author | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-06-15 14:46:15 +0200 |
---|---|---|
committer | Tor Brede Vekterli <vekterli@yahooinc.com> | 2023-06-15 14:46:15 +0200 |
commit | 01e1c1bfc9180c62d88501d9c4c29585cdca46fc (patch) | |
tree | 52452571ec640751634a03482b0425c6e6c66c4a /security-utils/src/main/java/com/yahoo/security | |
parent | 4a5f76d4840af80588159edfe574b25847ba1307 (diff) |
Simplify token API by using fixed context for fingerprints
Fingerprints are now always derived using a fixed context
of `Vespa token fingerprint`. Enforcement has been added that a
`TokenDomain` cannot be initialized with a context equal to the
fingerprint context.
This changes the fingerprint outputs from their previous values,
but that's fine since they are not yet in use anywhere.
Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security')
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java | 22 | ||||
-rw-r--r-- | security-utils/src/main/java/com/yahoo/security/token/TokenFingerprint.java | 4 |
2 files changed, 15 insertions, 11 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java b/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
index e01d942cacf..ad01a2f8b5b 100644
--- a/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
+++ b/security-utils/src/main/java/com/yahoo/security/token/TokenDomain.java
@@ -26,32 +26,34 @@ import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
 * never be made to match, be it accidentally or deliberately.
 * </p>
 */
-public record TokenDomain(byte[] fingerprintContext, byte[] checkHashContext) {
+public record TokenDomain(byte[] checkHashContext) {
+
+ public TokenDomain {
+ if (Arrays.equals(checkHashContext, TokenFingerprint.FINGERPRINT_CONTEXT)) {
+ throw new IllegalArgumentException("Fingerprint and check hash contexts can not be equal");
+ }
+ }
 @Override
 public boolean equals(Object o) {
 if (this == o) return true;
 if (o == null || getClass() != o.getClass()) return false;
 TokenDomain that = (TokenDomain) o;
- return Arrays.equals(fingerprintContext, that.fingerprintContext) &&
- Arrays.equals(checkHashContext, that.checkHashContext);
+ return Arrays.equals(checkHashContext, that.checkHashContext);
 }
 @Override
 public int hashCode() {
- int result = Arrays.hashCode(fingerprintContext);
- result = 31 * result + Arrays.hashCode(checkHashContext);
- return result;
+ return Arrays.hashCode(checkHashContext);
 }
 @Override
 public String toString() {
- return "'%s'/'%s'".formatted(fromUtf8Bytes(fingerprintContext), fromUtf8Bytes(checkHashContext));
+ return "'%s'".formatted(fromUtf8Bytes(checkHashContext));
 }
- public static TokenDomain of(String fingerprintContext, String checkHashContext) {
- return new TokenDomain(toUtf8Bytes(fingerprintContext),
- toUtf8Bytes(checkHashContext));
+ public static TokenDomain of(String checkHashContext) {
+ return new TokenDomain(toUtf8Bytes(checkHashContext));
 }
 }
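Review bot: The compact constructor compares `checkHashContext` with the fingerprint context and then keeps the caller's array as the record component, so the rule it enforces holds only at the moment of construction. Anyone still holding that array, or reading it back through the record accessor (unless that is overridden outside this hunk), can later write the fingerprint context into it, and the `TokenDomain` would then presumably derive check hashes under the same context as fingerprints. Taking a private copy before the comparison closes this: `checkHashContext = checkHashContext.clone();` as the first statement of the constructor. That line also rejects a null context with a NullPointerException, where the current `Arrays.equals` check lets null through.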
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenFingerprint.java b/security-utils/src/main/java/com/yahoo/security/token/TokenFingerprint.java
index 0bec3d8af80..bb08653da43 100644
--- a/security-utils/src/main/java/com/yahoo/security/token/TokenFingerprint.java
+++ b/security-utils/src/main/java/com/yahoo/security/token/TokenFingerprint.java
@@ -5,6 +5,7 @@ import java.util.Arrays;
 import java.util.HexFormat;
 import static com.yahoo.security.ArrayUtils.hex;
+import static com.yahoo.security.ArrayUtils.toUtf8Bytes;
 /**
 * <p>A token fingerprint represents an opaque sequence of bytes that is expected
@@ -21,6 +22,7 @@ public record TokenFingerprint(byte[] hashBytes) {
 public static final int FINGERPRINT_BITS = 128;
 public static final int FINGERPRINT_BYTES = FINGERPRINT_BITS / 8;
+ public static final byte[] FINGERPRINT_CONTEXT = toUtf8Bytes("Vespa token fingerprint");
 @Override
 public boolean equals(Object o) {
@@ -50,7 +52,7 @@ public record TokenFingerprint(byte[] hashBytes) {
 }
 public static TokenFingerprint of(Token token) {
- return new TokenFingerprint(token.toDerivedBytes(FINGERPRINT_BYTES, token.domain().fingerprintContext()));
+ return new TokenFingerprint(token.toDerivedBytes(FINGERPRINT_BYTES, FINGERPRINT_CONTEXT));
 }
 public static TokenFingerprint ofRawBytes(byte[] hashBytes) { |
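Review bot: `FINGERPRINT_CONTEXT` in the second hunk is declared `public static final byte[]`, which fixes the reference but leaves the bytes writable by any code that can see the class. A write to that array would change every fingerprint computed by `of(Token)` in the third hunk and would also change what the `TokenDomain` constructor compares against. Both users visible in this commit are in `com.yahoo.security.token`, so dropping `public` may be enough if nothing outside the package reads it; otherwise keep the array private and expose a copy, e.g. `public static byte[] fingerprintContext() { return FINGERPRINT_CONTEXT.clone(); }`. A one-line comment on the constant saying that changing the string changes all fingerprint values would also help, since the commit message notes this is only safe because fingerprints are not yet in use.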