Safe Haskell	Safe-Inferred
Language	Haskell2010

Servant.Auth.Hmac.Crypto

Contents

Crypto primitives
Request signing
Internals

Description

Crypto primitives for hmac signing.

Synopsis

newtype SecretKey = SecretKey {
- unSecretKey :: ByteString
}
newtype Signature = Signature {
- unSignature :: ByteString
}
sign :: forall algo. HashAlgorithm algo => SecretKey -> ByteString -> Signature
signSHA256 :: SecretKey -> ByteString -> Signature
data RequestPayload = RequestPayload {
- rpMethod :: !Method
- rpContent :: !ByteString
- rpHeaders :: !RequestHeaders
- rpRawUrl :: !ByteString
}
requestSignature :: (SecretKey -> ByteString -> Signature) -> SecretKey -> RequestPayload -> Signature
verifySignatureHmac :: (SecretKey -> ByteString -> Signature) -> SecretKey -> RequestPayload -> Maybe ByteString
whitelistHeaders :: [HeaderName]
keepWhitelistedHeaders :: [Header] -> [Header]
authHeaderName :: HeaderName

Crypto primitives

newtype SecretKey Source #

The wraper for the secret key.

Constructors

SecretKey
Fields unSecretKey :: ByteString

newtype Signature Source #

Hashed message used as the signature. Encoded in Base64.

Constructors

Signature
Fields unSignature :: ByteString

Instances

Instances details

Eq Signature Source #
Instance details Defined in Servant.Auth.Hmac.Crypto Methods (==) :: Signature -> Signature -> Bool # (/=) :: Signature -> Signature -> Bool #

sign Source #

Arguments

:: forall algo. HashAlgorithm algo
=> SecretKey	Secret key to use
-> ByteString	Message to MAC
-> Signature	Hashed message

Compute the hashed message using the supplied hashing function. And then encode the result in the Base64 encoding.

signSHA256 :: SecretKey -> ByteString -> Signature Source #

sign function specialized for SHA256 cryptographic algorithm.

Request signing

data RequestPayload Source #

Part of the HTTP request that will be signed.

Constructors

RequestPayload
Fields rpMethod :: !Method HTTP method rpContent :: !ByteString Raw content of HTTP body rpHeaders :: !RequestHeaders All headers of HTTP request rpRawUrl :: !ByteString Raw request URL with host, path pieces and parameters

Instances

Instances details

Show RequestPayload Source #
Instance details Defined in Servant.Auth.Hmac.Crypto Methods showsPrec :: Int -> RequestPayload -> ShowS # show :: RequestPayload -> String # showList :: [RequestPayload] -> ShowS #

requestSignature Source #

Arguments

:: (SecretKey -> ByteString -> Signature)	Signing function
-> SecretKey	Secret key to use
-> RequestPayload	Payload to sign
-> Signature

This function signs HTTP request according to the following algorithm:

stringToSign = HTTP-Method       ++ "n"
            ++ Content-MD5       ++ "n"
            ++ HeadersNormalized ++ "n"
            ++ RawURL

signature = encodeBase64
          $ signHmac yourSecretKey
          $ encodeUtf8 stringToSign

where HeadersNormalized are headers decapitalzed, joined, sorted alphabetically and intercalated with line break. So, if you have headers like these:

User-Agent: Mozilla/5.0
Host: foo.bar.com

the result of header normalization will look like this:

hostfoo.bar.com
user-agentMozilla/5.0

verifySignatureHmac Source #

Arguments

:: (SecretKey -> ByteString -> Signature)	Signing function
-> SecretKey	Secret key that was used for signing `Request`
-> RequestPayload
-> Maybe ByteString

This function takes signing function signer and secret key and expects that given Request has header:

Authentication: HMAC signature

It checks whether signature is true request signature. Function returns Nothing if it is true, and Just error message otherwise.

whitelistHeaders :: [HeaderName] Source #

White-listed headers. Only these headers will be taken into consideration:

```
Authentication
```
```
Host
```
```
Accept-Encoding
```

keepWhitelistedHeaders :: [Header] -> [Header] Source #

Keeps only headers from whitelistHeaders.

Internals

authHeaderName :: HeaderName Source #