jose-0.9: JSON Object Signing and Encryption (JOSE) and JSON Web Token (JWT) library
Safe HaskellNone
LanguageHaskell2010

Crypto.JOSE.JWS

Description

JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JavaScript Object Notation (JSON) based data structures. It is defined in RFC 7515.

doJwsSign :: JWK -> L.ByteString -> IO (Either Error (GeneralJWS JWSHeader))
doJwsSign jwk payload = runExceptT $ do
  alg <- bestJWSAlg jwk
  signJWS payload [(newJWSHeader (Protected, alg), jwk)]

doJwsVerify :: JWK -> GeneralJWS JWSHeader -> IO (Either Error ())
doJwsVerify jwk jws = runExceptT $ verifyJWS' jwk jws
Synopsis

Overview

data JWS t p a Source #

JSON Web Signature data type. The payload can only be accessed by verifying the JWS.

Parameterised by the signature container type, the header ProtectionIndicator type, and the header record type.

Use encode and decode to convert a JWS to or from JSON. When encoding a JWS [] with exactly one signature, the flattened JWS JSON serialisation syntax is used, otherwise the general JWS JSON serialisation is used. When decoding a JWS [] either serialisation is accepted.

JWS Identity uses the flattened JSON serialisation or the JWS compact serialisation (see decodeCompact and encodeCompact).

Use signJWS to create a signed/MACed JWS.

Use verifyJWS to verify a JWS and extract the payload.

Instances

Instances details
Eq (t (Signature p a)) => Eq (JWS t p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

(==) :: JWS t p a -> JWS t p a -> Bool #

(/=) :: JWS t p a -> JWS t p a -> Bool #

Show (t (Signature p a)) => Show (JWS t p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

showsPrec :: Int -> JWS t p a -> ShowS #

show :: JWS t p a -> String #

showList :: [JWS t p a] -> ShowS #

(HasParams a, ProtectionIndicator p) => ToJSON (JWS [] p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

toJSON :: JWS [] p a -> Value #

toEncoding :: JWS [] p a -> Encoding #

toJSONList :: [JWS [] p a] -> Value #

toEncodingList :: [JWS [] p a] -> Encoding #

(HasParams a, ProtectionIndicator p) => ToJSON (JWS Identity p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

toJSON :: JWS Identity p a -> Value #

toEncoding :: JWS Identity p a -> Encoding #

toJSONList :: [JWS Identity p a] -> Value #

toEncodingList :: [JWS Identity p a] -> Encoding #

(HasParams a, ProtectionIndicator p) => FromJSON (JWS [] p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

parseJSON :: Value -> Parser (JWS [] p a) #

parseJSONList :: Value -> Parser [JWS [] p a] #

(HasParams a, ProtectionIndicator p) => FromJSON (JWS Identity p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

parseJSON :: Value -> Parser (JWS Identity p a) #

parseJSONList :: Value -> Parser [JWS Identity p a] #

HasParams a => ToCompact (JWS Identity () a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

toCompact :: JWS Identity () a -> [ByteString] Source #

HasParams a => FromCompact (JWS Identity () a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

fromCompact :: (AsError e, MonadError e m) => [ByteString] -> m (JWS Identity () a) Source #

type GeneralJWS = JWS [] Protection Source #

A JWS that allows multiple signatures, and cannot use the compact serialisation. Headers may be Protected or Unprotected.

type FlattenedJWS = JWS Identity Protection Source #

A JWS with one signature, which uses the flattened serialisation. Headers may be Protected or Unprotected.

type CompactJWS = JWS Identity () Source #

A JWS with one signature which only allows protected parameters. Can use the flattened serialisation or the compact serialisation.

Defining additional header parameters

Several specifications extend JWS with additional header parameters. The JWS type is parameterised over the header type; this library provides the JWSHeader type which encompasses all the JWS header parameters defined in RFC 7515. To define an extended header type declare the data type, and instances for HasJWSHeader and HasParams. For example:

data ACMEHeader p = ACMEHeader
  { _acmeJwsHeader :: JWSHeader p
  , _acmeNonce :: Base64Octets
  }

acmeJwsHeader :: Lens' (ACMEHeader p) (JWSHeader p)
acmeJwsHeader f s@(ACMEHeader { _acmeJwsHeader = a}) =
  fmap (\a' -> s { _acmeJwsHeader = a'}) (f a)

acmeNonce :: Lens' (ACMEHeader p) Types.Base64Octets
acmeNonce f s@(ACMEHeader { _acmeNonce = a}) =
  fmap (\a' -> s { _acmeNonce = a'}) (f a)

instance HasJWSHeader ACMEHeader where
  jwsHeader = acmeJwsHeader

instance HasParams ACMEHeader where
  parseParamsFor proxy hp hu = ACMEHeader
    <$> parseParamsFor proxy hp hu
    <*> headerRequiredProtected "nonce" hp hu
  params h =
    (True, "nonce" .= view acmeNonce h)
    : params (view acmeJwsHeader h)
  extensions = const ["nonce"]

See also:

JWS creation

newJWSHeader :: (p, Alg) -> JWSHeader p Source #

Construct a minimal header with the given algorithm and protection indicator for the alg header.

makeJWSHeader :: forall e m p. (MonadError e m, AsError e, ProtectionIndicator p) => JWK -> m (JWSHeader p) Source #

Make a JWS header for the given signing key.

Uses bestJWSAlg to choose the algorithm. If set, the JWK's "kid", "x5u", "x5c", "x5t" and "x5t#S256" parameters are copied to the JWS header (as protected parameters).

May return KeySizeTooSmall or KeyMismatch.

signJWS Source #

Arguments

:: (Cons s s Word8 Word8, HasJWSHeader a, HasParams a, MonadRandom m, AsError e, MonadError e m, Traversable t, ProtectionIndicator p) 
=> s

Payload

-> t (a p, JWK)

Traversable of header, key pairs

-> m (JWS t p a) 

Create a signed or MACed JWS with the given payload by traversing a collection of (header, key) pairs.

JWS verification

verifyJWS Source #

Arguments

:: (HasAlgorithms a, HasValidationPolicy a, AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) s k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) 
=> a

validation settings

-> k

key or key store

-> JWS t p h

JWS

-> m s 

Verify a JWS.

Signatures made with an unsupported algorithms are ignored. If the validation policy is AnyValidated, a single successfully validated signature is sufficient. If the validation policy is AllValidated then all remaining signatures (there must be at least one) must be valid.

Returns the payload if successfully verified.

verifyJWS' Source #

Arguments

:: (AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) s k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) 
=> k

key or key store

-> JWS t p h

JWS

-> m s 

Verify a JWS with the default validation settings.

See also defaultValidationSettings.

verifyJWSWithPayload Source #

Arguments

:: (HasAlgorithms a, HasValidationPolicy a, AsError e, MonadError e m, HasJWSHeader h, HasParams h, VerificationKeyStore m (h p) payload k, Cons s s Word8 Word8, AsEmpty s, Foldable t, ProtectionIndicator p) 
=> (s -> m payload)

payload decoder

-> a

validation settings

-> k

key or key store

-> JWS t p h

JWS

-> m payload 

JWS validation settings

defaultValidationSettings :: ValidationSettings Source #

The default validation settings.

  • All algorithms except "none" are acceptable.
  • All signatures must be valid (and there must be at least one signature.)

data ValidationSettings Source #

Validation settings:

  • The set of acceptable signature algorithms
  • The validation policy

Instances

Instances details
HasValidationSettings ValidationSettings Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

validationSettings :: Lens' ValidationSettings ValidationSettings Source #

validationSettingsAlgorithms :: Lens' ValidationSettings (Set Alg) Source #

validationSettingsValidationPolicy :: Lens' ValidationSettings ValidationPolicy Source #

data ValidationPolicy Source #

Validation policy.

Constructors

AnyValidated

One successfully validated signature is sufficient

AllValidated

All signatures in all configured algorithms must be validated. No signatures in configured algorithms is also an error.

Instances

Instances details
Eq ValidationPolicy Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

(==) :: ValidationPolicy -> ValidationPolicy -> Bool #

(/=) :: ValidationPolicy -> ValidationPolicy -> Bool #

class HasValidationSettings a where Source #

Minimal complete definition

validationSettings

Methods

validationSettings :: Lens' a ValidationSettings Source #

validationSettingsAlgorithms :: Lens' a (Set Alg) Source #

validationSettingsValidationPolicy :: Lens' a ValidationPolicy Source #

Instances

Instances details
HasJWTValidationSettings a => HasValidationSettings a Source # 
Instance details

Defined in Crypto.JWT

Methods

validationSettings :: Lens' a ValidationSettings Source #

validationSettingsAlgorithms :: Lens' a (Set Alg) Source #

validationSettingsValidationPolicy :: Lens' a ValidationPolicy Source #

HasValidationSettings ValidationSettings Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

validationSettings :: Lens' ValidationSettings ValidationSettings Source #

validationSettingsAlgorithms :: Lens' ValidationSettings (Set Alg) Source #

validationSettingsValidationPolicy :: Lens' ValidationSettings ValidationPolicy Source #

class HasAlgorithms s where Source #

Methods

algorithms :: Lens' s (Set Alg) Source #

Instances

Instances details
HasValidationSettings a => HasAlgorithms a Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

algorithms :: Lens' a (Set Alg) Source #

class HasValidationPolicy s where Source #

Methods

validationPolicy :: Lens' s ValidationPolicy Source #

Instances

Instances details
HasValidationSettings a => HasValidationPolicy a Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

validationPolicy :: Lens' a ValidationPolicy Source #

Signature data

signatures :: Foldable t => Fold (JWS t p a) (Signature p a) Source #

data Signature p a Source #

Signature object containing header, and signature bytes.

If it was decoded from a serialised JWS, it "remembers" how the protected header was encoded; the remembered value is used when computing the signing input and when serialising the object.

The remembered value is not used in equality checks, i.e. two decoded signatures with differently serialised by otherwise equal protected headers, and equal signature bytes, are equal.

Instances

Instances details
Eq (a p) => Eq (Signature p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

(==) :: Signature p a -> Signature p a -> Bool #

(/=) :: Signature p a -> Signature p a -> Bool #

Show (a p) => Show (Signature p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

showsPrec :: Int -> Signature p a -> ShowS #

show :: Signature p a -> String #

showList :: [Signature p a] -> ShowS #

(HasParams a, ProtectionIndicator p) => ToJSON (Signature p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

toJSON :: Signature p a -> Value #

toEncoding :: Signature p a -> Encoding #

toJSONList :: [Signature p a] -> Value #

toEncodingList :: [Signature p a] -> Encoding #

(HasParams a, ProtectionIndicator p) => FromJSON (Signature p a) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

parseJSON :: Value -> Parser (Signature p a) #

parseJSONList :: Value -> Parser [Signature p a] #

header :: Getter (Signature p a) (a p) Source #

Getter for header of a signature

signature :: (Cons s s Word8 Word8, AsEmpty s) => Getter (Signature p a) s Source #

Getter for signature bytes

rawProtectedHeader :: (HasParams a, ProtectionIndicator p) => Signature p a -> ByteString Source #

Return the raw base64url-encoded protected header value. If the Signature was decoded from JSON, this returns the original string value as-is.

Application code should never need to use this. It is exposed for testing purposes.

JWS headers

data Alg Source #

RFC 7518 §3.1. "alg" (Algorithm) Header Parameters Values for JWS

Constructors

HS256 
HS384 
HS512 
RS256 
RS384 
RS512 
ES256 
ES384 
ES512 
PS256 
PS384 
PS512 
None 
EdDSA 

Instances

Instances details
Eq Alg Source # 
Instance details

Defined in Crypto.JOSE.JWA.JWS

Methods

(==) :: Alg -> Alg -> Bool #

(/=) :: Alg -> Alg -> Bool #

Ord Alg Source # 
Instance details

Defined in Crypto.JOSE.JWA.JWS

Methods

compare :: Alg -> Alg -> Ordering #

(<) :: Alg -> Alg -> Bool #

(<=) :: Alg -> Alg -> Bool #

(>) :: Alg -> Alg -> Bool #

(>=) :: Alg -> Alg -> Bool #

max :: Alg -> Alg -> Alg #

min :: Alg -> Alg -> Alg #

Show Alg Source # 
Instance details

Defined in Crypto.JOSE.JWA.JWS

Methods

showsPrec :: Int -> Alg -> ShowS #

show :: Alg -> String #

showList :: [Alg] -> ShowS #

ToJSON Alg Source # 
Instance details

Defined in Crypto.JOSE.JWA.JWS

Methods

toJSON :: Alg -> Value #

toEncoding :: Alg -> Encoding #

toJSONList :: [Alg] -> Value #

toEncodingList :: [Alg] -> Encoding #

FromJSON Alg Source # 
Instance details

Defined in Crypto.JOSE.JWA.JWS

Methods

parseJSON :: Value -> Parser Alg #

parseJSONList :: Value -> Parser [Alg] #

class HasJWSHeader a where Source #

Methods

jwsHeader :: Lens' (a p) (JWSHeader p) Source #

Instances

Instances details
HasJWSHeader JWSHeader Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

jwsHeader :: Lens' (JWSHeader p) (JWSHeader p) Source #

data JWSHeader p Source #

JWS Header data type.

Instances

Instances details
HasParams JWSHeader Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

params :: ProtectionIndicator p => JWSHeader p -> [(Bool, Pair)] Source #

extensions :: Proxy JWSHeader -> [Text] Source #

parseParamsFor :: forall (b :: Type -> Type) p. (HasParams b, ProtectionIndicator p) => Proxy b -> Maybe Object -> Maybe Object -> Parser (JWSHeader p) Source #

HasJWSHeader JWSHeader Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

jwsHeader :: Lens' (JWSHeader p) (JWSHeader p) Source #

Eq p => Eq (JWSHeader p) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

(==) :: JWSHeader p -> JWSHeader p -> Bool #

(/=) :: JWSHeader p -> JWSHeader p -> Bool #

Show p => Show (JWSHeader p) Source # 
Instance details

Defined in Crypto.JOSE.JWS

Methods

showsPrec :: Int -> JWSHeader p -> ShowS #

show :: JWSHeader p -> String #

showList :: [JWSHeader p] -> ShowS #

module Crypto.JOSE.Error

module Crypto.JOSE.Header

module Crypto.JOSE.JWK

Orphan instances

HasJWSHeader a => HasCrit a Source # 
Instance details

Methods

crit :: Lens' (a p) (Maybe (NonEmpty Text)) Source #

HasJWSHeader a => HasCty a Source # 
Instance details

Methods

cty :: Lens' (a p) (Maybe (HeaderParam p Text)) Source #

HasJWSHeader a => HasTyp a Source # 
Instance details

Methods

typ :: Lens' (a p) (Maybe (HeaderParam p Text)) Source #

HasJWSHeader a => HasX5tS256 a Source # 
Instance details

Methods

x5tS256 :: Lens' (a p) (Maybe (HeaderParam p Base64SHA256)) Source #

HasJWSHeader a => HasX5t a Source # 
Instance details

Methods

x5t :: Lens' (a p) (Maybe (HeaderParam p Base64SHA1)) Source #

HasJWSHeader a => HasX5c a Source # 
Instance details

Methods

x5c :: Lens' (a p) (Maybe (HeaderParam p (NonEmpty SignedCertificate))) Source #

HasJWSHeader a => HasX5u a Source # 
Instance details

Methods

x5u :: Lens' (a p) (Maybe (HeaderParam p URI)) Source #

HasJWSHeader a => HasKid a Source # 
Instance details

Methods

kid :: Lens' (a p) (Maybe (HeaderParam p Text)) Source #

HasJWSHeader a => HasJwk a Source # 
Instance details

Methods

jwk :: Lens' (a p) (Maybe (HeaderParam p JWK)) Source #

HasJWSHeader a => HasJku a Source # 
Instance details

Methods

jku :: Lens' (a p) (Maybe (HeaderParam p URI)) Source #

HasJWSHeader a => HasAlg a Source # 
Instance details

Methods

alg :: Lens' (a p) (HeaderParam p Alg) Source #