Use a constant time equality check for HMAC signature verification
parent
96e515d257
commit
8e6be13652
2 changed files with 5 additions and 3 deletions
|
@ -1,4 +1,4 @@
|
|||
(defproject clj-jwt "0.0.9"
|
||||
(defproject clj-jwt "0.0.10"
|
||||
:description "Clojure library for JSON Web Token(JWT)"
|
||||
:url "https://github.com/liquidz/clj-jwt"
|
||||
:license {:name "Eclipse Public License"
|
||||
|
@ -7,6 +7,7 @@
|
|||
[org.clojure/data.json "0.2.5"]
|
||||
[org.clojure/data.codec "0.1.0"]
|
||||
[org.bouncycastle/bcprov-jdk15 "1.46"]
|
||||
[crypto-equality "1.0.0"]
|
||||
[clj-time "0.8.0"]]
|
||||
|
||||
:profiles {:dev {:dependencies [[midje "1.6.3" :exclusions [org.clojure/clojure]]]}}
|
||||
|
|
|
@ -1,6 +1,7 @@
|
|||
(ns clj-jwt.sign
|
||||
(:require
|
||||
[clj-jwt.base64 :refer [url-safe-encode-str url-safe-decode]]))
|
||||
[clj-jwt.base64 :refer [url-safe-encode-str url-safe-decode]]
|
||||
[crypto.equality :as creq]))
|
||||
|
||||
(java.security.Security/addProvider
|
||||
(org.bouncycastle.jce.provider.BouncyCastleProvider.))
|
||||
|
@ -17,7 +18,7 @@
|
|||
(defn- hmac-verify
|
||||
"Function to verify data and signature with HMAC algorithm."
|
||||
[alg key body signature & {:keys [charset] :or {charset "UTF-8"}}]
|
||||
(= signature (hmac-sign alg key body :charset charset)))
|
||||
(creq/eq? signature (hmac-sign alg key body :charset charset)))
|
||||
|
||||
; RSA
|
||||
(defn- rsa-sign
|
||||
|
|
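Review bot: The docstring on `hmac-verify` still reads "Function to verify data and signature with HMAC algorithm." and says nothing about why `creq/eq?` replaced `=`, which is the entire point of this commit and exactly the kind of line a later maintainer "simplifies" back to `=`. Suggest `"Verify data against an HMAC signature. Uses a constant-time comparison (crypto-equality) so a mismatch cannot be detected from response timing."`. The comparison runs on the base64url-encoded strings rather than decoded MAC bytes; that is fine because the expected length is fixed by `alg`, but the library's equality presumably still returns early on a length mismatch (as most constant-time compares do), so a one-line comment noting the length is not secret here would save the next reader a question. Note also that `hmac-verify` still trusts the `alg` it is handed; if the caller (not visible in this hunk) takes `alg` from the token header, a constant-time compare does nothing against algorithm confusion, and that check belongs at the call site.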