[refactor] use constant-time comparison for PKCS7 digest verification

kares · claude · kares · commit b08e16f9e806 · 2026-04-05T14:53:23.000+02:00
Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/main/java/org/jruby/ext/openssl/impl/PKCS7.java b/src/main/java/org/jruby/ext/openssl/impl/PKCS7.java
@@ -293,7 +293,7 @@ public void signatureVerify(BIO bio, SignerInfoWithPkey si, X509AuxCertificate x
                 if(message_digest == null) {
                     throw new PKCS7Exception(F_PKCS7_SIGNATUREVERIFY, R_UNABLE_TO_FIND_MESSAGE_DIGEST);
                 }
-                if(!Arrays.equals(md_dat, message_digest.getOctets())) {
+                if(!MessageDigest.isEqual(md_dat, message_digest.getOctets())) {
                     throw new NotVerifiedPKCS7Exception();
                 }
 

Original file line number	Diff line number	Diff line change
`@@ -293,7 +293,7 @@ public void signatureVerify(BIO bio, SignerInfoWithPkey si, X509AuxCertificate x`
`293`	`293`	`if(message_digest == null) {`
`294`	`294`	`throw new PKCS7Exception(F_PKCS7_SIGNATUREVERIFY, R_UNABLE_TO_FIND_MESSAGE_DIGEST);`
`295`	`295`	`}`
`296`		`- if(!Arrays.equals(md_dat, message_digest.getOctets())) {`
	`296`	`+ if(!MessageDigest.isEqual(md_dat, message_digest.getOctets())) {`
`297`	`297`	`throw new NotVerifiedPKCS7Exception();`
`298`	`298`	`}`
`299`	`299`