Merge branch 'refactor-signature-check'

3 files changed, 3 insertions, 12 deletions

diff --git a/openid/association.py b/openid/association.py
index de607f4..ca063bd 100644
--- a/openid/association.py
+++ b/openid/association.py
@@ -28,6 +28,7 @@ from __future__ import unicode_literals
 import time
 
 import six
+from cryptography.hazmat.primitives.constant_time import bytes_eq
 
 from openid import cryptutil, kvform, oidutil
 from openid.message import OPENID_NS
@@ -513,7 +514,7 @@ class Association(object):
         if not message_sig:
             raise ValueError("%s has no sig." % (message,))
         calculated_sig = self.getMessageSignature(message)
-        return cryptutil.const_eq(calculated_sig, message_sig)
+        return bytes_eq(calculated_sig.encode('utf-8'), message_sig.encode('utf-8'))
 
     def _makePairs(self, message):
         signed = message.getArg(OPENID_NS, 'signed')
diff --git a/openid/cryptutil.py b/openid/cryptutil.py
index 3fddee6..86c3e86 100644
--- a/openid/cryptutil.py
+++ b/openid/cryptutil.py
@@ -182,14 +182,3 @@ def longToBase64(l):
 
 def base64ToLong(s):
     return binaryToLong(fromBase64(s))
-
-
-def const_eq(s1, s2):
-    if len(s1) != len(s2):
-        return False
-
-    result = True
-    for i in range(len(s1)):
-        result = result and (s1[i] == s2[i])
-
-    return result
diff --git a/setup.py b/setup.py
index a230b66..52bca80 100644
--- a/setup.py
+++ b/setup.py
@@ -13,6 +13,7 @@ if 'sdist' in sys.argv:
 VERSION = __import__('openid').__version__
 INSTALL_REQUIRES = [
     'six',
+    'cryptography',
     'lxml;platform_python_implementation=="CPython"',
     'lxml <4.0;platform_python_implementation=="PyPy"',
 ]