Use SHA*.HashData() one-shot methods

Use `SHA*.HashData()` one-shot methods to avoid allocating `SHA*` objects.
DuendeSoftware · Nov 23, 2024 · 9f7f7ca · 9f7f7ca
1 parent 4c83776
commit 9f7f7ca
Show file tree

Hide file tree

Showing 6 changed files with 29 additions and 43 deletions.
diff --git a/src/IdentityServer/Configuration/CryptoHelper.cs b/src/IdentityServer/Configuration/CryptoHelper.cs
@@ -69,16 +69,23 @@ public static RsaSecurityKey CreateRsaSecurityKey(RSAParameters parameters, stri
     /// <returns></returns>
     public static string CreateHashClaimValue(string value, string tokenSigningAlgorithm)
     {
-        using (var sha = GetHashAlgorithmForSigningAlgorithm(tokenSigningAlgorithm))
+        var signingAlgorithmBits = int.Parse(tokenSigningAlgorithm.Substring(tokenSigningAlgorithm.Length - 3));
+        var toHash = Encoding.ASCII.GetBytes(value);
+
+        var hash = signingAlgorithmBits switch
         {
-            var hash = sha.ComputeHash(Encoding.ASCII.GetBytes(value));
-            var size = (sha.HashSize / 8) / 2;
+            256 => SHA256.HashData(toHash),
+            384 => SHA384.HashData(toHash),
+            512 => SHA512.HashData(toHash),
+            _ => throw new InvalidOperationException($"Invalid signing algorithm: {tokenSigningAlgorithm}"),
+        };
 
-            var leftPart = new byte[size];
-            Array.Copy(hash, leftPart, size);
+        var size = (signingAlgorithmBits / 8) / 2;
 
-            return Base64Url.Encode(leftPart);
-        }
+        var leftPart = new byte[size];
+        Array.Copy(hash, leftPart, size);
+
+        return Base64Url.Encode(leftPart);
     }
 
     /// <summary>

diff --git a/src/IdentityServer/Extensions/HashExtensions.cs b/src/IdentityServer/Extensions/HashExtensions.cs
@@ -23,13 +23,10 @@ public static string Sha256(this string input)
     {
         if (input.IsMissing()) return string.Empty;
 
-        using (var sha = SHA256.Create())
-        {
-            var bytes = Encoding.UTF8.GetBytes(input);
-            var hash = sha.ComputeHash(bytes);
+        var bytes = Encoding.UTF8.GetBytes(input);
+        var hash = SHA256.HashData(bytes);
 
-            return Convert.ToBase64String(hash);
-        }
+        return Convert.ToBase64String(hash);
     }
 
     /// <summary>
@@ -44,10 +41,7 @@ public static byte[] Sha256(this byte[] input)
             return null;
         }
 
-        using (var sha = SHA256.Create())
-        {
-            return sha.ComputeHash(input);
-        }
+        return SHA256.HashData(input);
     }
 
     /// <summary>
@@ -59,12 +53,9 @@ public static string Sha512(this string input)
     {
         if (input.IsMissing()) return string.Empty;
 
-        using (var sha = SHA512.Create())
-        {
-            var bytes = Encoding.UTF8.GetBytes(input);
-            var hash = sha.ComputeHash(bytes);
+        var bytes = Encoding.UTF8.GetBytes(input);
+        var hash = SHA512.HashData(bytes);
 
-            return Convert.ToBase64String(hash);
-        }
+        return Convert.ToBase64String(hash);
     }
 }
diff --git a/src/IdentityServer/Extensions/ValidatedAuthorizeRequestExtensions.cs b/src/IdentityServer/Extensions/ValidatedAuthorizeRequestExtensions.cs
@@ -155,12 +155,7 @@ public static string GenerateSessionStateValue(this ValidatedAuthorizeRequest re
         }
 
         var bytes = Encoding.UTF8.GetBytes(clientId + origin + sessionId + salt);
-        byte[] hash;
-
-        using (var sha = SHA256.Create())
-        {
-            hash = sha.ComputeHash(bytes);
-        }
+        var hash = SHA256.HashData(bytes);
 
         return Base64Url.Encode(hash) + "." + salt;
     }

diff --git a/src/IdentityServer/Models/Messages/ConsentRequest.cs b/src/IdentityServer/Models/Messages/ConsentRequest.cs
@@ -88,13 +88,10 @@ public string Id
             var normalizedScopes = ScopesRequested?.OrderBy(x => x).Distinct().Aggregate((x, y) => x + "," + y);
             var value = $"{ClientId}:{Subject}:{Nonce}:{normalizedScopes}";
 
-            using (var sha = SHA256.Create())
-            {
-                var bytes = Encoding.UTF8.GetBytes(value);
-                var hash = sha.ComputeHash(bytes);
+            var bytes = Encoding.UTF8.GetBytes(value);
+            var hash = SHA256.HashData(bytes);
 
-                return Base64Url.Encode(hash);
-            }
+            return Base64Url.Encode(hash);
         }
     }
 }
diff --git a/src/IdentityServer/Stores/Default/DefaultGrantStore.cs b/src/IdentityServer/Stores/Default/DefaultGrantStore.cs
@@ -98,12 +98,9 @@ protected virtual string GetHashedKey(string value)
         if (value.EndsWith(HexEncodingFormatSuffix))
         {
             // newer format >= v6; uses hex encoding to avoid collation issues
-            using (var sha = SHA256.Create())
-            {
-                var bytes = Encoding.UTF8.GetBytes(key);
-                var hash = sha.ComputeHash(bytes);
-                return BitConverter.ToString(hash).Replace("-", "");
-            }
+            var bytes = Encoding.UTF8.GetBytes(key);
+            var hash = SHA256.HashData(bytes);
+            return BitConverter.ToString(hash).Replace("-", "");
         }
 
         // old format <= v5

diff --git a/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs b/src/IdentityServer/Validation/Default/DefaultDPoPProofValidator.cs
@@ -300,9 +300,8 @@ protected virtual async Task ValidatePayloadAsync(DPoPProofValidatonContext cont
                 return;
             }
 
-            using var sha = SHA256.Create();
             var bytes = Encoding.UTF8.GetBytes(context.AccessToken);
-            var hash = sha.ComputeHash(bytes);
+            var hash = SHA256.HashData(bytes);
 
             var accessTokenHash = Base64Url.Encode(hash);
             if (accessTokenHash != result.AccessTokenHash)