
passwords
, passwordWithId
, passwordsWithId
.
type PasswordId = ByteString Source #
Identifies the password to use when unsealing the message.
type LookupPassword = PasswordId -> Maybe Password Source #
User-supplied function to get the password corresponding to the identifier from the sealed message.
onePassword :: ToSecureMem a => a -> LookupPassword Source #
The simple case of LookupPassword, where there is the same password for encryption and verification of all messages.
Iron options used by sealWith
and unsealWith
. The
default options are:
Options | |
|
data EncryptionOpts Source #
Options controlling encryption of Iron messages.
EncryptionOpts | |
|
data IntegrityOpts Source #
Options controlling cryptographic verification of Iron messages.
IntegrityOpts | |
|
data IronCipher Source #
Encryption algorithms supported by Iron.
Integrity checking algorithm supported by Iron. At present, there
is only one. Use IronMAC SHA256
.
SHA256 cryptographic hash algorithm
Specifies the salt for password-based key generation.
IronSalt ByteString | Supply pre-generated salt |
IronGenSalt Int | Generate salt of given size, in bits |
urlSafeBase64 :: ByteString -> ByteString Source #
Fixes up a Base64 encoded string so that it's more convenient to
include in URLs. The padding =
signs are removed, and the
characters +
and /
are replaced with -
and _
.