Class ConstantTime


  • public class ConstantTime
    extends java.lang.Object
    Utility class for methods that, for security reasons, need to run in constant time as far as is practical.
    • Method Summary

      Modifier and Type Method Description
      static boolean equals(byte[] b1, byte[] b2)
      Implements byte-array equality which always compares all bytes in the array, without stopping early if any bytes do not match.
      static boolean equals(java.lang.String s1, java.lang.String s2, boolean ignoreCase)
      Implements String equality which always compares all characters in the string, without stopping early if any characters do not match.
      static boolean equals(ByteChunk bc, java.lang.String s)
      Implements ByteChunk / String equality which always compares all characters, without stopping early if any characters do not match.
      • Methods inherited from class java.lang.Object

        clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
    • Method Detail

      • equals

        public static boolean equals(java.lang.String s1,
                                     java.lang.String s2,
                                     boolean ignoreCase)
        Implements String equality which always compares all characters in the string, without stopping early if any characters do not match.

        Note: This implementation was adapted from MessageDigest.isEqual(byte[], byte[]), which we assume is as optimizer-defeating as possible.

        Parameters:
        s1 - The first string to compare.
        s2 - The second string to compare.
        ignoreCase - true if the strings should be compared without regard to case. Note that "true" here is only guaranteed to work with plain ASCII characters.
        Returns:
        true if the strings are equal to each other, false otherwise.
      • equals

        public static boolean equals(ByteChunk bc,
                                     java.lang.String s)
        Implements ByteChunk / String equality which always compares all characters, without stopping early if any characters do not match.

        Note: This implementation was adapted from MessageDigest.isEqual(byte[], byte[]), which we assume is as optimizer-defeating as possible.

        Parameters:
        bc - The ByteChunk to compare.
        s - The string to compare.
        Returns:
        true if the strings are equal to each other, false otherwise.
      • equals

        public static boolean equals(byte[] b1,
                                     byte[] b2)
        Implements byte-array equality which always compares all bytes in the array, without stopping early if any bytes do not match.

        Implementation note: this method delegates to MessageDigest.isEqual(byte[], byte[]) under the assumption that it provides a constant-time comparison of the bytes in the arrays. Java 7+ has such an implementation, but neither the Javadoc nor any specification requires it. Tomcat should therefore continue to use this method internally, so that it can be re-implemented properly if the JDK implementation changes.

        Parameters:
        b1 - The first array to compare.
        b2 - The second array to compare.
        Returns:
        true if the arrays are equal to each other, false otherwise.
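
The difference between an early-exit comparison and the full-scan comparison described above, as an added example (not Tomcat's source). The class ConstantTimeDemo, its method names, the sample values and the way a length mismatch is handled are assumptions of this sketch; only MessageDigest.isEqual(byte[], byte[]) is a real JDK call.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class ConstantTimeDemo {
    // Contrast case: returns at the first mismatch, so the running time
    // depends on how many leading characters of the two values agree.
    static boolean earlyExitEquals(String a, String b) {
        if (a.length() != b.length()) return false;
        for (int i = 0; i < a.length(); i++) {
            if (a.charAt(i) != b.charAt(i)) return false;
        }
        return true;
    }

    // Branch-free ASCII lower-casing: adds 0x20 only when c is in 'A'..'Z'.
    // Like the ignoreCase flag documented above, it handles plain ASCII only.
    static int asciiLower(int c) {
        int isUpper = (((c - 'A') | ('Z' - c)) >>> 31) ^ 1;
        return c + (isUpper << 5);
    }

    // Visits every character of 'supplied' and accumulates differences with
    // XOR/OR instead of returning early. The loop length follows the supplied
    // value; a length mismatch is folded into the accumulator (assumption).
    static boolean fullScanEquals(String supplied, String expected, boolean ignoreCase) {
        int diff = supplied.length() ^ expected.length();
        for (int i = 0; i < supplied.length(); i++) {
            int c1 = supplied.charAt(i);
            int c2 = expected.isEmpty() ? 0 : expected.charAt(i % expected.length());
            if (ignoreCase) { c1 = asciiLower(c1); c2 = asciiLower(c2); }
            diff |= c1 ^ c2;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        String expected = "s3cr3t-Token"; // constructed sample value
        System.out.println(earlyExitEquals("s3cr3t-Tokex", expected));
        System.out.println(fullScanEquals("s3cr3t-Token", expected, false));
        System.out.println(fullScanEquals("S3CR3T-TOKEN", expected, true));
        System.out.println(fullScanEquals("s3cr3t-Tokex", expected, false));
        System.out.println(fullScanEquals("s3cr3t", expected, false));
        // Byte arrays: delegate to the JDK, as the byte[] overload above does.
        byte[] a = expected.getBytes(StandardCharsets.UTF_8);
        byte[] b = "s3cr3t-Tokex".getBytes(StandardCharsets.UTF_8);
        System.out.println(MessageDigest.isEqual(a, b));
    }
}
```

Both string routines return the same answers; the full-scan form differs only in that a mismatch near the start costs the same number of character comparisons as one near the end.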