-- Hoogle documentation, generated by Haddock -- See Hoogle, http://www.haskell.org/hoogle/ -- | JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) library -- -- An implementation of the Javascript Object Signing and Encryption -- (JOSE) and JSON Web Token (JWT; RFC 7519) formats. -- -- The JSON Web Signature (JWS; RFC 7515) implementation is complete. -- -- EdDSA signatures (RFC 8037) are supported (Ed25519 only). -- -- JWK Thumbprint (RFC 7638) is supported. -- -- JSON Web Encryption (JWE; RFC 7516) is not yet implemented. -- -- The ECDSA implementation is vulnerable to timing attacks and -- should only be used for verification, not for signing. @package jose @version 0.9 -- | Advanced Encryption Standard (AES) Key Wrap Algorithm; -- https://tools.ietf.org/html/rfc3394. module Crypto.JOSE.AESKW -- | Wrap a secret. -- -- Input size must be a multiple of 8 bytes, and at least 16 bytes. -- Output size is input size plus 8 bytes. aesKeyWrap :: (ByteArrayAccess m, ByteArray c, BlockCipher128 cipher) => cipher -> m -> c -- | Unwrap a secret. -- -- Input size must be a multiple of 8 bytes, and at least 24 bytes. -- Output size is input size minus 8 bytes. -- -- Returns Nothing if the inherent integrity check fails. Otherwise, -- the chance that the key data is corrupt is 2 ^ -64. aesKeyUnwrap :: (ByteArrayAccess c, ByteArray m, BlockCipher128 cipher) => cipher -> c -> Maybe m -- | JOSE error types. module Crypto.JOSE.Error -- | All the errors that can occur. 
data Error -- | A requested algorithm is not implemented AlgorithmNotImplemented :: Error -- | A requested algorithm cannot be used AlgorithmMismatch :: String -> Error -- | Wrong type of key was given KeyMismatch :: Text -> Error -- | Key size is too small KeySizeTooSmall :: Error -- | RSA private key with >2 primes not supported OtherPrimesNotSupported :: Error -- | RSA encryption, decryption or signing error RSAError :: Error -> Error -- | Various cryptonite library error cases CryptoError :: CryptoError -> Error -- | Wrong number of parts in compact serialisation CompactDecodeError :: CompactDecodeError -> Error -- | JSON (Aeson) decoding error JSONDecodeError :: String -> Error -- | No usable keys were found in the key store NoUsableKeys :: Error JWSCritUnprotected :: Error -- | AnyValidated policy active, and no valid signature -- encountered JWSNoValidSignatures :: Error -- | AllValidated policy active, and invalid signature encountered JWSInvalidSignature :: Error -- | AllValidated policy active, and there were no signatures on -- object that matched the allowed algorithms JWSNoSignatures :: Error class AsError r_aevE _Error :: AsError r_aevE => Prism' r_aevE Error _AlgorithmNotImplemented :: AsError r_aevE => Prism' r_aevE () _AlgorithmMismatch :: AsError r_aevE => Prism' r_aevE String _KeyMismatch :: AsError r_aevE => Prism' r_aevE Text _KeySizeTooSmall :: AsError r_aevE => Prism' r_aevE () _OtherPrimesNotSupported :: AsError r_aevE => Prism' r_aevE () _RSAError :: AsError r_aevE => Prism' r_aevE Error _CryptoError :: AsError r_aevE => Prism' r_aevE CryptoError _CompactDecodeError :: AsError r_aevE => Prism' r_aevE CompactDecodeError _JSONDecodeError :: AsError r_aevE => Prism' r_aevE String _NoUsableKeys :: AsError r_aevE => Prism' r_aevE () _JWSCritUnprotected :: AsError r_aevE => Prism' r_aevE () _JWSNoValidSignatures :: AsError r_aevE => Prism' r_aevE () _JWSInvalidSignature :: AsError r_aevE => Prism' r_aevE () _JWSNoSignatures :: AsError r_aevE => 
Prism' r_aevE () -- | The wrong number of parts were found when decoding a compact JOSE -- object. data InvalidNumberOfParts -- | expected vs actual parts InvalidNumberOfParts :: Natural -> Natural -> InvalidNumberOfParts -- | Get the expected or actual number of parts. expectedParts :: Getter InvalidNumberOfParts Natural -- | Get the expected or actual number of parts. actualParts :: Getter InvalidNumberOfParts Natural -- | Bad UTF-8 data in a compact object, at the specified index data CompactTextError CompactTextError :: Natural -> UnicodeException -> CompactTextError -- | An error when decoding a JOSE compact object. JSON decoding errors -- that occur during compact object processing throw -- JSONDecodeError. data CompactDecodeError CompactInvalidNumberOfParts :: InvalidNumberOfParts -> CompactDecodeError CompactInvalidText :: CompactTextError -> CompactDecodeError _CompactInvalidNumberOfParts :: Prism' CompactDecodeError InvalidNumberOfParts _CompactInvalidText :: Prism' CompactDecodeError CompactTextError instance Crypto.JOSE.Error.AsError Crypto.JOSE.Error.Error instance (Crypto.Random.Types.MonadRandom m, Control.Monad.Trans.Class.MonadTrans t, GHC.Base.Functor (t m), GHC.Base.Monad (t m)) => Crypto.Random.Types.MonadRandom (t m) instance GHC.Show.Show Crypto.JOSE.Error.Error instance GHC.Classes.Eq Crypto.JOSE.Error.Error instance GHC.Show.Show Crypto.JOSE.Error.CompactDecodeError instance GHC.Classes.Eq Crypto.JOSE.Error.InvalidNumberOfParts instance GHC.Classes.Eq Crypto.JOSE.Error.CompactTextError instance GHC.Classes.Eq Crypto.JOSE.Error.CompactDecodeError instance GHC.Show.Show Crypto.JOSE.Error.CompactTextError instance GHC.Show.Show Crypto.JOSE.Error.InvalidNumberOfParts -- | JWS, JWE and some related specifications provide for "compact" -- representations of certain types. This module defines classes and -- functions for working with such data. module Crypto.JOSE.Compact -- | Data that can be parsed from a compact representation. 
class FromCompact a fromCompact :: (FromCompact a, AsError e, MonadError e m) => [ByteString] -> m a -- | Decode a compact representation. decodeCompact :: (FromCompact a, AsError e, MonadError e m) => ByteString -> m a -- | Data that can be converted to a compact representation. class ToCompact a toCompact :: ToCompact a => a -> [ByteString] -- | Encode data to a compact representation. encodeCompact :: ToCompact a => a -> ByteString -- | JSON Web Signature algorithms. module Crypto.JOSE.JWA.JWS -- | RFC 7518 §3.1. "alg" (Algorithm) Header Parameters Values for JWS data Alg HS256 :: Alg HS384 :: Alg HS512 :: Alg RS256 :: Alg RS384 :: Alg RS512 :: Alg ES256 :: Alg ES384 :: Alg ES512 :: Alg PS256 :: Alg PS384 :: Alg PS512 :: Alg None :: Alg EdDSA :: Alg instance GHC.Show.Show Crypto.JOSE.JWA.JWS.Alg instance GHC.Classes.Ord Crypto.JOSE.JWA.JWS.Alg instance GHC.Classes.Eq Crypto.JOSE.JWA.JWS.Alg instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWS.Alg instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWS.Alg -- | JSON Web Encryption algorithms. module Crypto.JOSE.JWA.JWE.Alg -- | RFC 7518 §4.1. "alg" (Algorithm) Header Parameter Values for JWE -- -- This section is shuffled off into its own module to avoid circular -- import via Crypto.JOSE.JWK, which needs Alg. data Alg RSA1_5 :: Alg RSA_OAEP :: Alg RSA_OAEP_256 :: Alg A128KW :: Alg A192KW :: Alg A256KW :: Alg Dir :: Alg ECDH_ES :: Alg ECDH_ES_A128KW :: Alg ECDH_ES_A192KW :: Alg ECDH_ES_A256KW :: Alg A128GCMKW :: Alg A192GCMKW :: Alg A256GCMKW :: Alg PBES2_HS256_A128KW :: Alg PBES2_HS384_A192KW :: Alg PBES2_HS512_A256KW :: Alg instance GHC.Show.Show Crypto.JOSE.JWA.JWE.Alg.Alg instance GHC.Classes.Ord Crypto.JOSE.JWA.JWE.Alg.Alg instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.Alg.Alg instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWE.Alg.Alg instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.Alg.Alg -- | Data types for the JOSE library. 
module Crypto.JOSE.Types -- | A base64url encoded octet sequence interpreted as an integer. -- -- The value is encoded in the minimum number of octets (no leading -- zeros) with the exception of 0 which is encoded as -- AA. A leading zero when decoding is an error. newtype Base64Integer Base64Integer :: Integer -> Base64Integer _Base64Integer :: Iso' Base64Integer Integer -- | A base64url encoded octet sequence interpreted as an integer and where -- the number of octets carries explicit bit-length information. data SizedBase64Integer SizedBase64Integer :: Int -> Integer -> SizedBase64Integer -- | Create a SizedBase64Integer from an Integer. makeSizedBase64Integer :: Integer -> SizedBase64Integer -- | Generate a SizedBase64Integer of the given number of bytes genSizedBase64IntegerOf :: Int -> Gen SizedBase64Integer -- | Parse a SizedBase64Integer with an expected number of -- bytes. checkSize :: Int -> SizedBase64Integer -> Parser SizedBase64Integer -- | A base64url encoded octet sequence. Used for payloads, signatures, -- symmetric keys, salts, initialisation vectors, etc. newtype Base64Octets Base64Octets :: ByteString -> Base64Octets -- | A base64url encoded SHA-1 digest. Used for X.509 certificate -- thumbprints. newtype Base64SHA1 Base64SHA1 :: ByteString -> Base64SHA1 -- | A base64url encoded SHA-256 digest. Used for X.509 certificate -- thumbprints. newtype Base64SHA256 Base64SHA256 :: ByteString -> Base64SHA256 -- | A base64 encoded X.509 certificate. newtype Base64X509 Base64X509 :: SignedCertificate -> Base64X509 -- | A Signed Certificate type SignedCertificate = SignedExact Certificate -- | Represents a general universal resource identifier using its component -- parts. -- -- For example, for the URI -- --
--   foo://anonymous@www.haskell.org:42/ghc?query#frag
--   
-- -- the components are: data URI -- | Prism for encoding / decoding base64url. -- -- To encode, review base64url. To decode, -- preview base64url. -- -- Works with any combinations of strict/lazy ByteString. base64url :: (AsEmpty s1, AsEmpty s2, Cons s1 s1 Word8 Word8, Cons s2 s2 Word8 Word8) => Prism' s1 s2 instance GHC.Show.Show Crypto.JOSE.Types.SizedBase64Integer instance GHC.Show.Show Crypto.JOSE.Types.Base64Octets instance GHC.Classes.Eq Crypto.JOSE.Types.Base64Octets instance GHC.Show.Show Crypto.JOSE.Types.Base64SHA1 instance GHC.Classes.Eq Crypto.JOSE.Types.Base64SHA1 instance GHC.Show.Show Crypto.JOSE.Types.Base64SHA256 instance GHC.Classes.Eq Crypto.JOSE.Types.Base64SHA256 instance GHC.Show.Show Crypto.JOSE.Types.Base64X509 instance GHC.Classes.Eq Crypto.JOSE.Types.Base64X509 instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.Base64X509 instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.Base64X509 instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.Base64SHA256 instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.Base64SHA256 instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.Types.Base64SHA256 instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.Base64SHA1 instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.Base64SHA1 instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.Types.Base64SHA1 instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.Base64Octets instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.Base64Octets instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.Types.Base64Octets instance GHC.Classes.Eq Crypto.JOSE.Types.SizedBase64Integer instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.Types.SizedBase64Integer instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.SizedBase64Integer instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.SizedBase64Integer instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.Types.Base64Integer instance 
Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.Types.Base64Integer instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.Types.Base64Integer instance GHC.Show.Show Crypto.JOSE.Types.Base64Integer instance GHC.Classes.Eq Crypto.JOSE.Types.Base64Integer -- | Cryptographic Algorithms for Keys. module Crypto.JOSE.JWA.JWK -- | Keys that may have public material class AsPublicKey k -- | Get the public key asPublicKey :: AsPublicKey k => Getter k (Maybe k) -- | "crv" (Curve) Parameter data Crv P_256 :: Crv P_384 :: Crv P_521 :: Crv -- | Parameters for Elliptic Curve Keys data ECKeyParameters ecCrv :: Getter ECKeyParameters Crv ecX :: Getter ECKeyParameters SizedBase64Integer ecY :: Getter ECKeyParameters SizedBase64Integer ecD :: Getter ECKeyParameters (Maybe SizedBase64Integer) curve :: Crv -> Curve point :: ECKeyParameters -> Point ecPrivateKey :: (MonadError e m, AsError e) => ECKeyParameters -> m Integer ecParametersFromX509 :: PubKeyEC -> Maybe ECKeyParameters -- | "oth" (Other Primes Info) Parameter data RSAPrivateKeyOthElem RSAPrivateKeyOthElem :: Base64Integer -> Base64Integer -> Base64Integer -> RSAPrivateKeyOthElem [rOth] :: RSAPrivateKeyOthElem -> Base64Integer [dOth] :: RSAPrivateKeyOthElem -> Base64Integer [tOth] :: RSAPrivateKeyOthElem -> Base64Integer -- | Optional parameters for RSA private keys data RSAPrivateKeyOptionalParameters RSAPrivateKeyOptionalParameters :: Base64Integer -> Base64Integer -> Base64Integer -> Base64Integer -> Base64Integer -> Maybe (NonEmpty RSAPrivateKeyOthElem) -> RSAPrivateKeyOptionalParameters [rsaP] :: RSAPrivateKeyOptionalParameters -> Base64Integer [rsaQ] :: RSAPrivateKeyOptionalParameters -> Base64Integer [rsaDp] :: RSAPrivateKeyOptionalParameters -> Base64Integer [rsaDq] :: RSAPrivateKeyOptionalParameters -> Base64Integer [rsaQi] :: RSAPrivateKeyOptionalParameters -> Base64Integer [rsaOth] :: RSAPrivateKeyOptionalParameters -> Maybe (NonEmpty RSAPrivateKeyOthElem) -- | RSA private key parameters data 
RSAPrivateKeyParameters RSAPrivateKeyParameters :: Base64Integer -> Maybe RSAPrivateKeyOptionalParameters -> RSAPrivateKeyParameters [rsaD] :: RSAPrivateKeyParameters -> Base64Integer [rsaOptionalParameters] :: RSAPrivateKeyParameters -> Maybe RSAPrivateKeyOptionalParameters -- | Parameters for RSA Keys data RSAKeyParameters RSAKeyParameters :: Base64Integer -> Base64Integer -> Maybe RSAPrivateKeyParameters -> RSAKeyParameters toRSAKeyParameters :: PrivateKey -> RSAKeyParameters toRSAPublicKeyParameters :: PublicKey -> RSAKeyParameters rsaE :: Lens' RSAKeyParameters Base64Integer rsaN :: Lens' RSAKeyParameters Base64Integer rsaPrivateKeyParameters :: Lens' RSAKeyParameters (Maybe RSAPrivateKeyParameters) rsaPublicKey :: RSAKeyParameters -> PublicKey genRSA :: MonadRandom m => Int -> m RSAKeyParameters -- | Symmetric key parameters data. newtype OctKeyParameters OctKeyParameters :: Base64Octets -> OctKeyParameters octK :: Iso' OctKeyParameters Base64Octets data OKPKeyParameters Ed25519Key :: PublicKey -> Maybe SecretKey -> OKPKeyParameters X25519Key :: PublicKey -> Maybe SecretKey -> OKPKeyParameters data OKPCrv Ed25519 :: OKPCrv X25519 :: OKPCrv -- | Keygen parameters. data KeyMaterialGenParam -- | Generate an EC key with specified curve. ECGenParam :: Crv -> KeyMaterialGenParam -- | Generate an RSA key with specified size in bytes. RSAGenParam :: Int -> KeyMaterialGenParam -- | Generate a symmetric key with specified size in bytes. OctGenParam :: Int -> KeyMaterialGenParam -- | Generate an EdDSA or Edwards ECDH key with specified curve. OKPGenParam :: OKPCrv -> KeyMaterialGenParam -- | Key material sum type. 
data KeyMaterial ECKeyMaterial :: ECKeyParameters -> KeyMaterial RSAKeyMaterial :: RSAKeyParameters -> KeyMaterial OctKeyMaterial :: OctKeyParameters -> KeyMaterial OKPKeyMaterial :: OKPKeyParameters -> KeyMaterial genKeyMaterial :: MonadRandom m => KeyMaterialGenParam -> m KeyMaterial sign :: (MonadRandom m, MonadError e m, AsError e) => Alg -> KeyMaterial -> ByteString -> m ByteString verify :: (MonadError e m, AsError e) => Alg -> KeyMaterial -> ByteString -> ByteString -> m Bool instance GHC.Show.Show Crypto.JOSE.JWA.JWK.OctKeyParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.OctKeyParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.OKPKeyParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWK.OKPCrv instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.OKPCrv instance GHC.Show.Show Crypto.JOSE.JWA.JWK.KeyMaterial instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.KeyMaterial instance GHC.Show.Show Crypto.JOSE.JWA.JWK.KeyMaterialGenParam instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.KeyMaterialGenParam instance Crypto.JOSE.JWA.JWK.AsPublicKey Crypto.JOSE.JWA.JWK.RSAKeyParameters instance Crypto.JOSE.JWA.JWK.AsPublicKey Crypto.JOSE.JWA.JWK.ECKeyParameters instance Crypto.JOSE.JWA.JWK.AsPublicKey Crypto.JOSE.JWA.JWK.OKPKeyParameters instance Crypto.JOSE.JWA.JWK.AsPublicKey Crypto.JOSE.JWA.JWK.KeyMaterial instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.KeyMaterialGenParam instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.KeyMaterial instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.KeyMaterial instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.KeyMaterial instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.OKPCrv instance GHC.Show.Show Crypto.JOSE.JWA.JWK.OKPKeyParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.OKPKeyParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.OKPKeyParameters instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.OKPKeyParameters 
instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.OctKeyParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.OctKeyParameters instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.OctKeyParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.RSAKeyParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.RSAKeyParameters instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.RSAKeyParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWK.Crv instance GHC.Classes.Ord Crypto.JOSE.JWA.JWK.Crv instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.Crv instance GHC.Show.Show Crypto.JOSE.JWA.JWK.RSAPrivateKeyOthElem instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.RSAPrivateKeyOthElem instance GHC.Show.Show Crypto.JOSE.JWA.JWK.RSAPrivateKeyOptionalParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.RSAPrivateKeyOptionalParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWK.RSAPrivateKeyParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.RSAPrivateKeyParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWK.ECKeyParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.ECKeyParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWK.RSAKeyParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWK.RSAKeyParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.ECKeyParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.ECKeyParameters instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.ECKeyParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyParameters instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.RSAPrivateKeyParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyOptionalParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyOptionalParameters instance 
Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.RSAPrivateKeyOptionalParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyOthElem instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.RSAPrivateKeyOthElem instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.RSAPrivateKeyOthElem instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWK.Crv instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWK.Crv instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWA.JWK.Crv -- | A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data -- structure that represents a cryptographic key. This module also -- defines a JSON Web Key Set (JWK Set) JSON data structure for -- representing a set of JWKs. -- --
--   -- Generate RSA JWK and set "kid" param to
--   -- base64url-encoded SHA-256 thumbprint of key.
--   --
--   doGen :: IO JWK
--   doGen = do
--     jwk <- genJWK (RSAGenParam (4096 `div` 8))
--     let
--       h = view thumbprint jwk :: Digest SHA256
--       kid = view (re (base64url . digest) . utf8) h
--     pure $ set jwkKid (Just kid) jwk
--   
module Crypto.JOSE.JWK -- | Generate a JWK. Apart from key parameters, no other parameters are -- set. genJWK :: MonadRandom m => KeyMaterialGenParam -> m JWK -- | Keygen parameters. data KeyMaterialGenParam -- | Generate an EC key with specified curve. ECGenParam :: Crv -> KeyMaterialGenParam -- | Generate an RSA key with specified size in bytes. RSAGenParam :: Int -> KeyMaterialGenParam -- | Generate a symmetric key with specified size in bytes. OctGenParam :: Int -> KeyMaterialGenParam -- | Generate an EdDSA or Edwards ECDH key with specified curve. OKPGenParam :: OKPCrv -> KeyMaterialGenParam -- | "crv" (Curve) Parameter data Crv P_256 :: Crv P_384 :: Crv P_521 :: Crv data OKPCrv Ed25519 :: OKPCrv X25519 :: OKPCrv -- | RFC 7517 §4. JSON Web Key (JWK) Format data JWK -- | Keys that may have public material class AsPublicKey k -- | Get the public key asPublicKey :: AsPublicKey k => Getter k (Maybe k) jwkMaterial :: Lens' JWK KeyMaterial jwkUse :: Lens' JWK (Maybe KeyUse) -- | RFC 7517 §4.2. "use" (Public Key Use) Parameter data KeyUse Sig :: KeyUse Enc :: KeyUse jwkKeyOps :: Lens' JWK (Maybe [KeyOp]) -- | RFC 7517 §4.3. "key_ops" (Key Operations) Parameter data KeyOp Sign :: KeyOp Verify :: KeyOp Encrypt :: KeyOp Decrypt :: KeyOp WrapKey :: KeyOp UnwrapKey :: KeyOp DeriveKey :: KeyOp DeriveBits :: KeyOp jwkAlg :: Lens' JWK (Maybe JWKAlg) -- | RFC 7517 §4.4. "alg" (Algorithm) Parameter -- -- See also RFC 7518 §6.4. which states that for "oct" keys, an "alg" -- member SHOULD be present to identify the algorithm intended to be used -- with the key, unless the application uses another means or convention -- to determine the algorithm used. data JWKAlg JWSAlg :: Alg -> JWKAlg JWEAlg :: Alg -> JWKAlg jwkKid :: Lens' JWK (Maybe Text) jwkX5u :: Lens' JWK (Maybe URI) -- | Get the certificate chain. Not a lens, because the key of the first -- certificate in the chain must correspond to the public key of the JWK. -- To set the certificate chain use setJWKX5c. 
jwkX5c :: Getter JWK (Maybe (NonEmpty SignedCertificate)) -- | Set the "x5c" Certificate Chain parameter. If setting the -- list, checks that the key in the first certificate matches the JWK; -- returns Nothing if it does not. setJWKX5c :: Maybe (NonEmpty SignedCertificate) -> JWK -> Maybe JWK jwkX5t :: Lens' JWK (Maybe Base64SHA1) jwkX5tS256 :: Lens' JWK (Maybe Base64SHA256) fromKeyMaterial :: KeyMaterial -> JWK -- | Convert RSA private key into a JWK fromRSA :: PrivateKey -> JWK -- | Convert octet string into a JWK fromOctets :: Cons s s Word8 Word8 => s -> JWK -- | Convert an X.509 certificate into a JWK. -- -- Only RSA keys are supported. Other key types will throw -- KeyMismatch. -- -- The "x5c" field of the resulting JWK contains the -- certificate. fromX509Certificate :: (AsError e, MonadError e m) => SignedCertificate -> m JWK -- | Compute the JWK Thumbprint of a JWK thumbprint :: HashAlgorithm a => Getter JWK (Digest a) -- | Prism from ByteString to HashAlgorithm a => Digest a. -- -- Use re digest to view the bytes of a digest digest :: HashAlgorithm a => Prism' ByteString (Digest a) -- | Prism for encoding / decoding base64url. -- -- To encode, review base64url. To decode, -- preview base64url. -- -- Works with any combinations of strict/lazy ByteString. base64url :: (AsEmpty s1, AsEmpty s2, Cons s1 s1 Word8 Word8, Cons s2 s2 Word8 Word8) => Prism' s1 s2 -- | RFC 7517 §5. JWK Set Format newtype JWKSet JWKSet :: [JWK] -> JWKSet -- | Choose the cryptographically strongest JWS algorithm for a given key. -- The JWK "alg" algorithm parameter is ignored. 
bestJWSAlg :: (MonadError e m, AsError e) => JWK -> m Alg instance GHC.Show.Show Crypto.JOSE.JWK.JWKSet instance GHC.Classes.Eq Crypto.JOSE.JWK.JWKSet instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWK.JWKSet instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWK.JWKSet instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWK.JWK instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWK.JWK instance Test.QuickCheck.Arbitrary.Arbitrary Crypto.JOSE.JWK.JWK instance Crypto.JOSE.JWA.JWK.AsPublicKey Crypto.JOSE.JWK.JWK instance GHC.Show.Show Crypto.JOSE.JWK.KeyUse instance GHC.Classes.Ord Crypto.JOSE.JWK.KeyUse instance GHC.Classes.Eq Crypto.JOSE.JWK.KeyUse instance GHC.Show.Show Crypto.JOSE.JWK.JWK instance GHC.Classes.Eq Crypto.JOSE.JWK.JWK instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWK.KeyUse instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWK.KeyUse instance GHC.Show.Show Crypto.JOSE.JWK.KeyOp instance GHC.Classes.Ord Crypto.JOSE.JWK.KeyOp instance GHC.Classes.Eq Crypto.JOSE.JWK.KeyOp instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWK.KeyOp instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWK.KeyOp instance GHC.Show.Show Crypto.JOSE.JWK.JWKAlg instance GHC.Classes.Eq Crypto.JOSE.JWK.JWKAlg instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWK.JWKAlg instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWK.JWKAlg -- | Key stores. Instances are provided for JWK and JWKSet. -- These instances ignore the header and payload and just return the -- JWK/s they contain. More complex scenarios, such as efficient key -- lookup by "kid" or searching a database, can be implemented -- by writing a new instance. -- -- For example, the following instance looks in a filesystem directory -- for keys based on either the JWS Header's "kid" parameter, or -- the "iss" claim in a JWT Claims Set: -- --
--   -- | A KeyDB is just a filesystem directory
--   newtype KeyDB = KeyDB FilePath
--   
--   instance (MonadIO m, HasKid h)
--       => VerificationKeyStore m (h p) ClaimsSet KeyDB where
--     getVerificationKeys h claims (KeyDB dir) = liftIO $
--       fmap catMaybes . traverse findKey $ catMaybes
--         [ preview (kid . _Just . param) h
--         , preview (claimIss . _Just . string) claims]
--       where
--       findKey :: T.Text -> IO (Maybe JWK)
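--       findKey s =
--         -- NOTE: s is taken from the not-yet-verified header ("kid") or
--         -- claims ("iss"); check it against an allow-list of key names, or
--         -- reject path separators and "..", before building a path from it.
--         let path = dir <> "/" <> T.unpack s <> ".jwk"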
--         in handle
--           (\(_ :: IOException) -> pure Nothing)
--           (decode <$> L.readFile path)
--   
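-- -- The next example shows how to retrieve public keys from a JWK Set -- (/.well-known/jwks.json) resource. For production use, it -- would be a good idea to cache the HTTP response, and the URL should be -- a fixed HTTPS address chosen by the application, never one taken from -- the token being verified. Thanks to Steve Mao -- for this example. -- --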
--   -- | URI of JWK Set
--   newtype JWKsURI = JWKsURI String
--   
--   instance (MonadIO m, HasKid h)
--       => VerificationKeyStore m (h p) ClaimsSet JWKsURI where
--     getVerificationKeys h claims (JWKsURI url) = liftIO $
--       maybe [] (:[]) . join
--         <$> traverse findKey (preview (kid . _Just . param) h)
--       where
--       findKey :: T.Text -> IO (Maybe JWK)
--       findKey kid' =
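--         -- NOTE: catching SomeException makes every failure (network, TLS,
--         -- HTTP status, JSON decoding) look like "no key found"; in
--         -- production, catch narrower exception types and log the failure.
--         handle (\(_ :: SomeException) -> pure Nothing) $ do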
--           request <- setRequestCheckStatus <$> parseRequest url
--           response <- getResponseBody <$> httpJSON request
--           keys <- getVerificationKeys h claims response
--           pure $ find (\j -> view jwkKid j == Just kid') keys
--   
module Crypto.JOSE.JWK.Store -- | Verification keys. Lookup operates in effect m with access to -- the JWS header of type h and a payload of type s. -- -- The returned keys are not guaranteed to be used, e.g. if the JWK -- "use" or "key_ops" field does not allow use for -- verification. class VerificationKeyStore m h s a -- | Look up verification keys by JWS header and payload. getVerificationKeys :: VerificationKeyStore m h s a => h -> s -> a -> m [JWK] instance GHC.Base.Applicative m => Crypto.JOSE.JWK.Store.VerificationKeyStore m h s Crypto.JOSE.JWK.JWK instance GHC.Base.Applicative m => Crypto.JOSE.JWK.Store.VerificationKeyStore m h s Crypto.JOSE.JWK.JWKSet -- | JSON Web Encryption data types specified under JSON Web Algorithms. module Crypto.JOSE.JWA.JWE -- | RFC 7518 §4. Cryptographic Algorithms for Key Management data AlgWithParams RSA1_5 :: AlgWithParams RSA_OAEP :: AlgWithParams RSA_OAEP_256 :: AlgWithParams A128KW :: AlgWithParams A192KW :: AlgWithParams A256KW :: AlgWithParams Dir :: AlgWithParams ECDH_ES :: ECDHParameters -> AlgWithParams ECDH_ES_A128KW :: ECDHParameters -> AlgWithParams ECDH_ES_A192KW :: ECDHParameters -> AlgWithParams ECDH_ES_A256KW :: ECDHParameters -> AlgWithParams A128GCMKW :: AESGCMParameters -> AlgWithParams A192GCMKW :: AESGCMParameters -> AlgWithParams A256GCMKW :: AESGCMParameters -> AlgWithParams PBES2_HS256_A128KW :: PBES2Parameters -> AlgWithParams PBES2_HS384_A192KW :: PBES2Parameters -> AlgWithParams PBES2_HS512_A256KW :: PBES2Parameters -> AlgWithParams algObject :: Value -> Value algWithParamsObject :: ToJSON a => a -> Value -> Value -- | RFC 7518 §4.6.1. 
Header Parameters Used for ECDH Key Agreement data ECDHParameters ECDHParameters :: JWK -> Maybe Base64Octets -> Maybe Base64Octets -> ECDHParameters -- | Ephemeral Public Key ; a JWK PUBLIC key [_epk] :: ECDHParameters -> JWK -- | Agreement PartyUInfo [_apu] :: ECDHParameters -> Maybe Base64Octets -- | Agreement PartyVInfo [_apv] :: ECDHParameters -> Maybe Base64Octets -- | RFC 7518 §4.7.1. Header Parameters Used for AES GCM Key Encryption data AESGCMParameters AESGCMParameters :: Base64Octets -> Base64Octets -> AESGCMParameters -- | Initialization Vector (must be 96 bits?) [_iv] :: AESGCMParameters -> Base64Octets -- | Authentication Tag (must be 128 bits?) [_tag] :: AESGCMParameters -> Base64Octets -- | RFC 7518 §4.8.1. Header Parameters Used for PBES2 Key Encryption data PBES2Parameters PBES2Parameters :: Base64Octets -> Int -> PBES2Parameters -- | PBKDF2 salt input [_p2s] :: PBES2Parameters -> Base64Octets -- | PBKDF2 iteration count ; POSITIVE integer [_p2c] :: PBES2Parameters -> Int -- | RFC 7518 §5 Cryptographic Algorithms for Content Encryption data Enc A128CBC_HS256 :: Enc A192CBC_HS384 :: Enc A256CBC_HS512 :: Enc A128GCM :: Enc A192GCM :: Enc A256GCM :: Enc instance GHC.Show.Show Crypto.JOSE.JWA.JWE.Enc instance GHC.Classes.Ord Crypto.JOSE.JWA.JWE.Enc instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.Enc instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWE.Enc instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.Enc instance GHC.Show.Show Crypto.JOSE.JWA.JWE.ECDHParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.ECDHParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWE.AESGCMParameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.AESGCMParameters instance GHC.Show.Show Crypto.JOSE.JWA.JWE.PBES2Parameters instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.PBES2Parameters instance GHC.Show.Show Crypto.JOSE.JWA.JWE.AlgWithParams instance GHC.Classes.Eq Crypto.JOSE.JWA.JWE.AlgWithParams instance Data.Aeson.Types.FromJSON.FromJSON 
Crypto.JOSE.JWA.JWE.AlgWithParams instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.AlgWithParams instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWE.PBES2Parameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.PBES2Parameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWE.AESGCMParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.AESGCMParameters instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JOSE.JWA.JWE.ECDHParameters instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JOSE.JWA.JWE.ECDHParameters -- | Types and functions for working with JOSE header parameters. module Crypto.JOSE.Header -- | A header value, along with a protection indicator. data HeaderParam p a HeaderParam :: p -> a -> HeaderParam p a class Eq a => ProtectionIndicator a -- | Get a value for indicating protection. getProtected :: ProtectionIndicator a => a -- | Get a Just a value for indicating no protection, or -- Nothing if the type does not support unprotected headers. getUnprotected :: ProtectionIndicator a => Maybe a -- | Whether a header is protected or unprotected data Protection Protected :: Protection Unprotected :: Protection -- | Lens for the Protection of a HeaderParam protection :: Lens' (HeaderParam p a) p -- | Getter for whether a parameter is protected isProtected :: ProtectionIndicator p => Getter (HeaderParam p a) Bool -- | Lens for a HeaderParam value param :: Lens' (HeaderParam p a) a -- | A thing with parameters. class HasParams (a :: Type -> Type) -- | Return a list of parameters, each paired with whether it is protected -- or not. params :: (HasParams a, ProtectionIndicator p) => a p -> [(Bool, Pair)] -- | List of "known extensions", i.e. keys that may appear in the "crit" -- header parameter. 
extensions :: HasParams a => Proxy a -> [Text] parseParamsFor :: (HasParams a, HasParams b, ProtectionIndicator p) => Proxy b -> Maybe Object -> Maybe Object -> Parser (a p) -- | Parse a required parameter that may be carried in either the protected -- or the unprotected header. headerRequired :: (FromJSON a, ProtectionIndicator p) => Text -> Maybe Object -> Maybe Object -> Parser (HeaderParam p a) -- | Parse a required parameter that MUST be carried in the protected -- header. headerRequiredProtected :: FromJSON a => Text -> Maybe Object -> Maybe Object -> Parser a -- | Parse an optional parameter that may be carried in either the -- protected or the unprotected header. headerOptional :: (FromJSON a, ProtectionIndicator p) => Text -> Maybe Object -> Maybe Object -> Parser (Maybe (HeaderParam p a)) -- | Parse an optional parameter that, if present, MUST be carried in the -- protected header. headerOptionalProtected :: FromJSON a => Text -> Maybe Object -> Maybe Object -> Parser (Maybe a) -- | Parse a pair of objects (protected and unprotected header) -- -- This internally invokes parseParamsFor applied to a proxy for -- the target type. (This allows the parsing of the "crit" parameter to -- access "known extensions" understood by the target type.) parseParams :: forall a p. 
(HasParams a, ProtectionIndicator p) => Maybe Object -> Maybe Object -> Parser (a p) -- | Parse a "crit" header param -- -- Fails if: -- -- parseCrit :: (Foldable t0, Foldable t1, Traversable t2, Traversable t3, MonadFail m) => t0 Text -> t1 Text -> Object -> t2 (t3 Text) -> m (t2 (t3 Text)) -- | Return the base64url-encoded protected parameters protectedParamsEncoded :: (HasParams a, ProtectionIndicator p) => a p -> ByteString -- | Return unprotected params as a JSON Value (always an object) unprotectedParams :: (HasParams a, ProtectionIndicator p) => a p -> Maybe Value class HasAlg a alg :: HasAlg a => Lens' (a p) (HeaderParam p Alg) class HasJku a jku :: HasJku a => Lens' (a p) (Maybe (HeaderParam p URI)) class HasJwk a jwk :: HasJwk a => Lens' (a p) (Maybe (HeaderParam p JWK)) class HasKid a kid :: HasKid a => Lens' (a p) (Maybe (HeaderParam p Text)) class HasX5u a x5u :: HasX5u a => Lens' (a p) (Maybe (HeaderParam p URI)) class HasX5c a x5c :: HasX5c a => Lens' (a p) (Maybe (HeaderParam p (NonEmpty SignedCertificate))) class HasX5t a x5t :: HasX5t a => Lens' (a p) (Maybe (HeaderParam p Base64SHA1)) class HasX5tS256 a x5tS256 :: HasX5tS256 a => Lens' (a p) (Maybe (HeaderParam p Base64SHA256)) class HasTyp a typ :: HasTyp a => Lens' (a p) (Maybe (HeaderParam p Text)) class HasCty a cty :: HasCty a => Lens' (a p) (Maybe (HeaderParam p Text)) class HasCrit a crit :: HasCrit a => Lens' (a p) (Maybe (NonEmpty Text)) instance GHC.Show.Show Crypto.JOSE.Header.Protection instance GHC.Classes.Eq Crypto.JOSE.Header.Protection instance (GHC.Show.Show p, GHC.Show.Show a) => GHC.Show.Show (Crypto.JOSE.Header.HeaderParam p a) instance (GHC.Classes.Eq p, GHC.Classes.Eq a) => GHC.Classes.Eq (Crypto.JOSE.Header.HeaderParam p a) instance GHC.Base.Functor (Crypto.JOSE.Header.HeaderParam p) instance Crypto.JOSE.Header.ProtectionIndicator Crypto.JOSE.Header.Protection instance Crypto.JOSE.Header.ProtectionIndicator () -- | JSON Web Signature (JWS) represents content secured with 
digital -- signatures or Message Authentication Codes (MACs) using JavaScript -- Object Notation (JSON) based data structures. It is defined in RFC -- 7515. -- --
--   doJwsSign :: JWK -> L.ByteString -> IO (Either Error (GeneralJWS JWSHeader))
--   doJwsSign jwk payload = runExceptT $ do
--     alg <- bestJWSAlg jwk
--     signJWS payload [(newJWSHeader (Protected, alg), jwk)]
--   
--   doJwsVerify :: JWK -> GeneralJWS JWSHeader -> IO (Either Error ())
--   doJwsVerify jwk jws = runExceptT $ verifyJWS' jwk jws
--   
module Crypto.JOSE.JWS -- | JSON Web Signature data type. The payload can only be accessed by -- verifying the JWS. -- -- Parameterised by the signature container type, the header -- ProtectionIndicator type, and the header record type. -- -- Use encode and decode to convert a JWS to or from JSON. -- When encoding a JWS [] with exactly one signature, the -- flattened JWS JSON serialisation syntax is used, otherwise the -- general JWS JSON serialisation is used. When decoding a -- JWS [] either serialisation is accepted. -- -- JWS Identity uses the flattened JSON -- serialisation or the JWS compact serialisation (see -- decodeCompact and encodeCompact). -- -- Use signJWS to create a signed/MACed JWS. -- -- Use verifyJWS to verify a JWS and extract the payload. data JWS t p a -- | A JWS that allows multiple signatures, and cannot use the compact -- serialisation. Headers may be Protected or -- Unprotected. type GeneralJWS = JWS [] Protection -- | A JWS with one signature, which uses the flattened -- serialisation. Headers may be Protected or -- Unprotected. type FlattenedJWS = JWS Identity Protection -- | A JWS with one signature which only allows protected parameters. Can -- use the flattened serialisation or the compact -- serialisation. type CompactJWS = JWS Identity () -- | Construct a minimal header with the given algorithm and protection -- indicator for the alg header. newJWSHeader :: (p, Alg) -> JWSHeader p -- | Make a JWS header for the given signing key. -- -- Uses bestJWSAlg to choose the algorithm. If set, the JWK's -- "kid", "x5u", "x5c", "x5t" and -- "x5t#S256" parameters are copied to the JWS header (as -- protected parameters). -- -- May return KeySizeTooSmall or KeyMismatch. makeJWSHeader :: forall e m p. (MonadError e m, AsError e, ProtectionIndicator p) => JWK -> m (JWSHeader p) -- | Create a signed or MACed JWS with the given payload by traversing a -- collection of (header, key) pairs. 
signJWS :: (Cons s s Word8 Word8, HasJWSHeader a, HasParams a, MonadRandom m, AsError e, MonadError e m, Traversable t, ProtectionIndicator p) => s -> t (a p, JWK) -> m (JWS t p a) -- | Verify a JWS. -- -- Signatures made with an unsupported algorithms are ignored. If the -- validation policy is AnyValidated, a single successfully -- validated signature is sufficient. If the validation policy is -- AllValidated then all remaining signatures (there must be at -- least one) must be valid. -- -- Returns the payload if successfully verified. verifyJWS :: (HasAlgorithms a, HasValidationPolicy a, AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) s k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) => a -> k -> JWS t p h -> m s -- | Verify a JWS with the default validation settings. -- -- See also defaultValidationSettings. verifyJWS' :: (AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) s k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) => k -> JWS t p h -> m s verifyJWSWithPayload :: (HasAlgorithms a, HasValidationPolicy a, AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) payload k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) => (s -> m payload) -> a -> k -> JWS t p h -> m payload -- | The default validation settings. -- -- defaultValidationSettings :: ValidationSettings -- | Validation settings: -- -- data ValidationSettings -- | Validation policy. data ValidationPolicy -- | One successfully validated signature is sufficient AnyValidated :: ValidationPolicy -- | All signatures in all configured algorithms must be validated. No -- signatures in configured algorithms is also an error. 
AllValidated :: ValidationPolicy class HasValidationSettings a validationSettings :: HasValidationSettings a => Lens' a ValidationSettings validationSettingsAlgorithms :: HasValidationSettings a => Lens' a (Set Alg) validationSettingsValidationPolicy :: HasValidationSettings a => Lens' a ValidationPolicy class HasAlgorithms s algorithms :: HasAlgorithms s => Lens' s (Set Alg) class HasValidationPolicy s validationPolicy :: HasValidationPolicy s => Lens' s ValidationPolicy signatures :: Foldable t => Fold (JWS t p a) (Signature p a) -- | Signature object containing header, and signature bytes. -- -- If it was decoded from a serialised JWS, it "remembers" how the -- protected header was encoded; the remembered value is used when -- computing the signing input and when serialising the object. -- -- The remembered value is not used in equality checks, i.e. two decoded -- signatures with differently serialised by otherwise equal protected -- headers, and equal signature bytes, are equal. data Signature p a -- | Getter for header of a signature header :: Getter (Signature p a) (a p) -- | Getter for signature bytes signature :: (Cons s s Word8 Word8, AsEmpty s) => Getter (Signature p a) s -- | Return the raw base64url-encoded protected header value. If the -- Signature was decoded from JSON, this returns the original string -- value as-is. -- -- Application code should never need to use this. It is exposed for -- testing purposes. rawProtectedHeader :: (HasParams a, ProtectionIndicator p) => Signature p a -> ByteString -- | RFC 7518 §3.1. "alg" (Algorithm) Header Parameters Values for JWS data Alg HS256 :: Alg HS384 :: Alg HS512 :: Alg RS256 :: Alg RS384 :: Alg RS512 :: Alg ES256 :: Alg ES384 :: Alg ES512 :: Alg PS256 :: Alg PS384 :: Alg PS512 :: Alg None :: Alg EdDSA :: Alg class HasJWSHeader a jwsHeader :: HasJWSHeader a => Lens' (a p) (JWSHeader p) -- | JWS Header data type. 
data JWSHeader p instance GHC.Show.Show p => GHC.Show.Show (Crypto.JOSE.JWS.JWSHeader p) instance GHC.Classes.Eq p => GHC.Classes.Eq (Crypto.JOSE.JWS.JWSHeader p) instance GHC.Show.Show (a p) => GHC.Show.Show (Crypto.JOSE.JWS.Signature p a) instance GHC.Classes.Eq Crypto.JOSE.JWS.ValidationPolicy instance Crypto.JOSE.JWS.HasValidationSettings a => Crypto.JOSE.JWS.HasValidationPolicy a instance Crypto.JOSE.JWS.HasValidationSettings a => Crypto.JOSE.JWS.HasAlgorithms a instance Crypto.JOSE.JWS.HasValidationSettings Crypto.JOSE.JWS.ValidationSettings instance GHC.Classes.Eq (t (Crypto.JOSE.JWS.Signature p a)) => GHC.Classes.Eq (Crypto.JOSE.JWS.JWS t p a) instance GHC.Show.Show (t (Crypto.JOSE.JWS.Signature p a)) => GHC.Show.Show (Crypto.JOSE.JWS.JWS t p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.FromJSON.FromJSON (Crypto.JOSE.JWS.JWS [] p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.FromJSON.FromJSON (Crypto.JOSE.JWS.JWS Data.Functor.Identity.Identity p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.ToJSON.ToJSON (Crypto.JOSE.JWS.JWS [] p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.ToJSON.ToJSON (Crypto.JOSE.JWS.JWS Data.Functor.Identity.Identity p a) instance Crypto.JOSE.Header.HasParams a => Crypto.JOSE.Compact.ToCompact (Crypto.JOSE.JWS.JWS Data.Functor.Identity.Identity () a) instance Crypto.JOSE.Header.HasParams a => Crypto.JOSE.Compact.FromCompact (Crypto.JOSE.JWS.JWS Data.Functor.Identity.Identity () a) instance GHC.Classes.Eq (a p) => GHC.Classes.Eq (Crypto.JOSE.JWS.Signature p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.FromJSON.FromJSON (Crypto.JOSE.JWS.Signature p a) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) 
=> Data.Aeson.Types.ToJSON.ToJSON (Crypto.JOSE.JWS.Signature p a) instance Crypto.JOSE.JWS.HasJWSHeader Crypto.JOSE.JWS.JWSHeader instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasAlg a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasJku a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasJwk a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasKid a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasX5u a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasX5c a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasX5t a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasX5tS256 a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasTyp a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasCty a instance Crypto.JOSE.JWS.HasJWSHeader a => Crypto.JOSE.Header.HasCrit a instance Crypto.JOSE.Header.HasParams Crypto.JOSE.JWS.JWSHeader -- | Prelude for the library. module Crypto.JOSE -- | aeson supports multiple map implementations. The implementation -- using Data.HashMap from *unordered-containers* is vulnerable -- to hash-flooding DoS attacks. If your program processes JOSE objects -- from untrusted sources, you can check this value to find out if the -- *aeson* build uses a secure map implementation, or not. 
vulnerableToHashFlood :: Bool module Crypto.JOSE.JWE data JWEHeader p JWEHeader :: Maybe AlgWithParams -> HeaderParam p Enc -> Maybe Text -> Maybe (HeaderParam p URI) -> Maybe (HeaderParam p JWK) -> Maybe (HeaderParam p Text) -> Maybe (HeaderParam p URI) -> Maybe (HeaderParam p (NonEmpty SignedCertificate)) -> Maybe (HeaderParam p Base64SHA1) -> Maybe (HeaderParam p Base64SHA256) -> Maybe (HeaderParam p Text) -> Maybe (HeaderParam p Text) -> Maybe (NonEmpty Text) -> JWEHeader p [_jweAlg] :: JWEHeader p -> Maybe AlgWithParams [_jweEnc] :: JWEHeader p -> HeaderParam p Enc [_jweZip] :: JWEHeader p -> Maybe Text [_jweJku] :: JWEHeader p -> Maybe (HeaderParam p URI) [_jweJwk] :: JWEHeader p -> Maybe (HeaderParam p JWK) [_jweKid] :: JWEHeader p -> Maybe (HeaderParam p Text) [_jweX5u] :: JWEHeader p -> Maybe (HeaderParam p URI) [_jweX5c] :: JWEHeader p -> Maybe (HeaderParam p (NonEmpty SignedCertificate)) [_jweX5t] :: JWEHeader p -> Maybe (HeaderParam p Base64SHA1) [_jweX5tS256] :: JWEHeader p -> Maybe (HeaderParam p Base64SHA256) -- | Content Type (of object) [_jweTyp] :: JWEHeader p -> Maybe (HeaderParam p Text) -- | Content Type (of payload) [_jweCty] :: JWEHeader p -> Maybe (HeaderParam p Text) [_jweCrit] :: JWEHeader p -> Maybe (NonEmpty Text) data JWE a p JWE :: Maybe Text -> Maybe Base64Octets -> Maybe Base64Octets -> Base64Octets -> Maybe Base64Octets -> [JWERecipient a p] -> JWE a p -- | Encoded protected header, if available [_protectedRaw] :: JWE a p -> Maybe Text -- | JWE Initialization Vector [_jweIv] :: JWE a p -> Maybe Base64Octets -- | JWE AAD [_jweAad] :: JWE a p -> Maybe Base64Octets -- | JWE Ciphertext [_jweCiphertext] :: JWE a p -> Base64Octets -- | JWE Authentication Tag [_jweTag] :: JWE a p -> Maybe Base64Octets [_jweRecipients] :: JWE a p -> [JWERecipient a p] instance GHC.Show.Show Crypto.JOSE.JWE.CritParameters instance GHC.Classes.Eq Crypto.JOSE.JWE.CritParameters instance GHC.Show.Show p => GHC.Show.Show (Crypto.JOSE.JWE.JWEHeader p) instance 
GHC.Classes.Eq p => GHC.Classes.Eq (Crypto.JOSE.JWE.JWEHeader p) instance (Crypto.JOSE.Header.HasParams a, Crypto.JOSE.Header.ProtectionIndicator p) => Data.Aeson.Types.FromJSON.FromJSON (Crypto.JOSE.JWE.JWE a p) instance Data.Aeson.Types.FromJSON.FromJSON (Crypto.JOSE.JWE.JWERecipient a p) instance Crypto.JOSE.Header.HasParams Crypto.JOSE.JWE.JWEHeader -- | JSON Web Token implementation (RFC 7519). A JWT is a JWS with a -- payload of claims to be transferred between two parties. -- -- JWTs use the JWS compact serialisation. See -- Crypto.JOSE.Compact for details. -- --
--   mkClaims :: IO ClaimsSet
--   mkClaims = do
--     t <- currentTime
--     pure $ emptyClaimsSet
--       & claimIss ?~ "alice"
--       & claimAud ?~ Audience ["bob"]
--       & claimIat ?~ NumericDate t
--   
--   doJwtSign :: JWK -> ClaimsSet -> IO (Either JWTError SignedJWT)
--   doJwtSign jwk claims = runExceptT $ do
--     alg <- bestJWSAlg jwk
--     signClaims jwk (newJWSHeader ((), alg)) claims
--   
--   doJwtVerify :: JWK -> SignedJWT -> IO (Either JWTError ClaimsSet)
--   doJwtVerify jwk jwt = runExceptT $ do
--     let config = defaultJWTValidationSettings (== "bob")
--     verifyClaims config jwk jwt
--   
-- -- Some JWT libraries have a function that takes two strings: the -- "secret" (a symmetric key) and the raw JWT. The following function -- achieves the same: -- --
--   verify :: L.ByteString -> L.ByteString -> IO (Either JWTError ClaimsSet)
--   verify k s = runExceptT $ do
--     let
--       k' = fromOctets k      -- turn raw secret into symmetric JWK
--       audCheck = const True  -- PLACEHOLDER: accepts every audience; supply a proper audience check
--     s' <- decodeCompact s    -- decode JWT
--     verifyClaims (defaultJWTValidationSettings audCheck) k' s'
--   
module Crypto.JWT -- | Create a JWS JWT signClaims :: (MonadRandom m, MonadError e m, AsError e) => JWK -> JWSHeader () -> ClaimsSet -> m SignedJWT -- | A digitally signed or MACed JWT type SignedJWT = CompactJWS JWSHeader -- | Acquire the default validation settings. -- -- RFC 7519 §4.1.3. states that applications MUST identify itself -- with a value in the audience claim, therefore a predicate must be -- supplied. -- -- The other defaults are: -- -- defaultJWTValidationSettings :: (StringOrURI -> Bool) -> JWTValidationSettings -- | Cryptographically verify a JWS JWT, then validate the Claims Set, -- returning it if valid. -- -- This is the only way to get at the claims of a JWS JWT, enforcing that -- the claims are cryptographically and semantically valid before the -- application can use them. -- -- See also verifyClaimsAt which allows you to explicitly specify -- the time. verifyClaims :: (MonadTime m, HasAllowedSkew a, HasAudiencePredicate a, HasIssuerPredicate a, HasCheckIssuedAt a, HasValidationSettings a, AsError e, AsJWTError e, MonadError e m, VerificationKeyStore m (JWSHeader ()) ClaimsSet k) => a -> k -> SignedJWT -> m ClaimsSet -- | Cryptographically verify a JWS JWT, then validate the Claims Set, -- returning it if valid. -- -- This is the same as verifyClaims except that the time is -- explicitly provided. If you process many requests per second this will -- allow you to avoid unnecessary repeat system calls. verifyClaimsAt :: (HasAllowedSkew a, HasAudiencePredicate a, HasIssuerPredicate a, HasCheckIssuedAt a, HasValidationSettings a, AsError e, AsJWTError e, MonadError e m, VerificationKeyStore (ReaderT WrappedUTCTime m) (JWSHeader ()) ClaimsSet k) => a -> k -> UTCTime -> SignedJWT -> m ClaimsSet -- | Maximum allowed skew when validating the nbf, exp and -- iat claims. class HasAllowedSkew s allowedSkew :: HasAllowedSkew s => Lens' s NominalDiffTime -- | Predicate for checking values in the aud claim. 
class HasAudiencePredicate s audiencePredicate :: HasAudiencePredicate s => Lens' s (StringOrURI -> Bool) -- | Predicate for checking the iss claim. class HasIssuerPredicate s issuerPredicate :: HasIssuerPredicate s => Lens' s (StringOrURI -> Bool) -- | Whether to check that the iat claim is not in the future. class HasCheckIssuedAt s checkIssuedAt :: HasCheckIssuedAt s => Lens' s Bool data JWTValidationSettings class HasJWTValidationSettings c_a14hv jWTValidationSettings :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv JWTValidationSettings jwtValidationSettingsAllowedSkew :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv NominalDiffTime jwtValidationSettingsAudiencePredicate :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv (StringOrURI -> Bool) jwtValidationSettingsCheckIssuedAt :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv Bool jwtValidationSettingsIssuerPredicate :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv (StringOrURI -> Bool) jwtValidationSettingsValidationSettings :: HasJWTValidationSettings c_a14hv => Lens' c_a14hv ValidationSettings -- | The JWT Claims Set represents a JSON object whose members are the -- registered claims defined by RFC 7519. Unrecognised claims are -- gathered into the unregisteredClaims map. data ClaimsSet -- | The audience claim identifies the recipients that the JWT is intended -- for. Each principal intended to process the JWT MUST identify itself -- with a value in the audience claim. If the principal processing the -- claim does not identify itself with a value in the aud claim -- when this claim is present, then the JWT MUST be rejected. claimAud :: Lens' ClaimsSet (Maybe Audience) -- | The expiration time claim identifies the expiration time on or after -- which the JWT MUST NOT be accepted for processing. The processing of -- exp claim requires that the current date/time MUST be before -- expiration date/time listed in the exp claim. 
Implementers MAY -- provide for some small leeway, usually no more than a few minutes, to -- account for clock skew. claimExp :: Lens' ClaimsSet (Maybe NumericDate) -- | The issued at claim identifies the time at which the JWT was issued. -- This claim can be used to determine the age of the JWT. claimIat :: Lens' ClaimsSet (Maybe NumericDate) -- | The issuer claim identifies the principal that issued the JWT. The -- processing of this claim is generally application specific. claimIss :: Lens' ClaimsSet (Maybe StringOrURI) -- | The JWT ID claim provides a unique identifier for the JWT. The -- identifier value MUST be assigned in a manner that ensures that there -- is a negligible probability that the same value will be accidentally -- assigned to a different data object. The jti claim can be used -- to prevent the JWT from being replayed. The jti value is a -- case-sensitive string. claimJti :: Lens' ClaimsSet (Maybe Text) -- | The not before claim identifies the time before which the JWT MUST NOT -- be accepted for processing. The processing of the nbf claim -- requires that the current date/time MUST be after or equal to the -- not-before date/time listed in the nbf claim. Implementers MAY -- provide for some small leeway, usually no more than a few minutes, to -- account for clock skew. claimNbf :: Lens' ClaimsSet (Maybe NumericDate) -- | The subject claim identifies the principal that is the subject of the -- JWT. The Claims in a JWT are normally statements about the subject. -- The subject value MAY be scoped to be locally unique in the context of -- the issuer or MAY be globally unique. The processing of this claim is -- generally application specific. claimSub :: Lens' ClaimsSet (Maybe StringOrURI) -- | Claim Names can be defined at will by those using JWTs. unregisteredClaims :: Lens' ClaimsSet (Map Text Value) addClaim :: Text -> Value -> ClaimsSet -> ClaimsSet -- | Return an empty claims set. 
emptyClaimsSet :: ClaimsSet -- | Validate the claims made by a ClaimsSet. -- -- These checks are performed by verifyClaims, which also -- validates any signatures, so you shouldn't need to use this function -- directly. validateClaimsSet :: (MonadTime m, HasAllowedSkew a, HasAudiencePredicate a, HasIssuerPredicate a, HasCheckIssuedAt a, AsJWTError e, MonadError e m) => a -> ClaimsSet -> m ClaimsSet data JWTError -- | A JOSE error occurred while processing the JWT JWSError :: Error -> JWTError -- | The JWT payload is not a JWT Claims Set JWTClaimsSetDecodeError :: String -> JWTError JWTExpired :: JWTError JWTNotYetValid :: JWTError JWTNotInIssuer :: JWTError JWTNotInAudience :: JWTError JWTIssuedAtFuture :: JWTError class AsJWTError r_a13yx _JWTError :: AsJWTError r_a13yx => Prism' r_a13yx JWTError _JWSError :: AsJWTError r_a13yx => Prism' r_a13yx Error _JWTClaimsSetDecodeError :: AsJWTError r_a13yx => Prism' r_a13yx String _JWTExpired :: AsJWTError r_a13yx => Prism' r_a13yx () _JWTNotYetValid :: AsJWTError r_a13yx => Prism' r_a13yx () _JWTNotInIssuer :: AsJWTError r_a13yx => Prism' r_a13yx () _JWTNotInAudience :: AsJWTError r_a13yx => Prism' r_a13yx () _JWTIssuedAtFuture :: AsJWTError r_a13yx => Prism' r_a13yx () -- | Audience data. In the general case, the aud value is an array -- of case-sensitive strings, each containing a StringOrURI value. -- In the special case when the JWT has one audience, the aud -- value MAY be a single case-sensitive string containing a -- StringOrURI value. -- -- The ToJSON instance formats an Audience with one value -- as a string (some non-compliant implementations require this.) newtype Audience Audience :: [StringOrURI] -> Audience -- | A JSON string value, with the additional requirement that while -- arbitrary string values MAY be used, any value containing a : -- character MUST be a URI. -- -- Note: the IsString instance will fail if the string -- contains a : but does not parse as a URI. 
Use -- stringOrUri directly in this situation. data StringOrURI stringOrUri :: (Cons s s Char Char, AsEmpty s) => Prism' s StringOrURI string :: Prism' StringOrURI Text uri :: Prism' StringOrURI URI -- | A JSON numeric value representing the number of seconds from -- 1970-01-01T0:0:0Z UTC until the specified UTC date/time. newtype NumericDate NumericDate :: UTCTime -> NumericDate instance GHC.Base.Monad m => Control.Monad.Time.MonadTime (Control.Monad.Trans.Reader.ReaderT Crypto.JWT.WrappedUTCTime m) instance Crypto.JWT.HasJWTValidationSettings a => Crypto.JWT.HasCheckIssuedAt a instance Crypto.JWT.HasJWTValidationSettings a => Crypto.JWT.HasIssuerPredicate a instance Crypto.JWT.HasJWTValidationSettings a => Crypto.JWT.HasAudiencePredicate a instance Crypto.JWT.HasJWTValidationSettings a => Crypto.JWT.HasAllowedSkew a instance Crypto.JWT.HasJWTValidationSettings Crypto.JWT.JWTValidationSettings instance Crypto.JWT.HasJWTValidationSettings a => Crypto.JOSE.JWS.HasValidationSettings a instance GHC.Show.Show Crypto.JWT.ClaimsSet instance GHC.Classes.Eq Crypto.JWT.ClaimsSet instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JWT.ClaimsSet instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JWT.ClaimsSet instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JWT.Audience instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JWT.Audience instance GHC.Show.Show Crypto.JWT.Audience instance GHC.Classes.Eq Crypto.JWT.Audience instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JWT.NumericDate instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JWT.NumericDate instance GHC.Show.Show Crypto.JWT.StringOrURI instance GHC.Classes.Eq Crypto.JWT.StringOrURI instance GHC.Show.Show Crypto.JWT.NumericDate instance GHC.Classes.Ord Crypto.JWT.NumericDate instance GHC.Classes.Eq Crypto.JWT.NumericDate instance Data.String.IsString Crypto.JWT.StringOrURI instance Data.Aeson.Types.FromJSON.FromJSON Crypto.JWT.StringOrURI instance Data.Aeson.Types.ToJSON.ToJSON Crypto.JWT.StringOrURI instance 
Crypto.JWT.AsJWTError Crypto.JWT.JWTError instance Crypto.JOSE.Error.AsError Crypto.JWT.JWTError instance GHC.Show.Show Crypto.JWT.JWTError instance GHC.Classes.Eq Crypto.JWT.JWTError