ELY-2430: Update AbstractX509CertificateChainCredential to make use o…
…f MessageDigest#isEqual to avoid a potential timing attack
mbhardwaj09 authored and ivassile committed Oct 18, 2022
1 parent 4abb472 commit 1e386fd
Showing 1 changed file with 2 additions and 2 deletions.
Expand Up @@ -21,8 +21,8 @@
import java.security.Provider;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.security.MessageDigest;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Arrays;
import java.util.function.Supplier;

import org.wildfly.common.Assert;
Expand Down Expand Up @@ -56,7 +56,7 @@ public boolean verify(final Evidence evidence) {
if (evidence instanceof X509PeerCertificateChainEvidence) {
final X509PeerCertificateChainEvidence peerCertificateChainEvidence = (X509PeerCertificateChainEvidence) evidence;
try {
return getAlgorithm().equals(peerCertificateChainEvidence.getAlgorithm()) && Arrays.equals(getFirstCertificate().getEncoded(), peerCertificateChainEvidence.getFirstCertificate().getEncoded());
return getAlgorithm().equals(peerCertificateChainEvidence.getAlgorithm()) && MessageDigest.isEqual(getFirstCertificate().getEncoded(), peerCertificateChainEvidence.getFirstCertificate().getEncoded());
} catch (CertificateEncodingException e) {
}
}
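Review bot: The empty `catch (CertificateEncodingException e) { }` directly below the changed `return` still swallows an encoding failure without a trace, so a certificate that cannot be encoded is indistinguishable from an ordinary mismatch. Control presumably falls through to a negative result outside the hunk, which is the safe direction, but the intent should be stated, e.g. `// encoding failure: fall through and treat the evidence as not verified`, ideally with a debug-level log of the exception. The new `MessageDigest.isEqual(...)` call would also benefit from a one-line comment such as `// constant-time comparison; do not replace with Arrays.equals`, so that a later cleanup does not quietly undo this change. The body of `verify` begins and ends outside this hunk.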
