Merge pull request #282 from mjechow/master
prevent CWE-208: Observable Timing Discrepancy
luisgoncalves authored Jan 3, 2024
2 parents 49fc076 + ddae003 commit 673ecdd
Showing 2 changed files with 5 additions and 8 deletions.
3 changes: 1 addition & 2 deletions src/main/java/xades4j/verification/CertRefUtils.java
@@ -19,7 +19,6 @@
import java.security.MessageDigest;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import xades4j.UnsupportedAlgorithmException;
import xades4j.XAdES4jException;
@@ -85,7 +84,7 @@ static void checkCertRef(
{
messageDigest = messageDigestProvider.getEngine(certRef.getDigestAlgUri());
byte[] actualDigest = messageDigest.digest(cert.getEncoded());
if (!Arrays.equals(certRef.getDigestValue(), actualDigest))
if (!MessageDigest.isEqual(certRef.getDigestValue(), actualDigest))
throw new InvalidCertRefException("digests mismatch");
return;
} catch (UnsupportedAlgorithmException | CertificateEncodingException ex)
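Review bot: In checkCertRef the digest read from the certificate reference is passed as the first argument, `MessageDigest.isEqual(certRef.getDigestValue(), actualDigest)`, while SignaturePolicyVerifier.verify in this same commit passes the locally computed digest first. The JDK documents that isEqual's running time depends only on the length of its first argument, so I would put the computed digest first in both places: `if (!MessageDigest.isEqual(actualDigest, certRef.getDigestValue()))`. Both operands appear to be public values (a digest of the certificate and the digest carried in the reference), so this reads as hardening rather than a fix for a leak of secret data. A one-line comment such as `// constant-time compare (CWE-208); keep MessageDigest.isEqual, not Arrays.equals` at both call sites would stop a later cleanup from reverting the change. checkCertRef starts and ends outside the hunk.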
10 changes: 4 additions & 6 deletions src/main/java/xades4j/verification/SignaturePolicyVerifier.java
@@ -17,6 +17,9 @@
package xades4j.verification;

import jakarta.inject.Inject;
import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import xades4j.UnsupportedAlgorithmException;
import xades4j.properties.ObjectIdentifier;
import xades4j.properties.QualifyingProperty;
@@ -27,11 +30,6 @@
import xades4j.providers.SignaturePolicyDocumentProvider;
import xades4j.utils.MessageDigestUtils;

import java.io.IOException;
import java.io.InputStream;
import java.security.MessageDigest;
import java.util.Arrays;

/**
*
* @author Luís
@@ -75,7 +73,7 @@ public QualifyingProperty verify(
byte[] sigDocDigest = MessageDigestUtils.digestStream(md, sigDocStream);

// Check the document digest.
if (!Arrays.equals(sigDocDigest, propData.getDigestValue()))
if (!MessageDigest.isEqual(sigDocDigest, propData.getDigestValue()))
{
throw new SignaturePolicyDigestMismatchException(policyId);
}
