HsOpenSSL-0.11.4.14: Partial OpenSSL binding for Haskell

Safe HaskellNone
LanguageHaskell2010

OpenSSL.PKCS7

Contents

Description

An interface to PKCS#7 structure and S/MIME message.

Synopsis

Types

data Pkcs7 Source #

Pkcs7 represents an abstract PKCS#7 structure. The concrete type of structure is hidden in the object: such polymorphism isn't very haskellish but please get it out of your mind since OpenSSL is written in C.

data Pkcs7VerifyStatus Source #

Pkcs7VerifyStatus represents a result of PKCS#7 verification. See pkcs7Verify.

Constructors

Pkcs7VerifySuccess (Maybe String)

Nothing if the PKCS#7 signature was a detached signature, and Just content if it wasn't.

Pkcs7VerifyFailure 

Encryption and Signing

pkcs7Sign Source #

Arguments

:: KeyPair key 
=> X509

certificate to sign with

-> key

corresponding private key

-> [X509]

optional additional set of certificates to include in the PKCS#7 structure (for example any intermediate CAs in the chain)

-> String

data to be signed

-> [Pkcs7Flag]

An optional set of flags:

Pkcs7Text
Many S/MIME clients expect the signed content to include valid MIME headers. If the Pkcs7Text flag is set MIME headers for type "text/plain" are prepended to the data.
Pkcs7NoCerts
If Pkcs7NoCerts is set the signer's certificate will not be included in the PKCS#7 structure, the signer's certificate must still be supplied in the parameter though. This can reduce the size of the signature if the signer's certificate can be obtained by other means: for example a previously signed message.
Pkcs7Detached
The data being signed is included in the PKCS#7 structure, unless Pkcs7Detached is set in which case it is ommited. This is used for PKCS#7 detached signatures which are used in S/MIME plaintext signed message for example.
Pkcs7Binary
Normally the supplied content is translated into MIME canonical format (as required by the S/MIME specifications) but if Pkcs7Binary is set no translation occurs. This option should be uesd if the supplied data is in binary format otherwise the translation will corrupt it.
Pkcs7NoAttr
Pkcs7NoSmimeCap
The signedData structure includes several PKCS#7 authenticatedAttributes including the signing time, the PKCS#7 content type and the supported list of ciphers in an SMIMECapabilities attribute. If Pkcs7NoAttr is set then no authenticatedAttributes will be used. If Pkcs7NoSmimeCap is set then just the SMIMECapabilities are omitted.
-> IO Pkcs7 

pkcs7Sign creates a PKCS#7 signedData structure.

pkcs7Verify Source #

Arguments

:: Pkcs7

A PKCS#7 structure to verify.

-> [X509]

Set of certificates in which to search for the signer's certificate.

-> X509Store

Trusted certificate store (used for chain verification).

-> Maybe String

Signed data if the content is not present in the PKCS#7 structure (that is it is detached).

-> [Pkcs7Flag]

An optional set of flags:

Pkcs7NoIntern
If Pkcs7NoIntern is set the certificates in the message itself are not searched when locating the signer's certificate. This means that all the signers certificates must be in the second argument ([X509]).
Pkcs7Text
If the Pkcs7Text flag is set MIME headers for type "text/plain" are deleted from the content. If the content is not of type "text/plain" then an error is returned.
Pkcs7NoVerify
If Pkcs7NoVerify is set the signer's certificates are not chain verified.
Pkcs7NoChain
If Pkcs7NoChain is set then the certificates contained in the message are not used as untrusted CAs. This means that the whole verify chain (apart from the signer's certificate) must be contained in the trusted store.
Pkcs7NoSigs
If Pkcs7NoSigs is set then the signatures on the data are not checked.
-> IO Pkcs7VerifyStatus 

pkcs7Verify verifies a PKCS#7 signedData structure.

pkcs7Encrypt Source #

Arguments

:: [X509]

A list of recipient certificates.

-> String

The content to be encrypted.

-> Cipher

The symmetric cipher to use.

-> [Pkcs7Flag]

An optional set of flags:

Pkcs7Text
If the Pkcs7Text flag is set MIME headers for type "text/plain" are prepended to the data.
Pkcs7Binary
Normally the supplied content is translated into MIME canonical format (as required by the S/MIME specifications) if Pkcs7Binary is set no translation occurs. This option should be used if the supplied data is in binary format otherwise the translation will corrupt it. If Pkcs7Binary is set then Pkcs7Text is ignored.
-> IO Pkcs7 

pkcs7Encrypt creates a PKCS#7 envelopedData structure.

pkcs7Decrypt Source #

Arguments

:: KeyPair key 
=> Pkcs7

The PKCS#7 structure to decrypt.

-> key

The private key of the recipient.

-> X509

The recipient's certificate.

-> [Pkcs7Flag]

An optional set of flags:

Pkcs7Text
If the Pkcs7Text flag is set MIME headers for type "text/plain" are deleted from the content. If the content is not of type "text/plain" then an error is thrown.
-> IO String

The decrypted content.

pkcs7Decrypt decrypts content from PKCS#7 envelopedData structure.

S/MIME

writeSmime Source #

Arguments

:: Pkcs7

A PKCS#7 structure to be written.

-> Maybe String

If cleartext signing (multipart/signed) is being used then the signed data must be supplied here.

-> [Pkcs7Flag]

An optional set of flags:

Pkcs7Detached
If Pkcs7Detached is set then cleartext signing will be used, this option only makes sense for signedData where Pkcs7Detached is also set when pkcs7Sign is also called.
Pkcs7Text
If the Pkcs7Text flag is set MIME headers for type "text/plain" are added to the content, this only makes sense if Pkcs7Detached is also set.
-> IO String

The result S/MIME message.

writeSmime writes PKCS#7 structure to S/MIME message.

readSmime Source #

Arguments

:: String

The message to be read.

-> IO (Pkcs7, Maybe String)

(The result PKCS#7 structure, Just content if the PKCS#7 structure was a cleartext signature and Nothing if it wasn't.)

readSmime parses S/MIME message.