Source code

001/*
002 * oauth2-oidc-sdk
003 *
004 * Copyright 2012-2016, Connect2id Ltd and contributors.
005 *
006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use
007 * this file except in compliance with the License. You may obtain a copy of the
008 * License at
009 *
010 *    http://www.apache.org/licenses/LICENSE-2.0
011 *
012 * Unless required by applicable law or agreed to in writing, software distributed
013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the
015 * specific language governing permissions and limitations under the License.
016 */
017
018package com.nimbusds.openid.connect.sdk.id;
019
020
021import java.security.MessageDigest;
022import java.security.NoSuchAlgorithmException;
023
024import com.nimbusds.jose.util.Base64URL;
025import com.nimbusds.oauth2.sdk.id.Subject;
026import net.jcip.annotations.ThreadSafe;
027
028
029/**
030 * SHA-256 based encoder of pairwise subject identifiers. Reversal is not
031 * supported.
032 *
033 * <p>Algorithm:
034 *
035 * <pre>
036 * sub = SHA-256 ( sector_id || local_sub || salt )
037 * </pre>
038 *
039 * <p>Related specifications:
040 *
041 * <ul>
042 *     <li>OpenID Connect Core 1.0, section 8.1.
043 * </ul>
044 */
045@ThreadSafe
046public class HashBasedPairwiseSubjectCodec extends PairwiseSubjectCodec {
047
048
049        /**
050         * The hashing algorithm.
051         */
052        public static final String HASH_ALGORITHM = "SHA-256";
053
054
055        /**
056         * Creates a new hash-based codec for pairwise subject identifiers.
057         *
058         * @param salt The salt, must not be {@code null}.
059         */
060        public HashBasedPairwiseSubjectCodec(final byte[] salt) {
061                super(salt);
062                if (salt == null) {
063                        throw new IllegalArgumentException("The salt must not be null");
064                }
065        }
066
067
068        /**
069         * Creates a new hash-based codec for pairwise subject identifiers.
070         *
071         * @param salt The salt, must not be {@code null}.
072         */
073        public HashBasedPairwiseSubjectCodec(final Base64URL salt) {
074                super(salt.decode());
075        }
076
077
078        @Override
079        public Subject encode(final SectorID sectorID, final Subject localSub) {
080
081                MessageDigest sha256;
082                try {
083                        if (getProvider() != null) {
084                                sha256 = MessageDigest.getInstance(HASH_ALGORITHM, getProvider());
085                        } else {
086                                sha256 = MessageDigest.getInstance(HASH_ALGORITHM);
087                        }
088                } catch (NoSuchAlgorithmException e) {
089                        throw new RuntimeException(e.getMessage(), e);
090                }
091
092                sha256.update(sectorID.getValue().getBytes(CHARSET));
093                sha256.update(localSub.getValue().getBytes(CHARSET));
094                byte[] hash = sha256.digest(getSalt());
095
096                return new Subject(Base64URL.encode(hash).toString());
097        }
098}