x509- X509 reader and writer

MaintainerVincent Hanquez <vincent@snarc.org>
Safe HaskellNone




Read/Write X509 Certificate, CRL and their signed equivalents.

Follows RFC5280 / RFC6818



type SignedCertificate = SignedExact CertificateSource

A Signed Certificate

type SignedCRL = SignedExact CRLSource

A Signed CRL

data Certificate Source

X.509 Certificate type.

This type doesn't include the signature, it's describe in the RFC as tbsCertificate.




certVersion :: Int


certSerial :: Integer

Serial number

certSignatureAlg :: SignatureALG

Signature algorithm

certIssuerDN :: DistinguishedName

Issuer DN

certValidity :: (DateTime, DateTime)

Validity period

certSubjectDN :: DistinguishedName

Subject DN

certPubKey :: PubKey

Public key

certExtensions :: Extensions


data PubKey Source

Public key types known and used in X.509


PubKeyRSA PublicKey

RSA public key

PubKeyDSA PublicKey

DSA public key

PubKeyDH (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer))

DH format with (p,g,q,j,(seed,pgenCounter))

PubKeyECDSA CurveName ByteString 
PubKeyUnknown OID ByteString

unrecognized format


data PrivKey Source

Private key types known and used in X.509


PrivKeyRSA PrivateKey

RSA private key

PrivKeyDSA PrivateKey

DSA private key


Eq PrivKey 
Show PrivKey 

pubkeyToAlg :: PubKey -> PubKeyALGSource

Convert a Public key to the Public Key Algorithm type

privkeyToAlg :: PrivKey -> PubKeyALGSource

Convert a Public key to the Public Key Algorithm type

data HashALG Source

Hash Algorithm


Eq HashALG 
Show HashALG 

data PubKeyALG Source

Public Key Algorithm



RSA Public Key algorithm


DSA Public Key algorithm


ECDSA Public Key algorithm


Diffie Hellman Public Key algorithm

PubKeyALG_Unknown OID

Unknown Public Key algorithm


data SignatureALG Source

Signature Algorithm often composed of a public key algorithm and a hash algorithm

class Extension a whereSource

Extension class.

each extension have a unique OID associated, and a way to encode and decode an ASN1 stream.


extOID :: a -> OIDSource

extEncode :: a -> [ASN1]Source

extDecode :: [ASN1] -> Either String aSource

Common extension usually found in x509v3

data ExtBasicConstraints Source

Basic Constraints


ExtBasicConstraints Bool (Maybe Integer) 

data ExtKeyUsage Source

Describe key usage

data ExtSubjectKeyId Source

Provide a way to identify a public key by a short hash.


ExtSubjectKeyId ByteString 

data ExtSubjectAltName Source

Provide a way to supply alternate name that can be used for matching host name.


ExtSubjectAltName [AltName] 

data ExtAuthorityKeyId Source

Provide a mean to identify the public key corresponding to the private key used to signed a certificate.


ExtAuthorityKeyId ByteString 

data AltName Source

Different naming scheme use by the extension.

Not all name types are available, missing: otherName x400Address directoryName ediPartyName registeredID


AltNameRFC822 String 
AltNameDNS String 
AltNameURI String 
AltNameIP ByteString 
AltNameXMPP String 
AltNameDNSSRV String 


Eq AltName 
Ord AltName 
Show AltName 

data DistributionPoint Source

Distribution point as either some GeneralNames or a DN

Accessor turning extension into a specific one

extensionGet :: Extension a => Extensions -> Maybe aSource

Get a specific extension from a lists of raw extensions

extensionGetE :: Extension a => Extensions -> Maybe (Either String a)Source

Get a specific extension from a lists of raw extensions

extensionDecode :: Extension a => ExtensionRaw -> Maybe (Either String a)Source

Try to decode an ExtensionRaw.

If this function return: * Nothing, the OID doesn't match * Just Left, the OID matched, but the extension couldn't be decoded * Just Right, the OID matched, and the extension has been succesfully decoded

extensionEncode :: Extension a => Bool -> a -> ExtensionRawSource

Encode an Extension to extensionRaw

data ExtensionRaw Source

An undecoded extension




extRawOID :: OID

OID of this extension

extRawCritical :: Bool

if this extension is critical

extRawASN1 :: [ASN1]

the associated ASN1

newtype Extensions Source

a Set of ExtensionRaw


Extensions (Maybe [ExtensionRaw]) 

Certificate Revocation List (CRL)

data CRL Source

Describe a Certificate revocation list


Show CRL 
ASN1Object CRL 

data RevokedCertificate Source

Describe a revoked certificate identifiable by serial number.


data DnElement Source

Elements commonly available in a DistinguishedName structure


data ASN1CharacterString

ASN1 Character String with encoding

getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterStringSource

Try to get a specific element in a DistinguishedName structure

Certificate Chain

newtype CertificateChain Source

A chain of X.509 certificates in exact form.

newtype CertificateChainRaw Source

Represent a chain of X.509 certificates in bytestring form.


CertificateChainRaw [ByteString] 

marshall between CertificateChain and CertificateChainRaw

decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChainSource

Decode a CertificateChainRaw into a CertificateChain if every raw certificate are decoded correctly, otherwise return the index of the failed certificate and the error associated.

encodeCertificateChain :: CertificateChain -> CertificateChainRawSource

Convert a CertificateChain into a CertificateChainRaw

Signed types and marshalling

data (Show a, Eq a, ASN1Object a) => Signed a Source

Represent a signed object using a traditional X509 structure.

When dealing with external certificate, use the SignedExact structure not this one.




signedObject :: a

Object to sign

signedAlg :: SignatureALG

Signature Algorithm used

signedSignature :: ByteString

Signature as bytes


(Eq a, Show a, ASN1Object a) => Eq (Signed a) 
(Eq a, Show a, ASN1Object a) => Show (Signed a) 

data (Show a, Eq a, ASN1Object a) => SignedExact a Source

Represent the signed object plus the raw data that we need to keep around for non compliant case to be able to verify signature.


(Eq a, Show a, ASN1Object a) => Eq (SignedExact a) 
(Eq a, Show a, ASN1Object a) => Show (SignedExact a) 

getSigned :: SignedExact a -> Signed aSource

get the decoded Signed data

getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteStringSource

Get the signed data for the signature



:: (Show a, Eq a, ASN1Object a) 
=> (ByteString -> (ByteString, SignatureALG, r))

signature function

-> a

object to sign

-> (SignedExact a, r) 

Transform an object into a SignedExact object

encodeSignedObject :: SignedExact a -> ByteStringSource

The raw representation of the whole signed structure

decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a)Source

Try to parse a bytestring that use the typical X509 signed structure format

Parametrized Signed accessor

getCertificate :: SignedCertificate -> CertificateSource

Get the Certificate associated to a SignedCertificate

getCRL :: SignedCRL -> CRLSource

Get the CRL associated to a SignedCRL

decodeSignedCertificate :: ByteString -> Either String SignedCertificateSource

Try to decode a bytestring to a SignedCertificate

decodeSignedCRL :: ByteString -> Either String SignedCRLSource

Try to decode a bytestring to a SignedCRL

Hash distinguished names related function

hashDN :: DistinguishedName -> ByteStringSource

Make an OpenSSL style hash of distinguished name

OpenSSL algorithm is odd, and has been replicated here somewhat. only lower the case of ascii character.

hashDN_old :: DistinguishedName -> ByteStringSource

Create an openssl style old hash of distinguished name