Merge commit from fork

fix(security): Timing Attack Vulnerability

Author: jorsol

checks/forbiddenapis.txt

@@ -0,0 +1,2 @@
+
+java.util.Arrays#equals(byte[],byte[]) @ Replace with java.security.MessageDigest#isEqual(byte[],byte[])

scram-common/src/main/java/com/ongres/scram/common/ScramFunctions.java

@@ -7,8 +7,8 @@
 
 import static java.nio.charset.StandardCharsets.UTF_8;
 
+import java.security.MessageDigest;
 import java.security.SecureRandom;
-import java.util.Arrays;
 
 import com.ongres.scram.common.util.Preconditions;
 import org.jetbrains.annotations.NotNull;
@@ -190,8 +190,7 @@ public static boolean verifyClientProof(
     byte[] clientSignature = clientSignature(scramMechanism, storedKey, authMessage);
     byte[] clientKey = CryptoUtil.xor(clientSignature, clientProof);
     byte[] computedStoredKey = hash(scramMechanism, clientKey);
-
-    return Arrays.equals(storedKey, computedStoredKey);
+    return MessageDigest.isEqual(storedKey, computedStoredKey);
   }
 
   /**
@@ -205,7 +204,8 @@ public static boolean verifyClientProof(
    */
   public static boolean verifyServerSignature(
       ScramMechanism scramMechanism, byte[] serverKey, String authMessage, byte[] serverSignature) {
-    return Arrays.equals(serverSignature(scramMechanism, serverKey, authMessage), serverSignature);
+    byte[] computedServerSignature = serverSignature(scramMechanism, serverKey, authMessage);
+    return MessageDigest.isEqual(serverSignature, computedServerSignature);
   }
 
   /**

scram-parent/pom.xml

@@ -521,6 +521,9 @@
                 <!-- don't allow System.out or System.err: -->
                 <bundledSignature>jdk-system-out</bundledSignature>
               </bundledSignatures>
+              <signaturesFiles>
+                <signaturesFile>${checks.location}/forbiddenapis.txt</signaturesFile>
+              </signaturesFiles>
             </configuration>
             <executions>
               <execution>