diff --git a/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java b/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
index c2ebc26..4a97d73 100755
--- a/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
+++ b/core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
@@ -25,6 +25,7 @@ import org.keycloak.jose.jws.JWSInput;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
+import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
@@ -81,8 +82,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, SecretKey key) {
try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key);
- String x = Base64Url.encode(signature);
- return x.equals(input.getEncodedSignature());
+ return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) {
throw new RuntimeException(e);
}
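Review bot: The new return line changes what happens when the token carries no signature: `x.equals(input.getEncodedSignature())` returned false for a null or non-base64url value, whereas `Base64Url.decode(...)` on such input is likely to throw, and the surrounding `catch (Exception e)` then rethrows it as a RuntimeException instead of a clean verification failure. Consider guarding before the decode, e.g. `String encoded = input.getEncodedSignature();` / `if (encoded == null) return false;` / `return MessageDigest.isEqual(signature, Base64Url.decode(encoded));`, or catching the decode failure and returning false so malformed signatures and wrong signatures are handled alike. The same applies to the `byte[] sharedSecret` overload in the next hunk. Note that `MessageDigest.isEqual` still returns early on a length mismatch, which is acceptable here since the HMAC length is fixed by the algorithm. The method's closing brace lies outside this hunk.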
@@ -92,8 +92,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, byte[] sharedSecret) {
try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret);
- String x = Base64Url.encode(signature);
- return x.equals(input.getEncodedSignature());
+ return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) {
throw new RuntimeException(e);
}
diff --git a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
index e343823..ef11479 100755
--- a/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
+++ b/server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
@@ -28,6 +28,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;
+import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
@@ -252,7 +253,7 @@ public class ClientSessionCode {
clientSession.removeNote(ACTIVE_CODE);
- return code.equals(activeCode);
+ return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
} catch (Exception e) {
throw new RuntimeException(e);
}
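Review bot: `code.getBytes()` and `activeCode.getBytes()` use the platform default charset; for a comparison that should not depend on JVM configuration, pass an explicit charset, e.g. `return MessageDigest.isEqual(code.getBytes(StandardCharsets.UTF_8), activeCode.getBytes(StandardCharsets.UTF_8));` (with the matching `java.nio.charset.StandardCharsets` import). The old `code.equals(activeCode)` also tolerated a null `activeCode` by returning false, whereas `activeCode.getBytes()` would now throw and be rethrown as a RuntimeException by the enclosing catch — if the note can be absent, a null check before the comparison would preserve the previous outcome; I cannot see from this hunk whether that case is reachable. The enclosing method begins outside the hunk.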