oscerd opened a new pull request, #24375: URL: https://github.com/apache/camel/pull/24375
## CAMEL-23766 `HMACAccumulator.validate()` compared the expected and actual MAC byte-by-byte with an early-exit loop that throws on the first differing byte. The time taken to reject a MAC therefore leaks how many leading bytes matched — a timing side-channel that can assist MAC forgery. ### Fix Use `java.security.MessageDigest.isEqual(expected, actual)`, which performs a constant-time comparison (since JDK 6u17) and is the standard practice for MAC/signature verification. Behaviour is otherwise unchanged (same `IllegalStateException` on mismatch, same message). ### Tests Added `testValidateFailsWhenAppendedMacDoesNotMatch` covering the mismatch case — previously only the matching path was exercised (via the `validate` helper). All `HMACAccumulatorTest` tests pass (9). Targets `main` (4.22.0); a backport to `camel-4.18.x` (4.18.4) will follow per the issue's fix versions. --- _Claude Code on behalf of Andrea Cosentino_ 🤖 Generated with [Claude Code](https://claude.com/claude-code) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
