Use MessageDigest.isEqual() instead of Array.equals()

paragonie-security · nbaars · commit 0930414b574c · 2021-08-06T08:18:16.000+02:00
diff --git a/version1/src/main/java/org/paseto4j/version1/PasetoLocal.java b/version1/src/main/java/org/paseto4j/version1/PasetoLocal.java
@@ -116,7 +116,7 @@ static String decrypt(SecretKey key, String token, String footer) {
 
         //1
         if (!isNullOrEmpty(footer)) {
-            verify(Arrays.equals(getUrlDecoder().decode(tokenParts[3]), footer.getBytes(UTF_8)), "footer does not match");
+            verify(MessageDigest.isEqual(getUrlDecoder().decode(tokenParts[3]), footer.getBytes(UTF_8)), "footer does not match");
         }
 
         //2

Original file line number	Diff line number	Diff line change
`@@ -116,7 +116,7 @@ static String decrypt(SecretKey key, String token, String footer) {`
`116`	`116`
`117`	`117`	`//1`
`118`	`118`	`if (!isNullOrEmpty(footer)) {`
`119`		`- verify(Arrays.equals(getUrlDecoder().decode(tokenParts[3]), footer.getBytes(UTF_8)), "footer does not match");`
	`119`	`+ verify(MessageDigest.isEqual(getUrlDecoder().decode(tokenParts[3]), footer.getBytes(UTF_8)), "footer does not match");`
`120`	`120`	`}`
`121`	`121`
`122`	`122`	`//2`