JDK-8295919

java.security.MessageDigest.isEqual does not adhere to @implNote


    • b18
    • generic
    • generic

A DESCRIPTION OF THE PROBLEM :
The @implNote section of the MessageDigest.isEqual method reads:

"All bytes in {@code digesta} are examined to determine equality. The calculation time depends only on the length of {@code digesta}. It does not depend on the length of {@code digestb} or the contents of {@code digesta} and {@code digestb}."

(see: https://github.com/openjdk/jdk/blob/jdk-20%2B20/src/java.base/share/classes/java/security/MessageDigest.java#L455)

Looking at the implementation, these statements are violated at two different places:

(1) In line 473, if 'digestb' is null, then the calculation time does not depend on 'digesta'.
(2) In line 480, if the length of 'digestb' is zero, then the calculation time also does not depend on 'digesta'.

I'd say (2) can be fixed by switching the two comparisons in lines 480 and 481. I'm not sure whether (1) has any relevant implications.
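Added illustration (not the JDK source and not the fix that was eventually applied): two comparison routines of the shape described above. The first returns early for a null or empty digestb, so on those paths no byte of digesta is examined; the second runs the full loop over digesta on every path once digesta is known to be non-null. A byte counter stands in for wall-clock timing, which would be too noisy to show the difference; the class name, method names and the 32-byte sample digest are assumptions.

```java
import java.nio.charset.StandardCharsets;
public final class DigestEquality {
    // Instrumentation only: bytes of digesta examined by the last call (not part of a real routine).
    static int bytesExamined;
    // Early-exit shape (illustrative): a null or empty digestb returns before any byte of digesta is
    // touched, so the work done depends on digestb rather than on digesta.length alone.
    static boolean isEqualEarlyExit(byte[] digesta, byte[] digestb) {
        bytesExamined = 0;
        if (digesta == digestb) return true;
        if (digesta == null || digestb == null) return false;
        if (digestb.length == 0) return digesta.length == 0;
        int lenA = digesta.length, lenB = digestb.length;
        int result = lenA ^ lenB;
        for (int i = 0; i < lenA; i++) {
            int indexB = ((i - lenB) >>> 31) * i;   // i while i < lenB, otherwise 0 (stays in bounds)
            result |= digesta[i] ^ digestb[indexB];
            bytesExamined++;
        }
        return result == 0;
    }

    // Length-independent shape: once digesta is non-null every path runs the full loop, so the work is a
    // function of digesta.length alone; a null/empty digestb is read through a one-byte scratch array.
    static boolean isEqualAllBytes(byte[] digesta, byte[] digestb) {
        bytesExamined = 0;
        if (digesta == null) return digestb == null;
        int lenA = digesta.length;
        int lenB = digestb == null ? 0 : digestb.length;
        byte[] b = lenB == 0 ? new byte[1] : digestb;
        int result = (digestb == null ? 1 : 0) | (lenA ^ lenB);   // length mismatch already fails it
        for (int i = 0; i < lenA; i++) {
            int indexB = ((i - lenB) >>> 31) * i;   // lenB == 0 gives index 0 into the scratch byte
            result |= digesta[i] ^ b[indexB];
            bytesExamined++;
        }
        return result == 0;
    }

    public static void main(String[] args) {
        // Constructed 32-byte stand-in for a SHA-256 digest; the other inputs are the cases from the report.
        byte[] a = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
        byte[][] others = { null, new byte[0], "0123".getBytes(StandardCharsets.US_ASCII), a.clone() };
        for (byte[] other : others) {
            boolean e1 = isEqualEarlyExit(a, other); int n1 = bytesExamined;
            boolean e2 = isEqualAllBytes(a, other);  int n2 = bytesExamined;
            System.out.printf("digestb=%-6s earlyExit=%-5b examined=%2d | allBytes=%-5b examined=%2d%n",
                    other == null ? "null" : "len " + other.length, e1, n1, e2, n2);
        }
    }
}
```

The early-exit routine reports 0 bytes examined for the null and empty cases, while the all-bytes routine reports the full 32 for every input, with both returning the same boolean results.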


            kdriver Kevin Driver
            webbuggrp Webbug Group