Use cryptography for signature comparison

author: Vlastimil Zíma <vlastimil.zima@nic.cz> 2018-05-11 13:54:14 +0200
committer: Vlastimil Zíma <vlastimil.zima@nic.cz> 2018-05-17 11:14:44 +0200
commit: 6f6b6972036adc5d1937fbb4f63c0b279d630cb7 (patch)
tree: 2db5811c68c2485daf12d23338b0d48578c8a86e /openid/association.py
parent: ce2705ff6d3583c800f8f5974bed6f1de11f1d3c (diff)
download: openid-6f6b6972036adc5d1937fbb4f63c0b279d630cb7.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/openid/association.py b/openid/association.py
index de607f4..ca063bd 100644
--- a/openid/association.py
+++ b/openid/association.py
@@ -28,6 +28,7 @@ from __future__ import unicode_literals
 import time
 
 import six
+from cryptography.hazmat.primitives.constant_time import bytes_eq
 
 from openid import cryptutil, kvform, oidutil
 from openid.message import OPENID_NS
@@ -513,7 +514,7 @@ class Association(object):
         if not message_sig:
             raise ValueError("%s has no sig." % (message,))
         calculated_sig = self.getMessageSignature(message)
-        return cryptutil.const_eq(calculated_sig, message_sig)
+        return bytes_eq(calculated_sig.encode('utf-8'), message_sig.encode('utf-8'))
 
     def _makePairs(self, message):
         signed = message.getArg(OPENID_NS, 'signed')
author	Vlastimil Zíma <vlastimil.zima@nic.cz>	2018-05-11 13:54:14 +0200
committer	Vlastimil Zíma <vlastimil.zima@nic.cz>	2018-05-17 11:14:44 +0200
commit	6f6b6972036adc5d1937fbb4f63c0b279d630cb7 (patch)
tree	2db5811c68c2485daf12d23338b0d48578c8a86e /openid/association.py
parent	ce2705ff6d3583c800f8f5974bed6f1de11f1d3c (diff)
download	openid-6f6b6972036adc5d1937fbb4f63c0b279d630cb7.tar.gz