Use constant-time string comparison for sigs

anfedorov · anfedorov · commit 2d2fa0d40ac8 · 2017-11-04T18:59:55.000-07:00
Fixed #12
diff --git a/src/main/scala/authentikat/jwt/JsonWebToken.scala b/src/main/scala/authentikat/jwt/JsonWebToken.scala
@@ -84,7 +84,7 @@ object JsonWebToken extends JsonMethods {
         val signature = encodeBase64URLSafeString(
           JsonWebSignature(header.algorithm.getOrElse("none"), providedHeader + "." + providedClaims, key))
 
-        providedSignature.contentEquals(signature)
+        java.security.MessageDigest.isEqual(providedSignature.getBytes(), signature.getBytes())
       case _ ⇒
         false
     }

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ object JsonWebToken extends JsonMethods {`
`84`	`84`	`val signature = encodeBase64URLSafeString(`
`85`	`85`	`JsonWebSignature(header.algorithm.getOrElse("none"), providedHeader + "." + providedClaims, key))`
`86`	`86`
`87`		`- providedSignature.contentEquals(signature)`
	`87`	`+ java.security.MessageDigest.isEqual(providedSignature.getBytes(), signature.getBytes())`
`88`	`88`	`case _ ⇒`
`89`	`89`	`false`
`90`	`90`	`}`