-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | X509 reader and writer
--   
--   X509 reader and writer
@package x509
@version 1.4.5


-- | Read/Write X509 Certificate, CRL and their signed equivalents.
--   
--   Follows RFC5280 / RFC6818
module Data.X509

-- | A Signed Certificate
type SignedCertificate = SignedExact Certificate

-- | A Signed CRL
type SignedCRL = SignedExact CRL

-- | X.509 Certificate type.
--   
--   This type doesn't include the signature; it is described in the RFC as
--   tbsCertificate.
data Certificate
Certificate :: Int -> Integer -> SignatureALG -> DistinguishedName -> (UTCTime, UTCTime) -> DistinguishedName -> PubKey -> Extensions -> Certificate

-- | Version
certVersion :: Certificate -> Int

-- | Serial number
certSerial :: Certificate -> Integer

-- | Signature algorithm
certSignatureAlg :: Certificate -> SignatureALG

-- | Issuer DN
certIssuerDN :: Certificate -> DistinguishedName

-- | Validity period
certValidity :: Certificate -> (UTCTime, UTCTime)

-- | Subject DN
certSubjectDN :: Certificate -> DistinguishedName

-- | Public key
certPubKey :: Certificate -> PubKey

-- | Extensions
certExtensions :: Certificate -> Extensions

-- | Public key types known and used in X.509
data PubKey

-- | RSA public key
PubKeyRSA :: PublicKey -> PubKey

-- | DSA public key
PubKeyDSA :: PublicKey -> PubKey

-- | DH format with (p,g,q,j,(seed,pgenCounter))
PubKeyDH :: (Integer, Integer, Integer, Maybe Integer, ([Word8], Integer)) -> PubKey
PubKeyECDSA :: CurveName -> ByteString -> PubKey

-- | unrecognized format
PubKeyUnknown :: OID -> ByteString -> PubKey

-- | Private key types known and used in X.509
data PrivKey

-- | RSA private key
PrivKeyRSA :: PrivateKey -> PrivKey

-- | DSA private key
PrivKeyDSA :: PrivateKey -> PrivKey

-- | Convert a Public key to the Public Key Algorithm type
pubkeyToAlg :: PubKey -> PubKeyALG

-- | Convert a Private key to the Public Key Algorithm type
privkeyToAlg :: PrivKey -> PubKeyALG

-- | Hash Algorithm
data HashALG
HashMD2 :: HashALG
HashMD5 :: HashALG
HashSHA1 :: HashALG
HashSHA224 :: HashALG
HashSHA256 :: HashALG
HashSHA384 :: HashALG
HashSHA512 :: HashALG

-- | Public Key Algorithm
data PubKeyALG

-- | RSA Public Key algorithm
PubKeyALG_RSA :: PubKeyALG

-- | DSA Public Key algorithm
PubKeyALG_DSA :: PubKeyALG

-- | ECDSA Public Key algorithm
PubKeyALG_ECDSA :: PubKeyALG

-- | Diffie Hellman Public Key algorithm
PubKeyALG_DH :: PubKeyALG

-- | Unknown Public Key algorithm
PubKeyALG_Unknown :: OID -> PubKeyALG

-- | Signature Algorithm often composed of a public key algorithm and a
--   hash algorithm
data SignatureALG
SignatureALG :: HashALG -> PubKeyALG -> SignatureALG
SignatureALG_Unknown :: OID -> SignatureALG

-- | Extension class.
--   
--   Each extension has a unique OID associated with it, and a way to encode
--   and decode an ASN1 stream.
class Extension a
extOID :: Extension a => a -> OID
extEncode :: Extension a => a -> [ASN1]
extDecode :: Extension a => [ASN1] -> Either String a

-- | Basic Constraints
data ExtBasicConstraints
ExtBasicConstraints :: Bool -> (Maybe Integer) -> ExtBasicConstraints

-- | Describe key usage
data ExtKeyUsage
ExtKeyUsage :: [ExtKeyUsageFlag] -> ExtKeyUsage

-- | key usage flag that is found in the key usage extension field.
data ExtKeyUsageFlag
KeyUsage_digitalSignature :: ExtKeyUsageFlag
KeyUsage_nonRepudiation :: ExtKeyUsageFlag
KeyUsage_keyEncipherment :: ExtKeyUsageFlag
KeyUsage_dataEncipherment :: ExtKeyUsageFlag
KeyUsage_keyAgreement :: ExtKeyUsageFlag
KeyUsage_keyCertSign :: ExtKeyUsageFlag
KeyUsage_cRLSign :: ExtKeyUsageFlag
KeyUsage_encipherOnly :: ExtKeyUsageFlag
KeyUsage_decipherOnly :: ExtKeyUsageFlag

-- | Provide a way to identify a public key by a short hash.
data ExtSubjectKeyId
ExtSubjectKeyId :: ByteString -> ExtSubjectKeyId

-- | Provide a way to supply alternate names that can be used for matching
--   a host name.
data ExtSubjectAltName
ExtSubjectAltName :: [AltName] -> ExtSubjectAltName

-- | Provide a means to identify the public key corresponding to the private
--   key used to sign a certificate.
data ExtAuthorityKeyId
ExtAuthorityKeyId :: ByteString -> ExtAuthorityKeyId

-- | Identify how CRL information is obtained
data ExtCrlDistributionPoints
ExtCrlDistributionPoints :: [DistributionPoint] -> ExtCrlDistributionPoints

-- | Different naming schemes used by the extension.
--   
--   Not all name types are available; missing: otherName, x400Address,
--   directoryName, ediPartyName, registeredID.
data AltName
AltNameRFC822 :: String -> AltName
AltNameDNS :: String -> AltName
AltNameURI :: String -> AltName
AltNameIP :: ByteString -> AltName

-- | Distribution point as either some GeneralNames or a DN
data DistributionPoint
DistributionPointFullName :: [AltName] -> DistributionPoint
DistributionNameRelative :: DistinguishedName -> DistributionPoint

-- | Reason flag for the CRL
data ReasonFlag
Reason_Unused :: ReasonFlag
Reason_KeyCompromise :: ReasonFlag
Reason_CACompromise :: ReasonFlag
Reason_AffiliationChanged :: ReasonFlag
Reason_Superseded :: ReasonFlag
Reason_CessationOfOperation :: ReasonFlag
Reason_CertificateHold :: ReasonFlag
Reason_PrivilegeWithdrawn :: ReasonFlag
Reason_AACompromise :: ReasonFlag

-- | Get a specific extension from a list of raw extensions
extensionGet :: Extension a => Extensions -> Maybe a

-- | Try to decode an ExtensionRaw.
--   
--   If this function returns: * Nothing, the OID doesn't match * Just Left,
--   the OID matched, but the extension couldn't be decoded * Just Right,
--   the OID matched, and the extension has been successfully decoded
extensionDecode :: Extension a => ExtensionRaw -> Maybe (Either String a)

-- | An undecoded extension
data ExtensionRaw
ExtensionRaw :: OID -> Bool -> [ASN1] -> ExtensionRaw

-- | OID of this extension
extRawOID :: ExtensionRaw -> OID

-- | whether this extension is critical (RFC 5280 requires a certificate
--   carrying an unrecognized critical extension to be rejected)
extRawCritical :: ExtensionRaw -> Bool

-- | the associated ASN1
extRawASN1 :: ExtensionRaw -> [ASN1]

-- | a Set of <a>ExtensionRaw</a>
newtype Extensions
Extensions :: (Maybe [ExtensionRaw]) -> Extensions

-- | Describe a Certificate revocation list
data CRL
CRL :: Integer -> SignatureALG -> DistinguishedName -> UTCTime -> Maybe UTCTime -> [RevokedCertificate] -> Extensions -> CRL
crlVersion :: CRL -> Integer
crlSignatureAlg :: CRL -> SignatureALG
crlIssuer :: CRL -> DistinguishedName
crlThisUpdate :: CRL -> UTCTime
crlNextUpdate :: CRL -> Maybe UTCTime
crlRevokedCertificates :: CRL -> [RevokedCertificate]
crlExtensions :: CRL -> Extensions

-- | Describe a revoked certificate identifiable by serial number.
data RevokedCertificate
RevokedCertificate :: Integer -> UTCTime -> Extensions -> RevokedCertificate
revokedSerialNumber :: RevokedCertificate -> Integer
revokedDate :: RevokedCertificate -> UTCTime
revokedExtensions :: RevokedCertificate -> Extensions

-- | A list of OID and strings.
newtype DistinguishedName
DistinguishedName :: [(OID, ASN1CharacterString)] -> DistinguishedName
getDistinguishedElements :: DistinguishedName -> [(OID, ASN1CharacterString)]

-- | Elements commonly available in a <a>DistinguishedName</a> structure
data DnElement

-- | CN
DnCommonName :: DnElement

-- | Country
DnCountry :: DnElement

-- | O
DnOrganization :: DnElement

-- | OU
DnOrganizationUnit :: DnElement

-- | ASN1 Character String with encoding
data ASN1CharacterString :: *
ASN1CharacterString :: ASN1StringEncoding -> ByteString -> ASN1CharacterString
characterEncoding :: ASN1CharacterString -> ASN1StringEncoding
getCharacterStringRawData :: ASN1CharacterString -> ByteString

-- | Try to get a specific element in a <a>DistinguishedName</a> structure
getDnElement :: DnElement -> DistinguishedName -> Maybe ASN1CharacterString

-- | A chain of X.509 certificates in exact form.
newtype CertificateChain
CertificateChain :: [SignedExact Certificate] -> CertificateChain

-- | Represent a chain of X.509 certificates in bytestring form.
newtype CertificateChainRaw
CertificateChainRaw :: [ByteString] -> CertificateChainRaw

-- | Decode a CertificateChainRaw into a CertificateChain if every raw
--   certificate is decoded correctly; otherwise return the index of the
--   failed certificate and the associated error.
decodeCertificateChain :: CertificateChainRaw -> Either (Int, String) CertificateChain

-- | Convert a CertificateChain into a CertificateChainRaw
encodeCertificateChain :: CertificateChain -> CertificateChainRaw

-- | Represent a signed object using a traditional X509 structure.
--   
--   When dealing with external certificates, use the SignedExact structure,
--   not this one.
data (Show a, Eq a, ASN1Object a) => Signed a
Signed :: a -> SignatureALG -> ByteString -> Signed a

-- | Object to sign
signedObject :: Signed a -> a

-- | Signature Algorithm used
signedAlg :: Signed a -> SignatureALG

-- | Signature as bytes
signedSignature :: Signed a -> ByteString

-- | Represent the signed object plus the raw data that we need to keep
--   around for the non-compliant case, to be able to verify the signature.
data (Show a, Eq a, ASN1Object a) => SignedExact a

-- | get the decoded Signed data
getSigned :: SignedExact a -> Signed a

-- | Get the signed data for the signature
getSignedData :: (Show a, Eq a, ASN1Object a) => SignedExact a -> ByteString

-- | Transform an object into a <a>SignedExact</a> object
objectToSignedExact :: (Show a, Eq a, ASN1Object a) => (ByteString -> (ByteString, SignatureALG, r)) -> a -> (SignedExact a, r)

-- | The raw representation of the whole signed structure
encodeSignedObject :: SignedExact a -> ByteString

-- | Try to parse a bytestring that uses the typical X509 signed structure
--   format
decodeSignedObject :: (Show a, Eq a, ASN1Object a) => ByteString -> Either String (SignedExact a)

-- | Get the Certificate associated to a SignedCertificate
getCertificate :: SignedCertificate -> Certificate

-- | Get the CRL associated to a SignedCRL
getCRL :: SignedCRL -> CRL

-- | Try to decode a bytestring to a SignedCertificate
decodeSignedCertificate :: ByteString -> Either String SignedCertificate

-- | Try to decode a bytestring to a SignedCRL
decodeSignedCRL :: ByteString -> Either String SignedCRL

-- | Make an OpenSSL style hash of a distinguished name
--   
--   The OpenSSL algorithm is odd and has been replicated here somewhat; it
--   only lowers the case of ASCII characters.
hashDN :: DistinguishedName -> ByteString

-- | Create an OpenSSL style old hash of a distinguished name
hashDN_old :: DistinguishedName -> ByteString
