/usr/share/doc/libghc-hsopenssl-doc/html/HsOpenSSL.txt

-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Partial OpenSSL binding for Haskell
--   
--   HsOpenSSL is an OpenSSL binding for Haskell. It can generate RSA and
--   DSA keys, read and write PEM files, generate message digests, sign and
--   verify messages, encrypt and decrypt messages. It has also some
--   capabilities of creating SSL clients and servers.
--   
--   This package is in production use by a number of Haskell based systems
--   and stable. You may also be interested in the <tt>tls</tt> package,
--   <a>http://hackage.haskell.org/package/tls</a>, which is a pure Haskell
--   implementation of SSL.
@package HsOpenSSL
@version 0.11.1.1


-- | An interface to Base64 codec.
module OpenSSL.EVP.Base64

-- | <tt><a>encodeBase64</a> str</tt> lazilly encodes a stream of data to
--   Base64. The string doesn't have to be finite. Note that the string
--   must not contain any letters which aren't in the range of U+0000 -
--   U+00FF.

-- | <i>Deprecated: Use encodeBase64BS or encodeBase64LBS instead.</i>
encodeBase64 :: String -> String

-- | <tt><a>encodeBase64BS</a> bs</tt> strictly encodes a chunk of data to
--   Base64.
encodeBase64BS :: ByteString -> ByteString

-- | <tt><a>encodeBase64LBS</a> lbs</tt> lazilly encodes a stream of data
--   to Base64. The string doesn't have to be finite.
encodeBase64LBS :: ByteString -> ByteString

-- | <tt><a>decodeBase64</a> str</tt> lazilly decodes a stream of data from
--   Base64. The string doesn't have to be finite.

-- | <i>Deprecated: Use decodeBase64BS or decodeBase64LBS instead.</i>
decodeBase64 :: String -> String

-- | <tt><a>decodeBase64BS</a> bs</tt> strictly decodes a chunk of data
--   from Base64.
decodeBase64BS :: ByteString -> ByteString

-- | <tt><a>decodeBase64LBS</a> lbs</tt> lazilly decodes a stream of data
--   from Base64. The string doesn't have to be finite.
decodeBase64LBS :: ByteString -> ByteString

module OpenSSL.EVP.Internal

-- | <tt>Cipher</tt> is an opaque object that represents an algorithm of
--   symmetric cipher.
newtype Cipher
Cipher :: (Ptr EVP_CIPHER) -> Cipher
data EVP_CIPHER
withCipherPtr :: Cipher -> (Ptr EVP_CIPHER -> IO a) -> IO a
cipherIvLength :: Cipher -> Int
newtype CipherCtx
CipherCtx :: (ForeignPtr EVP_CIPHER_CTX) -> CipherCtx
data EVP_CIPHER_CTX
newCipherCtx :: IO CipherCtx
withCipherCtxPtr :: CipherCtx -> (Ptr EVP_CIPHER_CTX -> IO a) -> IO a
withNewCipherCtxPtr :: (Ptr EVP_CIPHER_CTX -> IO a) -> IO a

-- | <tt>CryptoMode</tt> represents instruction to <tt>cipher</tt> and such
--   like.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode
cipherInitBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> IO CipherCtx
cipherUpdateBS :: CipherCtx -> ByteString -> IO ByteString
cipherFinalBS :: CipherCtx -> IO ByteString
cipherStrictly :: CipherCtx -> ByteString -> IO ByteString
cipherLazily :: CipherCtx -> ByteString -> IO ByteString

-- | <tt>Digest</tt> is an opaque object that represents an algorithm of
--   message digest.
newtype Digest
Digest :: (Ptr EVP_MD) -> Digest
data EVP_MD
withMDPtr :: Digest -> (Ptr EVP_MD -> IO a) -> IO a
newtype DigestCtx
DigestCtx :: (ForeignPtr EVP_MD_CTX) -> DigestCtx
data EVP_MD_CTX
withDigestCtxPtr :: DigestCtx -> (Ptr EVP_MD_CTX -> IO a) -> IO a
digestUpdateBS :: DigestCtx -> ByteString -> IO ()
digestFinalBS :: DigestCtx -> IO ByteString
digestFinal :: DigestCtx -> IO String
digestStrictly :: Digest -> ByteString -> IO DigestCtx
digestLazily :: Digest -> ByteString -> IO DigestCtx

-- | VaguePKey is a <a>ForeignPtr</a> to <a>EVP_PKEY</a>, that is either
--   public key or a ker pair. We can't tell which at compile time.
newtype VaguePKey
VaguePKey :: (ForeignPtr EVP_PKEY) -> VaguePKey
data EVP_PKEY

-- | Instances of class <a>PKey</a> can be converted back and forth to
--   <a>VaguePKey</a>.
class PKey k

-- | Wrap the key (i.g. RSA) into <a>EVP_PKEY</a>.
toPKey :: PKey k => k -> IO VaguePKey

-- | Extract the concrete key from the <a>EVP_PKEY</a>. Returns
--   <a>Nothing</a> if the type mismatches.
fromPKey :: PKey k => VaguePKey -> IO (Maybe k)

-- | Do the same as EVP_PKEY_size().
pkeySize :: PKey k => k -> Int

-- | Return the default digesting algorithm for the key.
pkeyDefaultMD :: PKey k => k -> IO Digest
createPKey :: (Ptr EVP_PKEY -> IO a) -> IO VaguePKey
wrapPKeyPtr :: Ptr EVP_PKEY -> IO VaguePKey
withPKeyPtr :: VaguePKey -> (Ptr EVP_PKEY -> IO a) -> IO a
withPKeyPtr' :: PKey k => k -> (Ptr EVP_PKEY -> IO a) -> IO a
unsafePKeyToPtr :: VaguePKey -> Ptr EVP_PKEY
touchPKey :: VaguePKey -> IO ()


-- | An interface to symmetric cipher algorithms.
module OpenSSL.EVP.Cipher

-- | <tt>Cipher</tt> is an opaque object that represents an algorithm of
--   symmetric cipher.
data Cipher

-- | <tt><a>getCipherByName</a> name</tt> returns a symmetric cipher
--   algorithm whose name is <tt>name</tt>. If no algorithms are found, the
--   result is <tt>Nothing</tt>.
getCipherByName :: String -> IO (Maybe Cipher)

-- | <tt><a>getCipherNames</a></tt> returns a list of name of symmetric
--   cipher algorithms.
getCipherNames :: IO [String]

-- | <tt>CryptoMode</tt> represents instruction to <tt>cipher</tt> and such
--   like.
data CryptoMode
Encrypt :: CryptoMode
Decrypt :: CryptoMode

-- | <tt><a>cipher</a></tt> lazilly encrypts or decrypts a stream of data.
--   The input string doesn't necessarily have to be finite.

-- | <i>Deprecated: Use cipherBS, cipherLBS or cipherStrictLBS.</i>
cipher :: Cipher -> String -> String -> CryptoMode -> String -> IO String

-- | <tt><a>cipherBS</a></tt> strictly encrypts or decrypts a chunk of
--   data.
cipherBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString

-- | <tt><a>cipherLBS</a></tt> lazilly encrypts or decrypts a stream of
--   data. The input string doesn't necessarily have to be finite.
cipherLBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString

-- | Encrypt a lazy bytestring in a strict manner. Does not leak the keys.
cipherStrictLBS :: Cipher -> ByteString -> ByteString -> CryptoMode -> ByteString -> IO ByteString


-- | An interface to message digest algorithms.
module OpenSSL.EVP.Digest

-- | <tt>Digest</tt> is an opaque object that represents an algorithm of
--   message digest.
data Digest

-- | <tt><a>getDigestByName</a> name</tt> returns a message digest
--   algorithm whose name is <tt>name</tt>. If no algorithms are found, the
--   result is <tt>Nothing</tt>.
getDigestByName :: String -> IO (Maybe Digest)

-- | <tt><a>getDigestNames</a></tt> returns a list of name of message
--   digest algorithms.
getDigestNames :: IO [String]

-- | <tt><a>digest</a></tt> digests a stream of data. The string must not
--   contain any letters which aren't in the range of U+0000 - U+00FF.

-- | <i>Deprecated: Use digestBS or digestLBS instead.</i>
digest :: Digest -> String -> String

-- | <tt><a>digestBS</a></tt> digests a chunk of data.
digestBS :: Digest -> ByteString -> ByteString

-- | <tt><a>digestLBS</a></tt> digests a stream of data.
digestLBS :: Digest -> ByteString -> ByteString

-- | Perform a private key signing using the HMAC template with a given
--   hash
hmacBS :: Digest -> ByteString -> ByteString -> ByteString

-- | Calculate a PKCS5-PBKDF2 SHA1-HMAC suitable for password hashing.
pkcs5_pbkdf2_hmac_sha1 :: ByteString -> ByteString -> Int -> Int -> ByteString


-- | This module interfaces to some of the OpenSSL ciphers without using
--   EVP (see OpenSSL.EVP.Cipher). The EVP ciphers are easier to use,
--   however, in some cases you cannot do without using the OpenSSL
--   fuctions directly.
--   
--   One of these cases (and the motivating example for this module) is
--   that the EVP CBC functions try to encode the length of the input
--   string in the output (thus hiding the fact that the cipher is, in
--   fact, block based and needs padding). This means that the EVP CBC
--   functions cannot, in some cases, interface with other users which
--   don't use that system (like SSH).
module OpenSSL.Cipher
data Mode
Encrypt :: Mode
Decrypt :: Mode
data AESCtx

-- | Construct a new context which holds the key schedule and IV.
newAESCtx :: Mode -> ByteString -> ByteString -> IO AESCtx

-- | Encrypt some number of blocks using CBC. This is an IO function
--   because the context is destructivly updated.
aesCBC :: AESCtx -> ByteString -> IO ByteString

-- | Encrypt some number of bytes using CTR mode. This is an IO function
--   because the context is destructivly updated.
aesCTR :: AESCtx -> ByteString -> IO ByteString
instance GHC.Show.Show OpenSSL.Cipher.Mode
instance GHC.Classes.Eq OpenSSL.Cipher.Mode


-- | PRNG services See <a>http://www.openssl.org/docs/crypto/rand.html</a>
--   For random Integer generation, see <a>OpenSSL.BN</a>
module OpenSSL.Random

-- | Return a bytestring consisting of the given number of strongly random
--   bytes
randBytes :: Int -> IO ByteString

-- | Return a bytestring consisting of the given number of pseudo random
--   bytes
prandBytes :: Int -> IO ByteString

-- | Add data to the entropy pool. It's safe to add sensitive information
--   (e.g. user passwords etc) to the pool. Also, adding data with an
--   entropy of 0 can never hurt.
add :: ByteString -> Int -> IO ()


-- | BN - multiprecision integer arithmetics
module OpenSSL.BN

-- | <a>BigNum</a> is an opaque object representing a big number.
data BigNum

-- | <tt><a>allocaBN</a> f</tt> allocates a <a>BigNum</a> and computes
--   <tt>f</tt>. Then it frees the <a>BigNum</a>.
allocaBN :: (BigNum -> IO a) -> IO a

-- | <tt><a>withBN</a> n f</tt> converts n to a <a>BigNum</a> and computes
--   <tt>f</tt>. Then it frees the <a>BigNum</a>.
withBN :: Integer -> (BigNum -> IO a) -> IO a

-- | This is an alias to <a>integerToBN</a>.
newBN :: Integer -> IO BigNum

-- | This is an alias to <a>bnToInteger</a>.
peekBN :: BigNum -> IO Integer

-- | Return a new, alloced BIGNUM.
integerToBN :: Integer -> IO BigNum

-- | Convert a BIGNUM to an <a>Integer</a>.
bnToInteger :: BigNum -> IO Integer

-- | Convert an Integer to an MPI. See bnToMPI for the format
integerToMPI :: Integer -> IO ByteString

-- | Convert an MPI to an Integer. See bnToMPI for the format
mpiToInteger :: ByteString -> IO Integer

-- | <tt><a>modexp</a> a p m</tt> computes <tt>a</tt> to the <tt>p</tt>-th
--   power modulo <tt>m</tt>.
modexp :: Integer -> Integer -> Integer -> Integer

-- | Return a strongly random number in the range 0 &lt;= x &lt; n where
--   the given filter function returns true.
randIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer

-- | Return a random number in the range 0 &lt;= x &lt; n where the given
--   filter function returns true.
prandIntegerUptoNMinusOneSuchThat :: (Integer -> Bool) -> Integer -> IO Integer

-- | Return a strongly random number in the range 0 &lt;= x &lt; n
randIntegerZeroToNMinusOne :: Integer -> IO Integer

-- | Return a random number in the range 0 &lt;= x &lt; n
prandIntegerZeroToNMinusOne :: Integer -> IO Integer

-- | Return a strongly random number in the range 0 &lt; x &lt; n
randIntegerOneToNMinusOne :: Integer -> IO Integer

-- | Return a random number in the range 0 &lt; x &lt; n
prandIntegerOneToNMinusOne :: Integer -> IO Integer


-- | The Digital Signature Algorithm (FIPS 186-2). See
--   <a>http://www.openssl.org/docs/crypto/dsa.html</a>
module OpenSSL.DSA

-- | <tt><a>DSAKey</a> a</tt> is either <a>DSAPubKey</a> or
--   <a>DSAKeyPair</a>.
class DSAKey k where dsaSize dsa = unsafePerformIO $ withDSAPtr dsa $ \ dsaPtr -> fmap fromIntegral (_size dsaPtr) dsaP = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 24)) dsaQ = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 32)) dsaG = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 40)) dsaPublic = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 48))

-- | Return the length of key.
dsaSize :: DSAKey k => k -> Int

-- | Return the public prime number of the key.
dsaP :: DSAKey k => k -> Integer

-- | Return the public 160-bit subprime, <tt>q | p - 1</tt> of the key.
dsaQ :: DSAKey k => k -> Integer

-- | Return the public generator of subgroup of the key.
dsaG :: DSAKey k => k -> Integer

-- | Return the public key <tt>y = g^x</tt>.
dsaPublic :: DSAKey k => k -> Integer
withDSAPtr :: DSAKey k => k -> (Ptr DSA -> IO a) -> IO a
peekDSAPtr :: DSAKey k => Ptr DSA -> IO (Maybe k)
absorbDSAPtr :: DSAKey k => Ptr DSA -> IO (Maybe k)

-- | The type of a DSA public key, includes parameters p, q, g and public.
data DSAPubKey

-- | The type of a DSA keypair, includes parameters p, q, g, public and
--   private.
data DSAKeyPair

-- | Generate DSA parameters (*not* a key, but required for a key). This is
--   a compute intensive operation. See FIPS 186-2, app 2. This agrees with
--   the test vectors given in FIP 186-2, app 5
generateDSAParameters :: Int -> Maybe ByteString -> IO (Int, Int, Integer, Integer, Integer)

-- | Generate a new DSA keypair, given valid parameters
generateDSAKey :: Integer -> Integer -> Integer -> IO DSAKeyPair

-- | A utility function to generate both the parameters and the key pair at
--   the same time. Saves serialising and deserialising the parameters too
generateDSAParametersAndKey :: Int -> Maybe ByteString -> IO DSAKeyPair

-- | Sign pre-digested data. The DSA specs call for SHA1 to be used so, if
--   you use anything else, YMMV. Returns a pair of Integers which,
--   together, are the signature
signDigestedDataWithDSA :: DSAKeyPair -> ByteString -> IO (Integer, Integer)

-- | Verify pre-digested data given a signature.
verifyDigestedDataWithDSA :: DSAKey k => k -> ByteString -> (Integer, Integer) -> IO Bool

-- | Return the private key <tt>x</tt>.
dsaPrivate :: DSAKeyPair -> Integer

-- | Convert a DSAPubKey object to a tuple of its members in the order p,
--   q, g, and public.
dsaPubKeyToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer)

-- | Convert a DSAKeyPair object to a tuple of its members in the order p,
--   q, g, public and private.
dsaKeyPairToTuple :: DSAKeyPair -> (Integer, Integer, Integer, Integer, Integer)

-- | Convert a tuple of members (in the same format as from
--   <a>dsaPubKeyToTuple</a>) into a DSAPubKey object
tupleToDSAPubKey :: (Integer, Integer, Integer, Integer) -> DSAPubKey

-- | Convert a tuple of members (in the same format as from
--   <a>dsaPubKeyToTuple</a>) into a DSAPubKey object
tupleToDSAKeyPair :: (Integer, Integer, Integer, Integer, Integer) -> DSAKeyPair
instance OpenSSL.DSA.DSAKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.DSA.DSAKey OpenSSL.DSA.DSAKeyPair
instance GHC.Classes.Eq OpenSSL.DSA.DSAPubKey
instance GHC.Classes.Eq OpenSSL.DSA.DSAKeyPair
instance GHC.Classes.Ord OpenSSL.DSA.DSAPubKey
instance GHC.Classes.Ord OpenSSL.DSA.DSAKeyPair
instance GHC.Show.Show OpenSSL.DSA.DSAPubKey
instance GHC.Show.Show OpenSSL.DSA.DSAKeyPair


-- | An interface to RSA public key generator.
module OpenSSL.RSA

-- | <tt><a>RSAKey</a> a</tt> is either <a>RSAPubKey</a> or
--   <a>RSAKeyPair</a>.
class RSAKey k where rsaSize rsa = unsafePerformIO $ withRSAPtr rsa $ \ rsaPtr -> fmap fromIntegral (_size rsaPtr) rsaN = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 32)) rsaE = peekI ((\ hsc_ptr -> peekByteOff hsc_ptr 40))

-- | <tt><a>rsaSize</a> key</tt> returns the length of key.
rsaSize :: RSAKey k => k -> Int

-- | <tt><a>rsaN</a> key</tt> returns the public modulus of the key.
rsaN :: RSAKey k => k -> Integer

-- | <tt><a>rsaE</a> key</tt> returns the public exponent of the key.
rsaE :: RSAKey k => k -> Integer
withRSAPtr :: RSAKey k => k -> (Ptr RSA -> IO a) -> IO a
peekRSAPtr :: RSAKey k => Ptr RSA -> IO (Maybe k)
absorbRSAPtr :: RSAKey k => Ptr RSA -> IO (Maybe k)

-- | <tt><a>RSAPubKey</a></tt> is an opaque object that represents RSA
--   public key.
data RSAPubKey

-- | <tt><a>RSAKeyPair</a></tt> is an opaque object that represents RSA
--   keypair.
data RSAKeyPair

-- | <tt><a>RSAGenKeyCallback</a></tt> represents a callback function to
--   get informed the progress of RSA key generation.
--   
--   <ul>
--   <li><tt>callback 0 i</tt> is called after generating the <tt>i</tt>-th
--   potential prime number.</li>
--   <li>While the number is being tested for primality, <tt>callback 1
--   j</tt> is called after the <tt>j</tt>-th iteration (j = 0, 1,
--   ...).</li>
--   <li>When the <tt>n</tt>-th randomly generated prime is rejected as not
--   suitable for the key, <tt>callback 2 n</tt> is called.</li>
--   <li>When a random <tt>p</tt> has been found with <tt>p</tt>-1
--   relatively prime to <tt>e</tt>, it is called as <tt>callback 3
--   0</tt>.</li>
--   <li>The process is then repeated for prime <tt>q</tt> with
--   <tt>callback 3 1</tt>.</li>
--   </ul>
type RSAGenKeyCallback = Int -> Int -> IO ()

-- | <tt><a>generateRSAKey</a></tt> generates an RSA keypair.
generateRSAKey :: Int -> Int -> Maybe RSAGenKeyCallback -> IO RSAKeyPair

-- | A simplified alternative to <a>generateRSAKey</a>
generateRSAKey' :: Int -> Int -> IO RSAKeyPair

-- | <tt><a>rsaD</a> privKey</tt> returns the private exponent of the key.
rsaD :: RSAKeyPair -> Integer

-- | <tt><a>rsaP</a> privkey</tt> returns the secret prime factor
--   <tt>p</tt> of the key.
rsaP :: RSAKeyPair -> Integer

-- | <tt><a>rsaQ</a> privkey</tt> returns the secret prime factor
--   <tt>q</tt> of the key.
rsaQ :: RSAKeyPair -> Integer

-- | <tt><a>rsaDMP1</a> privkey</tt> returns <tt>d mod (p-1)</tt> of the
--   key.
rsaDMP1 :: RSAKeyPair -> Maybe Integer

-- | <tt><a>rsaDMQ1</a> privkey</tt> returns <tt>d mod (q-1)</tt> of the
--   key.
rsaDMQ1 :: RSAKeyPair -> Maybe Integer

-- | <tt><a>rsaIQMP</a> privkey</tt> returns <tt>q^-1 mod p</tt> of the
--   key.
rsaIQMP :: RSAKeyPair -> Maybe Integer

-- | Make a copy of the public parameters of the given key.
rsaCopyPublic :: RSAKey key => key -> IO RSAPubKey
instance OpenSSL.RSA.RSAKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.RSA.RSAKey OpenSSL.RSA.RSAKeyPair
instance GHC.Classes.Eq OpenSSL.RSA.RSAPubKey
instance GHC.Classes.Eq OpenSSL.RSA.RSAKeyPair
instance GHC.Classes.Ord OpenSSL.RSA.RSAPubKey
instance GHC.Classes.Ord OpenSSL.RSA.RSAKeyPair
instance GHC.Show.Show OpenSSL.RSA.RSAPubKey
instance GHC.Show.Show OpenSSL.RSA.RSAKeyPair


-- | An interface to asymmetric cipher keypair.
module OpenSSL.EVP.PKey

-- | Instances of this class has at least public portion of a keypair. They
--   might or might not have the private key.
class (Eq k, Typeable k, PKey k) => PublicKey k where fromPublicKey = SomePublicKey toPublicKey (SomePublicKey pk) = cast pk

-- | Wrap an arbitrary public key into polymorphic type
--   <a>SomePublicKey</a>.
fromPublicKey :: PublicKey k => k -> SomePublicKey

-- | Cast from the polymorphic type <a>SomePublicKey</a> to the concrete
--   type. Return <a>Nothing</a> if failed.
toPublicKey :: PublicKey k => SomePublicKey -> Maybe k

-- | Instances of this class has both of public and private portions of a
--   keypair.
class PublicKey a => KeyPair a where fromKeyPair = SomeKeyPair toKeyPair (SomeKeyPair pk) = cast pk

-- | Wrap an arbitrary keypair into polymorphic type <a>SomeKeyPair</a>.
fromKeyPair :: KeyPair a => a -> SomeKeyPair

-- | Cast from the polymorphic type <a>SomeKeyPair</a> to the concrete
--   type. Return <a>Nothing</a> if failed.
toKeyPair :: KeyPair a => SomeKeyPair -> Maybe a

-- | This is an opaque type to hold an arbitrary public key in it. The
--   actual key type can be safelly type-casted using <a>toPublicKey</a>.
data SomePublicKey

-- | This is an opaque type to hold an arbitrary keypair in it. The actual
--   key type can be safelly type-casted using <a>toKeyPair</a>.
data SomeKeyPair
instance GHC.Classes.Eq OpenSSL.EVP.PKey.SomePublicKey
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.EVP.PKey.SomePublicKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.EVP.PKey.SomePublicKey
instance GHC.Classes.Eq OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.EVP.PKey.SomeKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.RSA.RSAPubKey
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.RSA.RSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.EVP.Internal.PKey OpenSSL.DSA.DSAPubKey
instance OpenSSL.EVP.PKey.KeyPair OpenSSL.DSA.DSAKeyPair
instance OpenSSL.EVP.PKey.PublicKey OpenSSL.DSA.DSAKeyPair
instance OpenSSL.EVP.Internal.PKey OpenSSL.DSA.DSAKeyPair


-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
--   opposite of <a>OpenSSL.EVP.Seal</a>.
module OpenSSL.EVP.Open

-- | <tt><a>open</a></tt> lazilly decrypts a stream of data. The input
--   string doesn't necessarily have to be finite.

-- | <i>Deprecated: Use openBS or openLBS instead.</i>
open :: KeyPair key => Cipher -> String -> String -> key -> String -> String

-- | <tt><a>openBS</a></tt> decrypts a chunk of data.
openBS :: KeyPair key => Cipher -> ByteString -> ByteString -> key -> ByteString -> ByteString

-- | <tt><a>openLBS</a></tt> lazilly decrypts a stream of data. The input
--   string doesn't necessarily have to be finite.
openLBS :: KeyPair key => Cipher -> ByteString -> ByteString -> key -> ByteString -> ByteString


-- | Asymmetric cipher decryption using encrypted symmetric key. This is an
--   opposite of <a>OpenSSL.EVP.Open</a>.
module OpenSSL.EVP.Seal

-- | <tt><a>seal</a></tt> lazilly encrypts a stream of data. The input
--   string doesn't necessarily have to be finite.

-- | <i>Deprecated: Use sealBS or sealLBS instead.</i>
seal :: Cipher -> [SomePublicKey] -> String -> IO (String, [String], String)

-- | <tt><a>sealBS</a></tt> strictly encrypts a chunk of data.
sealBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [ByteString], ByteString)

-- | <tt><a>sealLBS</a></tt> lazilly encrypts a stream of data. The input
--   string doesn't necessarily have to be finite.
sealLBS :: Cipher -> [SomePublicKey] -> ByteString -> IO (ByteString, [ByteString], ByteString)


-- | Message signing using asymmetric cipher and message digest algorithm.
--   This is an opposite of <a>OpenSSL.EVP.Verify</a>.
module OpenSSL.EVP.Sign

-- | <tt><a>sign</a></tt> generates a signature from a stream of data. The
--   string must not contain any letters which aren't in the range of
--   U+0000 - U+00FF.

-- | <i>Deprecated: Use signBS or signLBS instead.</i>
sign :: KeyPair key => Digest -> key -> String -> IO String

-- | <tt><a>signBS</a></tt> generates a signature from a chunk of data.
signBS :: KeyPair key => Digest -> key -> ByteString -> IO ByteString

-- | <tt><a>signLBS</a></tt> generates a signature from a stream of data.
signLBS :: KeyPair key => Digest -> key -> ByteString -> IO ByteString


-- | Message verification using asymmetric cipher and message digest
--   algorithm. This is an opposite of <a>OpenSSL.EVP.Sign</a>.
module OpenSSL.EVP.Verify

-- | <tt><a>VerifyStatus</a></tt> represents a result of verification.
data VerifyStatus
VerifySuccess :: VerifyStatus
VerifyFailure :: VerifyStatus

-- | <tt><a>verify</a></tt> verifies a signature and a stream of data. The
--   string must not contain any letters which aren't in the range of
--   U+0000 - U+00FF.

-- | <i>Deprecated: Use verifyBS or verifyLBS instead.</i>
verify :: PublicKey key => Digest -> String -> key -> String -> IO VerifyStatus

-- | <tt><a>verifyBS</a></tt> verifies a signature and a chunk of data.
verifyBS :: PublicKey key => Digest -> ByteString -> key -> ByteString -> IO VerifyStatus

-- | <tt><a>verifyLBS</a></tt> verifies a signature of a stream of data.
verifyLBS :: PublicKey key => Digest -> ByteString -> key -> ByteString -> IO VerifyStatus
instance GHC.Classes.Eq OpenSSL.EVP.Verify.VerifyStatus
instance GHC.Show.Show OpenSSL.EVP.Verify.VerifyStatus


-- | Diffie-Hellman key exchange
module OpenSSL.DH
data DHP
data DH
data DHGen
DHGen2 :: DHGen
DHGen5 :: DHGen

-- | <tt><a>genDHParams</a> gen n</tt> generates <tt>n</tt>-bit long DH
--   parameters.
genDHParams :: DHGen -> Int -> IO DHP

-- | Get DH parameters length (in bits).
getDHLength :: DHP -> IO Int

-- | Check that DH parameters are coherent.
checkDHParams :: DHP -> IO Bool

-- | The first step of a key exchange. Public and private keys are
--   generated.
genDH :: DHP -> IO DH

-- | Get parameters of a key exchange.
getDHParams :: DH -> DHP

-- | Get the public key.
getDHPublicKey :: DH -> IO Integer

-- | Compute the shared key using the other party's public key.
computeDHKey :: DH -> Integer -> IO ByteString
instance GHC.Show.Show OpenSSL.DH.DHGen
instance GHC.Classes.Ord OpenSSL.DH.DHGen
instance GHC.Classes.Eq OpenSSL.DH.DHGen


-- | An interface to X.509 certificate.
module OpenSSL.X509

-- | <tt><a>X509</a></tt> is an opaque object that represents X.509
--   certificate.
data X509

-- | <tt><a>newX509</a></tt> creates an empty certificate. You must set the
--   following properties to and sign it (see <a>signX509</a>) to actually
--   use the certificate.
--   
--   <ul>
--   <li><i><i>Version</i></i> See <a>setVersion</a>.</li>
--   <li><i><i>Serial number</i></i> See <a>setSerialNumber</a>.</li>
--   <li><i><i>Issuer name</i></i> See <a>setIssuerName</a>.</li>
--   <li><i><i>Subject name</i></i> See <a>setSubjectName</a>.</li>
--   <li><i><i>Validity</i></i> See <a>setNotBefore</a> and
--   <a>setNotAfter</a>.</li>
--   <li><i><i>Public Key</i></i> See <a>setPublicKey</a>.</li>
--   </ul>
newX509 :: IO X509

-- | <tt><a>compareX509</a> cert1 cert2</tt> compares two certificates.
compareX509 :: X509 -> X509 -> IO Ordering

-- | <tt><a>signX509</a></tt> signs a certificate with an issuer private
--   key.
signX509 :: KeyPair key => X509 -> key -> Maybe Digest -> IO ()

-- | <tt><a>verifyX509</a></tt> verifies a signature of certificate with an
--   issuer public key.
verifyX509 :: PublicKey key => X509 -> key -> IO VerifyStatus

-- | <tt><a>printX509</a> cert</tt> translates a certificate into
--   human-readable format.
printX509 :: X509 -> IO String

-- | <tt><a>getVersion</a> cert</tt> returns the version number of
--   certificate. It seems the number is 0-origin: version 2 means X.509
--   v3.
getVersion :: X509 -> IO Int

-- | <tt><a>setVersion</a> cert ver</tt> updates the version number of
--   certificate.
setVersion :: X509 -> Int -> IO ()

-- | <tt><a>getSerialNumber</a> cert</tt> returns the serial number of
--   certificate.
getSerialNumber :: X509 -> IO Integer

-- | <tt><a>setSerialNumber</a> cert num</tt> updates the serial number of
--   certificate.
setSerialNumber :: X509 -> Integer -> IO ()

-- | <tt><a>getIssuerName</a></tt> returns the issuer name of certificate.
getIssuerName :: X509 -> Bool -> IO [(String, String)]

-- | <tt><a>setIssuerName</a> cert name</tt> updates the issuer name of
--   certificate. Keys of each parts may be of either long form or short
--   form. See <a>getIssuerName</a>.
setIssuerName :: X509 -> [(String, String)] -> IO ()

-- | <tt><a>getSubjectName</a> cert wantLongName</tt> returns the subject
--   name of certificate. See <a>getIssuerName</a>.
getSubjectName :: X509 -> Bool -> IO [(String, String)]

-- | <tt><a>setSubjectName</a> cert name</tt> updates the subject name of
--   certificate. See <a>setIssuerName</a>.
setSubjectName :: X509 -> [(String, String)] -> IO ()

-- | <tt><a>getNotBefore</a> cert</tt> returns the time when the
--   certificate begins to be valid.
getNotBefore :: X509 -> IO UTCTime

-- | <tt><a>setNotBefore</a> cert utc</tt> updates the time when the
--   certificate begins to be valid.
setNotBefore :: X509 -> UTCTime -> IO ()

-- | <tt><a>getNotAfter</a> cert</tt> returns the time when the certificate
--   expires.
getNotAfter :: X509 -> IO UTCTime

-- | <tt><a>setNotAfter</a> cert utc</tt> updates the time when the
--   certificate expires.
setNotAfter :: X509 -> UTCTime -> IO ()

-- | <tt><a>getPublicKey</a> cert</tt> returns the public key of the
--   subject of certificate.
getPublicKey :: X509 -> IO SomePublicKey

-- | <tt><a>setPublicKey</a> cert pubkey</tt> updates the public key of the
--   subject of certificate.
setPublicKey :: PublicKey key => X509 -> key -> IO ()

-- | <tt><a>getSubjectEmail</a> cert</tt> returns every subject email
--   addresses in the certificate.
getSubjectEmail :: X509 -> IO [String]


-- | An interface to PKCS#10 certificate request.
module OpenSSL.X509.Request

-- | <tt><a>X509Req</a></tt> is an opaque object that represents PKCS#10
--   certificate request.
data X509Req

-- | <tt><a>newX509Req</a></tt> creates an empty certificate request. You
--   must set the following properties to and sign it (see
--   <a>signX509Req</a>) to actually use the certificate request.
--   
--   <ul>
--   <li><i><i>Version</i></i> See <a>setVersion</a>.</li>
--   <li><i><i>Subject Name</i></i> See <a>setSubjectName</a>.</li>
--   <li><i><i>Public Key</i></i> See <a>setPublicKey</a>.</li>
--   </ul>
newX509Req :: IO X509Req

-- | <tt><a>signX509Req</a></tt> signs a certificate request with a subject
--   private key.
signX509Req :: KeyPair key => X509Req -> key -> Maybe Digest -> IO ()

-- | <tt><a>verifyX509Req</a></tt> verifies a signature of certificate
--   request with a subject public key.
verifyX509Req :: PublicKey key => X509Req -> key -> IO VerifyStatus

-- | <tt><a>printX509Req</a> req</tt> translates a certificate request into
--   human-readable format.
printX509Req :: X509Req -> IO String

-- | <tt><a>makeX509FromReq</a> req cert</tt> creates an empty X.509
--   certificate and copies as much data from the request as possible. The
--   resulting certificate doesn't have the following data and it isn't
--   signed so you must fill them and sign it yourself.
--   
--   <ul>
--   <li>Serial number</li>
--   <li>Validity (Not Before and Not After)</li>
--   </ul>
--   
--   Example:
--   
--   <pre>
--   import Data.Time.Clock
--   
--   genCert :: X509 -&gt; EvpPKey -&gt; Integer -&gt; Int -&gt; X509Req -&gt; IO X509
--   genCert caCert caKey serial days req
--       = do cert &lt;- makeX509FromReq req caCert
--            now  &lt;- getCurrentTime
--            setSerialNumber cert serial
--            setNotBefore cert $ addUTCTime (-1) now
--            setNotAfter  cert $ addUTCTime (days * 24 * 60 * 60) now
--            signX509 cert caKey Nothing
--            return cert
--   </pre>
makeX509FromReq :: X509Req -> X509 -> IO X509

-- | <tt><a>getVersion</a> req</tt> returns the version number of
--   certificate request.
getVersion :: X509Req -> IO Int

-- | <tt><a>setVersion</a> req ver</tt> updates the version number of
--   certificate request.
setVersion :: X509Req -> Int -> IO ()

-- | <tt><a>getSubjectName</a> req wantLongName</tt> returns the subject
--   name of certificate request. See <a>getSubjectName</a> of
--   <a>OpenSSL.X509</a>.
getSubjectName :: X509Req -> Bool -> IO [(String, String)]

-- | <tt><a>setSubjectName</a> req name</tt> updates the subject name of
--   certificate request. See <a>setSubjectName</a> of <a>OpenSSL.X509</a>.
setSubjectName :: X509Req -> [(String, String)] -> IO ()

-- | <tt><a>getPublicKey</a> req</tt> returns the public key of the subject
--   of certificate request.
getPublicKey :: X509Req -> IO SomePublicKey

-- | <tt><a>setPublicKey</a> req</tt> updates the public key of the subject
--   of certificate request.
setPublicKey :: PublicKey key => X509Req -> key -> IO ()


-- | An interface to Certificate Revocation List.
module OpenSSL.X509.Revocation

-- | <tt><a>CRL</a></tt> is an opaque object that represents Certificate
--   Revocation List.
data CRL

-- | <tt><a>RevokedCertificate</a></tt> represents a revoked certificate in
--   a list. Each certificates are supposed to be distinguishable by issuer
--   name and serial number, so it is sufficient to have only serial number
--   on each entries.
data RevokedCertificate
RevokedCertificate :: Integer -> UTCTime -> RevokedCertificate
[revSerialNumber] :: RevokedCertificate -> Integer
[revRevocationDate] :: RevokedCertificate -> UTCTime

-- | <tt><a>newCRL</a></tt> creates an empty revocation list. You must set
--   the following properties to and sign it (see <a>signCRL</a>) to
--   actually use the revocation list. If you have any certificates to be
--   listed, you must of course add them (see <a>addRevoked</a>) before
--   signing the list.
--   
--   <ul>
--   <li><i><i>Version</i></i> See <a>setVersion</a>.</li>
--   <li><i><i>Last Update</i></i> See <a>setLastUpdate</a>.</li>
--   <li><i><i>Next Update</i></i> See <a>setNextUpdate</a>.</li>
--   <li><i><i>Issuer Name</i></i> See <a>setIssuerName</a>.</li>
--   </ul>
newCRL :: IO CRL

-- | <tt><a>signCRL</a></tt> signs a revocation list with an issuer private
--   key.
signCRL :: KeyPair key => CRL -> key -> Maybe Digest -> IO ()

-- | <tt><a>verifyCRL</a></tt> verifies a signature of revocation list with
--   an issuer public key.
verifyCRL :: PublicKey key => CRL -> key -> IO VerifyStatus

-- | <tt><a>printCRL</a></tt> translates a revocation list into
--   human-readable format.
printCRL :: CRL -> IO String

-- | <tt><a>sortCRL</a> crl</tt> sorts the certificates in the revocation
--   list.
sortCRL :: CRL -> IO ()

-- | <tt><a>getVersion</a> crl</tt> returns the version number of
--   revocation list.
getVersion :: CRL -> IO Int

-- | <tt><a>setVersion</a> crl ver</tt> updates the version number of
--   revocation list.
setVersion :: CRL -> Int -> IO ()

-- | <tt><a>getLastUpdate</a> crl</tt> returns the time when the revocation
--   list has last been updated.
getLastUpdate :: CRL -> IO UTCTime

-- | <tt><a>setLastUpdate</a> crl utc</tt> updates the time when the
--   revocation list has last been updated.
setLastUpdate :: CRL -> UTCTime -> IO ()

-- | <tt><a>getNextUpdate</a> crl</tt> returns the time when the revocation
--   list will next be updated.
getNextUpdate :: CRL -> IO UTCTime

-- | <tt><a>setNextUpdate</a> crl utc</tt> updates the time when the
--   revocation list will next be updated.
setNextUpdate :: CRL -> UTCTime -> IO ()

-- | <tt><a>getIssuerName</a> crl wantLongName</tt> returns the issuer name
--   of revocation list. See <a>getIssuerName</a> of <a>OpenSSL.X509</a>.
getIssuerName :: CRL -> Bool -> IO [(String, String)]

-- | <tt><a>setIssuerName</a> crl name</tt> updates the issuer name of
--   revocation list. See <a>setIssuerName</a> of <a>OpenSSL.X509</a>.
setIssuerName :: CRL -> [(String, String)] -> IO ()

-- | <tt><a>getRevokedList</a> crl</tt> returns the list of revoked
--   certificates.
getRevokedList :: CRL -> IO [RevokedCertificate]

-- | <tt><a>addRevoked</a> crl revoked</tt> add the certificate to the
--   revocation list.
addRevoked :: CRL -> RevokedCertificate -> IO ()

-- | <tt><a>getRevoked</a> crl serial</tt> looks up the corresponding
--   revocation.
getRevoked :: CRL -> Integer -> IO (Maybe RevokedCertificate)
instance GHC.Classes.Eq OpenSSL.X509.Revocation.RevokedCertificate
instance GHC.Show.Show OpenSSL.X509.Revocation.RevokedCertificate


-- | An interface to X.509 certificate store.
module OpenSSL.X509.Store

-- | <tt><a>X509Store</a></tt> is an opaque object that represents X.509
--   certificate store. The certificate store is usually used for chain
--   verification.
data X509Store

-- | <tt><a>newX509Store</a></tt> creates an empty X.509 certificate store.
newX509Store :: IO X509Store

-- | <tt><a>addCertToStore</a> store cert</tt> adds a certificate to store.
addCertToStore :: X509Store -> X509 -> IO ()

-- | <tt><a>addCRLToStore</a> store crl</tt> adds a revocation list to
--   store.
addCRLToStore :: X509Store -> CRL -> IO ()


-- | An interface to PKCS#7 structure and S/MIME message.
module OpenSSL.PKCS7

-- | <tt><a>Pkcs7</a></tt> represents an abstract PKCS#7 structure. The
--   concrete type of structure is hidden in the object: such polymorphism
--   isn't very haskellish but please get it out of your mind since OpenSSL
--   is written in C.
data Pkcs7

-- | <tt><a>Pkcs7Flag</a></tt> is a set of flags that are used in many
--   operations related to PKCS#7.
data Pkcs7Flag
Pkcs7Text :: Pkcs7Flag
Pkcs7NoCerts :: Pkcs7Flag
Pkcs7NoSigs :: Pkcs7Flag
Pkcs7NoChain :: Pkcs7Flag
Pkcs7NoIntern :: Pkcs7Flag
Pkcs7NoVerify :: Pkcs7Flag
Pkcs7Detached :: Pkcs7Flag
Pkcs7Binary :: Pkcs7Flag
Pkcs7NoAttr :: Pkcs7Flag
Pkcs7NoSmimeCap :: Pkcs7Flag
Pkcs7NoOldMimeType :: Pkcs7Flag
Pkcs7CRLFEOL :: Pkcs7Flag

-- | <tt><a>Pkcs7VerifyStatus</a></tt> represents a result of PKCS#7
--   verification. See <a>pkcs7Verify</a>.
data Pkcs7VerifyStatus

-- | Nothing if the PKCS#7 signature was a detached signature, and <tt>Just
--   content</tt> if it wasn't.
Pkcs7VerifySuccess :: (Maybe String) -> Pkcs7VerifyStatus
Pkcs7VerifyFailure :: Pkcs7VerifyStatus

-- | <tt><a>pkcs7Sign</a></tt> creates a PKCS#7 signedData structure.
pkcs7Sign :: KeyPair key => X509 -> key -> [X509] -> String -> [Pkcs7Flag] -> IO Pkcs7

-- | <tt><a>pkcs7Verify</a></tt> verifies a PKCS#7 signedData structure.
pkcs7Verify :: Pkcs7 -> [X509] -> X509Store -> Maybe String -> [Pkcs7Flag] -> IO Pkcs7VerifyStatus

-- | <tt><a>pkcs7Encrypt</a></tt> creates a PKCS#7 envelopedData structure.
pkcs7Encrypt :: [X509] -> String -> Cipher -> [Pkcs7Flag] -> IO Pkcs7

-- | <tt><a>pkcs7Decrypt</a></tt> decrypts content from PKCS#7
--   envelopedData structure.
pkcs7Decrypt :: KeyPair key => Pkcs7 -> key -> X509 -> [Pkcs7Flag] -> IO String

-- | <tt><a>writeSmime</a></tt> writes PKCS#7 structure to S/MIME message.
writeSmime :: Pkcs7 -> Maybe String -> [Pkcs7Flag] -> IO String

-- | <tt><a>readSmime</a></tt> parses S/MIME message.
readSmime :: String -> IO (Pkcs7, Maybe String)
instance GHC.Classes.Eq OpenSSL.PKCS7.Pkcs7VerifyStatus
instance GHC.Show.Show OpenSSL.PKCS7.Pkcs7VerifyStatus
instance GHC.Classes.Eq OpenSSL.PKCS7.Pkcs7Flag
instance GHC.Show.Show OpenSSL.PKCS7.Pkcs7Flag


-- | An interface to PEM routines.
module OpenSSL.PEM

-- | <tt><a>PemPasswordCallback</a></tt> represents a callback function to
--   supply a password.
--   
--   <ul>
--   <li><i><tt>Int</tt></i> The maximum length of the password to be
--   accepted.</li>
--   <li><i><tt>PemPasswordRWState</tt></i> The context.</li>
--   <li><i><tt>IO String</tt></i> The resulting password.</li>
--   </ul>
type PemPasswordCallback = Int -> PemPasswordRWState -> IO String

-- | <tt><a>PemPasswordRWState</a></tt> represents a context of
--   <a>PemPasswordCallback</a>.
data PemPasswordRWState

-- | The callback was called to get a password to read something encrypted.
PwRead :: PemPasswordRWState

-- | The callback was called to get a password to encrypt something.
PwWrite :: PemPasswordRWState

-- | <tt><a>PemPasswordSupply</a></tt> represents a way to supply password.
--   
--   FIXME: using PwTTY causes an error but I don't know why:
--   "error:0906406D:PEM routines:DEF_CALLBACK:problems getting password"
data PemPasswordSupply

-- | no password
PwNone :: PemPasswordSupply

-- | password in a static string
PwStr :: String -> PemPasswordSupply

-- | password in a static bytestring.
PwBS :: ByteString -> PemPasswordSupply

-- | get a password by a callback
PwCallback :: PemPasswordCallback -> PemPasswordSupply

-- | read a password from TTY
PwTTY :: PemPasswordSupply

-- | <tt><a>writePKCS8PrivateKey</a></tt> writes a private key to PEM
--   string in PKCS#8 format.
writePKCS8PrivateKey :: KeyPair key => key -> Maybe (Cipher, PemPasswordSupply) -> IO String

-- | <tt><a>readPrivateKey</a> pem supply</tt> reads a private key in PEM
--   string.
readPrivateKey :: String -> PemPasswordSupply -> IO SomeKeyPair

-- | <tt><a>writePublicKey</a> pubkey</tt> writes a public to PEM string.
writePublicKey :: PublicKey key => key -> IO String

-- | <tt><a>readPublicKey</a> pem</tt> reads a public key in PEM string.
readPublicKey :: String -> IO SomePublicKey

-- | <tt><a>writeX509</a> cert</tt> writes an X.509 certificate to PEM
--   string.
writeX509 :: X509 -> IO String

-- | <tt><a>readX509</a> pem</tt> reads an X.509 certificate in PEM string.
readX509 :: String -> IO X509

-- | <tt><a>PemX509ReqFormat</a></tt> represents format of PKCS#10
--   certificate request.
data PemX509ReqFormat

-- | The new format, whose header is "NEW CERTIFICATE REQUEST".
ReqNewFormat :: PemX509ReqFormat

-- | The old format, whose header is "CERTIFICATE REQUEST".
ReqOldFormat :: PemX509ReqFormat

-- | <tt><a>writeX509Req</a></tt> writes a PKCS#10 certificate request to
--   PEM string.
writeX509Req :: X509Req -> PemX509ReqFormat -> IO String

-- | <tt><a>readX509Req</a></tt> reads a PKCS#10 certificate request in PEM
--   string.
readX509Req :: String -> IO X509Req

-- | <tt><a>writeCRL</a> crl</tt> writes a Certificate Revocation List to
--   PEM string.
writeCRL :: CRL -> IO String

-- | <tt><a>readCRL</a> pem</tt> reads a Certificate Revocation List in PEM
--   string.
readCRL :: String -> IO CRL

-- | <tt><a>writePkcs7</a> p7</tt> writes a PKCS#7 structure to PEM string.
writePkcs7 :: Pkcs7 -> IO String

-- | <tt><a>readPkcs7</a> pem</tt> reads a PKCS#7 structure in PEM string.
readPkcs7 :: String -> IO Pkcs7

-- | <tt><a>writeDHParams</a> dh</tt> writes DH parameters to PEM string.
writeDHParams :: DHP -> IO String

-- | <tt><a>readDHParams</a> pem</tt> reads DH parameters in PEM string.
readDHParams :: String -> IO DHP


-- | Functions for handling SSL connections. These functions use GHC
--   specific calls to cooperative the with the scheduler so that
--   <tt>blocking</tt> functions only actually block the Haskell thread,
--   not a whole OS thread.
module OpenSSL.Session

-- | An SSL context. Contexts carry configuration such as a server's
--   private key, root CA certiifcates etc. Contexts are stateful IO
--   objects; they start empty and various options are set on them by the
--   functions in this module. Note that an empty context will pretty much
--   cause any operation to fail since it doesn't even have any ciphers
--   enabled.
data SSLContext

-- | Create a new SSL context.
context :: IO SSLContext

-- | Add a protocol option to the context.
contextAddOption :: SSLContext -> SSLOption -> IO ()

-- | Remove a protocol option from the context.
contextRemoveOption :: SSLContext -> SSLOption -> IO ()

-- | Install a private key into a context.
contextSetPrivateKey :: KeyPair k => SSLContext -> k -> IO ()

-- | Install a certificate (public key) into a context.
contextSetCertificate :: SSLContext -> X509 -> IO ()

-- | Install a private key file in a context. The key is given as a path to
--   the file which contains the key. The file is parsed first as PEM and,
--   if that fails, as ASN1. If both fail, an exception is raised.
contextSetPrivateKeyFile :: SSLContext -> FilePath -> IO ()

-- | Install a certificate (public key) file in a context. The key is given
--   as a path to the file which contains the key. The file is parsed first
--   as PEM and, if that fails, as ASN1. If both fail, an exception is
--   raised.
contextSetCertificateFile :: SSLContext -> FilePath -> IO ()

-- | Install a certificate chain in a context. The certificates must be in
--   PEM format and must be sorted starting with the subject's certificate
--   (actual client or server certificate), followed by intermediate CA
--   certificates if applicable, and ending at the highest level (root) CA.
contextSetCertificateChainFile :: SSLContext -> FilePath -> IO ()

-- | Set the ciphers to be used by the given context. The string argument
--   is a list of ciphers, comma separated, as given at
--   <a>http://www.openssl.org/docs/apps/ciphers.html</a>
--   
--   Unrecognised ciphers are ignored. If no ciphers from the list are
--   recognised, an exception is raised.
contextSetCiphers :: SSLContext -> String -> IO ()
contextSetDefaultCiphers :: SSLContext -> IO ()

-- | Return true iff the private key installed in the given context matches
--   the certificate also installed.
contextCheckPrivateKey :: SSLContext -> IO Bool

-- | See <a>http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html</a>
data VerificationMode
VerifyNone :: VerificationMode
VerifyPeer :: Bool -> Bool -> Maybe (Bool -> X509StoreCtx -> IO Bool) -> VerificationMode

-- | is a certificate required
[vpFailIfNoPeerCert] :: VerificationMode -> Bool

-- | only request once per connection
[vpClientOnce] :: VerificationMode -> Bool

-- | optional callback
[vpCallback] :: VerificationMode -> Maybe (Bool -> X509StoreCtx -> IO Bool)
contextSetVerificationMode :: SSLContext -> VerificationMode -> IO ()

-- | Set the location of a PEM encoded list of CA certificates to be used
--   when verifying a server's certificate
contextSetCAFile :: SSLContext -> FilePath -> IO ()

-- | Set the path to a directory which contains the PEM encoded CA root
--   certificates. This is an alternative to <a>contextSetCAFile</a>. See
--   <a>http://www.openssl.org/docs/ssl/SSL_CTX_load_verify_locations.html</a>
--   for details of the file naming scheme
contextSetCADirectory :: SSLContext -> FilePath -> IO ()

-- | Get a reference to, not a copy of, the X.509 certificate storage in
--   the SSL context.
contextGetCAStore :: SSLContext -> IO X509Store

-- | This is the type of an SSL connection
--   
--   IO with SSL objects is non-blocking and many SSL functions return a
--   error code which signifies that it needs to read or write more data.
--   We handle these calls and call threadWaitRead and threadWaitWrite at
--   the correct times. Thus multiple OS threads can be <tt>blocked</tt>
--   inside IO in the same SSL object at a time, because they aren't really
--   in the SSL object, they are waiting for the RTS to wake the Haskell
--   thread.
data SSL

-- | This is the type of an SSL IO operation. Errors are handled by
--   exceptions while everything else is one of these. Note that reading
--   from an SSL socket can result in WantWrite and vice versa.
data SSLResult a

-- | operation finished successfully
SSLDone :: a -> SSLResult a

-- | needs more data from the network
WantRead :: SSLResult a

-- | needs more outgoing buffer space
WantWrite :: SSLResult a

-- | Wrap a Socket in an SSL connection. Reading and writing to the Socket
--   after this will cause weird errors in the SSL code. The SSL object
--   carries a handle to the Socket so you need not worry about the garbage
--   collector closing the file descriptor out from under you.
connection :: SSLContext -> Socket -> IO SSL

-- | Wrap a socket Fd in an SSL connection.
fdConnection :: SSLContext -> Fd -> IO SSL

-- | Add a protocol option to the SSL connection.
addOption :: SSL -> SSLOption -> IO ()

-- | Remove a protocol option from the SSL connection.
removeOption :: SSL -> SSLOption -> IO ()

-- | Perform an SSL server handshake
accept :: SSL -> IO ()

-- | Try to perform an SSL server handshake without blocking
tryAccept :: SSL -> IO (SSLResult ())

-- | Perform an SSL client handshake
connect :: SSL -> IO ()

-- | Try to perform an SSL client handshake without blocking
tryConnect :: SSL -> IO (SSLResult ())

-- | Try to read the given number of bytes from an SSL connection. On EOF
--   an empty ByteString is returned. If the connection dies without a
--   graceful SSL shutdown, an exception is raised.
read :: SSL -> Int -> IO ByteString

-- | Try to read the given number of bytes from an SSL connection without
--   blocking.
tryRead :: SSL -> Int -> IO (SSLResult ByteString)

-- | Read some data into a raw pointer buffer. Retrns the number of bytes
--   read.
readPtr :: SSL -> Ptr a -> Int -> IO Int

-- | Try to read some data into a raw pointer buffer, without blocking.
tryReadPtr :: SSL -> Ptr a -> Int -> IO (SSLResult Int)

-- | Write a given ByteString to the SSL connection. Either all the data is
--   written or an exception is raised because of an error.
write :: SSL -> ByteString -> IO ()

-- | Try to write a given ByteString to the SSL connection without
--   blocking.
tryWrite :: SSL -> ByteString -> IO (SSLResult ())

-- | Send some data from a raw pointer buffer.
writePtr :: SSL -> Ptr a -> Int -> IO ()

-- | Send some data from a raw pointer buffer, without blocking.
tryWritePtr :: SSL -> Ptr a -> Int -> IO (SSLResult ())

-- | Lazily read all data until reaching EOF. If the connection dies
--   without a graceful SSL shutdown, an exception is raised.
lazyRead :: SSL -> IO ByteString

-- | Write a lazy ByteString to the SSL connection. In contrast to
--   <a>write</a>, there is a chance that the string is written partway and
--   then an exception is raised for an error. The string doesn't
--   necessarily have to be finite.
lazyWrite :: SSL -> ByteString -> IO ()

-- | Cleanly shutdown an SSL connection. Note that SSL has a concept of a
--   secure shutdown, which is distinct from just closing the TCP
--   connection. This performs the former and should always be preferred.
--   
--   This can either just send a shutdown, or can send and wait for the
--   peer's shutdown message.
shutdown :: SSL -> ShutdownType -> IO ()

-- | Try to cleanly shutdown an SSL connection without blocking.
tryShutdown :: SSL -> ShutdownType -> IO (SSLResult ())
data ShutdownType

-- | wait for the peer to also shutdown
Bidirectional :: ShutdownType

-- | only send our shutdown
Unidirectional :: ShutdownType

-- | After a successful connection, get the certificate of the other party.
--   If this is a server connection, you probably won't get a certificate
--   unless you asked for it with contextSetVerificationMode
getPeerCertificate :: SSL -> IO (Maybe X509)

-- | Get the result of verifing the peer's certificate. This is mostly for
--   clients to verify the certificate of the server that they have
--   connected it. You must set a list of root CA certificates with
--   contextSetCA... for this to make sense.
--   
--   Note that this returns True iff the peer's certificate has a valid
--   chain to a root CA. You also need to check that the certificate is
--   correct (i.e. has the correct hostname in it) with getPeerCertificate.
getVerifyResult :: SSL -> IO Bool

-- | Get the socket underlying an SSL connection
sslSocket :: SSL -> Maybe Socket

-- | Get the underlying socket Fd
sslFd :: SSL -> Fd

-- | The behaviour of the SSL library can be changed by setting several
--   options. During a handshake, the option settings of the <a>SSL</a>
--   object are used. When a new <a>SSL</a> object is created from a
--   <a>SSLContext</a>, the current option setting is copied. Changes to
--   <a>SSLContext</a> do not affect already created <a>SSL</a> objects.
data SSLOption

-- | As of OpenSSL 1.0.0 this option has no effect.
SSL_OP_MICROSOFT_SESS_ID_BUG :: SSLOption

-- | As of OpenSSL 1.0.0 this option has no effect.
SSL_OP_NETSCAPE_CHALLENGE_BUG :: SSLOption

-- | As of OpenSSL 0.9.8q and 1.0.0c, this option has no effect.
SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG :: SSLOption
SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG :: SSLOption
SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER :: SSLOption

-- | Don't prefer ECDHE-ECDSA ciphers when the client appears to be Safari
--   on OS X. OS X 10.8..10.8.3 has broken support for ECDHE-ECDSA ciphers.
SSL_OP_SAFARI_ECDHE_ECDSA_BUG :: SSLOption
SSL_OP_SSLEAY_080_CLIENT_DH_BUG :: SSLOption
SSL_OP_TLS_D5_BUG :: SSLOption
SSL_OP_TLS_BLOCK_PADDING_BUG :: SSLOption

-- | Disables a countermeasure against a SSL 3.0/TLS 1.0 protocol
--   vulnerability affecting CBC ciphers, which cannot be handled by some
--   broken SSL implementations. This option has no effect for connections
--   using other ciphers.
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS :: SSLOption

-- | Adds a padding extension to ensure the ClientHello size is never
--   between 256 and 511 bytes in length. This is needed as a workaround
--   for some implementations.
SSL_OP_TLSEXT_PADDING :: SSLOption

-- | All of the above bug workarounds.
SSL_OP_ALL :: SSLOption

-- | Disable version rollback attack detection.
--   
--   During the client key exchange, the client must send the same
--   information about acceptable SSL/TLS protocol levels as during the
--   first hello. Some clients violate this rule by adapting to the
--   server's answer. (Example: the client sends a SSLv2 hello and accepts
--   up to SSLv3.1=TLSv1, the server only understands up to SSLv3. In this
--   case the client must still use the same SSLv3.1=TLSv1 announcement.
--   Some clients step down to SSLv3 with respect to the server's answer
--   and violate the version rollback protection.)
SSL_OP_TLS_ROLLBACK_BUG :: SSLOption

-- | Always create a new key when using temporary/ephemeral DH parameters.
--   This option must be used to prevent small subgroup attacks, when the
--   DH parameters were not generated using "strong" primes (e.g. when
--   using DSA-parameters). If "strong" primes were used, it is not
--   strictly necessary to generate a new DH key during each handshake but
--   it is also recommended. <a>SSL_OP_SINGLE_DH_USE</a> should therefore
--   be enabled whenever temporary/ephemeral DH parameters are used.
SSL_OP_SINGLE_DH_USE :: SSLOption

-- | Always use ephemeral (temporary) RSA key when doing RSA operations.
--   According to the specifications this is only done, when a RSA key can
--   only be used for signature operations (namely under export ciphers
--   with restricted RSA keylength). By setting this option, ephemeral RSA
--   keys are always used. This option breaks compatibility with the
--   SSL/TLS specifications and may lead to interoperability problems with
--   clients and should therefore never be used. Ciphers with DHE
--   (ephemeral Diffie-Hellman) key exchange should be used instead.
SSL_OP_EPHEMERAL_RSA :: SSLOption

-- | When choosing a cipher, use the server's preferences instead of the
--   client preferences. When not set, the SSL server will always follow
--   the clients preferences. When set, the SSLv3/TLSv1 server will choose
--   following its own preferences. Because of the different protocol, for
--   SSLv2 the server will send its list of preferences to the client and
--   the client chooses.
SSL_OP_CIPHER_SERVER_PREFERENCE :: SSLOption
SSL_OP_PKCS1_CHECK_1 :: SSLOption
SSL_OP_PKCS1_CHECK_2 :: SSLOption

-- | If we accept a netscape connection, demand a client cert, have a
--   non-self-signed CA which does not have its CA in netscape, and the
--   browser has a cert, it will crash/hang. Works for 3.x and 4.xbeta
SSL_OP_NETSCAPE_CA_DN_BUG :: SSLOption
SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG :: SSLOption

-- | Do not use the SSLv2 protocol.
SSL_OP_NO_SSLv2 :: SSLOption

-- | Do not use the SSLv3 protocol.
SSL_OP_NO_SSLv3 :: SSLOption

-- | Do not use the TLSv1 protocol.
SSL_OP_NO_TLSv1 :: SSLOption

-- | When performing renegotiation as a server, always start a new session
--   (i.e., session resumption requests are only accepted in the initial
--   handshake). This option is not needed for clients.
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION :: SSLOption

-- | Normally clients and servers will, where possible, transparently make
--   use of <a>RFC 4507</a> tickets for stateless session resumption.
--   
--   If this option is set this functionality is disabled and tickets will
--   not be used by clients or servers.
SSL_OP_NO_TICKET :: SSLOption

-- | Allow legacy insecure renegotiation between OpenSSL and unpatched
--   clients or servers. See <a>SECURE RENEGOTIATION</a> for more details.
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION :: SSLOption

-- | Allow legacy insecure renegotiation between OpenSSL and unpatched
--   servers _only_. See <a>SECURE RENEGOTIATION</a> for more details.
SSL_OP_LEGACY_SERVER_CONNECT :: SSLOption

-- | The root exception type for all SSL exceptions.
data SomeSSLException

-- | The peer uncleanly terminated the connection without sending the
--   "close notify" alert.
data ConnectionAbruptlyTerminated

-- | A failure in the SSL library occurred, usually a protocol error.
data ProtocolError
ProtocolError :: !String -> ProtocolError
instance GHC.Classes.Eq OpenSSL.Session.ProtocolError
instance GHC.Show.Show OpenSSL.Session.ProtocolError
instance GHC.Classes.Eq OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Show.Show OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Show.Show OpenSSL.Session.ShutdownType
instance GHC.Classes.Eq OpenSSL.Session.ShutdownType
instance Data.Traversable.Traversable OpenSSL.Session.SSLResult
instance Data.Foldable.Foldable OpenSSL.Session.SSLResult
instance GHC.Base.Functor OpenSSL.Session.SSLResult
instance GHC.Show.Show a => GHC.Show.Show (OpenSSL.Session.SSLResult a)
instance GHC.Classes.Eq a => GHC.Classes.Eq (OpenSSL.Session.SSLResult a)
instance GHC.Show.Show OpenSSL.Session.SomeSSLException
instance GHC.Exception.Exception OpenSSL.Session.SomeSSLException
instance GHC.Exception.Exception OpenSSL.Session.ConnectionAbruptlyTerminated
instance GHC.Exception.Exception OpenSSL.Session.ProtocolError


-- | HsOpenSSL is an OpenSSL binding for Haskell. It can generate RSA and
--   DSA keys, read and write PEM files, generate message digests, sign and
--   verify messages, encrypt and decrypt messages.
--   
--   Please note that this project has started at the time when there were
--   no pure-Haskell implementations of TLS. Now there is tls package
--   (<a>http://hackage.haskell.org/package/tls</a>), which looks pretty
--   saner than HsOpenSSL especially for initialisation and error
--   handlings. So PHO (the initial author of HsOpenSSL) wants to encourage
--   you to use and improve the tls package instead as long as possible.
--   The only problem is that the tls package has not received as much
--   review as OpenSSL from cryptography specialists yet, thus we can't
--   assume it's secure enough.
--   
--   Features that aren't (yet) supported:
--   
--   <ul>
--   <li><i><i>SSL network connection</i></i> ssl(3) functionalities aren't
--   fully covered yet. See <a>OpenSSL.Session</a>.</li>
--   <li><i><i>Complete coverage of Low-level API to symmetric
--   ciphers</i></i> Only high-level APIs (EVP and BIO) are fully
--   available. But I believe no one will be lost without functions like
--   <tt>DES_set_odd_parity</tt>.</li>
--   <li><i><i>Low-level API to asymmetric ciphers</i></i> Only a
--   high-level API (EVP) is available. But I believe no one will complain
--   about the absence of functions like <tt>RSA_public_encrypt</tt>.</li>
--   <li><i><i>X.509 v3 extension handling</i></i> It should be supported
--   in the future.</li>
--   <li><i><i>Low-level API to message digest functions</i></i> Just use
--   EVP instead of something like <tt>MD5_Update</tt>.</li>
--   <li><i><i>API to PKCS#12 functionality</i></i> It should be covered
--   someday.</li>
--   <li><i><i>BIO</i></i> BIO isn't needed because we are Haskell hackers.
--   Though HsOpenSSL itself uses BIO internally.</li>
--   <li><i><i>ENGINE cryptographic module</i></i> The default
--   implementations work very well, don't they?</li>
--   </ul>
module OpenSSL

-- | Computation of <tt><a>withOpenSSL</a> action</tt> initializes the
--   OpenSSL library as necessary, and computes <tt>action</tt>. Every
--   application that uses HsOpenSSL must wrap any operations involving
--   OpenSSL with <a>withOpenSSL</a>, or they might crash:
--   
--   <pre>
--   module Main where
--   import OpenSSL
--   
--   main :: IO ()
--   main = withOpenSSL $
--          do ...
--   </pre>
--   
--   Since 0.10.3.5, <a>withOpenSSL</a> is safe to be applied redundantly.
--   Library authors may wish to wrap their functions not to force their
--   users to think about initialization:
--   
--   <pre>
--   get :: URI -&gt; IO Response
--   get uri = withOpenSSL $ internalImplementationOfGet uri
--   </pre>
withOpenSSL :: IO a -> IO a
libghc-hsopenssl-doc 0.11.1.1-2 / usr / share / doc / libghc-hsopenssl-doc / html / HsOpenSSL.txt
