libre.sh/keycloak-scim
3
0
Fork 0
Code Issues 15 Pull requests Releases Packages Activity Actions

KEYCLOAK-4176

Browse source
This commit is contained in:
Stian Thorgersen 2017-01-10 07:59:45 +01:00
parent 8a02ef1859
commit 426e55664f
2 changed files with 5 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
core/src/main/java/org/keycloak/jose/jws/crypto/HMACProvider.java
View file

@ -25,6 +25,7 @@ import org.keycloak.jose.jws.JWSInput;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
/**
@ -81,8 +82,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, SecretKey key) {
try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key);
String x = Base64Url.encode(signature);
return x.equals(input.getEncodedSignature());
return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) {
throw new RuntimeException(e);
}
@ -92,8 +92,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, byte[] sharedSecret) {
try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret);
String x = Base64Url.encode(signature);
return x.equals(input.getEncodedSignature());
return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
} catch (Exception e) {
throw new RuntimeException(e);
}

3
server-spi-private/src/main/java/org/keycloak/services/managers/ClientSessionCode.java
View file

@ -28,6 +28,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils;
import java.security.MessageDigest;
import java.util.HashSet;
import java.util.Set;
@ -252,7 +253,7 @@ public class ClientSessionCode {
clientSession.removeNote(ACTIVE_CODE);
return code.equals(activeCode);
return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
} catch (Exception e) {
throw new RuntimeException(e);
}