Class SIVAESBasedPairwiseSubjectCodec
- java.lang.Object
  - com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
    - com.nimbusds.openid.connect.sdk.id.SIVAESBasedPairwiseSubjectCodec
@ThreadSafe public class SIVAESBasedPairwiseSubjectCodec extends PairwiseSubjectCodec
SIV AES-based encoder / decoder of pairwise subject identifiers. Requires a 256, 384, or 512-bit secret key. Reversal is supported.
The plain text is formatted as follows ('|' as delimiter):
sector_id|local_sub
The encoder can be configured to pad the local subject up to a certain string length, typically the maximum expected length of the local subject identifiers, so that the output pairwise subject identifiers have a uniform length that doesn't vary with the length of the local subject identifier. This is intended as an additional measure against leaking end-user information and hence correlation. Note that local subjects longer than the configured length will produce proportionally longer pairwise identifiers.
Pad local subjects that are shorter than 50 characters in length:
new SIVAESBasedPairwiseSubjectCodec(secretKey, 50);
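The effect of the padding option on identifier length, together with reversal, as an added example (not part of the SDK documentation). It assumes the Nimbus OAuth 2.0 SDK with OpenID Connect extensions and its dependencies are on the classpath; the class name, key, sector identifiers and local subjects are constructed for the demonstration.

```java
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.id.InvalidPairwiseSubjectException;
import com.nimbusds.openid.connect.sdk.id.SIVAESBasedPairwiseSubjectCodec;
import com.nimbusds.openid.connect.sdk.id.SectorID;

import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Map;

public class PairwiseSubjectPaddingDemo {

    public static void main(String[] args) throws InvalidPairwiseSubjectException {
        // Constructed 256-bit key for the demo. A deployment loads a persistent key,
        // otherwise previously issued identifiers can no longer be reproduced or reversed.
        byte[] keyBytes = new byte[32];
        new SecureRandom().nextBytes(keyBytes);
        SecretKey secretKey = new SecretKeySpec(keyBytes, "AES");

        SIVAESBasedPairwiseSubjectCodec unpadded = new SIVAESBasedPairwiseSubjectCodec(secretKey);
        SIVAESBasedPairwiseSubjectCodec padded = new SIVAESBasedPairwiseSubjectCodec(secretKey, 50);

        // Constructed sample values: one sector, local subjects of varying length (all under 50).
        SectorID sector = new SectorID("rp.example.com");
        String[] localSubs = {"al", "alice", "alice.adams@example.org"};

        // Compare how the pairwise identifier length tracks the local subject length.
        for (String s : localSubs) {
            Subject local = new Subject(s);
            int unpaddedLen = unpadded.encode(sector, local).getValue().length();
            int paddedLen = padded.encode(sector, local).getValue().length();
            System.out.printf("local sub %2d chars -> unpadded id %3d chars, padded id %3d chars%n",
                    s.length(), unpaddedLen, paddedLen);
        }

        // The same local subject encoded for two sectors.
        Subject alice = new Subject("alice");
        Subject forFirstRp = padded.encode(sector, alice);
        Subject forSecondRp = padded.encode(new SectorID("other.example.net"), alice);
        System.out.println("identical across sectors: " + forFirstRp.equals(forSecondRp));

        // Reversal: recover the sector identifier and local subject from the pairwise identifier.
        Map.Entry<SectorID, Subject> decoded = padded.decode(forFirstRp);
        System.out.println("decoded: " + decoded.getKey() + " | " + decoded.getValue());
    }
}
```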
Related specifications:
- Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES) (RFC 5297).
- OpenID Connect Core 1.0, section 8.1.
Field Summary
Fields inherited from class com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
CHARSET
Constructor Summary
SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey)
    Creates a new SIV AES-based codec for pairwise subject identifiers.
SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int padSubjectToLength)
    Creates a new SIV AES-based codec for pairwise subject identifiers.
Method Summary
Map.Entry<SectorID,Subject> decode(Subject pairwiseSubject)
    Decodes the specified pairwise subject identifier to produce the matching sector identifier and local subject.
Subject encode(SectorID sectorID, Subject localSub)
    Encodes a new pairwise subject identifier from the specified sector identifier and local subject.
int getPadSubjectToLength()
    Returns the optional padded string length of local subjects.
SecretKey getSecretKey()
    Returns the secret key.
Methods inherited from class com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
encode, getProvider, getSalt, setProvider
Constructor Detail
SIVAESBasedPairwiseSubjectCodec
public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey)
Creates a new SIV AES-based codec for pairwise subject identifiers. Local subjects are not padded up to a certain length.
Parameters:
secretKey - A 256, 384, or 512-bit secret key. Must not be null.
SIVAESBasedPairwiseSubjectCodec
public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int padSubjectToLength)
Creates a new SIV AES-based codec for pairwise subject identifiers.
Parameters:
secretKey - A 256, 384, or 512-bit secret key. Must not be null.
padSubjectToLength - Pads the local subject to the specified length, -1 (negative integer) for no padding.
Method Detail
getSecretKey
public SecretKey getSecretKey()
Returns the secret key.
Returns:
The key.
getPadSubjectToLength
public int getPadSubjectToLength()
Returns the optional padded string length of local subjects.
Returns:
The padding string length, -1 (negative integer) for no padding.
encode
public Subject encode(SectorID sectorID, Subject localSub)
Description copied from class: PairwiseSubjectCodec
Encodes a new pairwise subject identifier from the specified sector identifier and local subject.
Specified by:
encode in class PairwiseSubjectCodec
Parameters:
sectorID - The sector identifier. Must not be null.
localSub - The local subject identifier. Must not be null.
Returns:
The pairwise subject identifier.
decode
public Map.Entry<SectorID,Subject> decode(Subject pairwiseSubject) throws InvalidPairwiseSubjectException
Description copied from class: PairwiseSubjectCodec
Decodes the specified pairwise subject identifier to produce the matching sector identifier and local subject. Throws an UnsupportedOperationException. Codecs that support pairwise subject identifier reversal should override this method.
Overrides:
decode in class PairwiseSubjectCodec
Parameters:
pairwiseSubject - The pairwise subject identifier. Must be valid and not null.
Returns:
The matching sector identifier and local subject.
Throws:
InvalidPairwiseSubjectException - If the pairwise subject is invalid.