Andrea Cosentino created CAMEL-23766:
----------------------------------------
Summary: camel-crypto: use a constant-time comparison for HMAC verification in HMACAccumulator
Key: CAMEL-23766
URL: https://issues.apache.org/jira/browse/CAMEL-23766
Project: Camel
Issue Type: Improvement
Reporter: Andrea Cosentino
Assignee: Andrea Cosentino
Fix For: 4.21.0, 4.18.3, 4.14.8
HMACAccumulator.validate() compares the expected and actual MAC byte-by-byte
with an early-exit loop. This proposes using
java.security.MessageDigest.isEqual(...) for a constant-time comparison, which
is the standard practice for MAC/signature verification.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
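As an added illustration (not code from the Camel project or from this issue), the early-exit byte loop the issue describes beside the MessageDigest.isEqual replacement it proposes; the key and message are constructed sample values, and the class and method names are hypothetical:

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class HmacCompareDemo {

    // Before: early-exit loop of the kind the issue describes. The number of
    // iterations before the first mismatch depends on the data, so the time
    // taken can leak how many leading bytes of a forged MAC were correct.
    static boolean earlyExitEquals(byte[] expected, byte[] actual) {
        if (expected.length != actual.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != actual[i]) {
                return false; // returns at the first differing byte
            }
        }
        return true;
    }

    // After: MessageDigest.isEqual examines every byte regardless of where the
    // first mismatch is (constant-time in current JDKs); only the length check
    // short-circuits, and the MAC length is public anyway.
    static boolean constantTimeEquals(byte[] expected, byte[] actual) {
        return MessageDigest.isEqual(expected, actual);
    }

    static byte[] hmacSha256(byte[] key, byte[] message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample key and message; not values from the issue.
        byte[] key = "demo-key-not-secret".getBytes(StandardCharsets.UTF_8);
        byte[] message = "payload".getBytes(StandardCharsets.UTF_8);
        byte[] expected = hmacSha256(key, message);
        byte[] forged = expected.clone();
        forged[expected.length - 1] ^= 0x01; // flip one bit in the last byte
        // Both comparisons return the same answers; they differ only in timing behaviour.
        System.out.println("genuine, early-exit : " + earlyExitEquals(expected, expected));
        System.out.println("genuine, isEqual    : " + constantTimeEquals(expected, expected));
        System.out.println("forged,  early-exit : " + earlyExitEquals(expected, forged));
        System.out.println("forged,  isEqual    : " + constantTimeEquals(expected, forged));
    }
}
```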