JDK-8136459

MessageDigest.isEqual is not a "simple byte compare"

    Details

    • Subcomponent:
    • Introduced In Version:
      7
    • Resolved In Build:
      b128
    • CPU:
      x86_64
    • OS:
      linux
    • Verification:
      Not verified

      Description

      A DESCRIPTION OF THE PROBLEM :
      The documentation for MessageDigest.isEqual claims to do a simple byte compare. However, it does a constant time comparison (in order to prevent side-channel leaks).

      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Compares two digests for equality. Does a constant-time byte comparison.
      ACTUAL -
      Compares two digests for equality. Does a simple byte compare.

      URL OF FAULTY DOCUMENTATION :
      https://docs.oracle.com/javase/7/docs/api/java/security/MessageDigest.html#isEqual%28byte[],%20byte[]%29
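
The distinction the report draws, shown as an added example that is not part of the original report or the JDK source: an early-exit comparison takes a number of steps that depends on where the first mismatch is, while a constant-time comparison examines every byte. The names `DigestCompareDemo`, `simpleCompareSteps` and `constantTimeEquals` are hypothetical, and the input is constructed.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class DigestCompareDemo {
    // Early-exit compare: the number of loop iterations depends on the
    // position of the first mismatch, which is what a timing side channel measures.
    static int simpleCompareSteps(byte[] a, byte[] b) {
        if (a.length != b.length) return 0;
        int steps = 0;
        for (int i = 0; i < a.length; i++) {
            steps++;
            if (a[i] != b[i]) break;
        }
        return steps;
    }

    // Constant-time style compare (illustrative, not the JDK source): every
    // byte is examined and differences are OR-ed into one accumulator.
    // The length check is not hidden; digest lengths are public.
    static boolean constantTimeEquals(byte[] a, byte[] b) {
        if (a.length != b.length) return false;
        int diff = 0;
        for (int i = 0; i < a.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input.
        byte[] expected = MessageDigest.getInstance("SHA-256")
                .digest("constructed sample message".getBytes(StandardCharsets.UTF_8));
        byte[] wrongFirst = expected.clone();
        wrongFirst[0] ^= 0x01;                    // mismatch at the first byte
        byte[] wrongLast = expected.clone();
        wrongLast[expected.length - 1] ^= 0x01;   // mismatch at the last byte

        System.out.println("early-exit steps, first byte wrong: " + simpleCompareSteps(expected, wrongFirst));
        System.out.println("early-exit steps, last byte wrong:  " + simpleCompareSteps(expected, wrongLast));
        System.out.println("constantTimeEquals, first byte wrong: " + constantTimeEquals(expected, wrongFirst));
        System.out.println("MessageDigest.isEqual, last byte wrong: " + MessageDigest.isEqual(expected, wrongLast));
        System.out.println("MessageDigest.isEqual, identical copy: " + MessageDigest.isEqual(expected, expected.clone()));
    }
}
```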

            People

            • Assignee:
              valeriep Valerie Peng
              Reporter:
              webbuggrp Webbug Group
            • Votes:
              0
              Watchers:
              7