diff --git a/src/JWT/JWT.csproj b/src/JWT/JWT.csproj
index 5734d2cc4..e82e617c8 100644
--- a/src/JWT/JWT.csproj
+++ b/src/JWT/JWT.csproj
@@ -21,7 +21,7 @@
 https://github.com/jwt-dotnet/jwt
 John Sheehan, Michael Lehenbauer, Alexander Batishchev
 https://creativecommons.org/publicdomain/zero/1.0/
- 3.0.0-beta3
+ 3.0.0-beta4
 jwt json
diff --git a/src/JWT/JwtValidator.cs b/src/JWT/JwtValidator.cs
index d045fa401..121314289 100644
--- a/src/JWT/JwtValidator.cs
+++ b/src/JWT/JwtValidator.cs
@@ -1,5 +1,6 @@
 using System;
 using System.Collections.Generic;
+using System.Text;
 
 namespace JWT
 {
@@ -31,7 +32,7 @@ public JwtValidator(IJsonSerializer jsonSerializer, IDateTimeProvider dateTimePr
 ///
 public void Validate(string payloadJson, string decodedCrypto, string decodedSignature)
 {
- if (decodedCrypto != decodedSignature)
+ if (!CompareCryptoWithSignature(decodedCrypto, decodedSignature))
 {
 throw new SignatureVerificationException("Invalid signature")
 {
@@ -99,5 +100,25 @@ public void Validate(string payloadJson, string decodedCrypto, string decodedSig
 }
 }
 }
+
+ /// In the future this method can be open for extension so made protected virtual
+ private static bool CompareCryptoWithSignature(string decodedCrypto, string decodedSignature)
+ {
+ if (decodedCrypto.Length != decodedSignature.Length)
+ {
+ return false;
+ }
+
+ byte[] decodedCryptoBytes = Encoding.ASCII.GetBytes(decodedCrypto);
+ byte[] decodedSignatureBytes = Encoding.ASCII.GetBytes(decodedSignature);
+
+ byte result = 0;
+ for (int i = 0; i < decodedCrypto.Length; i++)
+ {
+ result |= (byte)(decodedCryptoBytes[i] ^ decodedSignatureBytes[i]);
+ }
+
+ return result == 0;
+ }
 }
 }
\ No newline at end of file
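Review bot: The doc comment on CompareCryptoWithSignature in the last hunk says the method was "made protected virtual", yet the declaration directly beneath it is `private static`, so the comment contradicts the code; replace it with a summary stating the actual intent, e.g. `/// <summary>Compares the computed signature with the one supplied in the token in constant time, so that a mismatch does not leak its position through timing.</summary>`. The `Encoding.ASCII.GetBytes` round trip is lossy (any non-ASCII char becomes '?') and allocates two arrays per verification; XOR-ing the chars directly with `int result = 0;` and `result |= decodedCrypto[i] ^ decodedSignature[i];` keeps the constant-time loop without the encoding step (note the 16-bit chars must not be narrowed to `byte`, or a difference confined to the high byte would compare equal), and would make the new `using System.Text;` in the first hunk unnecessary. Where the replaced `!=` in the second hunk tolerated a null argument, `.Length` now throws NullReferenceException before Validate can raise SignatureVerificationException; a guard `if (decodedCrypto == null || decodedSignature == null) return false;` ahead of the length check preserves the exception contract. The early return on differing lengths reveals only the signature length, which is fixed per algorithm, so it is fine to keep.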