x509-1.7.5: X509 reader and writer

LicenseBSD-style
MaintainerVincent Hanquez <vincent@snarc.org>
Stabilityexperimental
Portabilityunknown
Safe HaskellNone
LanguageHaskell2010

Data.X509

Contents

Description

Read/Write X509 Certificate, CRL and their signed equivalents.

Follows RFC5280 / RFC6818

Synopsis

Types

type SignedCertificate = SignedExact Certificate #

A Signed Certificate

type SignedCRL = SignedExact CRL #

A Signed CRL

data Certificate #

X.509 Certificate type.

This type doesn't include the signature, it's describe in the RFC as tbsCertificate.

Constructors

Certificate 

Fields

Instances
Eq Certificate # 
Instance details

Defined in Data.X509.Cert

Show Certificate # 
Instance details

Defined in Data.X509.Cert

ASN1Object Certificate # 
Instance details

Defined in Data.X509.Cert

data PubKey #

Public key types known and used in X.509

Constructors

PubKeyRSA PublicKey

RSA public key

PubKeyDSA PublicKey

DSA public key

PubKeyDH (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer))

DH format with (p,g,q,j,(seed,pgenCounter))

PubKeyEC PubKeyEC

EC public key

PubKeyX25519 PublicKey

X25519 public key

PubKeyX448 PublicKey

X448 public key

PubKeyEd25519 PublicKey

Ed25519 public key

PubKeyEd448 PublicKey

Ed448 public key

PubKeyUnknown OID ByteString

unrecognized format

Instances
Eq PubKey # 
Instance details

Defined in Data.X509.PublicKey

Methods

(==) :: PubKey -> PubKey -> Bool #

(/=) :: PubKey -> PubKey -> Bool #

Show PubKey # 
Instance details

Defined in Data.X509.PublicKey

ASN1Object PubKey # 
Instance details

Defined in Data.X509.PublicKey

data PubKeyEC #

Elliptic Curve Public Key

TODO: missing support for binary curve.

Instances
Eq PubKeyEC # 
Instance details

Defined in Data.X509.PublicKey

Show PubKeyEC # 
Instance details

Defined in Data.X509.PublicKey

newtype SerializedPoint #

Serialized Elliptic Curve Point

data PrivKey #

Private key types known and used in X.509

Constructors

PrivKeyRSA PrivateKey

RSA private key

PrivKeyDSA PrivateKey

DSA private key

PrivKeyEC PrivKeyEC

EC private key

PrivKeyX25519 SecretKey

X25519 private key

PrivKeyX448 SecretKey

X448 private key

PrivKeyEd25519 SecretKey

Ed25519 private key

PrivKeyEd448 SecretKey

Ed448 private key

Instances
Eq PrivKey # 
Instance details

Defined in Data.X509.PrivateKey

Methods

(==) :: PrivKey -> PrivKey -> Bool #

(/=) :: PrivKey -> PrivKey -> Bool #

Show PrivKey # 
Instance details

Defined in Data.X509.PrivateKey

ASN1Object PrivKey # 
Instance details

Defined in Data.X509.PrivateKey

data PrivKeyEC #

Elliptic Curve Private Key

TODO: missing support for binary curve.

Instances
Eq PrivKeyEC # 
Instance details

Defined in Data.X509.PrivateKey

Show PrivKeyEC # 
Instance details

Defined in Data.X509.PrivateKey

pubkeyToAlg :: PubKey -> PubKeyALG #

Convert a Public key to the Public Key Algorithm type

privkeyToAlg :: PrivKey -> PubKeyALG #

Convert a Private key to the Public Key Algorithm type

data HashALG #

Hash Algorithm

Instances
Eq HashALG # 
Instance details

Defined in Data.X509.AlgorithmIdentifier

Methods

(==) :: HashALG -> HashALG -> Bool #

(/=) :: HashALG -> HashALG -> Bool #

Show HashALG # 
Instance details

Defined in Data.X509.AlgorithmIdentifier

data PubKeyALG #

Public Key Algorithm

Constructors

PubKeyALG_RSA

RSA Public Key algorithm

PubKeyALG_RSAPSS

RSA PSS Key algorithm (RFC 3447)

PubKeyALG_DSA

DSA Public Key algorithm

PubKeyALG_EC

ECDSA & ECDH Public Key algorithm

PubKeyALG_X25519

ECDH 25519 key agreement

PubKeyALG_X448

ECDH 448 key agreement

PubKeyALG_Ed25519

EdDSA 25519 signature algorithm

PubKeyALG_Ed448

EdDSA 448 signature algorithm

PubKeyALG_DH

Diffie Hellman Public Key algorithm

PubKeyALG_Unknown OID

Unknown Public Key algorithm

Instances
Eq PubKeyALG # 
Instance details

Defined in Data.X509.AlgorithmIdentifier

Show PubKeyALG # 
Instance details

Defined in Data.X509.AlgorithmIdentifier

OIDable PubKeyALG # 
Instance details

Defined in Data.X509.AlgorithmIdentifier

Methods

getObjectID :: PubKeyALG -> OID #

data SignatureALG #

Signature Algorithm, often composed of a public key algorithm and a hash algorithm. For some signature algorithms the hash algorithm is intrinsic to the public key algorithm and is not needed in the data type.

class Extension a where #

Extension class.

each extension have a unique OID associated, and a way to encode and decode an ASN1 stream.

Errata: turns out, the content is not necessarily ASN1, it could be data that is only parsable by the extension e.g. raw ascii string. Add method to parse and encode with ByteString

Minimal complete definition

extOID, extHasNestedASN1, extEncode, extDecode

Instances
Extension ExtNetscapeComment # 
Instance details

Defined in Data.X509.Ext

Extension ExtCrlDistributionPoints # 
Instance details

Defined in Data.X509.Ext

Extension ExtAuthorityKeyId # 
Instance details

Defined in Data.X509.Ext

Extension ExtSubjectAltName # 
Instance details

Defined in Data.X509.Ext

Extension ExtSubjectKeyId # 
Instance details

Defined in Data.X509.Ext

Extension ExtExtendedKeyUsage # 
Instance details

Defined in Data.X509.Ext

Extension ExtKeyUsage # 
Instance details

Defined in Data.X509.Ext

Extension ExtBasicConstraints # 
Instance details

Defined in Data.X509.Ext

Common extension usually found in x509v3

data ExtKeyUsageFlag #

key usage flag that is found in the key usage extension field.

data AltName #

Different naming scheme use by the extension.

Not all name types are available, missing: otherName x400Address directoryName ediPartyName registeredID

Instances
Eq AltName # 
Instance details

Defined in Data.X509.Ext

Methods

(==) :: AltName -> AltName -> Bool #

(/=) :: AltName -> AltName -> Bool #

Ord AltName # 
Instance details

Defined in Data.X509.Ext

Show AltName # 
Instance details

Defined in Data.X509.Ext

data DistributionPoint #

Distribution point as either some GeneralNames or a DN

Accessor turning extension into a specific one

extensionGet :: Extension a => Extensions -> Maybe a #

Get a specific extension from a lists of raw extensions

extensionGetE :: Extension a => Extensions -> Maybe (Either String a) #

Get a specific extension from a lists of raw extensions

extensionDecode :: forall a. Extension a => ExtensionRaw -> Maybe (Either String a) #

Try to decode an ExtensionRaw.

If this function return: * Nothing, the OID doesn't match * Just Left, the OID matched, but the extension couldn't be decoded * Just Right, the OID matched, and the extension has been succesfully decoded

extensionEncode :: forall a. Extension a => Bool -> a -> ExtensionRaw #

Encode an Extension to extensionRaw

data ExtensionRaw #

An undecoded extension

Constructors

ExtensionRaw 

Fields

extRawASN1 :: ExtensionRaw -> [ASN1] #

Deprecated: use tryExtRawASN1 instead

newtype Extensions #

a Set of ExtensionRaw

Constructors

Extensions (Maybe [ExtensionRaw]) 
Instances
Eq Extensions # 
Instance details

Defined in Data.X509.ExtensionRaw

Show Extensions # 
Instance details

Defined in Data.X509.ExtensionRaw

ASN1Object Extensions # 
Instance details

Defined in Data.X509.ExtensionRaw

Certificate Revocation List (CRL)

data CRL #

Describe a Certificate revocation list

Instances
Eq CRL # 
Instance details

Defined in Data.X509.CRL

Methods

(==) :: CRL -> CRL -> Bool #

(/=) :: CRL -> CRL -> Bool #

Show CRL # 
Instance details

Defined in Data.X509.CRL

Methods

showsPrec :: Int -> CRL -> ShowS #

show :: CRL -> String #

showList :: [CRL] -> ShowS #

ASN1Object CRL # 
Instance details

Defined in Data.X509.CRL

Methods

toASN1 :: CRL -> ASN1S #

fromASN1 :: [ASN1] -> Either String (CRL, [ASN1]) #

Naming

newtype DistinguishedName #

A list of OID and strings.

Instances
Eq DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

Ord DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

Show DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

Semigroup DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

Monoid DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

ASN1Object DistinguishedName # 
Instance details

Defined in Data.X509.DistinguishedName

data DnElement #

Elements commonly available in a DistinguishedName structure

Constructors

DnCommonName

CN

DnCountry

Country

DnOrganization

O

DnOrganizationUnit

OU

DnEmailAddress

Email Address (legacy)

Instances
Eq DnElement # 
Instance details

Defined in Data.X509.DistinguishedName

Show DnElement # 
Instance details

Defined in Data.X509.DistinguishedName

OIDable DnElement # 
Instance details

Defined in Data.X509.DistinguishedName

Methods

getObjectID :: DnElement -> OID #

getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterString #

Try to get a specific element in a DistinguishedName structure

Certificate Chain

newtype CertificateChain #

A chain of X.509 certificates in exact form.

newtype CertificateChainRaw #

Represent a chain of X.509 certificates in bytestring form.

marshall between CertificateChain and CertificateChainRaw

decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChain #

Decode a CertificateChainRaw into a CertificateChain if every raw certificate are decoded correctly, otherwise return the index of the failed certificate and the error associated.

encodeCertificateChain :: CertificateChain -> CertificateChainRaw #

Convert a CertificateChain into a CertificateChainRaw

Signed types and marshalling

data (Show a, Eq a, ASN1Object a) => Signed a #

Represent a signed object using a traditional X509 structure.

When dealing with external certificate, use the SignedExact structure not this one.

Constructors

Signed 

Fields

Instances
(Show a, Eq a, ASN1Object a) => Eq (Signed a) # 
Instance details

Defined in Data.X509.Signed

Methods

(==) :: Signed a -> Signed a -> Bool #

(/=) :: Signed a -> Signed a -> Bool #

(Show a, Eq a, ASN1Object a) => Show (Signed a) # 
Instance details

Defined in Data.X509.Signed

Methods

showsPrec :: Int -> Signed a -> ShowS #

show :: Signed a -> String #

showList :: [Signed a] -> ShowS #

data (Show a, Eq a, ASN1Object a) => SignedExact a #

Represent the signed object plus the raw data that we need to keep around for non compliant case to be able to verify signature.

Instances
(Show a, Eq a, ASN1Object a) => Eq (SignedExact a) # 
Instance details

Defined in Data.X509.Signed

(Show a, Eq a, ASN1Object a) => Show (SignedExact a) # 
Instance details

Defined in Data.X509.Signed

getSigned :: SignedExact a -> Signed a #

get the decoded Signed data

getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteString #

Get the signed data for the signature

objectToSignedExact #

Arguments

:: (Show a, Eq a, ASN1Object a) 
=> (ByteString -> (ByteString, SignatureALG, r))

signature function

-> a

object to sign

-> (SignedExact a, r) 

Transform an object into a SignedExact object

objectToSignedExactF #

Arguments

:: (Functor f, Show a, Eq a, ASN1Object a) 
=> (ByteString -> f (ByteString, SignatureALG))

signature function

-> a

object to sign

-> f (SignedExact a) 

A generalization of objectToSignedExact where the signature function runs in an arbitrary functor. This allows for example to sign using an algorithm needing random values.

encodeSignedObject :: SignedExact a -> ByteString #

The raw representation of the whole signed structure

decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a) #

Try to parse a bytestring that use the typical X509 signed structure format

Parametrized Signed accessor

getCertificate :: SignedCertificate -> Certificate #

Get the Certificate associated to a SignedCertificate

getCRL :: SignedCRL -> CRL #

Get the CRL associated to a SignedCRL

decodeSignedCertificate :: ByteString -> Either String SignedCertificate #

Try to decode a bytestring to a SignedCertificate

decodeSignedCRL :: ByteString -> Either String SignedCRL #

Try to decode a bytestring to a SignedCRL

Hash distinguished names related function

hashDN :: DistinguishedName -> ByteString #

Make an OpenSSL style hash of distinguished name

OpenSSL algorithm is odd, and has been replicated here somewhat. only lower the case of ascii character.

hashDN_old :: DistinguishedName -> ByteString #

Create an openssl style old hash of distinguished name