From 9bb4637f84ce6e415586e9fd0bca4b09463f1c3c Mon Sep 17 00:00:00 2001
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Thu, 7 Dec 2023 11:41:42 +0100
Subject: [PATCH] fix: added salt in the pairwised subject id - closes #158

---
 example/satosa/pyeudiw_backend.yaml       | 2 +-
 pyeudiw/openid4vp/direct_post_response.py | 2 +-
 pyeudiw/satosa/backend.py                 | 9 +++------
 3 files changed, 5 insertions(+), 8 deletions(-)

diff --git a/example/satosa/pyeudiw_backend.yaml b/example/satosa/pyeudiw_backend.yaml
index e2560722..d1d9e091 100644
--- a/example/satosa/pyeudiw_backend.yaml
+++ b/example/satosa/pyeudiw_backend.yaml
@@ -61,7 +61,7 @@ config:
     unique_identifiers:
     - tax_id_code
     - unique_id
-    subject_id_salt: CHANGEME!
+    subject_id_random_value: CHANGEME!
   
   network:
     httpc_params:
diff --git a/pyeudiw/openid4vp/direct_post_response.py b/pyeudiw/openid4vp/direct_post_response.py
index 38eae6a7..5099256e 100644
--- a/pyeudiw/openid4vp/direct_post_response.py
+++ b/pyeudiw/openid4vp/direct_post_response.py
@@ -28,7 +28,7 @@ def __init__(self, jwt: str, jwks_by_kids: dict, nonce: str = ""):
 
     @property
     def payload(self) -> dict:
-        # TODO: detect if if it encrypted otherwise ...
+        # TODO: detect if it is encrypted otherwise ...
         # here we support only the encrypted jwt
         if not self._payload:
             self.decrypt()
diff --git a/pyeudiw/satosa/backend.py b/pyeudiw/satosa/backend.py
index 2aa3bdee..48ed827e 100644
--- a/pyeudiw/satosa/backend.py
+++ b/pyeudiw/satosa/backend.py
@@ -307,11 +307,12 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
         internal_resp = InternalData(auth_info=auth_info)
 
         sub = ""
+        pepper = self.config['user_attributes']['subject_id_random_value']
         for i in self.config.get("user_attributes", {}).get("unique_identifiers", []):
             if response.get(i):
                 _sub = response[i]
                 sub = hashlib.sha256(
-                    f"{_sub}~{self.config['user_attributes']['subject_id_salt']}".encode(
+                    f"{_sub}~{pepper}".encode(
                     )
                 ).hexdigest()
                 break
@@ -325,9 +326,8 @@ def _translate_response(self, response: dict, issuer: str, context: Context):
                     "setting a random one for interop for internal frontends"
                 )
             )
-            # TODO - add a salt here
             sub = hashlib.sha256(
-                json.dumps(response).encode()
+                f"{json.dumps(response).encode()}~{pepper}".encode()
             ).hexdigest()
 
         response["sub"] = [sub]
@@ -731,9 +731,6 @@ def handle_error(
         level="error"
     ):
 
-        # TODO: evaluate with UX designers if Jinja2 template
-        # loader and rendering is required, it seems not.
-
         _msg = f"{message}:"
         if err:
             _msg += f" {err}."