jose-jwt-0.8.0: JSON Object Signing and Encryption Library

Safe HaskellNone
LanguageHaskell2010

Jose.Internal.Crypto

Description

Internal functions for encrypting and signing / decrypting and verifying JWT content.

Synopsis

Documentation

hmacSign Source #

Arguments

:: JwsAlg

HMAC algorithm to use

-> ByteString

Key

-> ByteString

The message/content

-> Either JwtError ByteString

HMAC output

Sign a message with an HMAC key.

hmacVerify Source #

Arguments

:: JwsAlg

HMAC Algorithm to use

-> ByteString

Key

-> ByteString

The message/content

-> ByteString

The signature to check

-> Bool

Whether the signature is correct

Verify the HMAC for a given message. Returns false if the MAC is incorrect or the Alg is not an HMAC.

rsaSign Source #

Arguments

:: Maybe Blinder

RSA blinder

-> JwsAlg

Algorithm to use. Must be one of RSA256, RSA384 or RSA512

-> PrivateKey

Private key to sign with

-> ByteString

Message to sign

-> Either JwtError ByteString

The signature

Sign a message using an RSA private key.

The failure condition should only occur if the algorithm is not an RSA algorithm, or the RSA key is too small, causing the padding of the signature to fail. With real-world RSA keys this shouldn't happen in practice.

rsaVerify Source #

Arguments

:: JwsAlg

The signature algorithm. Used to obtain the hash function.

-> PublicKey

The key to check the signature with

-> ByteString

The message/content

-> ByteString

The signature to check

-> Bool

Whether the signature is correct

Verify the signature for a message using an RSA public key.

Returns false if the check fails or if the Alg value is not an RSA signature algorithm.

rsaEncrypt Source #

Arguments

:: (MonadRandom m, ByteArray msg, ByteArray out) 
=> PublicKey

The encryption key

-> JweAlg

The algorithm (RSA1_5, RSA_OAEP, or RSA_OAEP_256)

-> msg

The message to encrypt

-> m (Either JwtError out)

The encrypted message

Encrypts a message (typically a symmetric key) using RSA.

rsaDecrypt Source #

Arguments

:: ByteArray ct 
=> Maybe Blinder 
-> PrivateKey

The decryption key

-> JweAlg

The RSA algorithm to use

-> ct

The encrypted content

-> Either JwtError ScrubbedBytes

The decrypted key

Decrypts an RSA encrypted message.

ecVerify Source #

Arguments

:: JwsAlg

The signature algorithm. Used to obtain the hash function.

-> PublicKey

The key to check the signature with

-> ByteString

The message/content

-> ByteString

The signature to check

-> Bool

Whether the signature is correct

Verify the signature for a message using an EC public key.

Returns false if the check fails or if the Alg value is not an EC signature algorithm.

encryptPayload Source #

Arguments

:: (ByteArray ba, ByteArray iv) 
=> Enc

Encryption algorithm

-> ScrubbedBytes

Content management key

-> iv

IV

-> ba

Additional authenticated data

-> ba

The message/JWT claims

-> Maybe (AuthTag, ba)

Ciphertext claims and signature tag

Encrypt a message using AES.

decryptPayload Source #

Arguments

:: ByteArray ba 
=> Enc

Encryption algorithm

-> ScrubbedBytes

Content encryption key

-> IV

IV

-> ba

Additional authentication data

-> Tag

The integrity protection value to be checked

-> ba

The encrypted JWT payload

-> Maybe ba 

Decrypt an AES encrypted message.

generateCmkAndIV Source #

Arguments

:: MonadRandom m 
=> Enc

The encryption algorithm to be used

-> m (ScrubbedBytes, ScrubbedBytes)

The key, IV

Generates the symmetric key (content management key) and IV

Used to encrypt a message.

keyWrap :: ByteArray ba => JweAlg -> ScrubbedBytes -> ScrubbedBytes -> Either JwtError ba Source #

https://tools.ietf.org/html/rfc3394#section-2.2.1