Skip to content

Commit b08e16f

Browse files
karesclaude
andcommitted
[refactor] use constant-time comparison for PKCS7 digest verification
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
1 parent d784651 commit b08e16f

1 file changed

Lines changed: 1 addition & 1 deletion

File tree

  • src/main/java/org/jruby/ext/openssl/impl

src/main/java/org/jruby/ext/openssl/impl/PKCS7.java

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -293,7 +293,7 @@ public void signatureVerify(BIO bio, SignerInfoWithPkey si, X509AuxCertificate x
293293
if(message_digest == null) {
294294
throw new PKCS7Exception(F_PKCS7_SIGNATUREVERIFY, R_UNABLE_TO_FIND_MESSAGE_DIGEST);
295295
}
296-
if(!Arrays.equals(md_dat, message_digest.getOctets())) {
296+
if(!MessageDigest.isEqual(md_dat, message_digest.getOctets())) {
297297
throw new NotVerifiedPKCS7Exception();
298298
}
299299

0 commit comments

Comments
 (0)