Merge pull request #3734 from stianst/KEYCLOAK-4176

KEYCLOAK-4176
Stian Thorgersen 2017-01-10 15:19:05 +01:00 committed by GitHub
commit 7ceef826ac
2 changed files with 5 additions and 5 deletions


@ -25,6 +25,7 @@ import org.keycloak.jose.jws.JWSInput;
import javax.crypto.Mac; import javax.crypto.Mac;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec; import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
/** /**
@ -81,8 +82,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, SecretKey key) { public static boolean verify(JWSInput input, SecretKey key) {
try { try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key); byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key);
String x = Base64Url.encode(signature); return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
return x.equals(input.getEncodedSignature());
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
@ -92,8 +92,7 @@ public class HMACProvider implements SignatureProvider {
public static boolean verify(JWSInput input, byte[] sharedSecret) { public static boolean verify(JWSInput input, byte[] sharedSecret) {
try { try {
byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret); byte[] signature = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), sharedSecret);
String x = Base64Url.encode(signature); return MessageDigest.isEqual(signature, Base64Url.decode(input.getEncodedSignature()));
return x.equals(input.getEncodedSignature());
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
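Review bot: Base64Url.decode now runs on the untrusted encoded signature inside the try block in both verify overloads (the lines pairing `String x = Base64Url.encode(signature);` with the new `return MessageDigest.isEqual(...)`), so if decode rejects malformed input by throwing — its implementation is not visible here — a garbage signature surfaces as a RuntimeException where the old encode-and-equals path simply returned false. A token with a mangled signature should be a verification failure, not a server error, so decode before the comparison and map a decode failure to `false`. The early length exit inside MessageDigest.isEqual is acceptable here because the HMAC length is fixed by the algorithm, not by the attacker. The two overloads differ only in the key type, so the decode-and-compare step is a candidate for one private helper; the method bodies end at the `}` closing the catch, with the method's closing brace outside the hunk.
```java
public static boolean verify(JWSInput input, SecretKey key) {
    try {
        byte[] expected = sign(input.getEncodedSignatureInput().getBytes("UTF-8"), input.getHeader().getAlgorithm(), key);
        byte[] provided;
        try {
            provided = Base64Url.decode(input.getEncodedSignature());
        } catch (RuntimeException e) { // whatever decode throws on malformed input
            // A signature that is not valid base64url is a failed verification, not a server error.
            return false;
        }
        return MessageDigest.isEqual(expected, provided);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
// … unchanged: the byte[] sharedSecret overload mirrors this with the same decode guard …
```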


@ -28,6 +28,7 @@ import org.keycloak.models.RealmModel;
import org.keycloak.models.RoleModel; import org.keycloak.models.RoleModel;
import org.keycloak.models.utils.KeycloakModelUtils; import org.keycloak.models.utils.KeycloakModelUtils;
import java.security.MessageDigest;
import java.util.HashSet; import java.util.HashSet;
import java.util.Set; import java.util.Set;
@ -252,7 +253,7 @@ public class ClientSessionCode {
clientSession.removeNote(ACTIVE_CODE); clientSession.removeNote(ACTIVE_CODE);
return code.equals(activeCode); return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());
} catch (Exception e) { } catch (Exception e) {
throw new RuntimeException(e); throw new RuntimeException(e);
} }
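Review bot: The new `return MessageDigest.isEqual(code.getBytes(), activeCode.getBytes());` encodes both strings with the platform default charset, unlike the HMACProvider change in this same commit which pins "UTF-8"; on a non-Unicode default charset distinct characters can both map to the replacement byte, so two different codes could compare equal. Use `code.getBytes(StandardCharsets.UTF_8)` and `activeCode.getBytes(StandardCharsets.UTF_8)` (adding the `java.nio.charset.StandardCharsets` import alongside the new MessageDigest one). Where `activeCode` is read is outside the hunk; if it can be null there, the old `code.equals(activeCode)` returned false while the new line throws a NullPointerException that the surrounding catch rewraps as RuntimeException, so an `if (activeCode == null) return false;` guard before the comparison preserves the old outcome. The enclosing method starts outside the hunk.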