001/* 002 * oauth2-oidc-sdk 003 * 004 * Copyright 2012-2016, Connect2id Ltd and contributors. 005 * 006 * Licensed under the Apache License, Version 2.0 (the "License"); you may not use 007 * this file except in compliance with the License. You may obtain a copy of the 008 * License at 009 * 010 * http://www.apache.org/licenses/LICENSE-2.0 011 * 012 * Unless required by applicable law or agreed to in writing, software distributed 013 * under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR 014 * CONDITIONS OF ANY KIND, either express or implied. See the License for the 015 * specific language governing permissions and limitations under the License. 016 */ 017 018package com.nimbusds.openid.connect.sdk.id; 019 020 021import java.security.MessageDigest; 022import java.security.NoSuchAlgorithmException; 023 024import com.nimbusds.jose.util.Base64URL; 025import com.nimbusds.oauth2.sdk.id.Subject; 026import net.jcip.annotations.ThreadSafe; 027 028 029/** 030 * SHA-256 based encoder of pairwise subject identifiers. Reversal is not 031 * supported. 032 * 033 * <p>Algorithm: 034 * 035 * <pre> 036 * sub = SHA-256 ( sector_id || local_sub || salt ) 037 * </pre> 038 * 039 * <p>Related specifications: 040 * 041 * <ul> 042 * <li>OpenID Connect Core 1.0, section 8.1. 043 * </ul> 044 */ 045@ThreadSafe 046public class HashBasedPairwiseSubjectCodec extends PairwiseSubjectCodec { 047 048 049 /** 050 * The hashing algorithm. 051 */ 052 public static final String HASH_ALGORITHM = "SHA-256"; 053 054 055 /** 056 * Creates a new hash-based codec for pairwise subject identifiers. 057 * 058 * @param salt The salt, must not be {@code null}. 059 */ 060 public HashBasedPairwiseSubjectCodec(final byte[] salt) { 061 super(salt); 062 if (salt == null) { 063 throw new IllegalArgumentException("The salt must not be null"); 064 } 065 } 066 067 068 /** 069 * Creates a new hash-based codec for pairwise subject identifiers. 070 * 071 * @param salt The salt, must not be {@code null}. 072 */ 073 public HashBasedPairwiseSubjectCodec(final Base64URL salt) { 074 super(salt.decode()); 075 } 076 077 078 @Override 079 public Subject encode(final SectorID sectorID, final Subject localSub) { 080 081 MessageDigest sha256; 082 try { 083 if (getProvider() != null) { 084 sha256 = MessageDigest.getInstance(HASH_ALGORITHM, getProvider()); 085 } else { 086 sha256 = MessageDigest.getInstance(HASH_ALGORITHM); 087 } 088 } catch (NoSuchAlgorithmException e) { 089 throw new RuntimeException(e.getMessage(), e); 090 } 091 092 sha256.update(sectorID.getValue().getBytes(CHARSET)); 093 sha256.update(localSub.getValue().getBytes(CHARSET)); 094 byte[] hash = sha256.digest(getSalt()); 095 096 return new Subject(Base64URL.encode(hash).toString()); 097 } 098}