Crypto

This module gives access to various cryptographic functions provided by the Web Crypto API.

In addition to supporting generating random values and UUIDs, this module supports the following algorithms and operations:

All of the above algorithms also have appropriate key generation, import, and export functions.

Secure Context

Many functions in this module must be run in a secure context to operate safely and correctly. Before you use any functions, it's likely that you'll need to obtain and store the SecureContext value in your model.

type SecureContext

Represents the platform being considered secure. This type can be generated using the getSecureContext function and is required for some functions to be run in this package.
getSecureContext : Task {} SecureContext

A Task that succeeds with SecureContext if the code is being run in a secure context. If this Task fails, most of the functions within this module will not be able to run.

While running this function on the node platform, it should succeed unless you are running a version of node that does not support the Web Crypto APIs.

While running this function on the browser platform, it will succeed if the application being run is considered as being in a secure context.

Generate Random Values

Generate random values of 8, 16, or 32 bits long (signed and unsigned).

All functions for generating random values take an Int as the single parameter. This value is clamped to a minimum of 0 and a maximum of however many values can be generated.

The maximum number of values that can be generated depends on the amount of bytes the values you're generating are. 65536 is the maximum number of bytes that can be generated. For example, when using getRandomInt16Values, each value is 16 bits (or 2 bytes), so the maximum number of values that getRandomInt16Values can generate is 32768 values.

getRandomInt8Values : Int -> Task x Bytes

Get some Bytes of random, signed, 8-bit values equal to the length of the passed Int with a maximum of 65536 values.
getRandomUInt8Values : Int -> Task x Bytes

Get some Bytes of random, unsigned, 8-bit values equal to the length of the passed Int with a maximum of 65536 values.
getRandomInt16Values : Int -> Task x Bytes

Get some Bytes of random, signed, 16-bit values equal to the length of the passed Int. with a maximum of 32768 values.
getRandomUInt16Values : Int -> Task x Bytes

Get some Bytes of random, unsigned, 16-bit values equal to the length of the passed Int. with a maximum of 32768 values.
getRandomInt32Values : Int -> Task x Bytes

Get some Bytes of random, signed, 32-bit values equal to the length of the passed Int with a maximum of 16384 values.
getRandomUInt32Values : Int -> Task x Bytes

Get some Bytes of random, unsigned, 32-bit values equal to the length of the passed Int with a maximum of 16384 values.

Generate Random UUIDs

randomUuidV4 : SecureContext -> Task x String

Generate a random UUID using the UUID v4 algorithm.

Encryption & Decryption

Encrypt and decrypt values. Each operation requires a specific key for the algorithm being used. You can learn more about key generation in the "Key Generation" section of this module.

Encrypt & decrypt with the RSA-OAEP algorithm

Encrypt and decrypt Bytes with the RSA-OAEP (Rivest-Shamir-Adleman Optimal Asymmetric Encryption Padding) algorithm. These functions require an RSA-OAEP key pair. You can generate one with the generateRsaOaepKeyPair function.

type alias RsaOaepParams = { label : Maybe Bytes }

The parameters needed to encrypt or decrypt with the RSA-OAEP algorithm. There's only one parameter: a label consisting of some Bytes. The label is completely optional and passing Nothing will not make the operation less secure.
encryptWithRsaOaep :
RsaOaepParams
-> PublicKey RsaOaepKey RsaKeyParams
-> Bytes
-> Task x Bytes

Encrypt some Bytes with a PublicKey RsaOaepKey. You can generate the apporpriate key with the generateRsaOaepKeyPair function.
type RsaOaepDecryptionError
= RsaOaepDecryptionError

Errors that can happen when decrypting Bytes using the decryptWithRsaOaep function. There are two cases where the function can fail:

  • The label used to encrypt the data does not match the label used when decrypting the data
  • The decryption algorithm fails due to the passed Bytes not being suitable for decryption (for whatever reason)
decryptWithRsaOaep :
RsaOaepParams
-> PrivateKey RsaOaepKey RsaKeyParams
-> Bytes
-> Task RsaOaepDecryptionError Bytes

Decrypt some Bytes with a PrivateKey RsaOaepKey. You can generate the apporpriate key with the generateRsaOaepKeyPair function.

Encrypt & decrypt with the AES-CTR algorithm

Encrypt and decrypt Bytes with the AES-CTR (Advanced Encryption Standard - Counter Mode) algorithm. These functions require an AES-CTR key. You can generate one with the generateAesCtrKey function.

type alias AesCtrParams = { counter : Bytes, length : Int }

Required paramaters to encrypt and decrypt values with the AES-CTR algorithm.

  • counter must be exactly 16 bytes, or else encryption and decryption will fail.
  • length must be between 1 and 128. If provided an Int that is below or above that range, it will be clamped to prevent the operation from failing.
type AesCtrEncryptionError
= AesCtrEncryptionError
| AesCtrEncryptionErrorCounterTooLong

Errors that can happen when encrypting using the encryptWithAesCtr function. There are two cases where this function can fail:

  • When the passed counter in AesCtrParams is greater or less than than the required 16 bytes. This is captured by AesCtrEncryptionErrorCounterTooLong.
  • Any unknown or unexpected errors are captured with AesCtrEncryptionError.
encryptWithAesCtr :
AesCtrParams
-> Key AesCtrKey AesKeyParams
-> Bytes
-> Task AesCtrEncryptionError Bytes

Encrypt some Bytes with a Key AesCtrKey. You can generate the apporpriate key with the generateAesCtrKey function.
type AesCtrDecryptionError
= AesCtrDecryptionError
| AesCtrDecryptionErrorCounterTooLong

Errors that can happen when decrypting Bytes using the decryptWithAesCtr function. There are a few cases where this function can fail:

  • The passed Bytes are unable to be decrypted for whatever reason. This is captured by AesCtrDecryptionError.
  • When the passed counter in AesCtrParams is greater or less than than the required 16 bytes. This is captured by AesCtrDecryptionErrorCounterTooLong
  • Any unknown or unexpected errors are captured by AesCtrDecryptionError.
decryptWithAesCtr :
AesCtrParams
-> Key AesCtrKey AesKeyParams
-> Bytes
-> Task AesCtrDecryptionError Bytes

Decrypt some Bytes with a Key AesCtrKey. You can generate the apporpriate key with the generateAesCtrKey function.

Encrypt & decrypt with the AES-CBC algorithm

Encrypt and decrypt Bytes with the AES-CBC (Advanced Encryption Standard - Cipher Block Chaining) algorithm. These functions require an AES-CBC key. You can generate one with the generateAesCbcKey function.

type alias AesCbcParams = { iv : Bytes }

Required paramaters to encrypt and decrypt values with the AES-CBC algorithm.

  • iv should be exactly 16 bytes. These bytes should be random, but do not need to be secret.
type AesCbcEncryptionError
= AesCbcEncryptionErrorIvTooLong
| AesCbcEncryptionError

Errors that can happen when encrypting Bytes using the encryptWithAesCbc function. There are a few cases where this function can fail:

  • The passed Bytes are unable to be decrypted for whatever reason. This is captured by AesCbcDecryptionError.
  • When the passed iv in AesCtrParams is greater or less than than the required 16 bytes. This is captured by AesCbcEncryptionErrorIvTooLong
  • Any unknown or unexpected errors are captured by AesCbcDecryptionError.
encryptWithAesCbc :
AesCbcParams
-> Key AesCbcKey AesKeyParams
-> Bytes
-> Task AesCbcEncryptionError Bytes

Encrypt some Bytes with a Key AesCbcKey. You can generate the apporpriate key with the generateAesCbcKey function.
type AesCbcDecryptionError
= AesCtrDecryptionErrorIvTooLong
| AesCbcDecryptionError

Errors that can happen when decrypting Bytes using the decryptWithAesCbc function. There are a few cases where this function can fail:

  • The passed Bytes are unable to be decrypted for whatever reason. This is captured by AesCbcDecryptionError.
  • When the passed iv in AesCbcParams is greater or less than than the required 16 bytes. This is captured by AesCtrDecryptionErrorIvTooLong
  • Any unknown or unexpected errors are captured by AesCtrDecryptionError.
decryptWithAesCbc :
AesCbcParams
-> Key AesCbcKey AesKeyParams
-> Bytes
-> Task AesCbcDecryptionError Bytes

Decrypt some Bytes with a Key AesCbcKey. You can generate the apporpriate key with the generateAesCbcKey function.

It's important to use the same iv value when encrypting and decrypting. Using a different iv value will succeed, but the resulting Bytes will not match the Bytes originally encrypted.

Encrypt & decrypt with the AES-GCM algorithm

Encrypt and decrypt Bytes with the AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) algorithm. These functions require an AES-GCM key. You can generate one with the generateAesGcmKey function.

type alias AesGcmParams =
{ iv : Bytes
, additionalData : Maybe Bytes
, tagLength : Maybe AesGcmTagLength
}

Required paramaters to encrypt and decrypt values with the AES-GCM algorithm.

  • iv needs to be be greater than 12 bytes, but less than 128 bytes. The recommended length is 96 bytes.
  • additionalData is completely optional data that is not encrypted, but will be a part of the completed, encrypted, Bytes. If provided when encrypting data, the same value must be provided when decrypting it or else the operation will fail.
  • tagLength is optional and defaults to AesTagLength128, which is recommended. You can find more information about this on the Web Crypto API docs.
type AesGcmTagLength
= AesGcmTagLength96
| AesGcmTagLength104
| AesGcmTagLength112
| AesGcmTagLength120
| AesGcmTagLength128

The set of allowed tag lengths for the AES-GCM algorithm.
type AesGcmEncryptionError
= AesGcmEncryptionErrorInvalidIvByteLegth
| AesGcmEncryptionError

Errors that can happen when encrypting Bytes using the encryptWithAesGcm function. There are a few cases where this function can fail:

  • When the passed iv in AesGcmParams is longer or shorter than required. This is captured by AesGcmEncryptionErrorInvalidIvByteLegth.
  • Any unknown or unexpected errors are captured with AesCtrEncryptionError.
encryptWithAesGcm :
AesGcmParams
-> Key AesGcmKey AesKeyParams
-> Bytes
-> Task AesGcmEncryptionError Bytes

Encrypt some Bytes with a Key AesGcmKey. You can generate the apporpriate key with the generateAesGcmKey function.
type AesGcmDecryptionError
= AesGcmDecryptionErrorInvalidIvByteLegth
| AesGcmDecryptionError

Errors that can happen when decrypting Bytes using the decryptWithAesGcm function. There are a few cases where this function can fail:

  • The passed Bytes are unable to be decrypted for whatever reason. This is captured by AesGcmDecryptionError.
  • When the passed iv in AesGcmParams is longer or shorter than required. This is captured by AesGcmDecryptionErrorInvalidIvByteLegth.
  • If the passed iv for encrypting the data does not match the iv being used to decrypt the data. This is captured with AesCtrDecryptionError.
  • Any unknown or unexpected errors are captured with AesCtrDecryptionError.
decryptWithAesGcm :
AesGcmParams
-> Key AesGcmKey AesKeyParams
-> Bytes
-> Task AesGcmDecryptionError Bytes

Decrypt some Bytes with a Key AesGcmKey. You can generate the apporpriate key with the generateAesGcmKey function.

Signing & Verifying

Sign and verify values. Each operation requires a specific key for the algorithm being used. You can learn more about key generation in the "Key Generation" section of this module.

type alias Signature = Bytes

A handy alias for differentiating between artibrary Bytes and the Bytes of a generated signature (using a signing function).

Sign & verify with the RSASSA-PKCS1-v1_5 algorithm

Sign and verify some Bytes with the RSASSA-PKCS1-v1_5 (Rivest, Shamir, and Adleman Signature Scheme with Appendix ...) algorithm. These functions require an RSASSA-PKCS1-v1_5 key. You can generate one with the generateRsaSsaPkcs1V1_5KeyPair function.

signWithRsaSsaPkcs1V1_5 :
PrivateKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Bytes -> Task x Signature

Sign some Bytes with the RSA-SSAPKCS1v1.5 algorithm. This produces a Signature (which is just some Bytes). The Signature can be used with the cooresponding verification function to verify that the passed Bytes were signed with the passed key.
verifyWithRsaSsaPkcs1V1_5 :
PublicKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Signature -> Bytes -> Task {} Bytes

Verify that some Bytes were signed with the passed Signature with the RSA-SSAPKCS1v1.5 algorithm.

The Task succeeds with the verified Bytes if the passed signature is valid and fails otherwise.

Sign & verify with the RSA-PSS algorithm

Sign and verify some Bytes with the RSA-PSS (Rivest, Shamir, and Adleman - Probabilistic Signature Scheme) algorithm. These functions require an RSA-PSS key. You can generate one with the generateRsaPssKeyPair function.

type alias RsaPssParams = { salt : Int }

The parameters needed to sign or verify with the RSA-PSS algorithm.
type RsaPssSigningError
= RsaPssSigningErrorInvalidSalt
| RsaPssSigningError

Errors that can happen when signing using the signWithRsaPss function. There are a few cases where this function can fail:

  • If the passed salt as part of the RsaPssParams is not equal to or less than the amount of bytes of the DigestAlgorithm that was used to generate the key. For example, if the RsaPssKey was generated with SHA-256, the maximum number for the salt value must be 32 or less. This is captured by RsaPssSigningErrorInvalidSalt.
  • Any unknown or unexpected errors are captured with RsaPssSigningError.
signWithRsaPss :
RsaPssParams
-> PrivateKey RsaPssKey RsaKeyParams
-> Bytes
-> Task RsaPssSigningError Signature

Sign some Bytes with the RSA-PSS algorithm. This produces a Signature (which is just some Bytes). The Signature can be used with the cooresponding verification function to verify that the passed Bytes were signed with the passed key.
verifyWithRsaPss :
RsaPssParams
-> PublicKey RsaPssKey RsaKeyParams
-> Signature
-> Bytes
-> Task {} Bytes

Verify that some Bytes were signed with the passed Signature with the RSA-PSS algorithm.

The Task succeeds with the verified Bytes if the passed signature is valid and fails otherwise.

Sign & verify with the ECDSA algorithm

Sign and verify some Bytes with the ECDSA (Elliptic Curve Digital Signature Algorithm) algorithm. These functions require an RSA-PSS key. You can generate one with the generateEcdsaKeyPair function.

signWithEcdsa :
DigestAlgorithm
-> PrivateKey EcdsaKey EcKeyParams
-> Bytes
-> Task x Signature

Sign some Bytes with the ECDSA algorithm. This produces a Signature (which is just some Bytes). The Signature can be used with the cooresponding verification function to verify that the passed Bytes were signed with the passed key.

The returned Task should not fail. If it does, please file a ticket!
verifyWithEcdsa :
DigestAlgorithm
-> PublicKey EcdsaKey EcKeyParams
-> Signature
-> Bytes
-> Task {} Bytes

Verify that some Bytes were signed with the passed Signature with the ECDSA algorithm.

The Task succeeds with the verified Bytes if the passed signature is valid and fails otherwise.

Sign & verify with the HMAC algorithm

Sign and verify some Bytes with the HMAC (Hash-Based Message Authentication Code) algorithm. These functions require an RSA-PSS key. You can generate one with the generateEcdsaKeyPair function.

signWithHmac : Key HmacKey HmacKeyParams -> Bytes -> Task x Signature

Sign some Bytes with the HMAC algorithm. This produces a Signature (which is just some Bytes). The Signature can be used with the cooresponding verification function to verify that the passed Bytes were signed with the passed key.

The returned Task should not fail. If it does, please file a ticket!
verifyWithHmac :
Key HmacKey HmacKeyParams
-> Signature
-> Bytes
-> Task {} Bytes

Verify that some Bytes were signed with the passed Signature with the HMAC algorithm.

The Task succeeds with the verified Bytes if the passed signature is valid and fails otherwise.

Digest

type DigestAlgorithm
= Sha256
| Sha384
| Sha512

Supported algorithms suitable for digesting data.

Note: The algorithm SHA1 is supported by the WebCrypto API, but not available in this package due to known security vunerabilities.
digest : SecureContext -> DigestAlgorithm -> Bytes -> Task x Bytes

Take some Bytes and create a hash from them using the passed DigestAlgorithm. This operation should always succeed.

Generate Keys

Generate, import, and export keys for completing cryptographic operations.

type Key key keyData

A generated key.
type PublicKey a b

A public key that is used for encrypting and verifying values. This key type, as the name suggests, can be exposed publicly and is safe to transport across the network.
type PrivateKey a b

A private key that is used for decrypting and signing values. This key should be protected and not revealed to any system outside of your application.
type alias KeyPair a b = { publicKey : PublicKey a b, privateKey : PrivateKey a b }

A set of public and private keys created by some key generation algorithms.
type Extractable
= CanBeExtracted
| CannotBeExtracted

Denotes if a key can be exported using the exportKey or exportKeyPair functions. If a key is not marked as exportable when it is created or imported, any attempts to export the key will fail.

Public keys will always be exportable when generated or imported, regardless of the Extractable value provided when generating the key.

Generate RSA Keys

Generate keys to use with RSA (Rivest-Shamir-Adleman) algorithm.

type alias RsaKeyParams =
{ modulusLength : Int
, hash : DigestAlgorithm
, extractable : Extractable
}

Parameters required to generate a key for use with the RSA algorithm.

  • modulusLength is clamped be at least 2048 and no greater than 4096. If the Int used is outside of that range, it will be corrected. It also needs to be divisible by 8.
  • hash is the DigestAlgorithm that's used for key generation
  • extractable denotes that if this key is extractable or not. For more information, see the Extractable type documentation.

A missing part of these parameters is the public exponent. Generated keys will always have a [ 1, 0, 1 ] or 65537 public exponent. This is a recommended value and a value that works across the browser and node platforms. If you have need for other public exponents, please file a ticket!
type RsaKeyGenerationError
= ModulusLengthNotDivisibleByEight

Errors that can happen when generating a key for use with the RSA algorithm. There is a single case where this function can fail at runtime:

  • When the passed modulusLength is not divisible by 8, as is required by the algorithm. This is captured by ModulusLengthNotDivisibleByEight.
generateRsaOaepKeyPair :
SecureContext
-> RsaKeyParams
-> Task RsaKeyGenerationError (KeyPair RsaOaepKey RsaKeyParams)

Generate a new key pair using the RSA-OAEP algorithm.

Produces a KeyPair that can be used to encrypt data with encryptWithRsaOaep and decrypt data with decryptWithRsaOaep.
generateRsaPssKeyPair :
SecureContext
-> RsaKeyParams
-> Task RsaKeyGenerationError (KeyPair RsaPssKey RsaKeyParams)

Generate a new key using the RSA-PSS algorithm.

Produces a KeyPair that can be used to sign data with signWithRsaPss and verify data with verifyWithRsaPss.
generateRsaSsaPkcs1V1_5KeyPair :
SecureContext -> RsaKeyParams -> Task RsaKeyGenerationError (KeyPair RsaSsaPkcs1V1_5Key RsaKeyParams)

Generate a new key using the RSASSA-PKCS1-v1_5 algorithm.

Produces a KeyPair that can be used to sign data with signWithRsaSsaPkcs1V1_5 and verify data with verifyWithRsaSsaPkcs1V1_5.

Generate AES Keys

Generate keys to use with AES (Advanced Encryption Standard) algorithm.

type alias AesKeyParams = { length : AesLength, extractable : Extractable }

Parameters required to generates an AES key.

  • length is the length, in bits, of the generated key. It must be one of the AesLength type.
  • extractable denotes that if this key is extractable or not. For more information, see the Extractable type documentation.
type AesLength
= AesLength128
| AesLength192
| AesLength256

The length of bits of the key that is being generated using the AES algorithm. These are the only values that can be chosen.

The Web Crypto API supports a length of 192, but some browsers do not implement this. To keep compatability across the browser platform, the option is not provided.
generateAesCtrKey :
SecureContext
-> AesKeyParams
-> Task x (Key AesCtrKey AesKeyParams)

Generate a new key using the AES-CTR algorithm.

Produces a Key that can be used to encrypt data with encryptWithAesCtr and decrypt data with decryptWithAesCtr.
generateAesCbcKey :
SecureContext
-> AesKeyParams
-> Task x (Key AesCbcKey AesKeyParams)

Generate a new key using the AES-CBC algorithm.

Produces a Key that can be used to encrypt data with encryptWithAesCbc and decrypt data with decryptWithAesCbc.
generateAesGcmKey :
SecureContext
-> AesKeyParams
-> Task x (Key AesGcmKey AesKeyParams)

Generate a new key using the AES-GCM algorithm.

Produces a Key that can be used to encrypt data with encryptWithAesGcm and decrypt data with decryptWithAesGcm.

Generate EC Keys

Generate keys to use with EC (Elliptic Curve) algorithm.

type alias EcKeyParams = { namedCurve : EcNamedCurve, extractable : Extractable }

Parameters required to generates an AES key.

  • namedCurve is the curve used to generate the key. It must be one of the EcNamedCurve variant.
  • extractable denotes that if this key is extractable or not. For more information, see the Extractable type documentation.
type EcNamedCurve
= P256
| P384
| P521

The name of the elliptic curve to use for the generated key.
generateEcdsaKeyPair :
SecureContext
-> EcKeyParams
-> Task x (KeyPair EcdsaKey EcKeyParams)

Generate a new key using the ECDSA algorithm.

Produces a KeyPair that can be used to sign data with signWithEcdsa and verify data with verifyWithEcdsa.

Generate HMAC Keys

Generate keys to use with HMAC (Hash-Based Message Authentication Code) algorithm.

type alias HmacKeyParams =
{ length : Maybe Int
, hash : DigestAlgorithm
, extractable : Extractable
}

Parameters required to generate a key for use with the HMAC algorithm.

  • length is the length of the resulting key in bits. If Nothing, the key will be equal in bits to the passed DigestAlgorithm. It's recommended to pass Nothing and let the length of the key be equal to the hash function (DigestAlgorithm). If passed, the length is clamped be at least 8 and no greater than 2048. If the Int used is outside of that range, it will be corrected.
  • hash is the DigestAlgorithm that's used for key generation
  • extractable denotes that if this key is extractable or not. For more information, see the Extractable type documentation.
type HmacKeyGenerationError
= HmacLengthNotDivisibleByEight

Errors that can happen when generating a key for use with the RSA algorithm.

Errors that can happen when enerating a key for use with the HMAC algorithm. There's a single case where this function can fail:

  • When the passed length is not divisible by 8, as is required by the algorithm. This is captured by HmacLengthNotDivisibleByEight.
generateHmacKey :
SecureContext
-> HmacKeyParams
-> Task HmacKeyGenerationError (Key HmacKey HmacKeyParams)

Generate a new key using the HMAC algorithm.

Produces a Key that can be used to sign data with signWithHmac and verify data with verifyWithHmac.

Export Keys

Export keys in various formats. Available formats depend on the key being exported. For more information on exporting keys, check out the MDN web docs for the Web Crypto API.

type ExportKeyError
= KeyNotExportable

Errors that can arise when exporting keys.

  • KeyNotExportable happens when trying to export a key that was not made Extractable during creation or import. This only applies to private keys, as public keys are always exportable.

Export RSA Keys

exportRsaOaepPublicKeyAsSpki : PublicKey RsaOaepKey RsaKeyParams -> Task {} Bytes
exportRsaOaepPublicKeyAsJwk : PublicKey RsaOaepKey RsaKeyParams -> Task {} Value
exportRsaOaepPrivateKeyAsPkcs8 :
PrivateKey RsaOaepKey RsaKeyParams
-> Task ExportKeyError Bytes
exportRsaOaepPrivateKeyAsJwk :
PrivateKey RsaOaepKey RsaKeyParams
-> Task ExportKeyError Value
exportRsaPssPublicKeyAsSpki : PublicKey RsaPssKey RsaKeyParams -> Task {} Bytes
exportRsaPssPublicKeyAsJwk : PublicKey RsaPssKey RsaKeyParams -> Task {} Value
exportRsaPssPrivateKeyAsPkcs8 :
PrivateKey RsaPssKey RsaKeyParams
-> Task ExportKeyError Bytes
exportRsaPssPrivateKeyAsJwk :
PrivateKey RsaPssKey RsaKeyParams
-> Task ExportKeyError Value
exportRsaSsaPkcs1V1_5PublicKeyAsSpki : PublicKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Task {} Bytes
exportRsaSsaPkcs1V1_5PublicKeyAsJwk : PublicKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Task {} Value
exportRsaSsaPkcs1V1_5PrivateKeyAsPkcs8 :
PrivateKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Task ExportKeyError Bytes
exportRsaSsaPkcs1V1_5PrivateKeyAsJwk :
PrivateKey RsaSsaPkcs1V1_5Key RsaKeyParams -> Task ExportKeyError Value

Export AES Keys

exportAesCtrKeyAsRaw : Key AesCtrKey AesKeyParams -> Task ExportKeyError Bytes
exportAesCtrKeyAsJwk : Key AesCtrKey AesKeyParams -> Task ExportKeyError Value
exportAesCbcKeyAsRaw : Key AesCbcKey AesKeyParams -> Task ExportKeyError Bytes
exportAesCbcKeyAsJwk : Key AesCbcKey AesKeyParams -> Task ExportKeyError Value
exportAesGcmKeyAsRaw : Key AesGcmKey AesKeyParams -> Task ExportKeyError Bytes
exportAesGcmKeyAsJwk : Key AesGcmKey AesKeyParams -> Task ExportKeyError Value

Export EC Keys

exportEcdsaPublicKeyAsRaw : PublicKey EcdsaKey EcKeyParams -> Task {} Bytes
exportEcdsaPublicKeyAsSpki : PublicKey EcdsaKey EcKeyParams -> Task {} Bytes
exportEcdsaPublicKeyAsJwk : PublicKey EcdsaKey EcKeyParams -> Task {} Value
exportEcdsaPrivateKeyAsPkcs8 :
PrivateKey EcdsaKey EcKeyParams
-> Task ExportKeyError Bytes
exportEcdsaPrivateKeyAsJwk :
PrivateKey EcdsaKey EcKeyParams
-> Task ExportKeyError Value

Export HMAC Keys

exportHmacKeyAsRaw : Key HmacKey HmacKeyParams -> Task ExportKeyError Bytes
exportHmacKeyAsJwk : Key HmacKey HmacKeyParams -> Task ExportKeyError Value

Import Keys

Import keys generated in this module or generated elsewhere. For more information on exporting keys, check out the MDN web docs for the Web Crypto API.

Import RSA Keys

type ImportRsaKeyError
= ImportRsaKeyError

Errors that can happen when importing a key using an RSA algorithm. There are a few possible reasons this error happens:

  • The passed key value (either Json.Encode.Value or Bytes) is not a valid key and cannot be imported.
  • The hash passed to the function does not match the hash of the imported key. This only happens when importing a JSON Web Key. It is recommended to always match the hash of the imported key or you will get different results when using the imported key, even when not importing in the JSON Web Key format.
importRsaOaepPublicKeyFromJwk :
SecureContext
-> ImportRsaKeyParams
-> Value
-> Task ImportRsaKeyError (PublicKey RsaOaepKey RsaKeyParams)
importRsaOaepPublicKeyFromSpki :
SecureContext
-> ImportRsaKeyParams
-> Bytes
-> Task ImportRsaKeyError (PublicKey RsaOaepKey RsaKeyParams)
importRsaOaepPrivateKeyFromJwk :
SecureContext
-> Extractable
-> ImportRsaKeyParams
-> Value
-> Task ImportRsaKeyError (PrivateKey RsaOaepKey RsaKeyParams)
importRsaOaepPrivateKeyFromPkcs8 :
SecureContext
-> Extractable
-> ImportRsaKeyParams
-> Bytes
-> Task ImportRsaKeyError (PrivateKey RsaOaepKey RsaKeyParams)
importRsaPssPublicKeyFromJwk :
SecureContext
-> ImportRsaKeyParams
-> Value
-> Task ImportRsaKeyError (PublicKey RsaPssKey RsaKeyParams)
importRsaPssPublicKeyFromSpki :
SecureContext
-> ImportRsaKeyParams
-> Bytes
-> Task ImportRsaKeyError (PublicKey RsaPssKey RsaKeyParams)
importRsaPssPrivateKeyFromJwk :
SecureContext
-> Extractable
-> ImportRsaKeyParams
-> Value
-> Task ImportRsaKeyError (PrivateKey RsaPssKey RsaKeyParams)
importRsaPssPrivateKeyFromPkcs8 :
SecureContext
-> Extractable
-> ImportRsaKeyParams
-> Bytes
-> Task ImportRsaKeyError (PrivateKey RsaPssKey RsaKeyParams)
importRsaSsaPkcs1V1_5PrivateKeyFromJwk :
SecureContext -> Extractable -> ImportRsaKeyParams -> Value -> Task ImportRsaKeyError (PrivateKey RsaSsaPkcs1V1_5Key RsaKeyParams)
importRsaSsaPkcs1V1_5PrivateKeyFromPkcs8 :
SecureContext -> Extractable -> ImportRsaKeyParams -> Bytes -> Task ImportRsaKeyError (PrivateKey RsaSsaPkcs1V1_5Key RsaKeyParams)
importRsaSsaPkcs1V1_5PublicKeyFromJwk :
SecureContext -> ImportRsaKeyParams -> Value -> Task ImportRsaKeyError (PublicKey RsaSsaPkcs1V1_5Key RsaKeyParams)
importRsaSsaPkcs1V1_5PublicKeyFromSpki :
SecureContext -> ImportRsaKeyParams -> Bytes -> Task ImportRsaKeyError (PublicKey RsaSsaPkcs1V1_5Key RsaKeyParams)

Import AES Keys

type ImportAesKeyError
= ImportAesKeyError

Errors that can happen when importing a key using an AES algorithm. There's only one known instance where this error can appear:

  • The passed key value (either Json.Encode.Value or Bytes) is not a valid key and cannot be imported.
importAesCbcKeyFromJwk :
SecureContext
-> Extractable
-> Value
-> Task ImportAesKeyError (Key AesCbcKey AesKeyParams)
importAesCbcKeyFromRaw :
SecureContext
-> Extractable
-> Bytes
-> Task ImportAesKeyError (Key AesCbcKey AesKeyParams)
importAesCtrKeyFromJwk :
SecureContext
-> Extractable
-> Value
-> Task ImportAesKeyError (Key AesCtrKey AesKeyParams)
importAesCtrKeyFromRaw :
SecureContext
-> Extractable
-> Bytes
-> Task ImportAesKeyError (Key AesCtrKey AesKeyParams)
importAesGcmKeyFromJwk :
SecureContext
-> Extractable
-> Value
-> Task ImportAesKeyError (Key AesGcmKey AesKeyParams)
importAesGcmKeyFromRaw :
SecureContext
-> Extractable
-> Bytes
-> Task ImportAesKeyError (Key AesGcmKey AesKeyParams)

Import EC Keys

type ImportEcKeyError
= ImportEcKeyError

Errors that can happen when importing a key using an EC algorithm. There are two possible reasons this error happens:

  • The passed key value (either Json.Encode.Value or Bytes) is not a valid key and cannot be imported.
  • The EcNamedCurve passed to the function does not match the EcNamedCurve of the imported key.
importEcdsaPrivateKeyFromJwk :
SecureContext
-> Extractable
-> EcNamedCurve
-> Value
-> Task ImportEcKeyError (PrivateKey EcdsaKey EcKeyParams)
importEcdsaPrivateKeyFromPkcs8 :
SecureContext
-> Extractable
-> EcNamedCurve
-> Bytes
-> Task ImportEcKeyError (PrivateKey EcdsaKey EcKeyParams)
importEcdsaPrivateKeyFromSpki :
SecureContext
-> Extractable
-> EcNamedCurve
-> Bytes
-> Task ImportEcKeyError (PrivateKey EcdsaKey EcKeyParams)
importEcdsaPublicKeyFromJwk :
SecureContext
-> EcNamedCurve
-> Value
-> Task ImportEcKeyError (PublicKey EcdsaKey EcKeyParams)
importEcdsaPublicKeyFromRaw :
SecureContext
-> EcNamedCurve
-> Bytes
-> Task ImportEcKeyError (PublicKey EcdsaKey EcKeyParams)
importEcdsaPublicKeyFromSpki :
SecureContext
-> EcNamedCurve
-> Bytes
-> Task ImportEcKeyError (PublicKey EcdsaKey EcKeyParams)

Import HMAC Keys

type ImportHmacKeyError
= ImportHmacKeyError

Errors that can happen when importing a key using an HMAC algorithm. There are three known reasons an errors can happen when importing HMAC keys:

  • The passed key Bytes value (either Json.Encode.Value or Bytes) is not a valid key and cannot be imported.
  • The length passed to the function is not correct for the imported key.
  • The hash passed to the function does not match the hash of the imported key. This only happens when importing a JSON Web Key. It is recommended to always match the hash of the imported key or you will get different results when using the imported key for cryptographic functions.
importHmacKeyFromJwk :
SecureContext
-> Extractable
-> DigestAlgorithm
-> Maybe Int
-> Value
-> Task ImportHmacKeyError (Key HmacKey HmacKeyParams)
importHmacKeyFromRaw :
SecureContext
-> Extractable
-> DigestAlgorithm
-> Maybe Int
-> Bytes
-> Task ImportHmacKeyError (Key HmacKey HmacKeyParams)