Use base64url when generating log tokens

Updated the log field syntax logic used to generate tokens so that it uses the base64url variant rather than standard base64, and therefore uses '-' and '_' instead of '+' and '/'. This is at least better when tokenizing value components for DNs, where the plus sign needs to be escaped because it may otherwise indicate the start of the next RDN component.
pingidentity · Mar 15, 2022 · 6580b9a · 6580b9a
1 parent 04f2231
commit 6580b9a
Showing 1 changed file with 7 additions and 2 deletions.
diff --git a/src/com/unboundid/ldap/sdk/unboundidds/logs/v2/syntax/LogFieldSyntax.java b/src/com/unboundid/ldap/sdk/unboundidds/logs/v2/syntax/LogFieldSyntax.java
@@ -1158,9 +1158,14 @@ protected final void tokenize(@NotNull final byte[] bytes,
       final byte[] digestBytes = sha256(concatBuffer);
 
 
-      // Base64-encode a portion of the digest to use as the token.
+      // Base64-encode a portion of the digest to use as the token.  Use the
+      // base64url syntax to avoid including the plus and slash characters,
+      // which might cause issues in certain cases (for example, the plus sign
+      // needs to be escaped in DNs because it would otherwise represent the
+      // start of the next component of a multivalued RDN).
       buffer.append(TOKEN_PREFIX_STRING);
-      Base64.encode(digestBytes, 0, TOKEN_DIGEST_BYTES_LENGTH, buffer);
+      Base64.urlEncode(digestBytes, 0, TOKEN_DIGEST_BYTES_LENGTH, buffer,
+           false);
       buffer.append(TOKEN_SUFFIX_STRING);
     }
     finally