From 6370494db6416f025cac81a42a3d16e6f06a1300 Mon Sep 17 00:00:00 2001
From: Joe DeCock <josephdecock@gmail.com>
Date: Sat, 23 Nov 2024 13:52:37 -0600
Subject: [PATCH] Replace GetHashAlgorithmForSigningAlgorithm with
 GetHashFunctionForSigningAlgorithm

- Added GetHashFunctionForSigningAlgorithm, which returns a function that does not need to allocate an instance of HashAlgorithm to compute hashes.
- Deprecated GetHashAlgorithmForSigningAlgorithm because it does allocate a HashAlgorithm. GetHashFunctionForSigningAlgorithm is encouraged instead
- Use GetHashFunctionForSigningAlgorithm in CreateHashClaimValue
---
 .../Configuration/CryptoHelper.cs             | 38 +++++++++++++------
 1 file changed, 27 insertions(+), 11 deletions(-)

diff --git a/src/IdentityServer/Configuration/CryptoHelper.cs b/src/IdentityServer/Configuration/CryptoHelper.cs
index 2abe3bdb3..863feaaf2 100644
--- a/src/IdentityServer/Configuration/CryptoHelper.cs
+++ b/src/IdentityServer/Configuration/CryptoHelper.cs
@@ -69,18 +69,11 @@ public static RsaSecurityKey CreateRsaSecurityKey(RSAParameters parameters, stri
     /// <returns></returns>
     public static string CreateHashClaimValue(string value, string tokenSigningAlgorithm)
     {
-        var signingAlgorithmBits = int.Parse(tokenSigningAlgorithm.Substring(tokenSigningAlgorithm.Length - 3));
-        var toHash = Encoding.ASCII.GetBytes(value);
+        var (hashFunction, hashLength) = GetHashFunctionForSigningAlgorithm(tokenSigningAlgorithm);
+        var encodedBytes = Encoding.ASCII.GetBytes(value);
+        var hash = hashFunction(encodedBytes);
 
-        var hash = signingAlgorithmBits switch
-        {
-            256 => SHA256.HashData(toHash),
-            384 => SHA384.HashData(toHash),
-            512 => SHA512.HashData(toHash),
-            _ => throw new InvalidOperationException($"Invalid signing algorithm: {tokenSigningAlgorithm}"),
-        };
-
-        var size = (signingAlgorithmBits / 8) / 2;
+        var size = (hashLength / 8) / 2;
 
         var leftPart = new byte[size];
         Array.Copy(hash, leftPart, size);
@@ -88,11 +81,34 @@ public static string CreateHashClaimValue(string value, string tokenSigningAlgor
         return Base64Url.Encode(leftPart);
     }
 
+    /// <summary>
+    /// Returns the matching hash function for a token signing algorithm
+    /// </summary>
+    /// <param name="signingAlgorithm"></param>
+    /// <returns></returns>
+    /// <exception cref="InvalidOperationException"></exception>
+    public static (Func<byte[], byte[]> hashFunction, int hashLength) GetHashFunctionForSigningAlgorithm(string signingAlgorithm)
+    {
+        var hashLength = int.Parse(signingAlgorithm.Substring(signingAlgorithm.Length - 3));
+
+        Func<byte[], byte[]> hashFunction = hashLength switch
+        {
+            256 => SHA256.HashData,
+            384 => SHA384.HashData,
+            512 => SHA512.HashData,
+            _ => throw new InvalidOperationException($"Invalid signing algorithm: {signingAlgorithm}"),
+        };
+
+
+        return (hashFunction, hashLength);
+    }
+
     /// <summary>
     /// Returns the matching hashing algorithm for a token signing algorithm
     /// </summary>
     /// <param name="signingAlgorithm">The signing algorithm</param>
     /// <returns></returns>
+    [Obsolete("This method is obsolete and will be removed in a future version. Consider using GetHashFunctionForSigningAlgorithm instead for better performance (it does not allocate a HashAlgorithm)")]
     public static HashAlgorithm GetHashAlgorithmForSigningAlgorithm(string signingAlgorithm)
     {
         var signingAlgorithmBits = int.Parse(signingAlgorithm.Substring(signingAlgorithm.Length - 3));