This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cxf.git


The following commit(s) were added to refs/heads/master by this push:
     new c09877e  Use MessageDigest in the SCTCanceller
c09877e is described below

commit c09877e9773d5a4b5737930a348ce9f13e48df42
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Tue Jul 9 16:57:30 2019 +0100

    Use MessageDigest in the SCTCanceller
---
 .../main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java  | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
index 92c0917..fc874d1 100644
--- 
a/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
+++ 
b/services/sts/sts-core/src/main/java/org/apache/cxf/sts/token/canceller/SCTCanceller.java
@@ -20,7 +20,7 @@
 package org.apache.cxf.sts.token.canceller;
 
 import java.security.Key;
-import java.util.Arrays;
+import java.security.MessageDigest;
 import java.util.List;
 import java.util.Map;
 import java.util.logging.Level;
@@ -164,7 +164,7 @@ public class SCTCanceller implements TokenCanceller {
             if (signedResults != null) {
                 for (WSSecurityEngineResult engineResult : signedResults) {
                     byte[] receivedKey = 
(byte[])engineResult.get(WSSecurityEngineResult.TAG_SECRET);
-                    if (Arrays.equals(secretToMatch, receivedKey)) {
+                    if (MessageDigest.isEqual(secretToMatch, receivedKey)) {
                         LOG.log(
                                 Level.FINE,
                                 "Verification of the proof of possession of 
the key associated with "
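Review bot: `MessageDigest.isEqual` returns true when both arguments are null, as `Arrays.equals` did, so this check still passes if `secretToMatch` is null and an engine result has no `TAG_SECRET` entry. The assignment of `secretToMatch` is outside the hunk, so this case may already be excluded. If it is not, tighten the condition to `if (receivedKey != null && MessageDigest.isEqual(secretToMatch, receivedKey)) {`. The same applies to the `getEncoded()` comparison in the next hunk, since `getEncoded()` may return null for keys that do not support encoding. The enclosing method starts and ends outside the hunk.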
@@ -196,7 +196,7 @@ public class SCTCanceller implements TokenCanceller {
                         for (String key : token.getSecretKey().keySet()) {
                             Key keyObject = token.getSecretKey().get(key);
                             if (keyObject instanceof SecretKey
-                                && Arrays.equals(secretToMatch, 
((SecretKey)keyObject).getEncoded())) {
+                                && MessageDigest.isEqual(secretToMatch, 
((SecretKey)keyObject).getEncoded())) {
                                 LOG.log(
                                     Level.FINE,
                                     "Verification of the proof of possession 
of the key associated with "
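Review bot: Nothing at this comparison records why `MessageDigest.isEqual` replaces `Arrays.equals`, so a later cleanup could switch it back without noticing. The change is presumably meant to make the comparison of key material independent of timing. A one-line comment above the condition would keep that intent visible, for example `// Constant-time comparison of key material; do not replace with Arrays.equals`. The same comment fits the `receivedKey` comparison in the previous hunk. The enclosing method starts and ends outside the hunk.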
