From 46348d7b4932f22b3cb733694b32847bb29b9042 Mon Sep 17 00:00:00 2001
From: Jim <jlambert@hashicorp.com>
Date: Tue, 9 May 2023 11:17:21 -0400
Subject: [PATCH] fix (bsr/kms): use const time compare for sig

---
 internal/bsr/kms/keys.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/bsr/kms/keys.go b/internal/bsr/kms/keys.go
index ae05ae5e46..fe3186bf3b 100644
--- a/internal/bsr/kms/keys.go
+++ b/internal/bsr/kms/keys.go
@@ -4,10 +4,10 @@
 package kms
 
 import (
-	"bytes"
 	"context"
 	"crypto/ed25519"
 	"crypto/rand"
+	"crypto/subtle"
 	"fmt"
 	"sync"
 
@@ -505,7 +505,7 @@ func (k *Keys) VerifySignatureWithBsrKey(ctx context.Context, sig *wrapping.SigI
 	if sig.KeyInfo.KeyId != bsrKeyId {
 		return false, fmt.Errorf("%s: signature key id %q doesn't match verifying key id %q: %w", op, k.PubKeyBsrSignature.KeyInfo.KeyId, bsrKeyId, ErrInvalidParameter)
 	}
-	if bytes.Equal(sig.Signature, sigInfo.Signature) {
+	if subtle.ConstantTimeCompare(sig.Signature, sigInfo.Signature) == 1 {
 		return true, nil
 	}
 	return false, nil