Using constant-time comparison for signatures.

pose · pose · commit b227e8135f25 · 2015-01-15T11:56:25.000-03:00
diff --git a/src/main/java/com/auth0/jwt/JWTVerifier.java b/src/main/java/com/auth0/jwt/JWTVerifier.java
@@ -12,6 +12,7 @@
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.security.InvalidKeyException;
+import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
 import java.util.ArrayList;
@@ -118,7 +119,7 @@ void verifySignature(String[] pieces, String algorithm) throws NoSuchAlgorithmEx
         hmac.init(new SecretKeySpec(secret, algorithm));
         byte[] sig = hmac.doFinal(new StringBuilder(pieces[0]).append(".").append(pieces[1]).toString().getBytes());
 
-        if (!Arrays.equals(sig, decoder.decodeBase64(pieces[2]))) {
+        if (!MessageDigest.isEqual(sig, decoder.decodeBase64(pieces[2]))) {
             throw new SignatureException("signature verification failed");
         }
     }
