Diffstat (limited to 'security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java46
1 files changed, 46 insertions, 0 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java
new file mode 100644
index 00000000000..e4d9825842e
--- /dev/null
+++ b/security-utils/src/main/java/com/yahoo/security/token/TokenCheckHash.java
@@ -0,0 +1,46 @@
+// Copyright Yahoo. Licensed under the terms of the Apache 2.0 license. See LICENSE in the project root.
+package com.yahoo.security.token;
+
+import java.util.Arrays;
+
+import static com.yahoo.security.ArrayUtils.hex;
+
+/**
+ * A token check hash represents a hash derived from a token in such a way that
+ * distinct "audiences" for the token compute entirely different hashes even for
+ * identical token values.
+ */
+public record TokenCheckHash(byte[] hashBytes) {
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) return true;
+ if (o == null || getClass() != o.getClass()) return false;
+ TokenCheckHash tokenCheckHash = (TokenCheckHash) o;
+ // We don't consider token hashes secret data, so no harm in data-dependent equals()
+ return Arrays.equals(hashBytes, tokenCheckHash.hashBytes);
+ }
+
+ @Override
+ public int hashCode() {
+ return Arrays.hashCode(hashBytes);
+ }
+
+ public String toHexString() {
+ return hex(hashBytes);
+ }
+
+ @Override
+ public String toString() {
+ return toHexString();
+ }
+
+ public static TokenCheckHash of(Token token, int nHashBytes) {
+ return new TokenCheckHash(token.toDerivedBytes(nHashBytes, token.domain().checkHashContext()));
+ }
+
+ public static TokenCheckHash ofRawBytes(byte[] hashBytes) {
+ return new TokenCheckHash(Arrays.copyOf(hashBytes, hashBytes.length));
+ }
+
+}
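Review bot: The record still exposes its backing array: the implicit canonical constructor is public and stores the caller's `byte[]` as-is, and the generated `hashBytes()` accessor returns that same array, so only `ofRawBytes` gets a defensive copy. Anyone holding either reference can change the bytes after construction, which silently changes the result of `equals()`/`hashCode()`, can strand the value inside a hash-based collection, and undermines the integrity of a stored check hash. I would copy in a compact constructor, `public TokenCheckHash { hashBytes = Arrays.copyOf(hashBytes, hashBytes.length); }`, and override the accessor to `return hashBytes.clone();`, after which `ofRawBytes` can simply delegate. Whether `of` strictly needs the copy depends on `toDerivedBytes` returning a fresh array, which is not visible in this hunk.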