-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/
-- | (Incomplete) OpenSSL binding for Haskell
--
-- HsOpenSSL is an (incomplete) OpenSSL binding for Haskell. It can
-- generate RSA and DSA keys, read and write PEM files, generate message
-- digests, sign and verify messages, encrypt and decrypt messages.
@package HsOpenSSL
@version 0.6.2
-- | PRNG services See http://www.openssl.org/docs/crypto/rand.html
-- For random Integer generation, see OpenSSL.BN
module OpenSSL.Random
-- | Return a bytestring consisting of the given number of strongly random
-- bytes
randBytes :: Int -> IO ByteString
-- | Return a bytestring consisting of the given number of pseudo random
-- bytes
prandBytes :: Int -> IO ByteString
-- | Add data to the entropy pool. It's safe to add sensitive information
-- (e.g. user passwords etc) to the pool. Also, adding data with an
-- entropy of 0 can never hurt.
add :: ByteString -> Int -> IO ()
-- | This module interfaces to some of the OpenSSL ciphers without using
-- EVP (see OpenSSL.EVP.Cipher). The EVP ciphers are easier to use,
-- however, in some cases you cannot do without using the OpenSSL
-- fuctions directly.
--
-- One of these cases (and the motivating example for this module) is
-- that the EVP CBC functions try to encode the length of the input
-- string in the output (thus hiding the fact that the cipher is, in
-- fact, block based and needs padding). This means that the EVP CBC
-- functions cannot, in some cases, interface with other users which
-- don't use that system (like SSH).
module OpenSSL.Cipher
data Mode
Encrypt :: Mode
Decrypt :: Mode
-- | Construct a new context which holds the key schedule and IV.
newAESCtx :: Mode -> ByteString -> ByteString -> IO AESCtx
-- | Encrypt some number of blocks using CBC. This is an IO function
-- because the context is destructivly updated.
aesCBC :: AESCtx -> ByteString -> IO ByteString
-- | Encrypt some number of bytes using CTR mode. This is an IO function
-- because the context is destructivly updated.
aesCTR :: AESCtx -> ByteString -> IO ByteString
instance Eq Mode
instance Show Mode
-- | An interface to message digest algorithms.
module OpenSSL.EVP.Digest
-- | Digest is an opaque object that represents an algorithm of
-- message digest.
data Digest
-- | getDigestByName name returns a message digest
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getDigestByName :: String -> IO (Maybe Digest)
-- | getDigestNames returns a list of name of message
-- digest algorithms.
getDigestNames :: IO [String]
-- | digest digests a stream of data. The string must not
-- contain any letters which aren't in the range of U+0000 - U+00FF.
digest :: Digest -> String -> String
-- | digestBS digests a chunk of data.
digestBS :: Digest -> ByteString -> String
-- | digestLBS digests a stream of data.
digestLBS :: Digest -> ByteString -> String
-- | Perform a private key signing using the HMAC template with a given
-- hash
hmacBS :: Digest -> ByteString -> ByteString -> ByteString
-- | An interface to symmetric cipher algorithms.
module OpenSSL.EVP.Cipher
-- | Cipher is an opaque object that represents an algorithm of
-- symmetric cipher.
data Cipher
-- | getCipherByName name returns a symmetric cipher
-- algorithm whose name is name. If no algorithms are found, the
-- result is Nothing.
getCipherByName :: String -> IO (Maybe Cipher)
-- | getCipherNames returns a list of name of symmetric
-- cipher algorithms.
getCipherNames :: IO [String]
-- | CryptoMode represents instruction to cipher and such
-- like.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode
-- | cipher lazilly encrypts or decrypts a stream of data.
-- The input string doesn't necessarily have to be finite.
cipher :: Cipher -> String -> String -> CryptoMode -> String -> IO String
-- | cipherBS strictly encrypts or decrypts a chunk of
-- data.
cipherBS :: Cipher -> String -> String -> CryptoMode -> ByteString -> IO ByteString
-- | cipherLBS lazilly encrypts or decrypts a stream of
-- data. The input string doesn't necessarily have to be finite.
cipherLBS :: Cipher -> String -> String -> CryptoMode -> ByteString -> IO ByteString
-- | An interface to Base64 codec.
module OpenSSL.EVP.Base64
-- | encodeBase64 str lazilly encodes a stream of data to
-- Base64. The string doesn't have to be finite. Note that the string
-- must not contain any letters which aren't in the range of U+0000 -
-- U+00FF.
encodeBase64 :: String -> String
-- | encodeBase64BS bs strictly encodes a chunk of data to
-- Base64.
encodeBase64BS :: ByteString -> ByteString
-- | encodeBase64LBS lbs lazilly encodes a stream of data
-- to Base64. The string doesn't have to be finite.
encodeBase64LBS :: ByteString -> ByteString
-- | decodeBase64 str lazilly decodes a stream of data from
-- Base64. The string doesn't have to be finite.
decodeBase64 :: String -> String
-- | decodeBase64BS bs strictly decodes a chunk of data
-- from Base64.
decodeBase64BS :: ByteString -> ByteString
-- | decodeBase64LBS lbs lazilly decodes a stream of data
-- from Base64. The string doesn't have to be finite.
decodeBase64LBS :: ByteString -> ByteString
-- | BN - multiprecision integer arithmetics
module OpenSSL.BN
-- | BigNum is an opaque object representing a big number.
data BigNum
-- | allocaBN f allocates a BigNum and computes
-- f. Then it frees the BigNum.
allocaBN :: (BigNum -> IO a) -> IO a
-- | withBN n f converts n to a BigNum and computes
-- f. Then it frees the BigNum.
withBN :: Integer -> (BigNum -> IO a) -> IO a
-- | This is an alias to integerToBN.
newBN :: Integer -> IO BigNum
-- | This is an alias to bnToInteger.
peekBN :: BigNum -> IO Integer
-- | This is a GHC specific, fast conversion between Integers and OpenSSL
-- bignums. It returns a malloced BigNum.
integerToBN :: Integer -> IO BigNum
-- | Convert a BIGNUM to an Integer
bnToInteger :: BigNum -> IO Integer
-- | Convert an Integer to an MPI. SEe bnToMPI for the format
integerToMPI :: Integer -> IO ByteString
-- | Convert an MPI to an Integer. SEe bnToMPI for the format
mpiToInteger :: ByteString -> IO Integer
-- | modexp a p m computes a to the p-th
-- power modulo m.
modexp :: Integer -> Integer -> Integer -> Integer
-- | Return a strongly random number in the range 0 <= x < n where
-- the given filter function returns true.
randIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n where the given
-- filter function returns true.
prandIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer
-- | Return a strongly random number in the range 0 <= x < n
randIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 <= x < n
prandIntegerZeroToNMinusOne :: Integer -> IO Integer
-- | Return a strongly random number in the range 0 < x < n
randIntegerOneToNMinusOne :: Integer -> IO Integer
-- | Return a random number in the range 0 < x < n
prandIntegerOneToNMinusOne :: Integer -> IO Integer
-- | The Digital Signature Algorithm (FIPS 186-2). See
-- http://www.openssl.org/docs/crypto/dsa.html
module OpenSSL.DSA
-- | DSAKey a is either DSAPubKey or
-- DSAKeyPair.
class DSAKey k
dsaSize :: (DSAKey k) => k -> Int
dsaP :: (DSAKey k) => k -> Integer
dsaQ :: (DSAKey k) => k -> Integer
dsaG :: (DSAKey k) => k -> Integer
dsaPublic :: (DSAKey k) => k -> Integer
withDSAPtr :: (DSAKey k) => k -> (Ptr DSA -> IO a) -> IO a
peekDSAPtr :: (DSAKey k) => Ptr DSA -> IO (Maybe k)
absorbDSAPtr :: (DSAKey k) => Ptr DSA -> IO (Maybe k)
-- | The type of a DSA public key, includes parameters p, q, g and public.
data DSAPubKey
-- | The type of a DSA keypair, includes parameters p, q, g, public and
-- private.
data DSAKeyPair
-- | Generate DSA parameters (*not* a key, but required for a key). This is
-- a compute intensive operation. See FIPS 186-2, app 2. This agrees with
-- the test vectors given in FIP 186-2, app 5
generateDSAParameters :: Int -> Maybe ByteString -> IO (Int, Int, Integer, Integer, Integer)
-- | Generate a new DSA keypair, given valid parameters
generateDSAKey :: Integer -> Integer -> Integer -> IO DSAKeyPair
-- | A utility function to generate both the parameters and the key pair at
-- the same time. Saves serialising and deserialising the parameters too
generateDSAParametersAndKey :: Int -> Maybe ByteString -> IO DSAKeyPair
-- | Sign pre-digested data. The DSA specs call for SHA1 to be used so, if
-- you use anything else, YMMV. Returns a pair of Integers which,
-- together, are the signature
signDigestedDataWithDSA :: DSAKeyPair -> ByteString -> IO (Integer, Integer)
-- | Verify pre-digested data given a signature.
verifyDigestedDataWithDSA :: (DSAKey k) => k -> ByteString -> (Integer, Integer) -> IO Bool
-- | Return the private key x.
dsaPrivate :: DSAKeyPair -> Integer
-- | Convert a DSAPubKey object to a tuple of its members in the order p,
-- q, g, and public.
dsaPubKeyToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer)
-- | Convert a DSAKeyPair object to a tuple of its members in the order p,
-- q, g, public and private.
dsaKeyPairToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer, Integer)
-- | Convert a tuple of members (in the same format as from
-- dsaPubKeyToTuple) into a DSAPubKey object
tupleToDSAPubKey :: (Integer, Integer, Integer, Integer) -> DSAPubKey
-- | Convert a tuple of members (in the same format as from
-- dsaPubKeyToTuple) into a DSAPubKey object
tupleToDSAKeyPair :: (Integer, Integer, Integer, Integer, Integer) -> DSAKeyPair
instance Typeable DSAKeyPair
instance Typeable DSAPubKey
instance Show DSAKeyPair
instance Show DSAPubKey
instance Ord DSAKeyPair
instance Ord DSAPubKey
instance Eq DSAKeyPair
instance Eq DSAPubKey
instance DSAKey DSAKeyPair
instance DSAKey DSAPubKey
-- | An interface to RSA public key generator.
module OpenSSL.RSA
-- | RSAKey a is either RSAPubKey or
-- RSAKeyPair.
class RSAKey k
rsaSize :: (RSAKey k) => k -> Int
rsaN :: (RSAKey k) => k -> Integer
rsaE :: (RSAKey k) => k -> Integer
withRSAPtr :: (RSAKey k) => k -> (Ptr RSA -> IO a) -> IO a
peekRSAPtr :: (RSAKey k) => Ptr RSA -> IO (Maybe k)
absorbRSAPtr :: (RSAKey k) => Ptr RSA -> IO (Maybe k)
-- | RSAPubKey is an opaque object that represents RSA
-- public key.
data RSAPubKey
-- | RSAKeyPair is an opaque object that represents RSA
-- keypair.
data RSAKeyPair
-- | RSAGenKeyCallback represents a callback function to
-- get informed the progress of RSA key generation.
--
--
-- - callback 0 i is called after generating the i-th
-- potential prime number.
-- - While the number is being tested for primality, callback 1
-- j is called after the j-th iteration (j = 0, 1,
-- ...).
-- - When the n-th randomly generated prime is rejected as not
-- suitable for the key, callback 2 n is called.
-- - When a random p has been found with p-1
-- relatively prime to e, it is called as callback 3
-- 0.
-- - The process is then repeated for prime q with
-- callback 3 1.
--
type RSAGenKeyCallback = Int -> Int -> IO ()
-- | generateRSAKey generates an RSA keypair.
generateRSAKey :: Int -> Int -> Maybe RSAGenKeyCallback -> IO RSAKeyPair
-- | A simplified alternative to generateRSAKey
generateRSAKey' :: Int -> Int -> IO RSAKeyPair
-- | rsaD privKey returns the private exponent of the key.
rsaD :: RSAKeyPair -> Integer
-- | rsaP privkey returns the secret prime factor
-- p of the key.
rsaP :: RSAKeyPair -> Integer
-- | rsaQ privkey returns the secret prime factor
-- q of the key.
rsaQ :: RSAKeyPair -> Integer
-- | rsaDMP1 privkey returns d mod (p-1) of the
-- key.
rsaDMP1 :: RSAKeyPair -> Maybe Integer
-- | rsaDMQ1 privkey returns d mod (q-1) of the
-- key.
rsaDMQ1 :: RSAKeyPair -> Maybe Integer
-- | rsaIQMP privkey returns q^-1 mod p of the
-- key.
rsaIQMP :: RSAKeyPair -> Maybe Integer
instance Typeable RSAKeyPair
instance Typeable RSAPubKey
instance Show RSAKeyPair
instance Show RSAPubKey
instance Ord RSAKeyPair
instance Ord RSAPubKey
instance Eq RSAKeyPair
instance Eq RSAPubKey
instance RSAKey RSAKeyPair
instance RSAKey RSAPubKey
-- | An interface to asymmetric cipher keypair.
module OpenSSL.EVP.PKey
-- | Instances of this class has at least public portion of a keypair. They
-- might or might not have the private key.
class (Eq k, Typeable k, PKey k) => PublicKey k
fromPublicKey :: (PublicKey k) => k -> SomePublicKey
toPublicKey :: (PublicKey k) => SomePublicKey -> Maybe k
-- | Instances of this class has both of public and private portions of a
-- keypair.
class (PublicKey a) => KeyPair a
fromKeyPair :: (KeyPair a) => a -> SomeKeyPair
toKeyPair :: (KeyPair a) => SomeKeyPair -> Maybe a
-- | This is an opaque type to hold an arbitrary public key in it. The
-- actual key type can be safelly type-casted using toPublicKey.
data SomePublicKey
-- | This is an opaque type to hold an arbitrary keypair in it. The actual
-- key type can be safelly type-casted using toKeyPair.
data SomeKeyPair
instance Typeable SomeKeyPair
instance Typeable SomePublicKey
instance PKey DSAKeyPair
instance PublicKey DSAKeyPair
instance KeyPair DSAKeyPair
instance PKey DSAPubKey
instance PublicKey DSAPubKey
instance PKey RSAKeyPair
instance PublicKey RSAKeyPair
instance KeyPair RSAKeyPair
instance PKey RSAPubKey
instance PublicKey RSAPubKey
instance PKey SomeKeyPair
instance KeyPair SomeKeyPair
instance PublicKey SomeKeyPair
instance Eq SomeKeyPair
instance PKey SomePublicKey
instance PublicKey SomePublicKey
instance Eq SomePublicKey
-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
-- opposite of OpenSSL.EVP.Seal.
module OpenSSL.EVP.Open
-- | open lazilly decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
open :: (KeyPair key) => Cipher -> String -> String -> key -> String -> String
-- | openBS decrypts a chunk of data.
openBS :: (KeyPair key) => Cipher -> String -> String -> key -> ByteString -> ByteString
-- | openLBS lazilly decrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
openLBS :: (KeyPair key) => Cipher -> String -> String -> key -> ByteString -> ByteString
-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
-- opposite of OpenSSL.EVP.Open.
module OpenSSL.EVP.Seal
-- | seal lazilly encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
seal :: Cipher -> [SomePublicKey] -> String -> IO (String, [String], String)
-- | sealBS strictly encrypts a chunk of data.
sealBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [String], String)
-- | sealLBS lazilly encrypts a stream of data. The input
-- string doesn't necessarily have to be finite.
sealLBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [String], String)
-- | Message signing using asymmetric cipher and message digest algorithm.
-- This is an opposite of OpenSSL.EVP.Verify.
module OpenSSL.EVP.Sign
-- | sign generates a signature from a stream of data. The
-- string must not contain any letters which aren't in the range of
-- U+0000 - U+00FF.
sign :: (KeyPair key) => Digest -> key -> String -> IO String
-- | signBS generates a signature from a chunk of data.
signBS :: (KeyPair key) => Digest -> key -> ByteString -> IO String
-- | signLBS generates a signature from a stream of data.
signLBS :: (KeyPair key) => Digest -> key -> ByteString -> IO String
-- | Message verification using asymmetric cipher and message digest
-- algorithm. This is an opposite of OpenSSL.EVP.Sign.
module OpenSSL.EVP.Verify
-- | VerifyStatus represents a result of verification.
data VerifyStatus
VerifySuccess :: VerifyStatus
VerifyFailure :: VerifyStatus
-- | verify verifies a signature and a stream of data. The
-- string must not contain any letters which aren't in the range of
-- U+0000 - U+00FF.
verify :: (PublicKey key) => Digest -> String -> key -> String -> IO VerifyStatus
-- | verifyBS verifies a signature and a chunk of data.
verifyBS :: (PublicKey key) => Digest -> String -> key -> ByteString -> IO VerifyStatus
-- | verifyLBS verifies a signature of a stream of data.
verifyLBS :: (PublicKey key) => Digest -> String -> key -> ByteString -> IO VerifyStatus
instance Typeable VerifyStatus
instance Show VerifyStatus
instance Eq VerifyStatus
-- | An interface to X.509 certificate.
module OpenSSL.X509
-- | X509 is an opaque object that represents X.509
-- certificate.
data X509
-- | newX509 creates an empty certificate. You must set the
-- following properties to and sign it (see signX509) to actually
-- use the certificate.
--
--
newX509 :: IO X509
-- | compareX509 cert1 cert2 compares two certificates.
compareX509 :: X509 -> X509 -> IO Ordering
-- | signX509 signs a certificate with an issuer private
-- key.
signX509 :: (KeyPair key) => X509 -> key -> Maybe Digest -> IO ()
-- | verifyX509 verifies a signature of certificate with an
-- issuer public key.
verifyX509 :: (PublicKey key) => X509 -> key -> IO VerifyStatus
-- | printX509 cert translates a certificate into
-- human-readable format.
printX509 :: X509 -> IO String
-- | getVersion cert returns the version number of
-- certificate. It seems the number is 0-origin: version 2 means X.509
-- v3.
getVersion :: X509 -> IO Int
-- | setVersion cert ver updates the version number of
-- certificate.
setVersion :: X509 -> Int -> IO ()
-- | getSerialNumber cert returns the serial number of
-- certificate.
getSerialNumber :: X509 -> IO Integer
-- | setSerialNumber cert num updates the serial number of
-- certificate.
setSerialNumber :: X509 -> Integer -> IO ()
-- | getIssuerName returns the issuer name of certificate.
getIssuerName :: X509 -> Bool -> IO [(String, String)]
-- | setIssuerName cert name updates the issuer name of
-- certificate. Keys of each parts may be of either long form or short
-- form. See getIssuerName.
setIssuerName :: X509 -> [(String, String)] -> IO ()
-- | getSubjectName cert wantLongName returns the subject
-- name of certificate. See getIssuerName.
getSubjectName :: X509 -> Bool -> IO [(String, String)]
-- | setSubjectName cert name updates the subject name of
-- certificate. See setIssuerName.
setSubjectName :: X509 -> [(String, String)] -> IO ()
-- | getNotBefore cert returns the time when the
-- certificate begins to be valid.
getNotBefore :: X509 -> IO UTCTime
-- | setNotBefore cert utc updates the time when the
-- certificate begins to be valid.
setNotBefore :: X509 -> UTCTime -> IO ()
-- | getNotAfter cert returns the time when the certificate
-- expires.
getNotAfter :: X509 -> IO UTCTime
-- | setNotAfter cert utc updates the time when the
-- certificate expires.
setNotAfter :: X509 -> UTCTime -> IO ()
-- | getPublicKey cert returns the public key of the
-- subject of certificate.
getPublicKey :: X509 -> IO SomePublicKey
-- | setPublicKey cert pubkey updates the public key of the
-- subject of certificate.
setPublicKey :: (PublicKey key) => X509 -> key -> IO ()
-- | getSubjectEmail cert returns every subject email
-- addresses in the certificate.
getSubjectEmail :: X509 -> IO [String]
-- | An interface to Certificate Revocation List.
module OpenSSL.X509.Revocation
-- | CRL is an opaque object that represents Certificate
-- Revocation List.
data CRL
-- | RevokedCertificate represents a revoked certificate in
-- a list. Each certificates are supposed to be distinguishable by issuer
-- name and serial number, so it is sufficient to have only serial number
-- on each entries.
data RevokedCertificate
RevokedCertificate :: Integer -> UTCTime -> RevokedCertificate
revSerialNumber :: RevokedCertificate -> Integer
revRevocationDate :: RevokedCertificate -> UTCTime
-- | newCRL creates an empty revocation list. You must set
-- the following properties to and sign it (see signCRL) to
-- actually use the revocation list. If you have any certificates to be
-- listed, you must of course add them (see addRevoked) before
-- signing the list.
--
--
newCRL :: IO CRL
-- | signCRL signs a revocation list with an issuer private
-- key.
signCRL :: (KeyPair key) => CRL -> key -> Maybe Digest -> IO ()
-- | verifyCRL verifies a signature of revocation list with
-- an issuer public key.
verifyCRL :: (PublicKey key) => CRL -> key -> IO VerifyStatus
-- | printCRL translates a revocation list into
-- human-readable format.
printCRL :: CRL -> IO String
-- | sortCRL crl sorts the certificates in the revocation
-- list.
sortCRL :: CRL -> IO ()
-- | getVersion crl returns the version number of
-- revocation list.
getVersion :: CRL -> IO Int
-- | setVersion crl ver updates the version number of
-- revocation list.
setVersion :: CRL -> Int -> IO ()
-- | getLastUpdate crl returns the time when the revocation
-- list has last been updated.
getLastUpdate :: CRL -> IO UTCTime
-- | setLastUpdate crl utc updates the time when the
-- revocation list has last been updated.
setLastUpdate :: CRL -> UTCTime -> IO ()
-- | getNextUpdate crl returns the time when the revocation
-- list will next be updated.
getNextUpdate :: CRL -> IO UTCTime
-- | setNextUpdate crl utc updates the time when the
-- revocation list will next be updated.
setNextUpdate :: CRL -> UTCTime -> IO ()
-- | getIssuerName crl wantLongName returns the issuer name
-- of revocation list. See OpenSSL.X509.getIssuerName of
-- OpenSSL.X509.
getIssuerName :: CRL -> Bool -> IO [(String, String)]
-- | setIssuerName crl name updates the issuer name of
-- revocation list. See OpenSSL.X509.setIssuerName of
-- OpenSSL.X509.
setIssuerName :: CRL -> [(String, String)] -> IO ()
-- | getRevokedList crl returns the list of revoked
-- certificates.
getRevokedList :: CRL -> IO [RevokedCertificate]
-- | addRevoked crl revoked add the certificate to the
-- revocation list.
addRevoked :: CRL -> RevokedCertificate -> IO ()
instance Typeable RevokedCertificate
instance Show RevokedCertificate
instance Eq RevokedCertificate
-- | An interface to X.509 certificate store.
module OpenSSL.X509.Store
-- | X509Store is an opaque object that represents X.509
-- certificate store. The certificate store is usually used for chain
-- verification.
data X509Store
-- | newX509Store creates an empty X.509 certificate store.
newX509Store :: IO X509Store
-- | addCertToStore store cert adds a certificate to store.
addCertToStore :: X509Store -> X509 -> IO ()
-- | addCRLToStore store crl adds a revocation list to
-- store.
addCRLToStore :: X509Store -> CRL -> IO ()
-- | An interface to PKCS#7 structure and S/MIME message.
module OpenSSL.PKCS7
-- | Pkcs7 represents an abstract PKCS#7 structure. The
-- concrete type of structure is hidden in the object: such polymorphism
-- isn't very haskellish but please get it out of your mind since OpenSSL
-- is written in C.
data Pkcs7
data PKCS7
-- | Pkcs7Flag is a set of flags that are used in many
-- operations related to PKCS#7.
data Pkcs7Flag
Pkcs7Text :: Pkcs7Flag
Pkcs7NoCerts :: Pkcs7Flag
Pkcs7NoSigs :: Pkcs7Flag
Pkcs7NoChain :: Pkcs7Flag
Pkcs7NoIntern :: Pkcs7Flag
Pkcs7NoVerify :: Pkcs7Flag
Pkcs7Detached :: Pkcs7Flag
Pkcs7Binary :: Pkcs7Flag
Pkcs7NoAttr :: Pkcs7Flag
Pkcs7NoSmimeCap :: Pkcs7Flag
Pkcs7NoOldMimeType :: Pkcs7Flag
Pkcs7CRLFEOL :: Pkcs7Flag
-- | Pkcs7VerifyStatus represents a result of PKCS#7
-- verification. See pkcs7Verify.
data Pkcs7VerifyStatus
-- | Nothing if the PKCS#7 signature was a detached signature, and Just
-- content if it wasn't.
Pkcs7VerifySuccess :: (Maybe String) -> Pkcs7VerifyStatus
Pkcs7VerifyFailure :: Pkcs7VerifyStatus
wrapPkcs7Ptr :: Ptr PKCS7 -> IO Pkcs7
withPkcs7Ptr :: Pkcs7 -> (Ptr PKCS7 -> IO a) -> IO a
-- | pkcs7Sign creates a PKCS#7 signedData structure.
pkcs7Sign :: (KeyPair key) => X509 -> key -> [X509] -> String -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Verify verifies a PKCS#7 signedData structure.
pkcs7Verify :: Pkcs7 -> [X509] -> X509Store -> Maybe String -> [Pkcs7Flag] -> IO Pkcs7VerifyStatus
-- | pkcs7Encrypt creates a PKCS#7 envelopedData structure.
pkcs7Encrypt :: [X509] -> String -> Cipher -> [Pkcs7Flag] -> IO Pkcs7
-- | pkcs7Decrypt decrypts content from PKCS#7
-- envelopedData structure.
pkcs7Decrypt :: (KeyPair key) => Pkcs7 -> key -> X509 -> [Pkcs7Flag] -> IO String
-- | writeSmime writes PKCS#7 structure to S/MIME message.
writeSmime :: Pkcs7 -> Maybe String -> [Pkcs7Flag] -> IO String
-- | readSmime parses S/MIME message.
readSmime :: String -> IO (Pkcs7, Maybe String)
instance Typeable Pkcs7VerifyStatus
instance Typeable Pkcs7Flag
instance Show Pkcs7VerifyStatus
instance Eq Pkcs7VerifyStatus
instance Show Pkcs7Flag
instance Eq Pkcs7Flag
-- | Functions for handling SSL connections. These functions use GHC
-- specific calls to cooperative the with the scheduler so that blocking
-- functions only actually block the Haskell thread, not a whole OS
-- thread.
module OpenSSL.Session
-- | An SSL context. Contexts carry configuration such as a server's
-- private key, root CA certiifcates etc. Contexts are stateful IO
-- objects; they start empty and various options are set on them by the
-- functions in this module. Note that an empty context will pretty much
-- cause any operation to fail since it doesn't even have any ciphers
-- enabled.
--
-- Contexts are not thread safe so they carry a QSem with them which only
-- lets a single thread work inside them at a time. Thus, one must always
-- use withContext, not withForeignPtr directly.
data SSLContext
-- | Create a new SSL context.
context :: IO SSLContext
-- | Install a private key into a context.
contextSetPrivateKey :: (KeyPair k) => SSLContext -> k -> IO ()
-- | Install a certificate (public key) into a context.
contextSetCertificate :: SSLContext -> X509 -> IO ()
-- | Install a private key file in a context. The key is given as a path to
-- the file which contains the key. The file is parsed first as PEM and,
-- if that fails, as ASN1. If both fail, an exception is raised.
contextSetPrivateKeyFile :: SSLContext -> FilePath -> IO ()
-- | Install a certificate (public key) file in a context. The key is given
-- as a path to the file which contains the key. The file is parsed first
-- as PEM and, if that fails, as ASN1. If both fail, an exception is
-- raised.
contextSetCertificateFile :: SSLContext -> FilePath -> IO ()
-- | Set the ciphers to be used by the given context. The string argument
-- is a list of ciphers, comma separated, as given at
-- http:www.openssl.orgdocsapps/ciphers.html
--
-- Unrecognised ciphers are ignored. If no ciphers from the list are
-- recognised, an exception is raised.
contextSetCiphers :: SSLContext -> String -> IO ()
contextSetDefaultCiphers :: SSLContext -> IO ()
-- | Return true iff the private key installed in the given context matches
-- the certificate also installed.
contextCheckPrivateKey :: SSLContext -> IO Bool
-- | See http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html
data VerificationMode
VerifyNone :: VerificationMode
VerifyPeer :: Bool -> Bool -> VerificationMode
-- | is a certificate required
vpFailIfNoPeerCert :: VerificationMode -> Bool
-- | only request once per connection
vpClientOnce :: VerificationMode -> Bool
contextSetVerificationMode :: SSLContext -> VerificationMode -> IO ()
-- | Set the location of a PEM encoded list of CA certificates to be used
-- when verifying a server's certificate
contextSetCAFile :: SSLContext -> FilePath -> IO ()
-- | Set the path to a directory which contains the PEM encoded CA root
-- certificates. This is an alternative to contextSetCAFile. See
-- http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html
-- for details of the file naming scheme
contextSetCADirectory :: SSLContext -> FilePath -> IO ()
-- | Get a reference to, not a copy of, the X.509 certificate storage in
-- the SSL context.
contextGetCAStore :: SSLContext -> IO X509Store
-- | This is the type of an SSL connection
--
-- SSL objects are not thread safe, so they carry a QSem around with them
-- which only lets a single thread work inside them at a time. Thus, one
-- must always use withSSL, rather than withForeignPtr directly.
--
-- IO with SSL objects is non-blocking and many SSL functions return a
-- error code which signifies that it needs to read or write more data.
-- We handle these calls and call threadWaitRead and threadWaitWrite at
-- the correct times. Thus multiple OS threads can be blocked inside IO
-- in the same SSL object at a time, because they aren't really in the
-- SSL object, they are waiting for the RTS to wake the Haskell thread.
data SSL
-- | Wrap a Socket in an SSL connection. Reading and writing to the Socket
-- after this will cause weird errors in the SSL code. The SSL object
-- carries a handle to the Socket so you need not worry about the garbage
-- collector closing the file descriptor out from under you.
connection :: SSLContext -> Socket -> IO SSL
-- | Perform an SSL server handshake
accept :: SSL -> IO ()
-- | Perform an SSL client handshake
connect :: SSL -> IO ()
-- | Try the read the given number of bytes from an SSL connection. On EOF
-- an empty ByteString is returned. If the connection dies without a
-- graceful SSL shutdown, an exception is raised.
read :: SSL -> Int -> IO ByteString
-- | Write a given ByteString to the SSL connection. Either all the data is
-- written or an exception is raised because of an error
write :: SSL -> ByteString -> IO ()
-- | Lazily read all data until reaching EOF. If the connection dies
-- without a graceful SSL shutdown, an exception is raised.
lazyRead :: SSL -> IO ByteString
-- | Write a lazy ByteString to the SSL connection. In contrast to
-- write, there is a chance that the string is written partway and
-- then an exception is raised for an error. The string doesn't
-- necessarily have to be finite.
lazyWrite :: SSL -> ByteString -> IO ()
-- | Cleanly shutdown an SSL connection. Note that SSL has a concept of a
-- secure shutdown, which is distinct from just closing the TCP
-- connection. This performs the former and should always be preferred.
--
-- This can either just send a shutdown, or can send and wait for the
-- peer's shutdown message.
shutdown :: SSL -> ShutdownType -> IO ()
data ShutdownType
-- | wait for the peer to also shutdown
Bidirectional :: ShutdownType
-- | only send our shutdown
Unidirectional :: ShutdownType
-- | After a successful connection, get the certificate of the other party.
-- If this is a server connection, you probably won't get a certificate
-- unless you asked for it with contextSetVerificationMode
getPeerCertificate :: SSL -> IO (Maybe X509)
-- | Get the result of verifing the peer's certificate. This is mostly for
-- clients to verify the certificate of the server that they have
-- connected it. You must set a list of root CA certificates with
-- contextSetCA... for this to make sense.
--
-- Note that this returns True iff the peer's certificate has a valid
-- chain to a root CA. You also need to check that the certificate is
-- correct (i.e. has the correct hostname in it) with getPeerCertificate.
getVerifyResult :: SSL -> IO Bool
-- | Get the socket underlying an SSL connection
sslSocket :: SSL -> Socket
instance Eq SSLIOResult
-- | An interface to PKCS#10 certificate request.
module OpenSSL.X509.Request
-- | X509Req is an opaque object that represents PKCS#10
-- certificate request.
data X509Req
-- | newX509Req creates an empty certificate request. You
-- must set the following properties to and sign it (see
-- signX509Req) to actually use the certificate request.
--
--
newX509Req :: IO X509Req
-- | signX509Req signs a certificate request with a subject
-- private key.
signX509Req :: (KeyPair key) => X509Req -> key -> Maybe Digest -> IO ()
-- | verifyX509Req verifies a signature of certificate
-- request with a subject public key.
verifyX509Req :: (PublicKey key) => X509Req -> key -> IO VerifyStatus
-- | printX509Req req translates a certificate request into
-- human-readable format.
printX509Req :: X509Req -> IO String
-- | makeX509FromReq req cert creates an empty X.509
-- certificate and copies as much data from the request as possible. The
-- resulting certificate doesn't have the following data and it isn't
-- signed so you must fill them and sign it yourself.
--
--
-- - Serial number
-- - Validity (Not Before and Not After)
--
--
-- Example:
--
--
-- import Data.Time.Clock
--
-- genCert :: X509 -> EvpPKey -> Integer -> Int -> X509Req -> IO X509
-- genCert caCert caKey serial days req
-- = do cert <- makeX509FromReq req caCert
-- now <- getCurrentTime
-- setSerialNumber cert serial
-- setNotBefore cert $ addUTCTime (-1) now
-- setNotAfter cert $ addUTCTime (days * 24 * 60 * 60) now
-- signX509 cert caKey Nothing
-- return cert
--
makeX509FromReq :: X509Req -> X509 -> IO X509
-- | getVersion req returns the version number of
-- certificate request.
getVersion :: X509Req -> IO Int
-- | setVersion req ver updates the version number of
-- certificate request.
setVersion :: X509Req -> Int -> IO ()
-- | getSubjectName req wantLongName returns the subject
-- name of certificate request. See OpenSSL.X509.getSubjectName of
-- OpenSSL.X509.
getSubjectName :: X509Req -> Bool -> IO [(String, String)]
-- | setSubjectName req name updates the subject name of
-- certificate request. See OpenSSL.X509.setSubjectName of
-- OpenSSL.X509.
setSubjectName :: X509Req -> [(String, String)] -> IO ()
-- | getPublicKey req returns the public key of the subject
-- of certificate request.
getPublicKey :: X509Req -> IO SomePublicKey
-- | setPublicKey req updates the public key of the subject
-- of certificate request.
setPublicKey :: (PublicKey key) => X509Req -> key -> IO ()
-- | An interface to PEM routines.
module OpenSSL.PEM
-- | PemPasswordCallback represents a callback function to
-- supply a password.
--
--
-- - Int The maximum length of the password to be
-- accepted.
-- - PemPasswordRWState The context.
-- - IO String The resulting password.
--
type PemPasswordCallback = Int -> PemPasswordRWState -> IO String
-- | PemPasswordRWState represents a context of
-- PemPasswordCallback.
data PemPasswordRWState
-- | The callback was called to get a password to read something encrypted.
PwRead :: PemPasswordRWState
-- | The callback was called to get a password to encrypt something.
PwWrite :: PemPasswordRWState
-- | PemPasswordSupply represents a way to supply password.
--
-- FIXME: using PwTTY causes an error but I don't know why:
-- "error:0906406D:PEM routines:DEF_CALLBACK:problems getting password"
data PemPasswordSupply
-- | no password
PwNone :: PemPasswordSupply
-- | password in a static string
PwStr :: String -> PemPasswordSupply
-- | get a password by a callback
PwCallback :: PemPasswordCallback -> PemPasswordSupply
-- | read a password from TTY
PwTTY :: PemPasswordSupply
-- | writePKCS8PrivateKey writes a private key to PEM
-- string in PKCS#8 format.
writePKCS8PrivateKey :: (KeyPair key) => key -> Maybe (Cipher, PemPasswordSupply) -> IO String
-- | readPrivateKey pem supply reads a private key in PEM
-- string.
readPrivateKey :: String -> PemPasswordSupply -> IO SomeKeyPair
-- | writePublicKey pubkey writes a public to PEM string.
writePublicKey :: (PublicKey key) => key -> IO String
-- | readPublicKey pem reads a public key in PEM string.
readPublicKey :: String -> IO SomePublicKey
-- | writeX509 cert writes an X.509 certificate to PEM
-- string.
writeX509 :: X509 -> IO String
-- | readX509 pem reads an X.509 certificate in PEM string.
readX509 :: String -> IO X509
-- | PemX509ReqFormat represents format of PKCS#10
-- certificate request.
data PemX509ReqFormat
-- | The new format, whose header is "NEW CERTIFICATE REQUEST".
ReqNewFormat :: PemX509ReqFormat
-- | The old format, whose header is "CERTIFICATE REQUEST".
ReqOldFormat :: PemX509ReqFormat
-- | writeX509Req writes a PKCS#10 certificate request to
-- PEM string.
writeX509Req :: X509Req -> PemX509ReqFormat -> IO String
-- | readX509Req reads a PKCS#10 certificate request in PEM
-- string.
readX509Req :: String -> IO X509Req
-- | writeCRL crl writes a Certificate Revocation List to
-- PEM string.
writeCRL :: CRL -> IO String
-- | readCRL pem reads a Certificate Revocation List in PEM
-- string.
readCRL :: String -> IO CRL
-- | writePkcs7 p7 writes a PKCS#7 structure to PEM string.
writePkcs7 :: Pkcs7 -> IO String
-- | readPkcs7 pem reads a PKCS#7 structure in PEM string.
readPkcs7 :: String -> IO Pkcs7
-- | HsOpenSSL is an (incomplete) OpenSSL binding for Haskell. It can
-- generate RSA and DSA keys, read and write PEM files, generate message
-- digests, sign and verify messages, encrypt and decrypt messages. But
-- since OpenSSL is a very large library, it is uneasy to cover every
-- parts of it.
--
-- Features that aren't (yet) supported:
--
--
-- - SSL network connection ssl(3) functionalities aren't
-- fully covered yet. See OpenSSL.Session.
-- - Complete coverage of Low-level API to symmetric
-- ciphers Only high-level APIs (EVP and BIO) are fully
-- available. But I believe no one will be lost without functions like
-- DES_set_odd_parity.
-- - Low-level API to asymmetric ciphers Only a
-- high-level API (EVP) is available. But I believe no one will complain
-- about the absence of functions like RSA_public_encrypt.
-- - Key generation of Diffie-Hellman algorithm Only RSA
-- and DSA keys can currently be generated.
-- - X.509 v3 extension handling It should be supported
-- in the future.
-- - Low-level API to message digest functions Just use
-- EVP instead of something like MD5_Update.
-- - API to PKCS#12 functionality It should be covered
-- someday.
-- - BIO BIO isn't needed because we are Haskell hackers.
-- Though HsOpenSSL itself uses BIO internally.
-- - ENGINE cryptographic module The default
-- implementations work very well, don't they?
--
--
-- So if you find out any features you want aren't supported, you must
-- write your own patch (or take over the HsOpenSSL project). Happy
-- hacking.
module OpenSSL
-- | Computation of withOpenSSL action initializes the
-- OpenSSL library and computes action. Every applications that
-- use HsOpenSSL must wrap any operations related to OpenSSL with
-- withOpenSSL, or they might crash.
--
--
-- module Main where
-- import OpenSSL
--
-- main :: IO ()
-- main = withOpenSSL $
-- do ...
--
withOpenSSL :: IO a -> IO a