!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ None NoneBExpression for an end guard. Arg describes type it was expecting.GBuild a catch-all guard that fails. String describes what is expected.CDerive a JOSE sum type with nullary data constructors, along with  and  instances Type name.List of JSON string values. The corresponding constructor is derived by upper-casing the first letter and converting non-alpha-numeric characters are converted to underscores. None6JWA 3.1. "alg" (Algorithm) Header Parameters for JWS     None<JWA 4.1. "alg" (Algorithm) Header Parameter Values for JWEpThis section is shuffled off into its own module to avoid circular import via Crypto.JOSE.JWK, which needs Alg. None79U'Serialising to armoured representation.&Decoding from armoured representation.gA value that can be "armoured", where the armour representation is preserved when the value is parsed.Lens for the unarmoured value.S for the armour encoding. If the armour was remembered, it is returned unchanged.1Decode an armoured value, remembering the armour.               None aConvert a JSON object into a list of pairs or the empty list if the JSON value is not an object.AProduce a parser of base64 encoded text from a bytestring parser..Convert a bytestring to a base64 encoded JSON Add appropriate base64 '=' padding. Strip base64 '=' padding.DProduce a parser of base64url encoded text from a bytestring parser.1Convert a bytestring to a base64url encoded JSON LConvert an unsigned big endian octet sequence to the integer it represents.SConvert an integer to its unsigned big endian representation as an octet sequence.   None=A base64url encoded octet sequence interpreted as an integer.#A base64 encoded X.509 certificate.MA base64url encoded SHA-256 digest. Used for X.509 certificate thumbprints.KA base64url encoded SHA-1 digest. Used for X.509 certificate thumbprints.xA base64url encoded octet sequence. Used for payloads, signatures, symmetric keys, salts, initialisation vectors, etc.A base64url encoded octet sequence interpreted as an integer and where the number of octets carries explicit bit-length information. Generate a  of the given number of bytes Parsed a  with an expected number of bytes.# !"#$%&'()*+,- !"#$%&'()*+,-NoneN.Wrap a secret.iInput size must be a multiple of 8 bytes, and at least 16 bytes. Output size is input size plus 8 bytes./Unwrap a secret.jInput size must be a multiple of 8 bytes, and at least 24 bytes. Output size is input size minus 8 bytes.Returns 0d if inherent integrity check fails. Otherwise, the chance that the key data is corrupt is 2 ^ -64.12registerstep (t) and offset (i).3registerstep (t) and offset (i)/./12.3/None All the errors that can occur.(A requested algorithm is not implemented $A requested algorithm cannot be used!Wrong type of key was given"Key size is too small#,RSA private key with >2 primes not supported$+RSA encryption, decryption or signing error%&Various cryptonite library error cases&-Cannot produce compact representation of data'$Cannot decode compact representation(JSON (Aeson) decoding error !"#$%&'()*+, !"#$%&'()*+, !"#$%&'()*+, !"#$%&'()*+,None >FLNU -%Elliptic Curve key type (Recommeded+)/RSA key type (Required)12Octet sequence (symmetric key) key type (Required)3Parameters for RSA Keys5"Parameters for Elliptic Curve Keys<RSA private key parameters@(Optional parameters for RSA private keysH#"oth" (Other Primes Info) ParameterM"crv" (Curve) ParameterSKeygen parameters.WKey material sum type.[Symmetric key parameters data.j-.4/0512634789:56789:;<=>?@ABCDEFGHIJKLMNOP;<=>?@ABCDEFGHIJKLMNQRSTUVWXYZ[\]^_`abcOPQRSdTUefgVWXYZ[\]^_`abGcdefghijklmn-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgA-.4/0512634789:56789:;<=>?@ABCDEFGHIJKLMNOP;<=>?@ABCDEFGHIJKLMNQRSTUVWXYZ[\]^_`abcOPQRSdTUefgVWXYZ[\]^_`abNone>Lo&JWK 3.3. "alg" (Algorithm) Parameterp/JWK 3.3. "key_ops" (Key Operations) Parameterh"JWK 3. JSON Web Key (JWK) Formatq+JWK 3.2. "use" (Public Key Use) Parameterj*JWK 4. JSON Web Key Set (JWK Set) Format0orstupvwxyz{|}~hiqjklmnopqrstuvVcdefghijklmn-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvJhiopmlntqrsvujkQR-./012MNOP56789:;HIJKL@ABCDEFG<=>?34_`abdc[\]^STUVWXYZefgorstupvwxyz{|}~h iqjklmnopqrstuvNone <JWA 4.9.1. Header Parameters Used for PBES2 Key EncryptionPBKDF2 salt input)PBKDF2 iteration count ; POSITIVE integer>JWA 4.8.1. Header Parameters Used for AES GCM Key Encryption)Initialization Vector (must be 96 bits?)&Authentication Tag (must be 128 bits?):JWA 4.7.1. Header Parameters Used for ECDH Key Agreement'Ephemeral Public Key ; a JWK PUBLIC keyAgreement PartyUInfoAgreement PartyVInfoEJWA 4.2. "enc" (Encryption Method) Header Parameters Values for JWE1(None7FN{JWE Initialization Vector|JWE AAD}JWE Ciphertext~JWE Authentication Tag$JWE Per-Recipient Unprotected HeaderJWE Encrypted KeyContent Type (of object)Content Type (of payload)0wxyz{|}~message (key to wrap)plaintext key (to be encrypted) encrypted keykeymessageAADkeymessageadditional authenticated dataIV, cipertext and MACkeymessageadditional authenticated dataIV, tag and ciphertextwxyz{|}~wxyz{|}~wxyz{|}~None<>LLegacy JSON Web Key data type.None7Data that can be converted to a compact representation.6Data that can be parsed from a compact representation. Decode a compact representation.(Encode data to a compact representation.None7*Validation policy. The default policy is .2One successfully validated signature is sufficientBAll signatures for which validation is attempted must be validatedfAlgorithms for which validation will be attempted. The default value includes all algorithms except None.`JSON Web Signature data type. Consists of a payload and a (possibly empty) list of signatures.JWS Header data type. JWK Set URLinterpretation unspecifiedContent Type (of object)Content Type (of payload)3Construct a minimal header with the given algorithmConstruct a new (unsigned) JWS'Payload of a JWS, as a lazy bytestring. Create a new signature on a JWS. Verify a JWS.\Verification succeeds if any signature on the JWS is successfully validated with the given Key.;If only specific signatures need to be validated, and the y argument is not enough to express this, the caller is responsible for removing irrelevant signatures prior to calling .3 JWS to signHeader for signatureKey with which to signJWS with new signature appended$! None' ' Nonecdefghijklmn  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvNone`The JWT Claims Set represents a JSON object whose members are the claims conveyed by the JWT.The issuer claim identifies the principal that issued the JWT. The processing of this claim is generally application specific.>The subject claim identifies the principal that is the subject of the JWT. The Claims in a JWT are normally statements about the subject. The subject value MAY be scoped to be locally unique in the context of the issuer or MAY be globally unique. The processing of this claim is generally application specific.The audience claim identifies the recipients that the JWT is intended for. Each principal intended to process the JWT MUST identify itself with a value in the audience claim. If the principal processing the claim does not identify itself with a value in the audB claim when this claim is present, then the JWT MUST be rejected.The expiration time claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. The processing of exp_ claim requires that the current date/time MUST be before expiration date/time listed in the expx claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.|The not before claim identifies the time before which the JWT MUST NOT be accepted for processing. The processing of the nbfm claim requires that the current date/time MUST be after or equal to the not-before date/time listed in the nbfy claim. Implementers MAY provide for some small leeway, usually no more than a few minutes, to account for clock skew.The issued at claim identifies the time at which the JWT was issued. This claim can be used to determine the age of the JWT.The JWT ID claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object. The jtiB claim can be used to prevent the JWT from being replayed. The jti" value is a case-sensitive string.7Claim Names can be defined at will by those using JWTs.)Audience data. In the general case, the audA value is an array of case-sensitive strings, each containing a B value. In the special case when the JWT has one audience, the aud; value MAY be a single case-sensitive string containing a  value.xA JSON numeric value representing the number of seconds from 1970-01-01T0:0:0Z UTC until the specified UTC date/time.A JSON string value, with the additional requirement that while arbitrary string values MAY be used, any value containing a : character MUST be a URI. Construct a  from text Construct a  from a URIGet the Get the uri from a JSON Web Token data.JOSE aspect of the JWT.Claims of the JWT.,Data representing the JOSE aspects of a JWT.Return an empty claims set.-Validate a JWT as a JWS (JSON Web Signature).Create a JWT that is a JWS.5     $$#                 ! " # $%%&&''(())**+,-./0123456789:;<==>>??@@AABCDEFGGHIJJKLMNOPQQRSTUVWXYZ[\]^_`abccdefghijklmnooppqrstuvwxyz{||}~                                  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdecdfcdgchichjcklcmncmocmpcmqcmrcmstuvwxyz{|}~jose_1h12N4IISzJ42uxLfUewdHCrypto.JOSE.TypesCrypto.JOSE.JWSCrypto.JOSE.ErrorCrypto.JOSE.JWKCrypto.JOSE.JWECrypto.JOSE.LegacyCrypto.JOSE.Compact Crypto.JWTCrypto.JOSE.Types.OrphansCrypto.JOSE.THCrypto.JOSE.JWA.JWSCrypto.JOSE.JWA.JWE.AlgCrypto.JOSE.Types.ArmourCrypto.JOSE.Types.InternalCrypto.JOSE.AESKWCrypto.JOSE.JWA.JWKCrypto.JOSE.JWA.JWECrypto.JOSE.JWS.Internal Crypto.JOSEnetwo_DarCcUHK1BCJHlIYOjXe67 Network.URIURIAlgHS256HS384HS512RS256RS384RS512ES256ES384ES512PS256PS384PS512None Base64Integer Base64X509 Base64SHA256 Base64SHA1 Base64OctetsSizedBase64Integer_Base64IntegergenSizedBase64IntegerOf checkSizeErrorAlgorithmNotImplementedAlgorithmMismatch KeyMismatchKeySizeTooSmallOtherPrimesNotSupportedRSAError CryptoErrorCompactEncodeErrorCompactDecodeErrorJSONDecodeErrorJWSMissingHeader JWSMissingAlgJWSCritUnprotectedJWSDuplicateHeaderParameterECRSAOctRSAKeyParametersECKeyParametersecKtyecCrvecXecYecDRSAPrivateKeyParametersrsaDrsaOptionalParametersRSAPrivateKeyOptionalParametersrsaPrsaQrsaDprsaDqrsaQirsaOthRSAPrivateKeyOthElemrOthdOthtOthCrvP_256P_384P_521 AsPublicKey asPublicKeyKeyMaterialGenParam ECGenParam RSAGenParam OctGenParam KeyMaterial ECKeyMaterialRSAKeyMaterialOctKeyMaterialOctKeyParametersoctKtyoctKrsaErsaKtyrsaNrsaPrivateKeyParametersgenRSA rsaPublicKeygenKeyMaterialsignverifyJWKJWKSetjwkAlg jwkKeyOpsjwkKid jwkMaterialjwkUsejwkX5cjwkX5t jwkX5tS256jwkX5ugenJWKfromKeyMaterialJWE _jweProtected_jweUnprotected_jweIv_jweAad_jweCiphertext_jweTag_jweRecipients JWEHeader_jweAlg_jweEnc_jweZip_jweJku_jweJwk_jweKid_jweX5u_jweX5c_jweX5t _jweX5tS256_jweTyp_jweCty_jweCritRSKeyParametersJWK'genJWK'toJWK ToCompact toCompact FromCompact fromCompact decodeCompact encodeCompactValidationPolicy AnyValidated AllValidatedValidationAlgorithmsJWS JWSHeader headerAlg headerJku headerJwk headerKid headerX5u headerX5c headerX5t headerX5tS256 headerTyp headerCty headerCrit newJWSHeadernewJWS jwsPayloadsignJWS verifyJWS ClaimsSet _claimIss _claimSub _claimAud _claimExp _claimNbf _claimIat _claimJti_unregisteredClaimsAudienceGeneralSpecial NumericDate StringOrURI fromStringfromURI getStringgetURIJWT jwtCrypto jwtClaimsSetclaimAudclaimExpclaimIatclaimIssclaimJticlaimNbfclaimSubunregisteredClaimsemptyClaimsSetaddClaimvalidateJWSJWT createJWSJWT$fArbitraryNonEmpty $fToJSONURI $fFromJSONURI$fToJSONNonEmpty$fFromJSONNonEmpty endGuardExpendGuardderiveJOSETypeaeson_Ks1XHzbIVxSH3D4r6wYTSBData.Aeson.Types.ClassToJSONFromJSON capitalizesanitizeconize guardPredguardExpguard endGuardPred guardedBodyparseJSONClauseQ parseJSONFun toJSONClause toJSONFun aesonInstance $fToJSONAlgRSA1_5RSA_OAEP RSA_OAEP_256A128KWA192KWA256KWDirECDH_ESECDH_ES_A128KWECDH_ES_A192KWECDH_ES_A256KW A128GCMKW A192GCMKW A256GCMKWPBES2_HS256_A128KWPBES2_HS384_A192KWPBES2_HS512_A256KWToArmour FromArmourArmourvaluearmourlens_CQGTvKhRr3o7ECIQ5skDMYControl.Lens.TypeGetter decodeArmourtoArmour parseArmourArmoured Unarmoured$fFromJSONArmour $fEqArmour objectPairsparseB64 encodeB64baseGHC.BaseStringpadunpad parseB64Url encodeB64Url bsToInteger integerToBSsizedIntegerToBSgenByteStringOf$fToJSONBase64X509$fFromJSONBase64X509$fArbitraryBase64SHA256$fToJSONBase64SHA256$fFromJSONBase64SHA256$fArbitraryBase64SHA1$fToJSONBase64SHA1$fFromJSONBase64SHA1$fArbitraryBase64Octets$fToJSONBase64Octets$fFromJSONBase64Octets$fByteableBase64Octets$fToJSONSizedBase64Integer$fFromJSONSizedBase64Integer$fArbitrarySizedBase64Integer$fEqSizedBase64Integer$fArbitraryBase64Integer$fToJSONBase64Integer$fFromJSONBase64Integer aesKeyWrap aesKeyUnwrapNothingivaesKeyWrapStepaesKeyUnwrapStep $fToJSONEC $fToJSONRSA $fToJSONOct_rsaKty_rsaN_rsaE_rsaPrivateKeyParameterssignECverifyECcurvepoint ecCoordBytesecDBytes$fArbitraryECKeyParameters$fToJSONECKeyParameters$fFromJSONECKeyParameters"$fArbitraryRSAPrivateKeyParameters$fToJSONRSAPrivateKeyParameters!$fFromJSONRSAPrivateKeyParameters*$fArbitraryRSAPrivateKeyOptionalParameters'$fToJSONRSAPrivateKeyOptionalParameters)$fFromJSONRSAPrivateKeyOptionalParameters$fArbitraryRSAPrivateKeyOthElem$fToJSONRSAPrivateKeyOthElem$fFromJSONRSAPrivateKeyOthElem$fArbitraryCrv $fToJSONCrv signPKCS15 verifyPKCS15signPSS verifyPSS rsaPrivateKeysignOct showKeyType$fAsPublicKeyKeyMaterial$fAsPublicKeyECKeyParameters$fAsPublicKeyRSAKeyParameters$fAsPublicKeyOctKeyParameters$fArbitraryKeyMaterial$fToJSONKeyMaterial$fFromJSONKeyMaterial$fArbitraryOctKeyParameters$fToJSONOctKeyParameters$fFromJSONOctKeyParameters$fArbitraryRSAKeyParameters$fToJSONRSAKeyParameters$fFromJSONRSAKeyParameterscrypt_8tOVQjMArS579icds1NXMc Crypto.RandomwithRandomBytes drgNewTestdrgNewCrypto.Random.SystemDRG getSystemDRG SystemDRGCrypto.Random.ChaChaDRG ChaChaDRGCrypto.Random.TypeswithDRGgetRandomBytes MonadRandomrandomBytesGenerateDRGMonadPseudoRandomKeyOpKeyUseJWSAlgJWEAlg $fFromJSONAlgSignVerifyEncryptDecryptWrapKey UnwrapKey DeriveKey DeriveBits $fToJSONKeyOp _jwkMaterial_jwkUse _jwkKeyOps_jwkAlg_jwkKid_jwkX5u_jwkX5c_jwkX5t _jwkX5tS256SigEnc$fToJSONKeyUse$fFromJSONJWKSet$fAsPublicKeyJWK$fArbitraryJWK $fToJSONJWK $fFromJSONJWKPBES2Parameters_p2s_p2cAESGCMParameters_iv_tagECDHParameters_epk_apu_apv AlgWithParams algObjectalgWithParamsObject$fToJSONPBES2Parameters$fFromJSONPBES2Parameters$fToJSONAESGCMParameters$fFromJSONAESGCMParameters$fToJSONECDHParameters$fFromJSONECDHParameters$fToJSONAlgWithParams$fFromJSONAlgWithParams A128CBC_HS256 A192CBC_HS384 A256CBC_HS512A128GCMA192GCMA256GCM $fToJSONEnc _jweHeader_jweEncryptedKey JWERecipientCritParameterscritInvalidNamescritObjectParser parseCrit newJWEHeaderwrap wrapAESKW wrapAESGCMencrypt _cbcHmacEnc_gcmEnc $fFromJSONJWE$fFromJSONJWERecipient$fToArmourTextJWEHeader$fFromArmourTextErrorJWEHeader$fToJSONJWEHeader$fFromJSONJWEHeader$fToJSONCritParameters$fFromJSONCritParametersStringifiedInteger_StringifiedIntegerb64Iso sizedB64Iso$fToJSONStringifiedInteger$fFromJSONStringifiedIntegerRS $fToJSONRS_RSKeyParameters$fToJSONRSKeyParameters$fFromJSONRSKeyParameters_JWK'$fAsPublicKeyJWK' $fToJSONJWK'$fFromJSONJWK' Signature algorithm checkHeaders signingInput verifySig$fDefaultValidationPolicy$fDefaultValidationAlgorithms$fFromCompactJWS$fToCompactJWS $fToJSONJWS $fFromJSONJWS$fToJSONSignature$fFromJSONSignature$fDefaultJWSHeader$fToJSONJWSHeader$fFromJSONJWSHeader$fToArmourTextJWSHeader$fFromArmourTextErrorJWSHeader JWTCrypto ArbitraryOrURI$fToJSONAudience$fFromJSONAudience$fToJSONNumericDate$fFromJSONNumericDate$fToJSONStringOrURI$fFromJSONStringOrURIJWTJWSfilterUnregistered$fToCompactJWT$fFromCompactJWT$fToCompactJWTCrypto$fFromCompactJWTCrypto$fToJSONClaimsSet$fFromJSONClaimsSet