Class SIVAESBasedPairwiseSubjectCodec
java.lang.Object
com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
com.nimbusds.openid.connect.sdk.id.SIVAESBasedPairwiseSubjectCodec
SIV AES-based encoder / decoder of pairwise subject identifiers. Requires a 256, 384, or 512-bit secret key. Reversal is supported.
The plain text is formatted as follows ('|' as delimiter):
sector_id|local_sub
The encoder can be configured to pad the local subject up to a certain string length, typically the maximum expected length of the local subject identifiers, so that the output pairwise subject identifiers have a uniform length that doesn't vary with the local subject identifier length. This is intended as an additional measure against leaking end-user information and hence correlation. Note that local subjects that are longer than the configured length will appear as proportionally longer pairwise identifiers.
Pad local subjects that are shorter than 50 characters in length:
new SIVAESBasedPairwiseSubjectCodec(secretKey, 50);
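Worked example of the encode / decode round trip with padding, added here and not part of the SDK's own documentation. It assumes the SDK's SectorID (com.nimbusds.openid.connect.sdk.id.SectorID) and Subject (com.nimbusds.oauth2.sdk.id.Subject) identifier classes and a key generated at run time, which is for illustration only: a deployment must persist the key, since the SIV construction is deterministic and the same key is what keeps a user's pairwise identifier stable across logins.

```java
import java.security.SecureRandom;
import java.util.Map;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import com.nimbusds.oauth2.sdk.id.Subject;
import com.nimbusds.openid.connect.sdk.id.InvalidPairwiseSubjectException;
import com.nimbusds.openid.connect.sdk.id.SIVAESBasedPairwiseSubjectCodec;
import com.nimbusds.openid.connect.sdk.id.SectorID;

public class PairwiseSubjectExample {
    public static void main(String[] args) throws Exception {
        // 256-bit (32-byte) SIV AES key. Generated here for illustration only;
        // a deployment must persist and protect the key: a lost or rotated key
        // changes every pairwise sub and makes the already issued ones undecodable.
        byte[] keyBytes = new byte[32];
        new SecureRandom().nextBytes(keyBytes);
        SecretKey secretKey = new SecretKeySpec(keyBytes, "AES");

        // Pad local subjects shorter than 50 chars, so the output length
        // does not leak the local subject length.
        SIVAESBasedPairwiseSubjectCodec codec =
            new SIVAESBasedPairwiseSubjectCodec(secretKey, 50);

        SectorID sectorID = new SectorID("client.example.com");
        Subject alice = new Subject("alice");
        Subject bob = new Subject("bob-with-a-much-longer-local-identifier");

        Subject pwAlice = codec.encode(sectorID, alice);
        Subject pwBob = codec.encode(sectorID, bob);
        // SIV is deterministic: same key, sector and local sub -> same pairwise sub
        boolean stable = pwAlice.equals(codec.encode(sectorID, alice));
        // Padding makes short local subjects produce equal-length output
        boolean uniform = pwAlice.getValue().length() == pwBob.getValue().length();
        // Another sector gets a different identifier for the same user
        boolean unlinkable = !pwAlice.equals(codec.encode(new SectorID("other.example.org"), alice));

        // Reversal: recover the sector ID and local subject
        Map.Entry<SectorID, Subject> decoded = codec.decode(pwAlice);
        boolean roundTrip = decoded.getKey().equals(sectorID) && decoded.getValue().equals(alice);

        // Input that was not produced under this key fails SIV authentication
        boolean rejected = false;
        try {
            codec.decode(new Subject("not-a-valid-pairwise-subject"));
        } catch (InvalidPairwiseSubjectException e) {
            rejected = true;
        }
        System.out.printf("stable=%b uniform=%b unlinkable=%b roundTrip=%b rejected=%b%n",
            stable, uniform, unlinkable, roundTrip, rejected);
    }
}
```

All five flags print true; the decoded pairwise identifier also carries the sector ID, so a resource server holding the key can tell which client a given pairwise subject was issued to.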
Related specifications:
- Synthetic Initialization Vector (SIV) Authenticated Encryption Using the Advanced Encryption Standard (AES) (RFC 5297).
- OpenID Connect Core 1.0, section 8.1.
Field Summary
Fields inherited from class com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
CHARSET
Constructor Summary
Constructor | Description
SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey) | Creates a new SIV AES-based codec for pairwise subject identifiers.
SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int padSubjectToLength) | Creates a new SIV AES-based codec for pairwise subject identifiers.
Method Summary
Modifier and Type | Method | Description
Map.Entry<SectorID,Subject> | decode(Subject pairwiseSubject) | Decodes the specified pairwise subject identifier to produce the matching sector identifier and local subject.
Subject | encode(SectorID sectorID, Subject localSub) | Encodes a new pairwise subject identifier from the specified sector identifier and local subject.
int | getPadSubjectToLength() | Returns the optional padded string length of local subjects.
SecretKey | getSecretKey() | Returns the secret key.
Methods inherited from class com.nimbusds.openid.connect.sdk.id.PairwiseSubjectCodec
encode, getProvider, getSalt, setProvider
Constructor Details
SIVAESBasedPairwiseSubjectCodec
public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey)
Creates a new SIV AES-based codec for pairwise subject identifiers. Local subjects are not padded up to a certain length.
Parameters:
secretKey - A 256, 384, or 512-bit secret key. Must not be null.

SIVAESBasedPairwiseSubjectCodec
public SIVAESBasedPairwiseSubjectCodec(SecretKey secretKey, int padSubjectToLength)
Creates a new SIV AES-based codec for pairwise subject identifiers.
Parameters:
secretKey - A 256, 384, or 512-bit secret key. Must not be null.
padSubjectToLength - Pads the local subject to the specified length, -1 (negative integer) for no padding.
Method Details
getSecretKey
public SecretKey getSecretKey()
Returns the secret key.
Returns:
The key.

getPadSubjectToLength
public int getPadSubjectToLength()
Returns the optional padded string length of local subjects.
Returns:
The padding string length, -1 (negative integer) for no padding.

encode
public Subject encode(SectorID sectorID, Subject localSub)
Description copied from class: PairwiseSubjectCodec
Encodes a new pairwise subject identifier from the specified sector identifier and local subject.
Specified by:
encode in class PairwiseSubjectCodec
Parameters:
sectorID - The sector identifier. Must not be null.
localSub - The local subject identifier. Must not be null.
Returns:
The pairwise subject identifier.

decode
public Map.Entry<SectorID,Subject> decode(Subject pairwiseSubject) throws InvalidPairwiseSubjectException
Description copied from class: PairwiseSubjectCodec
Decodes the specified pairwise subject identifier to produce the matching sector identifier and local subject. Throws an UnsupportedOperationException. Codecs that support pairwise subject identifier reversal should override this method.
Overrides:
decode in class PairwiseSubjectCodec
Parameters:
pairwiseSubject - The pairwise subject identifier. Must be valid and not null.
Returns:
The matching sector identifier and local subject.
Throws:
InvalidPairwiseSubjectException - If the pairwise subject is invalid.