diff --git a/src/JWT/JWT.csproj b/src/JWT/JWT.csproj
index 5734d2cc4..e82e617c8 100644
--- a/src/JWT/JWT.csproj
+++ b/src/JWT/JWT.csproj
@@ -21,7 +21,7 @@
https://github.com/jwt-dotnet/jwt
John Sheehan, Michael Lehenbauer, Alexander Batishchev
https://creativecommons.org/publicdomain/zero/1.0/
- 3.0.0-beta3
+ 3.0.0-beta4
jwt json
diff --git a/src/JWT/JwtValidator.cs b/src/JWT/JwtValidator.cs
index d045fa401..121314289 100644
--- a/src/JWT/JwtValidator.cs
+++ b/src/JWT/JwtValidator.cs
@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
+using System.Text;
namespace JWT
{
@@ -31,7 +32,7 @@ public JwtValidator(IJsonSerializer jsonSerializer, IDateTimeProvider dateTimePr
///
public void Validate(string payloadJson, string decodedCrypto, string decodedSignature)
{
- if (decodedCrypto != decodedSignature)
+ if (!CompareCryptoWithSignature(decodedCrypto, decodedSignature))
{
throw new SignatureVerificationException("Invalid signature")
{
@@ -99,5 +100,25 @@ public void Validate(string payloadJson, string decodedCrypto, string decodedSig
}
}
}
+
+ /// In the future this method can be open for extension so made protected virtual
+ private static bool CompareCryptoWithSignature(string decodedCrypto, string decodedSignature)
+ {
+ if (decodedCrypto.Length != decodedSignature.Length)
+ {
+ return false;
+ }
+
+ byte[] decodedCryptoBytes = Encoding.ASCII.GetBytes(decodedCrypto);
+ byte[] decodedSignatureBytes = Encoding.ASCII.GetBytes(decodedSignature);
+
+ byte result = 0;
+ for (int i = 0; i < decodedCrypto.Length; i++)
+ {
+ result |= (byte)(decodedCryptoBytes[i] ^ decodedSignatureBytes[i]);
+ }
+
+ return result == 0;
+ }
}
}
\ No newline at end of file
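Review bot: CompareCryptoWithSignature dereferences both arguments on the length check at the top of the method, so a null decodedCrypto or decodedSignature now raises NullReferenceException out of Validate where the old `!=` comparison only reported a mismatch (or, for two nulls, a match); adding `if (decodedCrypto == null || decodedSignature == null) { return false; }` before the length check rejects a missing value as an invalid signature instead of crashing. The loop also goes through Encoding.ASCII, which maps every non-ASCII char to '?', so two strings that differ only in non-ASCII characters compare equal; if the inputs are always base64url text this cannot occur, but XOR-ing the chars directly (`int result = 0;` and `result |= decodedCrypto[i] ^ decodedSignature[i];`) removes both the lossy encoding and the two allocations. The `///` line above the method says it was made protected virtual, but the declaration is `private static`; replace it with an XML summary such as `/// <summary>Compares the two strings without short-circuiting on the first mismatch, so the time taken does not reveal where they differ.</summary>`.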