Replace GetHashAlgorithmForSigningAlgorithm with GetHashFunctionForSi…

…gningAlgorithm - Added GetHashFunctionForSigningAlgorithm, which returns a function that does not need to allocate an instance of HashAlgorithm to compute hashes. - Deprecated GetHashAlgorithmForSigningAlgorithm because it does allocate a HashAlgorithm. GetHashFunctionForSigningAlgorithm is encouraged instead - Use GetHashFunctionForSigningAlgorithm in CreateHashClaimValue
DuendeSoftware · Nov 23, 2024 · 6370494 · 6370494
1 parent 9f7f7ca
commit 6370494
Showing 1 changed file with 27 additions and 11 deletions.
diff --git a/src/IdentityServer/Configuration/CryptoHelper.cs b/src/IdentityServer/Configuration/CryptoHelper.cs
@@ -69,30 +69,46 @@ public static RsaSecurityKey CreateRsaSecurityKey(RSAParameters parameters, stri
     /// <returns></returns>
     public static string CreateHashClaimValue(string value, string tokenSigningAlgorithm)
     {
-        var signingAlgorithmBits = int.Parse(tokenSigningAlgorithm.Substring(tokenSigningAlgorithm.Length - 3));
-        var toHash = Encoding.ASCII.GetBytes(value);
+        var (hashFunction, hashLength) = GetHashFunctionForSigningAlgorithm(tokenSigningAlgorithm);
+        var encodedBytes = Encoding.ASCII.GetBytes(value);
+        var hash = hashFunction(encodedBytes);
 
-        var hash = signingAlgorithmBits switch
-        {
-            256 => SHA256.HashData(toHash),
-            384 => SHA384.HashData(toHash),
-            512 => SHA512.HashData(toHash),
-            _ => throw new InvalidOperationException($"Invalid signing algorithm: {tokenSigningAlgorithm}"),
-        };
-
-        var size = (signingAlgorithmBits / 8) / 2;
+        var size = (hashLength / 8) / 2;
 
         var leftPart = new byte[size];
         Array.Copy(hash, leftPart, size);
 
         return Base64Url.Encode(leftPart);
     }
 
+    /// <summary>
+    /// Returns the matching hash function for a token signing algorithm
+    /// </summary>
+    /// <param name="signingAlgorithm"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException"></exception>
+    public static (Func<byte[], byte[]> hashFunction, int hashLength) GetHashFunctionForSigningAlgorithm(string signingAlgorithm)
+    {
+        var hashLength = int.Parse(signingAlgorithm.Substring(signingAlgorithm.Length - 3));
+
+        Func<byte[], byte[]> hashFunction = hashLength switch
+        {
+            256 => SHA256.HashData,
+            384 => SHA384.HashData,
+            512 => SHA512.HashData,
+            _ => throw new InvalidOperationException($"Invalid signing algorithm: {signingAlgorithm}"),
+        };
+
+
+        return (hashFunction, hashLength);
+    }
+
     /// <summary>
     /// Returns the matching hashing algorithm for a token signing algorithm
     /// </summary>
     /// <param name="signingAlgorithm">The signing algorithm</param>
     /// <returns></returns>
+    [Obsolete("This method is obsolete and will be removed in a future version. Consider using GetHashFunctionForSigningAlgorithm instead for better performance (it does not allocate a HashAlgorithm)")]
     public static HashAlgorithm GetHashAlgorithmForSigningAlgorithm(string signingAlgorithm)
     {
         var signingAlgorithmBits = int.Parse(signingAlgorithm.Substring(signingAlgorithm.Length - 3));