-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | (Part of) OpenSSL binding for Haskell
--
-- HsOpenSSL is a (part of) OpenSSL binding for Haskell. It can generate
-- RSA and DSA keys, read and write PEM files, generate message digests,
-- sign and verify messages, encrypt and decrypt messages.
@package HsOpenSSL
@version 0.5
-- | PRNG services See http://www.openssl.org/docs/crypto/rand.html
-- For random Integer generation, see OpenSSL.BN
module OpenSSL.Random
-- | Return a bytestring consisting of the given number of strongly random
-- bytes
randBytes :: Int -> IO ByteString
-- | Return a bytestring consisting of the given number of pseudo random
-- bytes. NOTE(review): OpenSSL documents its pseudo-random output as not
-- necessarily unpredictable, so prefer randBytes for keys, IVs, nonces
-- and other secrets -- confirm against the OpenSSL version in use.
prandBytes :: Int -> IO ByteString
-- | Add data to the entropy pool. It's safe to add sensitive information
-- (e.g. user passwords etc) to the pool. Also, adding data with an
-- entropy of 0 can never hurt.
add :: ByteString -> Int -> IO ()
-- | This module interfaces to some of the OpenSSL ciphers without using
-- EVP (see OpenSSL.EVP.Cipher). The EVP ciphers are easier to use,
-- however, in some cases you cannot do without using the OpenSSL
-- functions directly.
--
-- One of these cases (and the motivating example for this module) is
-- that the EVP CBC functions try to encode the length of the input
-- string in the output (thus hiding the fact that the cipher is, in
-- fact, block based and needs padding). This means that the EVP CBC
-- functions cannot, in some cases, interface with other users which
-- don't use that system (like SSH).
module OpenSSL.Cipher
data Mode
Encrypt :: Mode
Decrypt :: Mode
-- | Construct a new context which holds the key schedule and IV.
newAESCtx :: Mode -> ByteString -> ByteString -> IO AESCtx
-- | Encrypt some number of blocks using CBC. This is an IO function
-- because the context is destructively updated.
--
-- NOTE(review): the context is built by newAESCtx with a Mode, so this
-- presumably decrypts when that Mode is Decrypt -- confirm. The module
-- description implies that no padding is added here, so the input is
-- presumably expected to be a whole number of cipher blocks. CBC on its
-- own gives no integrity protection; authenticate the ciphertext
-- separately.
aesCBC :: AESCtx -> ByteString -> IO ByteString
-- | Encrypt some number of bytes using CTR mode. This is an IO function
-- because the context is destructively updated.
--
-- NOTE(review): CTR mode must never see the same key and IV/counter
-- combination for two different messages, and it gives no integrity
-- protection; authenticate the ciphertext separately.
aesCTR :: AESCtx -> ByteString -> IO ByteString
instance Eq Mode
instance Show Mode
-- | An interface to message digest algorithms.
module OpenSSL.EVP.Digest
-- | Digest is an opaque object that represents an algorithm of
-- message digest.
data Digest
data EVP_MD
withMDPtr :: Digest -> (Ptr EVP_MD -> IO a) -> IO a
-- | getDigestByName name returns a message digest
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getDigestByName :: String -> IO (Maybe Digest)
-- | getDigestNames returns a list of the names of message
-- digest algorithms.
getDigestNames :: IO [String]
data DigestCtx
data EVP_MD_CTX
withDigestCtxPtr :: DigestCtx -> (Ptr EVP_MD_CTX -> IO a) -> IO a
digestStrictly :: Digest -> ByteString -> IO DigestCtx
digestLazily :: Digest -> ByteString -> IO DigestCtx
-- | digest digests a stream of data. The string must not
-- contain any characters which aren't in the range of U+0000 - U+00FF.
digest :: Digest -> String -> String
-- | digestBS digests a chunk of data.
digestBS :: Digest -> ByteString -> String
digestBS' :: Digest -> ByteString -> ByteString
-- | digestLBS digests a stream of data.
digestLBS :: Digest -> ByteString -> String
-- | Compute an HMAC (keyed message authentication code) using the given
-- hash. The key is a shared secret, not an asymmetric private key.
-- NOTE(review): the order of the two ByteString arguments (presumably
-- key, then message) is not visible here -- confirm against the module
-- source.
hmacBS :: Digest -> ByteString -> ByteString -> ByteString
-- | PKCS#5 PBKDF2 key derivation with HMAC-SHA1, as the name indicates.
-- NOTE(review): the arguments are presumably password, salt, iteration
-- count and output length, in that order -- confirm against the module
-- source. The iteration count sets the work factor against password
-- guessing.
pkcs5_pbkdf2_hmac_sha1 :: ByteString -> ByteString -> Int -> Int -> ByteString
-- | An interface to symmetric cipher algorithms.
module OpenSSL.EVP.Cipher
-- | Cipher is an opaque object that represents an algorithm of
-- symmetric cipher.
data Cipher
data EVP_CIPHER
withCipherPtr :: Cipher -> (Ptr EVP_CIPHER -> IO a) -> IO a
-- | getCipherByName name returns a symmetric cipher
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getCipherByName :: String -> IO (Maybe Cipher)
-- | getCipherNames returns a list of the names of symmetric
-- cipher algorithms.
getCipherNames :: IO [String]
cipherIvLength :: Cipher -> Int
data CipherCtx
data EVP_CIPHER_CTX
newCtx :: IO CipherCtx
withCipherCtxPtr :: CipherCtx -> (Ptr EVP_CIPHER_CTX -> IO a) -> IO a
-- | CryptoMode represents the instruction given to a cipher: whether to
-- encrypt or decrypt.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode
cipherStrictly :: CipherCtx -> ByteString -> IO ByteString
cipherLazily :: CipherCtx -> ByteString -> IO ByteString
-- | cipher lazily encrypts or decrypts a stream of data.
-- The input string doesn't necessarily have to be finite.
cipher :: Cipher -> String -> String -> CryptoMode -> String -> IO String
-- | cipherBS strictly encrypts or decrypts a chunk of
-- data.
cipherBS :: Cipher -> String -> String -> CryptoMode -> ByteString -> IO ByteString
-- | cipherLBS lazily encrypts or decrypts a stream of
-- data. The input string doesn't necessarily have to be finite.
cipherLBS :: Cipher -> String -> String -> CryptoMode -> ByteString -> IO ByteString
-- | An interface to Base64 codec.
module OpenSSL.EVP.Base64
-- | encodeBase64 str lazily encodes a stream of data to
-- Base64. The string doesn't have to be finite. Note that the string
-- must not contain any characters which aren't in the range of U+0000 -
-- U+00FF.
encodeBase64 :: String -> String
-- | encodeBase64BS bs strictly encodes a chunk of data to
-- Base64.
encodeBase64BS :: ByteString -> ByteString
-- | encodeBase64LBS lbs lazily encodes a stream of data
-- to Base64. The string doesn't have to be finite.
encodeBase64LBS :: ByteString -> ByteString
-- | decodeBase64 str lazily decodes a stream of data from
-- Base64. The string doesn't have to be finite.
decodeBase64 :: String -> String
-- | decodeBase64BS bs strictly decodes a chunk of data
-- from Base64.
decodeBase64BS :: ByteString -> ByteString
-- | decodeBase64LBS lbs lazily decodes a stream of data
-- from Base64. The string doesn't have to be finite.
decodeBase64LBS :: ByteString -> ByteString
-- | BN - multiprecision integer arithmetics
module OpenSSL.BN
-- | BigNum is an opaque object representing a big number.
data BigNum
data BIGNUM
-- | allocaBN f allocates a BigNum and computes
-- f. Then it frees the BigNum.
allocaBN :: (BigNum -> IO a) -> IO a
-- | withBN n f converts n to a BigNum and computes
-- f. Then it frees the BigNum.
withBN :: Integer -> (BigNum -> IO a) -> IO a
-- | This is an alias to integerToBN.
newBN :: Integer -> IO BigNum
wrapBN :: Ptr BIGNUM -> BigNum
unwrapBN :: BigNum -> Ptr BIGNUM
-- | This is an alias to bnToInteger.
peekBN :: BigNum -> IO Integer
-- | This is a GHC specific, fast conversion between Integers and OpenSSL
-- bignums. It returns a malloced BigNum.
integerToBN :: Integer -> IO BigNum
-- | Convert a BIGNUM to an Integer
bnToInteger :: BigNum -> IO Integer
-- | Convert an Integer to an MPI. See bnToMPI for the format
integerToMPI :: Integer -> IO ByteString
-- | Convert an MPI to an Integer. See bnToMPI for the format
mpiToInteger :: ByteString -> IO Integer
-- | modexp a p m computes a to the p-th
-- power modulo m.
modexp :: Integer -> Integer -> Integer -> Integer
-- | Return a strongly random number in the range 0 <= x < n where
-- the given filter function returns true.
randIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n where the given
-- filter function returns true.
prandIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a strongly random number in the range 0 <= x < n
randIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n
prandIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a strongly random number in the range 0 < x < n
randIntegerOneToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 < x < n
prandIntegerOneToNMinusOne :: Integer -> IO Integer
-- | The Digital Signature Algorithm (FIPS 186-2). See
-- http://www.openssl.org/docs/crypto/dsa.html
module OpenSSL.DSA
-- | The type of a DSA key, includes parameters p, q, g.
data DSA
data DSA_
withDSAPtr :: DSA -> (Ptr DSA_ -> IO a) -> IO a
-- | Generate DSA parameters (*not* a key, but required for a key). This is
-- a compute intensive operation. See FIPS 186-2, app 2. This agrees with
-- the test vectors given in FIPS 186-2, app 5
generateParameters :: Int -> Maybe ByteString -> IO (Int, Int, Integer, Integer, Integer)
-- | Generate a new DSA key, given valid parameters
generateKey :: Integer -> Integer -> Integer -> IO DSA
-- | A utility function to generate both the parameters and the key pair at
-- the same time. Saves serialising and deserialising the parameters too
generateParametersAndKey :: Int -> Maybe ByteString -> IO DSA
-- | Sign pre-digested data. The DSA specs call for SHA1 to be used so, if
-- you use anything else, YMMV. Returns a pair of Integers which,
-- together, are the signature
signDigestedData :: DSA -> ByteString -> IO (Integer, Integer)
-- | Verify pre-digested data given a signature.
verifyDigestedData :: DSA -> ByteString -> (Integer, Integer) -> IO Bool
-- | Return the public prime number of the key.
dsaP :: DSA -> IO (Maybe Integer)
-- | Return the public 160-bit subprime, q | p-1 of the key.
dsaQ :: DSA -> IO (Maybe Integer)
-- | Return the public generator of subgroup of the key.
dsaG :: DSA -> IO (Maybe Integer)
-- | Return the private key x.
dsaPrivate :: DSA -> IO (Maybe Integer)
-- | Return the public key y = g^x.
dsaPublic :: DSA -> IO (Maybe Integer)
-- | Convert a DSA object to a tuple of its members in the order p, q, g,
-- public, private. If this is a public key, private will be Nothing
dsaToTuple :: DSA -> IO (Integer, Integer, Integer, Integer, Maybe Integer)
-- | Convert a tuple of members (in the same format as from dsaToTuple)
-- into a DSA object
tupleToDSA :: (Integer, Integer, Integer, Integer, Maybe Integer) -> IO DSA
-- | An interface to RSA public key generator.
module OpenSSL.RSA
-- | RSA is an opaque object that represents either RSA
-- public key or public/private keypair.
data RSA
data RSA_
withRSAPtr :: RSA -> (Ptr RSA_ -> IO a) -> IO a
-- | RSAGenKeyCallback represents a callback function to
-- get informed the progress of RSA key generation.
--
--
-- - callback 0 i is called after generating the i-th
-- potential prime number.
-- - While the number is being tested for primality, callback 1
-- j is called after the j-th iteration (j = 0, 1,
-- ...).
-- - When the n-th randomly generated prime is rejected as not
-- suitable for the key, callback 2 n is called.
-- - When a random p has been found with p-1
-- relatively prime to e, it is called as callback 3
-- 0.
-- - The process is then repeated for prime q with
-- callback 3 1.
--
type RSAGenKeyCallback = Int -> Int -> IO ()
-- | generateKey generates an RSA keypair.
generateKey :: Int -> Int -> Maybe RSAGenKeyCallback -> IO RSA
-- | rsaN pubKey returns the public modulus of the key.
rsaN :: RSA -> IO Integer
-- | rsaE pubKey returns the public exponent of the key.
rsaE :: RSA -> IO Integer
-- | rsaD privKey returns the private exponent of the key.
-- If privKey is not really a private key, the result is
-- Nothing.
rsaD :: RSA -> IO (Maybe Integer)
-- | rsaP privkey returns the secret prime factor
-- p of the key.
rsaP :: RSA -> IO (Maybe Integer)
-- | rsaQ privkey returns the secret prime factor
-- q of the key.
rsaQ :: RSA -> IO (Maybe Integer)
-- | rsaDMP1 privkey returns d mod (p-1) of the
-- key.
rsaDMP1 :: RSA -> IO (Maybe Integer)
-- | rsaDMQ1 privkey returns d mod (q-1) of the
-- key.
rsaDMQ1 :: RSA -> IO (Maybe Integer)
-- | rsaIQMP privkey returns q^-1 mod p of the
-- key.
rsaIQMP :: RSA -> IO (Maybe Integer)
-- | An interface to asymmetric cipher keypair.
module OpenSSL.EVP.PKey
-- | PKey is an opaque object that represents either public key or
-- public/private keypair. The concrete algorithm of asymmetric cipher is
-- hidden in the object.
data PKey
data EVP_PKEY
wrapPKeyPtr :: Ptr EVP_PKEY -> IO PKey
withPKeyPtr :: PKey -> (Ptr EVP_PKEY -> IO a) -> IO a
unsafePKeyToPtr :: PKey -> Ptr EVP_PKEY
touchPKey :: PKey -> IO ()
pkeySize :: PKey -> IO Int
pkeyDefaultMD :: PKey -> IO Digest
-- | newPKeyRSA rsa encapsulates an RSA key into
-- PKey.
newPKeyRSA :: RSA -> PKey
-- | newPKeyDSA dsa encapsulates a DSA key into
-- PKey.
newPKeyDSA :: DSA -> PKey
-- | Asymmetric cipher decryption using encrypted symmetric key. This is the
-- opposite of OpenSSL.EVP.Seal.
module OpenSSL.EVP.Open
-- | open lazily decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
open :: Cipher -> String -> String -> PKey -> String -> String
-- | openBS decrypts a chunk of data.
openBS :: Cipher -> String -> String -> PKey -> ByteString -> ByteString
-- | openLBS lazily decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
openLBS :: Cipher -> String -> String -> PKey -> ByteString -> ByteString
-- | Asymmetric cipher encryption using encrypted symmetric key. This is the
-- opposite of OpenSSL.EVP.Open.
module OpenSSL.EVP.Seal
-- | seal lazily encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
seal :: Cipher -> [PKey] -> String -> IO (String, [String], String)
-- | sealBS strictly encrypts a chunk of data.
sealBS :: Cipher -> [PKey] -> ByteString -> IO (ByteString, [String], String)
-- | sealLBS lazily encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
sealLBS :: Cipher -> [PKey] -> ByteString -> IO (ByteString, [String], String)
-- | Message signing using asymmetric cipher and message digest algorithm.
-- This is an opposite of OpenSSL.EVP.Verify.
module OpenSSL.EVP.Sign
-- | sign generates a signature from a stream of data. The
-- string must not contain any characters which aren't in the range of
-- U+0000 - U+00FF.
sign :: Digest -> PKey -> String -> IO String
-- | signBS generates a signature from a chunk of data.
signBS :: Digest -> PKey -> ByteString -> IO String
-- | signLBS generates a signature from a stream of data.
signLBS :: Digest -> PKey -> ByteString -> IO String
-- | Message verification using asymmetric cipher and message digest
-- algorithm. This is an opposite of OpenSSL.EVP.Sign.
module OpenSSL.EVP.Verify
-- | VerifyStatus represents a result of verification.
data VerifyStatus
VerifySuccess :: VerifyStatus
VerifyFailure :: VerifyStatus
-- | verify verifies a signature and a stream of data. The
-- string must not contain any characters which aren't in the range of
-- U+0000 - U+00FF.
verify :: Digest -> String -> PKey -> String -> IO VerifyStatus
-- | verifyBS verifies a signature and a chunk of data.
verifyBS :: Digest -> String -> PKey -> ByteString -> IO VerifyStatus
-- | verifyLBS verifies a signature of a stream of data.
verifyLBS :: Digest -> String -> PKey -> ByteString -> IO VerifyStatus
instance Typeable VerifyStatus
instance Show VerifyStatus
instance Eq VerifyStatus
-- | An interface to X.509 certificate.
module OpenSSL.X509
-- | X509 is an opaque object that represents X.509
-- certificate.
data X509
data X509_
-- | newX509 creates an empty certificate. You must set its
-- properties and sign it (see signX509) before the certificate can
-- actually be used.
--
--
newX509 :: IO X509
wrapX509 :: Ptr X509_ -> IO X509
withX509Ptr :: X509 -> (Ptr X509_ -> IO a) -> IO a
withX509Stack :: [X509] -> (Ptr STACK -> IO a) -> IO a
unsafeX509ToPtr :: X509 -> Ptr X509_
touchX509 :: X509 -> IO ()
-- | compareX509 cert1 cert2 compares two certificates.
compareX509 :: X509 -> X509 -> IO Ordering
-- | signX509 signs a certificate with an issuer private
-- key.
signX509 :: X509 -> PKey -> Maybe Digest -> IO ()
-- | verifyX509 verifies a signature of certificate with an
-- issuer public key.
verifyX509 :: X509 -> PKey -> IO VerifyStatus
-- | printX509 cert translates a certificate into
-- human-readable format.
printX509 :: X509 -> IO String
-- | getVersion cert returns the version number of
-- certificate. It seems the number is 0-origin: version 2 means X.509
-- v3.
getVersion :: X509 -> IO Int
-- | setVersion cert ver updates the version number of
-- certificate.
setVersion :: X509 -> Int -> IO ()
-- | getSerialNumber cert returns the serial number of
-- certificate.
getSerialNumber :: X509 -> IO Integer
-- | setSerialNumber cert num updates the serial number of
-- certificate.
setSerialNumber :: X509 -> Integer -> IO ()
-- | getIssuerName returns the issuer name of certificate.
getIssuerName :: X509 -> Bool -> IO [(String, String)]
-- | setIssuerName cert name updates the issuer name of
-- certificate. Keys of each parts may be of either long form or short
-- form. See getIssuerName.
setIssuerName :: X509 -> [(String, String)] -> IO ()
-- | getSubjectName cert wantLongName returns the subject
-- name of certificate. See getIssuerName.
getSubjectName :: X509 -> Bool -> IO [(String, String)]
-- | setSubjectName cert name updates the subject name of
-- certificate. See setIssuerName.
setSubjectName :: X509 -> [(String, String)] -> IO ()
-- | getNotBefore cert returns the time when the
-- certificate begins to be valid.
getNotBefore :: X509 -> IO UTCTime
-- | setNotBefore cert utc updates the time when the
-- certificate begins to be valid.
setNotBefore :: X509 -> UTCTime -> IO ()
-- | getNotAfter cert returns the time when the certificate
-- expires.
getNotAfter :: X509 -> IO UTCTime
-- | setNotAfter cert utc updates the time when the
-- certificate expires.
setNotAfter :: X509 -> UTCTime -> IO ()
-- | getPublicKey cert returns the public key of the
-- subject of certificate.
getPublicKey :: X509 -> IO PKey
-- | setPublicKey cert pubkey updates the public key of the
-- subject of certificate.
setPublicKey :: X509 -> PKey -> IO ()
-- | getSubjectEmail cert returns every subject email
-- address in the certificate.
getSubjectEmail :: X509 -> IO [String]
-- | Functions for handling SSL connections. These functions use GHC
-- specific calls to cooperate with the scheduler so that blocking
-- functions only actually block the Haskell thread, not a whole OS
-- thread.
module OpenSSL.Session
-- | An SSL context. Contexts carry configuration such as a server's
-- private key, root CA certificates etc. Contexts are stateful IO
-- objects; they start empty and various options are set on them by the
-- functions in this module. Note that an empty context will pretty much
-- cause any operation to fail since it doesn't even have any ciphers
-- enabled.
--
-- Contexts are not thread safe so they carry a QSem with them which only
-- lets a single thread work inside them at a time. Thus, one must always
-- use withContext, not withForeignPtr directly.
data SSLContext
-- | Create a new SSL context.
context :: IO SSLContext
-- | Install a private key file in a context. The key is given as a path to
-- the file which contains the key. The file is parsed first as PEM and,
-- if that fails, as ASN1. If both fail, an exception is raised.
contextSetPrivateKeyFile :: SSLContext -> FilePath -> IO ()
-- | Install a certificate (public key) file in a context. The key is given
-- as a path to the file which contains the key. The file is parsed first
-- as PEM and, if that fails, as ASN1. If both fail, an exception is
-- raised.
contextSetCertificateFile :: SSLContext -> FilePath -> IO ()
-- | Set the ciphers to be used by the given context. The string argument
-- is a list of ciphers, comma separated, as given at
-- http://www.openssl.org/docs/apps/ciphers.html
--
-- Unrecognised ciphers are ignored. If no ciphers from the list are
-- recognised, an exception is raised.
contextSetCiphers :: SSLContext -> String -> IO ()
contextSetDefaultCiphers :: SSLContext -> IO ()
-- | Return true iff the private key installed in the given context matches
-- the certificate also installed.
contextCheckPrivateKey :: SSLContext -> IO Bool
-- | See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
data VerificationMode
-- | NOTE(review): presumably maps to OpenSSL's SSL_VERIFY_NONE, under
-- which a handshake is not aborted when the peer's certificate fails
-- verification -- confirm. A client using this mode has to check
-- getVerifyResult (and the hostname) itself.
VerifyNone :: VerificationMode
-- | NOTE(review): presumably maps to OpenSSL's SSL_VERIFY_PEER. The two
-- Bool fields are vpFailIfNoPeerCert and vpClientOnce; which comes first
-- is not stated here -- confirm.
VerifyPeer :: Bool -> Bool -> VerificationMode
-- | is a certificate required
vpFailIfNoPeerCert :: VerificationMode -> Bool
-- | only request once per connection
vpClientOnce :: VerificationMode -> Bool
contextSetVerificationMode :: SSLContext -> VerificationMode -> IO ()
-- | Set the location of a PEM encoded list of CA certificates to be used
-- when verifying a server's certificate
contextSetCAFile :: SSLContext -> FilePath -> IO ()
-- | Set the path to a directory which contains the PEM encoded CA root
-- certificates. This is an alternative to contextSetCAFile. See
-- http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
-- for details of the file naming scheme
contextSetCADirectory :: SSLContext -> FilePath -> IO ()
-- | This is the type of an SSL connection
--
-- SSL objects are not thread safe, so they carry a QSem around with them
-- which only lets a single thread work inside them at a time. Thus, one
-- must always use withSSL, rather than withForeignPtr directly.
--
-- IO with SSL objects is non-blocking and many SSL functions return an
-- error code which signifies that it needs to read or write more data.
-- We handle these calls and call threadWaitRead and threadWaitWrite at
-- the correct times. Thus multiple OS threads can be blocked inside IO
-- in the same SSL object at a time, because they aren't really in the
-- SSL object, they are waiting for the RTS to wake the Haskell thread.
data SSL
-- | Wrap a Socket in an SSL connection. Reading and writing to the Socket
-- after this will cause weird errors in the SSL code. The SSL object
-- carries a handle to the Socket so you need not worry about the garbage
-- collector closing the file descriptor out from under you.
connection :: SSLContext -> Socket -> IO SSL
-- | Perform an SSL server handshake
accept :: SSL -> IO ()
-- | Perform an SSL client handshake
connect :: SSL -> IO ()
-- | Try to read the given number of bytes from an SSL connection. On EOF
-- an empty ByteString is returned. If the connection dies without a
-- graceful SSL shutdown, an exception is raised.
read :: SSL -> Int -> IO ByteString
-- | Write a given ByteString to the SSL connection. Either all the data is
-- written or an exception is raised because of an error
write :: SSL -> ByteString -> IO ()
-- | Cleanly shutdown an SSL connection. Note that SSL has a concept of a
-- secure shutdown, which is distinct from just closing the TCP
-- connection. This performs the former and should always be preferred.
--
-- This can either just send a shutdown, or can send and wait for the
-- peer's shutdown message.
shutdown :: SSL -> ShutdownType -> IO ()
data ShutdownType
-- | wait for the peer to also shutdown
Bidirectional :: ShutdownType
-- | only send our shutdown
Unidirectional :: ShutdownType
-- | After a successful connection, get the certificate of the other party.
-- If this is a server connection, you probably won't get a certificate
-- unless you asked for it with contextSetVerificationMode
getPeerCertificate :: SSL -> IO (Maybe X509)
-- | Get the result of verifying the peer's certificate. This is mostly for
-- clients to verify the certificate of the server that they have
-- connected to. You must set a list of root CA certificates with
-- contextSetCA... for this to make sense.
--
-- Note that this returns True iff the peer's certificate has a valid
-- chain to a root CA. You also need to check that the certificate is
-- correct (i.e. has the correct hostname in it) with getPeerCertificate.
getVerifyResult :: SSL -> IO Bool
-- | Get the socket underlying an SSL connection
sslSocket :: SSL -> Socket
instance Eq SSLIOResult
-- | An interface to Certificate Revocation List.
module OpenSSL.X509.Revocation
-- | CRL is an opaque object that represents Certificate
-- Revocation List.
data CRL
data X509_CRL
-- | RevokedCertificate represents a revoked certificate in
-- a list. Certificates are supposed to be distinguishable by issuer
-- name and serial number, so it is sufficient to have only the serial
-- number in each entry.
data RevokedCertificate
RevokedCertificate :: Integer -> UTCTime -> RevokedCertificate
revSerialNumber :: RevokedCertificate -> Integer
revRevocationDate :: RevokedCertificate -> UTCTime
-- | newCRL creates an empty revocation list. You must set its
-- properties and sign it (see signCRL) before the revocation list can
-- actually be used. If you have any certificates to be
-- listed, you must of course add them (see addRevoked) before
-- signing the list.
--
--
newCRL :: IO CRL
wrapCRL :: Ptr X509_CRL -> IO CRL
withCRLPtr :: CRL -> (Ptr X509_CRL -> IO a) -> IO a
-- | signCRL signs a revocation list with an issuer private
-- key.
signCRL :: CRL -> PKey -> Maybe Digest -> IO ()
-- | verifyCRL verifies a signature of revocation list with
-- an issuer public key.
verifyCRL :: CRL -> PKey -> IO VerifyStatus
-- | printCRL translates a revocation list into
-- human-readable format.
printCRL :: CRL -> IO String
-- | sortCRL crl sorts the certificates in the revocation
-- list.
sortCRL :: CRL -> IO ()
-- | getVersion crl returns the version number of
-- revocation list.
getVersion :: CRL -> IO Int
-- | setVersion crl ver updates the version number of
-- revocation list.
setVersion :: CRL -> Int -> IO ()
-- | getLastUpdate crl returns the time when the revocation
-- list has last been updated.
getLastUpdate :: CRL -> IO UTCTime
-- | setLastUpdate crl utc updates the time when the
-- revocation list has last been updated.
setLastUpdate :: CRL -> UTCTime -> IO ()
-- | getNextUpdate crl returns the time when the revocation
-- list will next be updated.
getNextUpdate :: CRL -> IO UTCTime
-- | setNextUpdate crl utc updates the time when the
-- revocation list will next be updated.
setNextUpdate :: CRL -> UTCTime -> IO ()
-- | getIssuerName crl wantLongName returns the issuer name
-- of revocation list. See OpenSSL.X509.getIssuerName of
-- OpenSSL.X509.
getIssuerName :: CRL -> Bool -> IO [(String, String)]
-- | setIssuerName crl name updates the issuer name of
-- revocation list. See OpenSSL.X509.setIssuerName of
-- OpenSSL.X509.
setIssuerName :: CRL -> [(String, String)] -> IO ()
-- | getRevokedList crl returns the list of revoked
-- certificates.
getRevokedList :: CRL -> IO [RevokedCertificate]
-- | addRevoked crl revoked adds the certificate to the
-- revocation list.
addRevoked :: CRL -> RevokedCertificate -> IO ()
instance Typeable RevokedCertificate
instance Show RevokedCertificate
instance Eq RevokedCertificate
-- | An interface to X.509 certificate store.
module OpenSSL.X509.Store
-- | X509Store is an opaque object that represents X.509
-- certificate store. The certificate store is usually used for chain
-- verification.
data X509Store
data X509_STORE
-- | newX509Store creates an empty X.509 certificate store.
newX509Store :: IO X509Store
withX509StorePtr :: X509Store -> (Ptr X509_STORE -> IO a) -> IO a
-- | addCertToStore store cert adds a certificate to store.
addCertToStore :: X509Store -> X509 -> IO ()
-- | addCRLToStore store crl adds a revocation list to
-- store.
addCRLToStore :: X509Store -> CRL -> IO ()
-- | An interface to PKCS#7 structure and S/MIME message.
module OpenSSL.PKCS7
-- | Pkcs7 represents an abstract PKCS#7 structure. The
-- concrete type of structure is hidden in the object: such polymorphism
-- isn't very haskellish but please get it out of your mind since OpenSSL
-- is written in C.
data Pkcs7
data PKCS7
-- | Pkcs7Flag is a set of flags that are used in many
-- operations related to PKCS#7.
data Pkcs7Flag
Pkcs7Text :: Pkcs7Flag
Pkcs7NoCerts :: Pkcs7Flag
-- | NOTE(review): presumably OpenSSL's PKCS7_NOSIGS, which skips the
-- signature check on the data during verification -- confirm.
Pkcs7NoSigs :: Pkcs7Flag
Pkcs7NoChain :: Pkcs7Flag
Pkcs7NoIntern :: Pkcs7Flag
-- | NOTE(review): presumably OpenSSL's PKCS7_NOVERIFY, which skips chain
-- verification of the signer's certificate -- confirm. A
-- Pkcs7VerifySuccess obtained with this flag or with Pkcs7NoSigs does
-- not establish who signed the content.
Pkcs7NoVerify :: Pkcs7Flag
Pkcs7Detached :: Pkcs7Flag
Pkcs7Binary :: Pkcs7Flag
Pkcs7NoAttr :: Pkcs7Flag
Pkcs7NoSmimeCap :: Pkcs7Flag
Pkcs7NoOldMimeType :: Pkcs7Flag
Pkcs7CRLFEOL :: Pkcs7Flag
-- | Pkcs7VerifyStatus represents a result of PKCS#7
-- verification. See pkcs7Verify.
data Pkcs7VerifyStatus
-- | Nothing if the PKCS#7 signature was a detached signature, and Just
-- content if it wasn't.
Pkcs7VerifySuccess :: (Maybe String) -> Pkcs7VerifyStatus
Pkcs7VerifyFailure :: Pkcs7VerifyStatus
wrapPkcs7Ptr :: Ptr PKCS7 -> IO Pkcs7
withPkcs7Ptr :: Pkcs7 -> (Ptr PKCS7 -> IO a) -> IO a
-- | pkcs7Sign creates a PKCS#7 signedData structure.
pkcs7Sign :: X509 -> PKey -> [X509] -> String -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Verify verifies a PKCS#7 signedData structure.
pkcs7Verify :: Pkcs7 -> [X509] -> X509Store -> Maybe String -> [Pkcs7Flag] -> IO Pkcs7VerifyStatus
-- | pkcs7Encrypt creates a PKCS#7 envelopedData structure.
pkcs7Encrypt :: [X509] -> String -> Cipher -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Decrypt decrypts content from PKCS#7
-- envelopedData structure.
pkcs7Decrypt :: Pkcs7 -> PKey -> X509 -> [Pkcs7Flag] -> IO String
-- | writeSmime writes PKCS#7 structure to S/MIME message.
writeSmime :: Pkcs7 -> Maybe String -> [Pkcs7Flag] -> IO String
-- | readSmime parses S/MIME message.
readSmime :: String -> IO (Pkcs7, Maybe String)
instance Typeable Pkcs7VerifyStatus
instance Typeable Pkcs7Flag
instance Show Pkcs7VerifyStatus
instance Eq Pkcs7VerifyStatus
instance Show Pkcs7Flag
instance Eq Pkcs7Flag
-- | An interface to PKCS#10 certificate request.
module OpenSSL.X509.Request
-- | X509Req is an opaque object that represents PKCS#10
-- certificate request.
data X509Req
data X509_REQ
-- | newX509Req creates an empty certificate request. You
-- must set its properties and sign it (see
-- signX509Req) before the certificate request can actually be used.
--
--
newX509Req :: IO X509Req
wrapX509Req :: Ptr X509_REQ -> IO X509Req
withX509ReqPtr :: X509Req -> (Ptr X509_REQ -> IO a) -> IO a
-- | signX509Req signs a certificate request with a subject
-- private key.
signX509Req :: X509Req -> PKey -> Maybe Digest -> IO ()
-- | verifyX509Req verifies a signature of certificate
-- request with a subject public key.
verifyX509Req :: X509Req -> PKey -> IO VerifyStatus
-- | printX509Req req translates a certificate request into
-- human-readable format.
printX509Req :: X509Req -> IO String
-- | makeX509FromReq req cert creates an empty X.509
-- certificate and copies as much data from the request as possible. The
-- resulting certificate doesn't have the following data and it isn't
-- signed so you must fill them and sign it yourself.
--
--
-- - Serial number
-- - Validity (Not Before and Not After)
--
--
-- Example:
--
--
-- import Data.Time.Clock
--
-- genCert :: X509 -> EvpPKey -> Integer -> Int -> X509Req -> IO X509
-- genCert caCert caKey serial days req
-- = do cert <- makeX509FromReq req caCert
-- now <- getCurrentTime
-- setSerialNumber cert serial
-- setNotBefore cert $ addUTCTime (-1) now
-- setNotAfter cert $ addUTCTime (days * 24 * 60 * 60) now
-- signX509 cert caKey Nothing
-- return cert
--
makeX509FromReq :: X509Req -> X509 -> IO X509
-- | getVersion req returns the version number of
-- certificate request.
getVersion :: X509Req -> IO Int
-- | setVersion req ver updates the version number of
-- certificate request.
setVersion :: X509Req -> Int -> IO ()
-- | getSubjectName req wantLongName returns the subject
-- name of certificate request. See OpenSSL.X509.getSubjectName of
-- OpenSSL.X509.
getSubjectName :: X509Req -> Bool -> IO [(String, String)]
-- | setSubjectName req name updates the subject name of
-- certificate request. See OpenSSL.X509.setSubjectName of
-- OpenSSL.X509.
setSubjectName :: X509Req -> [(String, String)] -> IO ()
-- | getPublicKey req returns the public key of the subject
-- of certificate request.
getPublicKey :: X509Req -> IO PKey
-- | setPublicKey req updates the public key of the subject
-- of certificate request.
setPublicKey :: X509Req -> PKey -> IO ()
-- | An interface to PEM routines.
module OpenSSL.PEM
-- | PemPasswordCallback represents a callback function to
-- supply a password.
--
--
-- - Int The maximum length of the password to be
-- accepted.
-- - PemPasswordRWState The context.
-- - IO String The resulting password.
--
type PemPasswordCallback = Int -> PemPasswordRWState -> IO String
-- | PemPasswordRWState represents a context of
-- PemPasswordCallback.
data PemPasswordRWState
-- | The callback was called to get a password to read something encrypted.
PwRead :: PemPasswordRWState
-- | The callback was called to get a password to encrypt something.
PwWrite :: PemPasswordRWState
-- | PemPasswordSupply represents a way to supply password.
--
-- FIXME: using PwTTY causes an error but I don't know why:
-- "error:0906406D:PEM routines:DEF_CALLBACK:problems getting password"
data PemPasswordSupply
-- | no password
PwNone :: PemPasswordSupply
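-- | password in a static string; the string stays in ordinary program
-- memory, so use PwCallback when the password should not be embedded
-- in the program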
PwStr :: String -> PemPasswordSupply
-- | get a password by a callback
PwCallback :: PemPasswordCallback -> PemPasswordSupply
-- | read a password from TTY
PwTTY :: PemPasswordSupply
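-- | writePKCS8PrivateKey writes a private key to a PEM
-- string in PKCS#8 format. If the second argument is Nothing, the key is
-- written unencrypted; give a cipher and a password supply to protect it.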
writePKCS8PrivateKey :: PKey -> Maybe (Cipher, PemPasswordSupply) -> IO String
-- | readPrivateKey pem supply reads a private key in PEM
-- string.
readPrivateKey :: String -> PemPasswordSupply -> IO PKey
-- | writePublicKey pubkey writes a public key to a PEM string.
writePublicKey :: PKey -> IO String
-- | readPublicKey pem reads a public key in PEM string.
readPublicKey :: String -> IO PKey
-- | writeX509 cert writes an X.509 certificate to PEM
-- string.
writeX509 :: X509 -> IO String
-- | readX509 pem reads an X.509 certificate in PEM string.
readX509 :: String -> IO X509
-- | PemX509ReqFormat represents format of PKCS#10
-- certificate request.
data PemX509ReqFormat
-- | The new format, whose header is "NEW CERTIFICATE REQUEST".
ReqNewFormat :: PemX509ReqFormat
-- | The old format, whose header is "CERTIFICATE REQUEST".
ReqOldFormat :: PemX509ReqFormat
-- | writeX509Req writes a PKCS#10 certificate request to
-- PEM string.
writeX509Req :: X509Req -> PemX509ReqFormat -> IO String
-- | readX509Req reads a PKCS#10 certificate request in PEM
-- string.
readX509Req :: String -> IO X509Req
-- | writeCRL crl writes a Certificate Revocation List to
-- PEM string.
writeCRL :: CRL -> IO String
-- | readCRL pem reads a Certificate Revocation List in PEM
-- string.
readCRL :: String -> IO CRL
-- | writePkcs7 p7 writes a PKCS#7 structure to PEM string.
writePkcs7 :: Pkcs7 -> IO String
-- | readPkcs7 pem reads a PKCS#7 structure in PEM string.
readPkcs7 :: String -> IO Pkcs7
-- | HsOpenSSL is a (part of) OpenSSL binding for Haskell. It can generate
-- RSA and DSA keys, read and write PEM files, generate message digests,
-- sign and verify messages, encrypt and decrypt messages. But since
-- OpenSSL is a very large library, it is not easy to cover everything
-- in it.
--
-- Features that aren't (yet) supported:
--
--
-- - TLS/SSL network connection: ssl(3) functionalities
-- aren't fully covered yet.
-- - Complete coverage of Low-level API to symmetric
-- ciphers: Only high-level APIs (EVP and BIO) are fully
-- available. But I believe no one will be lost without functions like
-- DES_set_odd_parity.
-- - Low-level API to asymmetric ciphers: Only a
-- high-level API (EVP) is available. But I believe no one will complain
-- about the absence of functions like RSA_public_encrypt.
-- - Key generation of Diffie-Hellman algorithm: Only RSA
-- and DSA keys can currently be generated.
-- - X.509 v3 extension handling: It should be supported
-- in the future.
-- - Low-level API to message digest functions: Just use
-- EVP instead of something like MD5_Update.
-- - API to PKCS#12 functionality: It should be covered
-- someday.
-- - BIO: BIO isn't needed because we are Haskell hackers.
-- Though HsOpenSSL itself uses BIO internally.
-- - ENGINE cryptographic module: The default
-- implementations work very well, don't they?
--
--
-- So if you find that a feature you want isn't supported, you must
-- write your own patch (or take over the HsOpenSSL project). Happy
-- hacking.
module OpenSSL
-- | Computation of withOpenSSL action initializes the
-- OpenSSL library and computes action. Every application that
-- uses HsOpenSSL must wrap any operations related to OpenSSL with
-- withOpenSSL, or it might crash.
--
--
-- module Main where
-- import OpenSSL
--
-- main :: IO ()
-- main = withOpenSSL $
-- do ...
--
withOpenSSL :: IO a -> IO a