Class ComputedPairwiseIdStore

All Implemented Interfaces:
PairwiseIdStore, Component, DestructableComponent, InitializableComponent

public class ComputedPairwiseIdStore
extends AbstractInitializableComponent
implements PairwiseIdStore
A PairwiseIdStore that generates a pairwise ID by computing the hash of a given attribute value, the entity ID of the recipient, and a provided salt.

The original implementation and values in common use relied on base64 encoding of the result, but due to discovery of the lack of appropriate case handling of identifiers by applications, the ability to use base32 has been added to eliminate the possibility of case conflicts.

Since:
4.0.0
  • Field Details

    • WILDCARD_OVERRIDE

      @Nonnull @NotEmpty public static final String WILDCARD_OVERRIDE
      An override trigger to apply to all relying parties.
      See Also:
      Constant Field Values
    • log

      @Nonnull private final org.slf4j.Logger log
      Class logger.
    • salt

      @NonnullAfterInit private byte[] salt
      Salt used when computing the ID.
    • algorithm

      @Nonnull @NotEmpty private String algorithm
      JCE digest algorithm name to use.
    • encoding

      @Nonnull private ComputedPairwiseIdStore.Encoding encoding
      The encoding to apply to the digest.
    • exceptionMap

      @Nonnull private Map<String,​Map<String,​String>> exceptionMap
      Override map to block or re-issue identifiers.
  • Constructor Details

    • ComputedPairwiseIdStore

      public ComputedPairwiseIdStore()
      Constructor.
  • Method Details

    • getSalt

      @NonnullAfterInit public byte[] getSalt()
      Get the salt used when computing the ID.
      Returns:
      salt used when computing the ID
    • setSalt

      public void setSalt​(@Nullable byte[] newValue)
      Set the salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID
    • setSalt

      public void setSalt​(@Nullable String newValue)
      Set the salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID
    • setEncodedSalt

      public void setEncodedSalt​(@Nullable String newValue)
      Set the base64-encoded salt used when computing the ID.

      An empty/null input is ignored.

      Parameters:
      newValue - used when computing the ID
    • getAlgorithm

      @Nonnull @NotEmpty public String getAlgorithm()
      Get the JCE algorithm name of the digest algorithm to use (default is SHA).
      Returns:
      JCE message digest algorithm
    • setAlgorithm

      public void setAlgorithm​(@Nonnull @NotEmpty String alg)
      Set the JCE algorithm name of the digest algorithm to use (default is SHA).
      Parameters:
      alg - JCE message digest algorithm
    • getEncoding

      @Nonnull public ComputedPairwiseIdStore.Encoding getEncoding()
      Get the post-digest encoding to use.
      Returns:
      encoding
    • setEncoding

      public void setEncoding​(@Nonnull ComputedPairwiseIdStore.Encoding enc)
      Set the post-digest encoding to use.
      Parameters:
      enc - encoding
    • setExceptionMap

      public void setExceptionMap​(@Nullable @NotEmpty Map<String,​Map<String,​String>> map)
      Install map of exceptions that override standard generation.

      The map is keyed by principal name (or '*' for all), and the values are a map of relying party to salt overrides. A relying party of '*' applies to all parties. A null mapped value implies that no value should be generated, while a string value is fed into the computation in place of the default salt. Specific rules trump wildcarded rules.

      Parameters:
      map - exceptions to apply
    • doInitialize

      protected void doInitialize() throws ComponentInitializationException
      Overrides:
      doInitialize in class AbstractInitializableComponent
      Throws:
      ComponentInitializationException
    • getBySourceValue

      @Nullable public PairwiseId getBySourceValue​(@Nonnull PairwiseId pid, boolean allowCreate) throws IOException
      Populate the pairwise ID field for the input object based on the supplied values.

      The input object must contain values for issuer and recipient entityIDs and the principal name, and the pairwise ID will be populated as applicable on output.

      The object returned, if non-null, may be, but does not have to be, the same physical object used as input. The original input object should not be referenced further.

      Specified by:
      getBySourceValue in interface PairwiseIdStore
      Parameters:
      pid - object to populate
      allowCreate - true iff the caller is authorizing the issuance of a new identifier
      Returns:
      object for the given inputs or null if none exists
      Throws:
      IOException - if an error occurs accessing the store
    • getEffectiveSalt

      @Nullable private byte[] getEffectiveSalt​(@Nonnull @NotEmpty String principalName, @Nonnull @NotEmpty String relyingPartyId)
      Get the effective salt to apply for a particular principal/RP pair, or null to refuse to generate one.
      Parameters:
      principalName - name of subject
      relyingPartyId - name of relying party scope
      Returns:
      salt to use