| Safe Haskell | None |
|---|---|
| Language | Haskell2010 |
Network.Fernet
Description
Fernet generates and verifies HMAC-based authentication tokens.
Originally designed for use within OpenStack clusters, it was intended to be fast and lightweight, with non-persistent tokens. Integrity and confidentiality of the token contents are implemented with HMAC SHA256 and AES128 CBC.
See the Fernet Spec for a little more information.
Usage
To encrypt a token:
```
>>> import Network.Fernet
>>> k <- generateKey
>>> keyToBase64 k
"JQAeL3iFN9wIW_hMKiIzA1EiG_EZNivnMPBOOJn2wZc="
>>> token <- encrypt k "secret text"
>>> print token
"gAAAAABY0H9kx7ihkcj6ZF_bQ73Lvc7aG-ZlEtjx24io-DQy5tCjLbq1JvVY27uAe6BuwG8css-4LDIywOJRyY_zetq7aLPPag=="
```
The resulting token can be distributed to clients. To check and decrypt the token, use the same key:
```
>>> decrypt k 60 token
Right "secret text"
```
When decrypting, a TTL value is supplied to determine whether the
token has expired. The timestamp is stored in plain text and can
also be checked with hasExpired.
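A worked example of the pure `encrypt'`/`decrypt'` variants documented below, showing the three outcomes a verifier cares about: a token within its TTL, the same token after the TTL has elapsed, and a token whose ciphertext or key has been altered. This is an added example, not code from the fernet package; it assumes the `Network.Fernet` API exactly as listed on this page and uses constructed, fixed key bytes and a fixed IV purely so the run is deterministic.

```haskell
{-# LANGUAGE OverloadedStrings #-}
module Main (main) where

import qualified Data.ByteString as B
import Data.ByteString (ByteString)
import Data.Time.Clock (NominalDiffTime)
import Data.Time.Clock.POSIX (POSIXTime)
import Network.Fernet

-- Constructed key material so the run is deterministic. In real code use
-- generateKey (or generateKeyFromPassword) and let encrypt pick a random IV.
mkKey :: ByteString -> ByteString -> Key
mkKey sig enc = maybe (error "each key must be exactly 16 bytes") id (key sig enc)

demoKey, otherKey :: Key
demoKey  = mkKey "0123456789abcdef" "fedcba9876543210"
otherKey = mkKey "AAAAAAAAAAAAAAAA" "BBBBBBBBBBBBBBBB"

demoIV :: ByteString
demoIV = B.replicate 16 0x42        -- constructed; a real IV is 16 random bytes

issuedAt :: POSIXTime
issuedAt = 1500000000               -- constructed issue time (seconds since epoch)

ttl :: NominalDiffTime
ttl = 60

-- Pattern-match the error so the example does not rely on a Show instance.
describe :: Either DecryptError ByteString -> String
describe (Right msg)                  = "ok: " ++ show msg
describe (Left TokenExpired)          = "rejected: TTL exceeded"
describe (Left TokenInvalid)          = "rejected: HMAC mismatch"
describe (Left UnacceptableClockSkew) = "rejected: timestamp in the future"
describe (Left _)                     = "rejected: malformed or unsupported"

main :: IO ()
main = do
  let token = encrypt' demoKey issuedAt demoIV "secret text"
  -- Within the TTL the contents come back.
  putStrLn (describe (decrypt' demoKey ttl (issuedAt + 30) token))
  -- Past the TTL the token is refused on its plaintext timestamp alone.
  putStrLn (describe (decrypt' demoKey ttl (issuedAt + 61) token))
  print (isExpired ttl token (issuedAt + 61))
  -- Flip one base64 character that maps into the ciphertext bytes (past the
  -- 25-byte version/timestamp/IV header): the HMAC no longer matches.
  let (pre, post) = B.splitAt 40 token
      flipChar c  = if c == 0x41 then 0x42 else 0x41   -- 'A' <-> 'B', still valid base64
      tampered    = pre <> B.map flipChar (B.take 1 post) <> B.drop 1 post
  putStrLn (describe (decrypt' demoKey ttl (issuedAt + 30) tampered))
  -- A different key fails the signature check before any decryption happens.
  putStrLn (describe (decrypt' otherKey ttl (issuedAt + 30) token))
```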
Related Modules
- encrypt :: Key -> ByteString -> IO ByteString
- decrypt :: Key -> NominalDiffTime -> ByteString -> IO (Either DecryptError ByteString)
- encrypt' :: Key -> POSIXTime -> ByteString -> ByteString -> ByteString
- decrypt' :: Key -> NominalDiffTime -> POSIXTime -> ByteString -> Either DecryptError ByteString
- data DecryptError
- isExpired :: NominalDiffTime -> ByteString -> POSIXTime -> Either String Bool
- hasExpired :: NominalDiffTime -> ByteString -> IO (Either String Bool)
- data Key
- key :: ByteArrayAccess a => a -> a -> Maybe Key
- generateKey :: IO Key
- generateKeyFromPassword :: Byteable p => Int -> p -> IO (Key, ByteString)
- keyFromBase64 :: ByteString -> Either String Key
- keyToBase64 :: Key -> ByteString
- version :: Word8
Tokens
encrypt Source #
Arguments
| :: Key | The encryption and signing keys. |
| -> ByteString | Token contents. |
| -> IO ByteString | An encoded Fernet token. |
Encrypts, encodes, and signs the given token contents with the given key.
Its timestamp is set to the current time and stored unencrypted in the token.
decrypt Source #
Arguments
| :: Key | The encryption and signing keys. |
| -> NominalDiffTime | Token TTL. |
| -> ByteString | The encoded token. |
| -> IO (Either DecryptError ByteString) | Token contents, or an error. |
Decodes, checks, and decrypts the given Fernet token.
If the token's age (determined by its timestamp) exceeds the given TTL, then this function will fail.
encrypt' Source #
Arguments
| :: Key | The encryption and signing keys. |
| -> POSIXTime | Timestamp |
| -> ByteString | Initialization Vector. |
| -> ByteString | Token contents. |
| -> ByteString | An encoded Fernet token. |
Encrypts, encodes, and signs the given token contents with the given key.
The provided timestamp is stored unencrypted in the token.
The given IV (initialization vector) string should be a random sequence of exactly 128 bits.
decrypt' Source #
Arguments
| :: Key | The encryption and signing keys. |
| -> NominalDiffTime | Token TTL. |
| -> POSIXTime | The current time, used to determine token age. |
| -> ByteString | The encoded token. |
| -> Either DecryptError ByteString | Token contents, or an error. |
Decodes, checks, and decrypts the given Fernet token.
If the token's age (determined by its timestamp) exceeds the given TTL, then this function will fail.
data DecryptError Source #
Some of the reasons why decryption can fail.
Constructors
| TokenMalformed | The token could not be decoded into fields. |
| TokenInvalid | Signature verification failed. |
| TokenExpired | Token age exceeded given TTL value. |
| UnacceptableClockSkew | Token timestamp is too far in the future. |
| KeySizeInvalid | The key was not suitable for decryption. |
| InvalidBlockSize | The ciphertext length was not a multiple of the block size. |
| UnsupportedVersion | The version was not 0x80. |
isExpired Source #
Arguments
| :: NominalDiffTime | TTL value. |
| -> ByteString | Encoded token. |
| -> POSIXTime | The time to consider. |
| -> Either String Bool | |
Returns Right True if the token is expired at the given time,
Left _ if the token could not be parsed.
hasExpired Source #
Arguments
| :: NominalDiffTime | TTL value. |
| -> ByteString | Encoded token. |
| -> IO (Either String Bool) | |
Returns Right True if the token has expired,
Left _ if the token could not be parsed.
Keys
data Key Source #
Contains the signing key and encryption key. Create one with
key, keyFromBase64, or generateKeyFromPassword.
key Source #
Arguments
| :: ByteArrayAccess a | |
| => a | Signing Key |
| -> a | Encryption Key |
| -> Maybe Key | |
Constructs a pair of signing and encryption keys. Each key must be exactly 16 bytes long; otherwise this returns Nothing.
generateKey :: IO Key Source #
Generates new keys from the PRNG.
generateKeyFromPassword Source #
Arguments
| :: Byteable p | |
| => Int | Number of key derivation function iterations. |
| -> p | The password. |
| -> IO (Key, ByteString) | The key and random salt used. |
Stretches the given password into a Key using PBKDF2.
keyFromBase64 Source #
Arguments
| :: ByteString | URL-safe base64. |
| -> Either String Key | |
Decodes urlsafe base64-encoded bytes into a key. This will fail if the input is not exactly 256 bits long (43 characters in base64).
keyToBase64 Source #
Arguments
| :: Key | |
| -> ByteString | URL-safe base64. |
Encodes the given key as urlsafe base64.