Class ConstantTimeEquals

java.lang.Object
org.mockserver.authentication.ConstantTimeEquals

public final class ConstantTimeEquals extends Object
Shared constant-time equality checks for authentication credentials.

Comparisons delegate to MessageDigest.isEqual(byte[], byte[]), which is documented to be constant-time and to not short-circuit on content, so an attacker cannot recover a secret one byte at a time by measuring how long a comparison takes. isEqual does return false fast when the two arrays differ in length, which leaks only the length of the supplied credential — never any byte of the configured secret.

Both the control-plane CONNECT/SOCKS5 proxy authentication and the data-plane authenticator route their credential comparisons through here so there is a single, audited constant-time implementation rather than duplicated String.equals / isEqual calls.

  • Method Details

    • equals

      public static boolean equals(String a, String b)
      Constant-time comparison of two strings by their UTF-8 bytes. A null is only ever equal to another null; a null and a non-null are never equal.
    • equals

      public static boolean equals(byte[] a, byte[] b)
      Constant-time comparison of two byte arrays via MessageDigest.isEqual(byte[], byte[]).