remove deprecated verify_slices_are_equal

jayakasadev · jayakasadev · commit 42c6baa92397 · 2025-03-07T10:26:07.000-05:00
diff --git a/Cargo.toml b/Cargo.toml
@@ -26,7 +26,6 @@ base64 = "0.22"
 # For PEM decoding
 pem = { version = "3", optional = true }
 simple_asn1 = { version = "0.6", optional = true }
-openssl = "0.10.71"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 ring = { version = "0.17.4", features = ["std"] }
diff --git a/src/crypto/mod.rs b/src/crypto/mod.rs
@@ -3,7 +3,7 @@ use ring::{hmac, signature};
 use crate::algorithms::Algorithm;
 use crate::decoding::{DecodingKey, DecodingKeyKind};
 use crate::encoding::EncodingKey;
-use crate::errors::{Error, Result};
+use crate::errors::Result;
 use crate::serialization::{b64_decode, b64_encode};
 
 pub(crate) mod ecdsa;
@@ -20,17 +20,6 @@ fn alg_to_hmac(alg: Algorithm) -> hmac::Algorithm {
     }
 }
 
-/// Returns `Ok(())` if `a == b` and `Err(error::Unspecified)` otherwise.
-pub fn verify_slices_are_equal(a: &[u8], b: &[u8]) -> Result<()> {
-    if b.len() != a.len() {
-        return Err(Error::from(ring::error::Unspecified));
-    }
-    match openssl::memcmp::eq(a, b) {
-        true => Ok(()),
-        _ => Err(Error::from(ring::error::Unspecified)),
-    }
-}
-
 /// The actual HS signing + encoding
 /// Could be in its own file to match RSA/EC but it's 2 lines...
 pub(crate) fn sign_hmac(alg: hmac::Algorithm, key: &[u8], message: &[u8]) -> String {
@@ -94,8 +83,10 @@ pub fn verify(
     match algorithm {
         Algorithm::HS256 | Algorithm::HS384 | Algorithm::HS512 => {
             // we just re-sign the message with the key and compare if they are equal
-            let signed = sign(message, &EncodingKey::from_secret(key.as_bytes()), algorithm)?;
-            Ok(verify_slices_are_equal(signature.as_ref(), signed.as_ref()).is_ok())
+            let encoding_key = &EncodingKey::from_secret(key.as_bytes());
+            let key = &hmac::Key::new(alg_to_hmac(algorithm), encoding_key.inner());
+            let digest = hmac::sign(key, message);
+            Ok(hmac::verify(key, message, digest.as_ref()).is_ok())
         }
         Algorithm::ES256 | Algorithm::ES384 => verify_ring(
             ecdsa::alg_to_ec_verification(algorithm),
diff --git a/tests/hmac.rs b/tests/hmac.rs
@@ -151,7 +151,7 @@ fn decode_token_missing_parts() {
 
 #[test]
 #[wasm_bindgen_test]
-#[should_panic(expected = "InvalidSignature")]
+#[should_panic(expected = "missing field `exp`")]
 fn decode_token_invalid_signature() {
     let token =
         "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJiQGIuY29tIiwiY29tcGFueSI6IkFDTUUifQ.wrong";
