This is an automated email from the ASF dual-hosted git repository.
mmarshall pushed a commit to branch branch-3.0
in repository https://gitbox.apache.org/repos/asf/pulsar.git
The following commit(s) were added to refs/heads/branch-3.0 by this push:
new bc1019fa8ed [fix][broker] Use MessageDigest.isEqual when comparing
digests (#21061)
bc1019fa8ed is described below
commit bc1019fa8ed37b8a4c8bb01e3662c6c015e1bc27
Author: Yiheng Cao <[email protected]>
AuthorDate: Fri Aug 25 00:41:32 2023 +0800
[fix][broker] Use MessageDigest.isEqual when comparing digests (#21061)
(cherry picked from commit c05954e66ff33098aeb848f4bde51613ace7e47e)
---
.../org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
index c979566e485..82f760e14b7 100644
---
a/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
+++
b/pulsar-broker-auth-sasl/src/main/java/org/apache/pulsar/broker/authentication/SaslRoleTokenSigner.java
@@ -76,7 +76,7 @@ public class SaslRoleTokenSigner {
String originalSignature = signedStr.substring(index +
SIGNATURE.length());
String rawValue = signedStr.substring(0, index);
String currentSignature = computeSignature(rawValue);
- if (!originalSignature.equals(currentSignature)) {
+ if (!MessageDigest.isEqual(originalSignature.getBytes(),
currentSignature.getBytes())){
throw new AuthenticationException("Invalid signature");
}
return rawValue;
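Review bot: The added `+` line calls `getBytes()` with no charset on both operands, so the encoding depends on the JVM's platform default; the comparison result is unaffected because both strings are encoded the same way, but the convention is an explicit charset, `MessageDigest.isEqual(originalSignature.getBytes(StandardCharsets.UTF_8), currentSignature.getBytes(StandardCharsets.UTF_8))` (this may need a `java.nio.charset.StandardCharsets` import if the file does not already have one). A short comment above the check would record why `String.equals` was replaced so the next maintainer does not revert it, e.g. `// Constant-time compare: String.equals returns at the first mismatching char, which leaks how much of the signature matched.`. The `)){` on that line is also missing the space before the brace that the rest of the hunk uses. The enclosing method begins before this hunk and its closing brace is after it.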