{-# LANGUAGE ExistentialQuantification #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE ScopedTypeVariables #-} -- | <> -- -- /Iron/ is a cryptographic utility for sealing a JSON object using -- symmetric key encryption with message integrity verification. Or in -- other words, it lets you encrypt an object, send it around (in -- cookies, authentication credentials, etc.), then receive it back -- and decrypt it. The algorithm ensures that the message was not -- tampered with, and also provides a simple mechanism for password -- rotation. -- -- For more information about the sealing/unsealing process, as well -- as security considerations, see the -- . -- -- == Usage -- To seal an object: -- -- >>> import Data.ByteString (ByteString) -- >>> import Data.Aeson -- >>> import qualified Network.Iron as Iron -- >>> let opts = Iron.options Iron.AES256CBC Iron.SHA256 256 66666 -- >>> let Just obj = decode "{\"a\":1,\"d\":{\"e\":\"f\"},\"b\":2,\"c\":[3,4,5]}" :: Maybe Object -- >>> let secret = "some_not_random_password" :: ByteString -- >>> Just s <- Iron.seal opts (Iron.password secret) obj -- >>> print s -- "Fe26.2**3976da2bc627b3551c1ebfe40376bb791efb17f4425facc648038fdaaa2f67b2 -- *voiPExJrXAxmTWyQr7-Hvw*r_Ok7NOgy9sD2fS61t_u9z8qoszwBRze3NnA6PFmjnd06sLh0 -- 9HRDlLorNYQJeEP**f6e22615db961e5ddc2ed47d956700b2ee63f0ab6f7ae6d3471989e5 -- 4928e653*RsQNtNp4u5L-0fmZHSpPL7nbjBkqyKEyBcbOCbpEcpY" -- -- The resulting "sealed" object is a string which can be sent via -- cookies, URI query parameter, or a HTTP header attribute. -- -- To unseal the string: -- -- >>> Iron.unseal opts (onePassword secret) s :: IO (Either String Object) -- Right (Object (fromList [("a",Number 1.0), -- ("d",Object (fromList [("e",String "f")])), -- ("b",Number 2.0), -- ("c",Array [Number 3.0,Number 4.0,Number 5.0])])) module Network.Iron ( seal , unseal , options , password , passwords , passwordWithId , passwordsWithId , Password , PasswordId , LookupPassword , onePassword , Options(..) , EncryptionOpts(..) , IntegrityOpts(..) , IronCipher(..) , IronHMAC(..) , Salt(..) ) where import Control.Monad (liftM, when) import Crypto.Cipher.AES (AES128, AES256 (..)) import Crypto.Cipher.Types import Crypto.Data.Padding import Crypto.Error (CryptoFailable (..), maybeCryptoError) import qualified Crypto.Hash.Algorithms as C (SHA256 (..)) import Crypto.Hash.Algorithms (HashAlgorithm(..), SHA1 (..)) import qualified Crypto.KDF.PBKDF2 as PBKDF2 import Crypto.MAC.HMAC (Context, HMAC, finalize, hmac, hmacGetDigest, initialize, updates) import Crypto.Random import Data.Aeson import qualified Data.Aeson as JSON (eitherDecode', encode) import Data.ByteString (ByteString) import qualified Data.ByteString as BS import qualified Data.ByteString.Char8 as S8 import qualified Data.ByteString.Lazy as BL import qualified Data.ByteArray as BA import Data.ByteArray (ScrubbedBytes, ByteArrayAccess) import qualified Data.Map as M import Data.Maybe (fromJust) import Data.Monoid ((<>)) import Data.Text (Text) import Data.Text.Encoding (decodeUtf8, encodeUtf8) import Data.Char (isAscii, isAlphaNum) import Data.Time.Clock (NominalDiffTime) import Data.Time.Clock.POSIX import Network.Iron.Util import Numeric (showHex) -- | Iron options used by 'sealWith' and 'unsealWith'. data Options = Options { ironEncryption :: EncryptionOpts -- ^ Encryption options , ironIntegrity :: IntegrityOpts -- ^ Message integrity verification options , ironTTL :: NominalDiffTime -- ^ Message lifetime in seconds , ironTimestampSkew :: NominalDiffTime -- ^ Clock difference allowance in seconds , ironLocaltimeOffset :: NominalDiffTime -- ^ Clock offset in seconds } deriving Show -- | Encryption algorithms supported by Iron. data IronCipher = AES128CTR | AES256CBC deriving (Show, Read, Eq, Enum) data IronHMAC = SHA256 deriving (Show, Read, Eq, Enum) class IsIronCipher a where ivSize :: a -> Int keySize :: a -> Int ironEncrypt :: a -> ByteString -> ByteString -> ByteString -> Maybe ByteString ironDecrypt :: a -> ByteString -> ByteString -> ByteString -> Maybe ByteString class IsIronMAC a where macKeySize :: a -> Int ironMac :: a -> ByteString -> ByteString -> ByteString instance IsIronMAC IronHMAC where macKeySize SHA256 = 32 ironMac SHA256 key text = b64url $ hmacGetDigest (hmac key text :: HMAC C.SHA256) -- | Specifies the salt for password-based key generation. data Salt = Salt ByteString -- ^ Supply pre-generated salt | GenSalt Int -- ^ Generate salt of given size, in bits deriving Show {- todo: - maybe remove ieSalt/iiSalt and ieIV from opts? these values pre-generated by the user might only be necessary for unit tests. -} -- | Options controlling encryption of Iron messages. data EncryptionOpts = EncryptionOpts { ieSalt :: Salt -- ^ Salt for password-based key generation , ieAlgorithm :: IronCipher -- ^ Encryption algorithm , ieIterations :: Int -- ^ Number of iterations for password-based key generation , ieIV :: Maybe ByteString -- ^ Pre-generated initial value block } deriving Show -- | Options controlling cryptographic verification of Iron messages. data IntegrityOpts = IntegrityOpts { iiSalt :: Salt -- ^ Salt for MAC key generation , iiAlgorithm :: IronHMAC -- ^ Hash-based MAC algorithm , iiIterations :: Int -- ^ Number of iterations for MAC key generation } deriving Show encryptOptions :: IronCipher -- ^ Cipher algorithm -> Int -- ^ Number of salt bits for key generation -> Int -- ^ Number of iterations of key derivation function -> EncryptionOpts encryptOptions a s n = EncryptionOpts { ieSalt = GenSalt s , ieAlgorithm = a , ieIterations = n , ieIV = Nothing } integrityOptions :: IronHMAC -- ^ Cryptographic hash algorithm -> Int -- ^ Number of salt bits for key generation -> Int -- ^ Number of iterations of key derivation function -> IntegrityOpts integrityOptions a s n = IntegrityOpts { iiSalt = GenSalt s , iiAlgorithm = a , iiIterations = n } -- | A set of basic options. You need to choose a cipher and -- parameters for key generation. -- -- There are also some default options chosen, which are: -- * Infinite message lifetime -- * Timestamp skew: 60 seconds either way -- * Local time offset: 0 options :: IronCipher -- ^ Encryption algorithm. -> IronHMAC -- ^ Integrity check algorithm (use @SHA256@). -> Int -- ^ Number of salt bits for key generation. -> Int -- ^ Number of iterations of key derivation function. -> Options options e i s n = Options { ironEncryption = encryptOptions e s n , ironIntegrity = integrityOptions i s n , ironTTL = 0 , ironTimestampSkew = 60 , ironLocaltimeOffset = 0 } -- | Identifies the password to use when unsealing the message. type PasswordId = ByteString -- | Represents the password(s) used to seal and unseal Iron -- messages. To construct a 'Password', use one of 'password', -- 'passwords', 'passwordWithId', 'passwordsWithId'. data Password = MkPassword { passwordId :: PasswordId , encKey :: KeyPass -- ^ Encryption key/password , intKey :: KeyPass -- ^ Integrity key/password } deriving (Show, Eq) -- | Represents a key used for the cipher or message authentication -- code, or a password from which a key will be generated. data KeyPass = Key ScrubbedBytes -- ^ Pre-generated key | Password ScrubbedBytes -- ^ Key derived from password deriving (Show, Eq) -- note: ScrubbedBytes Show doesn't actually show any content -- | Constructs a 'Password'. password :: ByteArrayAccess a => a -> Password password p = passwords p p -- | Constructs a 'Password', with different encryption and integrity -- verification passwords. passwords :: ByteArrayAccess a => a -> a -> Password passwords e i = password' mempty e i -- | Constructs a 'Password'. The given identifier will be included as -- the second component of the the sealed @Fe26@ string. The -- identifier must only include alphanumeric characters and the -- underscore, otherwise nothing will be returned. passwordWithId :: ByteArrayAccess a => PasswordId -> a -> Maybe Password passwordWithId k p = passwordsWithId k p p -- | Constructs a 'Password', with different encryption and integrity -- verification passwords. The given identifier will be included as -- the second component of the the sealed @Fe26@ string. The -- identifier must only include alphanumeric characters and the -- underscore, otherwise nothing will be returned. passwordsWithId :: ByteArrayAccess a => PasswordId -> a -> a -> Maybe Password passwordsWithId k e i | validId k = Just $ password' k e i | otherwise = Nothing validId :: PasswordId -> Bool validId k = not (S8.null k) && S8.all inRange k where inRange c = isAscii c && isAlphaNum c || c == '_' passwordValid :: ByteArrayAccess a => EncryptionOpts -> a -> Bool passwordValid EncryptionOpts{..} sec = keySize ieAlgorithm <= BA.length sec password' :: ByteArrayAccess a => PasswordId -> a -> a -> Password password' k e i = MkPassword k (passwd e) (passwd i) where passwd = Password . BA.convert -- | User-supplied function to get the password corresponding to the -- identifier from the sealed message. type LookupPassword = PasswordId -> Maybe Password -- | The simple case of LookupPassword, where there is the same -- password for encryption and verification of all messages. onePassword :: ByteArrayAccess a => a -> LookupPassword onePassword = const . Just . password -- | Encodes and encrypts a 'Data.Aeson.Value' using the given -- password and 'Options'. Encryption may fail if the supplied -- options are wrong. seal :: ToJSON a => Options -> Password -> a -> IO (Maybe ByteString) seal opts p v = do s <- getSealStuff opts return $ seal' opts s p v -- | Variables necessary for sealing whose values come from the -- IO world. data SealStuff = SealStuff { ssNow :: POSIXTime , ssEncSalt :: ByteString , ssIv :: ByteString , ssIntSalt :: ByteString } deriving (Show) -- | Gets the time, generate random numbers. getSealStuff :: Options -> IO SealStuff getSealStuff opts@Options{..} = do now <- getPOSIXTime drg1 <- getSystemDRG let (encSalt, drg2) = genSaltMaybe (ieSalt ironEncryption) drg1 let (intSalt, drg3) = genSaltMaybe (iiSalt ironIntegrity) drg2 let (iv, _) = genIVMaybe (ieAlgorithm ironEncryption) (ieIV ironEncryption) drg3 return $ SealStuff (now + ironLocaltimeOffset) encSalt iv intSalt -- | Effects-pure part of sealing process. -- -- The seal process follows these general steps: -- generate encryption salt saltE -- derive an encryption key keyE using saltE and a password -- generate an integrity salt saltI -- derive an integrity (HMAC) key keyI using saltI -- generate a random initialization vector iv -- encrypt the serialized object string using keyE and iv -- mac the encrypted object along with saltE and iv -- concatenate saltE, saltI, iv, and the encrypted object into a URI-friendly string seal' :: forall a. ToJSON a => Options -> SealStuff -> Password -> a -> Maybe ByteString seal' opts SealStuff{..} sec a = encrypt a >>= fmap strCookie . mac . strEncCookie where encrypt :: a -> Maybe EncCookie encrypt obj = do key <- rightJust $ generateKey ieIterations size ssEncSalt (encKey sec) ctext <- ironEncrypt ieAlgorithm key ssIv json return $ EncCookie (passwordId sec) ssEncSalt ssIv expiration ctext where EncryptionOpts{..} = ironEncryption opts json = BL.toStrict $ JSON.encode obj expiration = expTime opts ssNow size = keySize ieAlgorithm mac :: ByteString -> Maybe Cookie mac str = Cookie str ssIntSalt <$> rightJust digest where digest = hmacWithPassword intOpts key ssIntSalt str intOpts = ironIntegrity opts key = intKey sec data EncCookie = EncCookie { ckPasswordId :: PasswordId , ckEncSalt :: ByteString , ckIv :: ByteString , ckExpiration :: Maybe NominalDiffTime , ckText :: ByteString } deriving Show data Cookie = Cookie { ckEnc :: ByteString , ckIntSalt :: ByteString , ckIntDigest :: ByteString } deriving Show strEncCookie :: EncCookie -> ByteString strEncCookie (EncCookie pid s iv e t) = cat [macPrefix, pid, s, b64url iv, b64url t, expStr e] strCookie :: Cookie -> ByteString strCookie (Cookie a b c) = cat [a, b, c] parseCookie :: ByteString -> Either String (EncCookie, Cookie) parseCookie ck = do when (length parts /= 8) $ Left "Incorrect number of sealed components" when (pfx /= macPrefix) $ Left "Wrong mac prefix" eck <- EncCookie <$> pure a <*> pure b <*> b64' c <*> exp e <*> b64' d return (eck, Cookie enc f g) where parts = uncat ck (pfx:a:b:c:d:e:f:g:[]) = parts enc = cat $ take 6 parts exp :: ByteString -> Either String (Maybe NominalDiffTime) exp "" = Right Nothing exp n = maybe (Left "Invalid expiration") (Right . Just) $ parseExpMsec n b64' = b64urldec cat :: [ByteString] -> ByteString cat = BS.intercalate (S8.singleton '*') uncat :: ByteString -> [ByteString] uncat = S8.split '*' expStr :: Maybe NominalDiffTime -> ByteString expStr = maybe "" (S8.pack . show . round) expTime :: Options -> POSIXTime -> Maybe NominalDiffTime expTime Options{ironTTL} now | ironTTL > 0 = Just ((now + ironTTL) * 1000) | otherwise = Nothing -- | Calculates the MAC of a message. The result is encoded in the -- URL-friendly variant of Base64. macWithKey :: IronHMAC -> ByteString -> ByteString -> ByteString macWithKey algo key text = ironMac algo key text generateKey :: Int -> Int -> ByteString -> KeyPass -> Either String ByteString generateKey _ s _ (Key k) | BA.length k >= s = Right (BA.convert k) | otherwise = Left "Key buffer (password) too small" generateKey n s l (Password p) | BS.null l = Left "Missing salt" | otherwise = Right (generateKey' n s l p) generateKey' :: BA.ByteArrayAccess p => Int -> Int -> ByteString -> p -> ByteString generateKey' iterations size salt p = PBKDF2.generate prf params p salt where prf = PBKDF2.prfHMAC SHA1 params = PBKDF2.Parameters iterations size -- | Calculates integrity hash. hmacWithPassword :: IntegrityOpts -> KeyPass -> ByteString -> ByteString -> Either String ByteString hmacWithPassword IntegrityOpts{..} key salt text = do key' <- generateKey iiIterations (macKeySize iiAlgorithm) salt key Right $ macWithKey iiAlgorithm key' text -- | Prepares the variables necessary to use cryptonite block cipher -- functions. aesSetup :: BlockCipher c => ByteString -> ByteString -> Maybe (c, IV c, Format) aesSetup key iv = (,,) <$> ctx <*> iv' <*> p where ctx = maybeCryptoError (cipherInit key) iv' = makeIV iv p = fmap (PKCS7 . blockSize) ctx instance IsIronCipher IronCipher where -- IV is the size of one block ivSize AES128CTR = blockSize (undefined :: AES128) ivSize AES256CBC = blockSize (undefined :: AES256) -- Iron's chosen key size -- should fall within the range of -- cryptonite cipherKeySize keySize AES128CTR = 16 keySize AES256CBC = 32 -- Encrypt with AES block counter mode ironEncrypt AES128CTR key iv text = do (ctx :: AES128, iv', p) <- aesSetup key iv return $ ctrCombine ctx iv' (pad p text) -- Encrypt with AES block chaining mode ironEncrypt AES256CBC key iv text = do (ctx :: AES256, iv', p) <- aesSetup key iv let text' = pad p text return $ cbcEncrypt ctx iv' text' -- Decrypt with AES block counter mode ironDecrypt AES128CTR key iv ctext = do (ctx :: AES128, iv', p) <- aesSetup key iv unpad p (ctrCombine ctx iv' ctext) -- Decrypt with AES block chaining mode ironDecrypt AES256CBC key iv ctext = do (ctx :: AES256, iv', p) <- aesSetup key iv let text' = cbcDecrypt ctx iv' ctext unpad p text' -- | Decrypts an Iron-encoded message 'Data.Aeson.Value' with the -- given password and 'Options'. unseal :: FromJSON a => Options -> LookupPassword -> ByteString -> IO (Either String a) unseal opts p t = do now <- getPOSIXTime return $ unseal' opts now p t -- | Effects-pure part of unsealing process. unseal' :: FromJSON a => Options -> POSIXTime -> LookupPassword -> ByteString -> Either String a unseal' opts now p cookie = do (eck, ck) <- parseCookie cookie _ <- checkExpiration now (ironTimestampSkew opts) eck MkPassword _ enc int <- getPassword opts (ckPasswordId eck) p ok <- verify ck int decrypt eck enc >>= JSON.eitherDecode' . BL.fromStrict where decrypt :: EncCookie -> KeyPass -> Either String ByteString decrypt EncCookie{..} sec = do let EncryptionOpts{..} = ironEncryption opts size = keySize ieAlgorithm key <- generateKey ieIterations size ckEncSalt sec case ironDecrypt ieAlgorithm key ckIv ckText of Just ctext -> Right ctext Nothing -> Left "Iron decryption failed" verify :: Cookie -> KeyPass -> Either String () verify Cookie{..} sec = do digest <- hmacWithPassword (ironIntegrity opts) sec ckIntSalt ckEnc if BA.constEq ckIntDigest digest then Right () else Left "Bad hmac value" checkExpiration :: NominalDiffTime -> NominalDiffTime -> EncCookie -> Either String () checkExpiration now skew EncCookie{ckExpiration} = if isExpired now skew ckExpiration then Left "Expired seal" else Right () getPassword :: Options -> PasswordId -> LookupPassword -> Either String Password getPassword opts pid lookup = case lookup pid of Just p -> Right p Nothing -> Left $ "Cannot find password: " <> S8.unpack pid isExpired :: POSIXTime -> NominalDiffTime -> Maybe POSIXTime -> Bool isExpired _ _ Nothing = False isExpired now skew (Just exp) = exp <= (now - skew) genSalt :: DRG gen => Int -> gen -> (ByteString, gen) genSalt saltBits gen = withRandomBytes gen (saltBits `quot` 8) b16 genIV :: DRG gen => Int -> gen -> (ByteString, gen) genIV size gen = withRandomBytes gen size id genSaltMaybe :: DRG gen => Salt -> gen -> (ByteString, gen) genSaltMaybe (Salt salt) = \gen -> (salt, gen) genSaltMaybe (GenSalt len) = genSalt len genIVMaybe :: DRG gen => IronCipher -> Maybe ByteString -> gen -> (ByteString, gen) genIVMaybe _ (Just iv) = \gen -> (iv, gen) genIVMaybe algo Nothing = genIV (ivSize algo) macPrefix, macFormatVersion :: ByteString macPrefix = "Fe26." <> macFormatVersion macFormatVersion = "2"