Repository: cxf Updated Branches: refs/heads/3.0.x-fixes 4a89a4870 -> 1338469f7
Doing a better bytes comparison in some of JAXRS OAuth2/Jose code Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/1338469f Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/1338469f Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/1338469f Branch: refs/heads/3.0.x-fixes Commit: 1338469f7d25cfcda75b547c68bed95bd97903ac Parents: 4a89a48 Author: Sergey Beryozkin <[email protected]> Authored: Fri Dec 30 16:27:03 2016 +0000 Committer: Sergey Beryozkin <[email protected]> Committed: Fri Dec 30 16:29:30 2016 +0000
----------------------------------------------------------------------
.../apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java | 4 ++--
.../cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java | 4 ++--
.../oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/cxf/blob/1338469f/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
index e713ff0..a0f1bfd 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jwe/AesCbcHmacJweDecryption.java
@@ -18,8 +18,8 @@
 */
 package org.apache.cxf.rs.security.jose.jwe;
+import java.security.MessageDigest;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
 import javax.crypto.spec.IvParameterSpec;
@@ -56,7 +56,7 @@ public class AesCbcHmacJweDecryption extends JweDecryption {
 jweDecryptionInput.getDecodedJsonHeaders());
 macState.mac.update(jweDecryptionInput.getEncryptedContent());
 byte[] expectedAuthTag = AesCbcHmacJweEncryption.signAndGetTag(macState);
- if (!Arrays.equals(actualAuthTag, expectedAuthTag)) {
+ if (!MessageDigest.isEqual(actualAuthTag, expectedAuthTag)) {
 LOG.warning("Invalid authentication tag");
 throw new JweException(JweException.Error.CONTENT_DECRYPTION_FAILURE);
 }
http://git-wip-us.apache.org/repos/asf/cxf/blob/1338469f/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
index 7910659..66b5d5c 100644
--- a/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
+++ b/rt/rs/security/jose-parent/jose/src/main/java/org/apache/cxf/rs/security/jose/jws/HmacJwsSignatureVerifier.java
@@ -18,8 +18,8 @@
 */
 package org.apache.cxf.rs.security.jose.jws;
+import java.security.MessageDigest;
 import java.security.spec.AlgorithmParameterSpec;
-import java.util.Arrays;
 import java.util.logging.Logger;
 import org.apache.cxf.common.logging.LogUtils;
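Review bot: The new constant-time comparison should carry a comment at the `if`, otherwise a later cleanup will read `MessageDigest.isEqual` as an odd way to spell `Arrays.equals` and put back the short-circuiting compare that leaks how many leading tag bytes matched. Suggest `// Constant-time compare; do not replace with Arrays.equals, which stops at the first mismatching byte` above the `if`, and the same comment on the `return` in HmacJwsSignatureVerifier.verify and on the `validMac` assignment in AbstractHawkAccessTokenValidator in the later hunks. isEqual still returns as soon as the two lengths differ, which is fine for a fixed-length authentication tag but is worth a word in the same comment. If the 3.0.x branch still supports Java 6, note that as far as I recall the JDK's own isEqual only became constant-time in 6u17, so the minimum runtime should be confirmed. The enclosing method starts before this hunk and continues after it.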
@@ -53,7 +53,7 @@ public class HmacJwsSignatureVerifier implements JwsSignatureVerifier {
 @Override
 public boolean verify(JwsHeaders headers, String unsignedText, byte[] signature) {
 byte[] expected = computeMac(headers, unsignedText);
- return Arrays.equals(expected, signature);
+ return MessageDigest.isEqual(expected, signature);
 }
 private byte[] computeMac(JwsHeaders headers, String text) {
http://git-wip-us.apache.org/repos/asf/cxf/blob/1338469f/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java
----------------------------------------------------------------------
diff --git a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java
index d9d70a5..aa17a4e 100644
--- a/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java
+++ b/rt/rs/security/oauth-parent/oauth2/src/main/java/org/apache/cxf/rs/security/oauth2/tokens/hawk/AbstractHawkAccessTokenValidator.java
@@ -19,7 +19,7 @@ package org.apache.cxf.rs.security.oauth2.tokens.hawk;
 import java.net.URI;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
@@ -78,7 +78,7 @@ public abstract class AbstractHawkAccessTokenValidator implements AccessTokenVal
 String clientMacString = schemeParams.get(OAuthConstants.HAWK_TOKEN_SIGNATURE);
 byte[] clientMacData = Base64Utility.decode(clientMacString);
- boolean validMac = Arrays.equals(serverMacData, clientMacData);
+ boolean validMac = MessageDigest.isEqual(serverMacData, clientMacData);
 if (!validMac) {
 AuthorizationUtils.throwAuthorizationFailure(Collections
 .singleton(OAuthConstants.HAWK_AUTHORIZATION_SCHEME));
