001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.openid.connect.sdk.id; 019 020 021import java.util.AbstractMap; 022import java.util.Map; 023import javax.crypto.SecretKey; 024import javax.crypto.spec.SecretKeySpec; 025 026import com.nimbusds.jose.util.Base64URL; 027import com.nimbusds.jose.util.ByteUtils; 028import com.nimbusds.oauth2.sdk.id.Subject; 029import net.jcip.annotations.ThreadSafe; 030import org.cryptomator.siv.SivMode; 031 032 033/** 034 * SIV AES - based encoder / decoder of pairwise subject identifiers. Requires 035 * a 256, 384, or 512-bit secret key. Reversal is supported. 036 * 037 * <p>The plain text is formatted as follows ('|' as delimiter): 038 * 039 * <pre> 040 * sector_id|local_sub 041 * </pre> 042 * 043 * <p>The encoder can be configured to pad the local subject up to a certain 044 * string length, typically the maximum expected length of the local subject 045 * identifiers, to ensure the output pairwise subject identifiers are output 046 * with a length that is uniform and doesn't vary with the local subject 047 * identifier length. This is intended as an additional measure against leaking 048 * end-user information and hence correlation. Note that local subjects that 049 * are longer than the configured length will appear as proportionally longer 050 * pairwise identifiers. 051 * 052 * <p>Pad local subjects that are shorter than 50 characters in length: 053 * 054 * <pre> 055 * new SIVAESBasedPairwiseSubjectCodec(secretKey, 50); 056 * </pre> 057 * 058 * <p>Related specifications: 059 * 060 * <ul> 061 * <li>Synthetic Initialization Vector (SIV) Authenticated Encryption Using 062 * the Advanced Encryption Standard (AES) (RFC 5297). 063 * <li>OpenID Connect Core 1.0, section 8.1. 064 * </ul> 065 */ 066@ThreadSafe 067public class SIVAESBasedPairwiseSubjectCodec extends PairwiseSubjectCodec { 068 069 070 /** 071 * The AES SIV crypto engine. 072 */ 073 private static final SivMode AES_SIV = new SivMode(); 074 075 076 /** 077 * The AES CTR key (1st half). 078 */ 079 private final byte[] aesCtrKey; 080 081 082 /** 083 * The MAC key (2nd half). 084 */ 085 private final byte[] macKey; 086 087 088 /** 089 * Pads the local subject to the specified length, -1 for no padding. 090 */ 091 private final int padSubjectToLength; 092 093 094 /** 095 * Creates a new SIV AES - based codec for pairwise subject 096 * identifiers. Local subjects are not padded up to a certain length. 097 * 098 * @param secretKey A 256, 384, or 512-bit secret key. Must not be 099 * {@code null}. 100 */ 101 public SIVAESBasedPairwiseSubjectCodec(final SecretKey secretKey) { 102 this(secretKey, -1); 103 } 104 105 106 /** 107 * Creates a new SIV AES - based codec for pairwise subject 108 * identifiers. 109 * 110 * @param secretKey A 256, 384, or 512-bit secret key. Must 111 * not be {@code null}. 112 * @param padSubjectToLength Pads the local subject to the specified 113 * length, -1 (negative integer) for no 114 * padding. 115 */ 116 public SIVAESBasedPairwiseSubjectCodec(final SecretKey secretKey, 117 final int padSubjectToLength) { 118 super(null); 119 120 if (secretKey == null) { 121 throw new IllegalArgumentException("The SIV AES secret key must not be null"); 122 } 123 124 byte[] keyBytes = secretKey.getEncoded(); 125 126 switch (keyBytes.length) { 127 case 32: 128 aesCtrKey = ByteUtils.subArray(keyBytes, 0, 16); 129 macKey = ByteUtils.subArray(keyBytes, 16, 16); 130 break; 131 case 48: 132 aesCtrKey = ByteUtils.subArray(keyBytes, 0, 24); 133 macKey = ByteUtils.subArray(keyBytes, 24, 24); 134 break; 135 case 64: 136 aesCtrKey = ByteUtils.subArray(keyBytes, 0, 32); 137 macKey = ByteUtils.subArray(keyBytes, 32, 32); 138 break; 139 default: 140 throw new IllegalArgumentException("The SIV AES secret key length must be 256, 384 or 512 bits"); 141 } 142 143 this.padSubjectToLength = padSubjectToLength; 144 } 145 146 147 /** 148 * Returns the secret key. 149 * 150 * @return The key. 151 */ 152 public SecretKey getSecretKey() { 153 154 return new SecretKeySpec(ByteUtils.concat(aesCtrKey, macKey), "AES"); 155 } 156 157 158 /** 159 * Returns the optional padded string length of local subjects. 160 * 161 * @return The padding string length, -1 (negative integer) for no 162 * padding. 163 */ 164 public int getPadSubjectToLength() { 165 166 return padSubjectToLength; 167 } 168 169 170 private static String escapeSeparator(final String s) { 171 172 return s.replace("|", "\\|"); 173 } 174 175 176 @Override 177 public Subject encode(final SectorID sectorID, final Subject localSub) { 178 179 // Escape separator chars 180 final String escapedSectorIDString = escapeSeparator(sectorID.getValue()); 181 final String escapedLocalSub = escapeSeparator(localSub.getValue()); 182 183 StringBuilder optionalPadding = new StringBuilder(); 184 185 if (padSubjectToLength > 0) { 186 // Apply padding 187 int paddingLength = padSubjectToLength - escapedLocalSub.length(); 188 189 if (paddingLength == 1) { 190 191 optionalPadding = new StringBuilder("|"); 192 193 } else if (paddingLength > 1) { 194 195 optionalPadding = new StringBuilder("|"); 196 int i = paddingLength; 197 while (--i > 0) { 198 optionalPadding.append("0"); // pad with 0 199 } 200 } 201 } 202 203 // Join parameters, delimited by '|' 204 final String plainTextString = (escapedSectorIDString + '|' + escapedLocalSub + optionalPadding); 205 206 byte[] plainText = plainTextString.getBytes(CHARSET); 207 byte[] cipherText = AES_SIV.encrypt(aesCtrKey, macKey, plainText); 208 return new Subject(Base64URL.encode(cipherText).toString()); 209 } 210 211 212 @Override 213 public Map.Entry<SectorID, Subject> decode(final Subject pairwiseSubject) 214 throws InvalidPairwiseSubjectException { 215 216 byte[] cipherText = new Base64URL(pairwiseSubject.getValue()).decode(); 217 218 byte[] plainText; 219 try { 220 plainText = AES_SIV.decrypt(aesCtrKey, macKey, cipherText); 221 } catch (Exception e) { 222 throw new InvalidPairwiseSubjectException("Decryption failed: " + e.getMessage(), e); 223 } 224 225 // Split along the '|' delimiter 226 String[] parts = new String(plainText, CHARSET).split("(?<!\\\\)\\|"); 227 228 // Unescape delimiter 229 for (int i=0; i<parts.length; i++) { 230 parts[i] = parts[i].replace("\\|", "|"); 231 } 232 233 // Check format 234 if (parts.length > 3) { 235 throw new InvalidPairwiseSubjectException("Invalid format: Unexpected number of tokens: " + parts.length); 236 } 237 238 return new AbstractMap.SimpleImmutableEntry<>(new SectorID(parts[0]), new Subject(parts[1])); 239 } 240}