Skip to content
/ fernet-hs Public

Haskell library to generate and verify "Fernet" HMAC-based authentication tokens.

License

Notifications You must be signed in to change notification settings

rvl/fernet-hs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
Mar 21, 2017
Mar 19, 2017
Mar 22, 2017
Oct 11, 2024
Mar 20, 2017
Mar 19, 2017
Mar 20, 2017
Mar 22, 2017
Mar 19, 2017
Mar 21, 2017
Mar 19, 2017
Oct 11, 2024
Mar 20, 2017

Repository files navigation

Fernet Haskell Implementation

Build Status Hackage

Fernet generates and verifies HMAC-based authentication tokens.

Originally designed for use within OpenStack clusters, it was intended to be fast and light-weight, with non-persistent tokens. Integrity and confidentiality of the token contents are implemented with HMAC SHA256 and AES128 CBC.

See the Fernet Spec for a little more information.

Usage

To encrypt a token:

>>> import Network.Fernet
>>> k <- generateKey
>>> keyToBase64 k
"JQAeL3iFN9wIW_hMKiIzA1EiG_EZNivnMPBOOJn2wZc="
>>> token <- encrypt k "secret text"
>>> print token
"gAAAAABY0H9kx7ihkcj6ZF_bQ73Lvc7aG-ZlEtjx24io-DQy5tCjLbq1JvVY27uAe6BuwG8css-4LDIywOJRyY_zetq7aLPPag=="

The resulting token can be distributed to clients. To check and decrypt the token, use the same key:

>>> decrypt k 60 token
Right "secret text"

Do read the Network.Fernet module documentation for further information.

Command-line tool

This package also includes a command-line tool for encrypting and decrypting tokens.

Fernet Utility

Usage: fernet (((-k|--key STRING) | --key-file FILENAME) ([-e|--encrypt] |
              [-d|--decrypt]) [--ttl SECONDS] | (-g|--gen-key))
  Encrypts/decrypts Fernet tokens. One token written to stdout for each line
  read from stdin. Use --gen-key to make a key.

Available options:
  -h,--help                Show this help text
  -k,--key STRING          Base64-urlsafe-encoded 32 byte encryption key
  --key-file FILENAME      File containing the encryption key
  -e,--encrypt             Encryption mode (default: autodetect)
  -d,--decrypt             Decryption mode (default: autodetect)
  --ttl SECONDS            Token lifetime in seconds (default: 1 minute)
  -g,--gen-key             Generate a key from the password on standard input

Development

Building with Stack

stack build

Building with Nix

nix-shell -p cabal2nix --command "cabal2nix --shell . > default.nix"
nix-shell --command "cabal configure"
cabal build

Better & Cooler Stuff

You might also be interested in hsoz.