SignXML's signature verification with HMAC is vulnerable to a timing attack

SignXML is an implementation of the W3C XML Signature standard in Python. When verifying signatures with X509 certificate validation turned off and HMAC shared secret set (`signxml.XMLVerifier.verify(require_x509=False, hmac_key=...`), versions of SignXML prior to 4.0.4 are vulnerable to a potential timing attack. The verifier may leak information about the correct HMAC when comparing it with the user supplied hash, allowing users to reconstruct the correct HMAC for any data.

N/A

通过时间差异性导致的信息暴露

SignXML 安全漏洞

SignXML是XML-Security开源的一个Python XML签名和XAdES库。 SignXML 4.0.4之前版本存在安全漏洞，该漏洞源于时序攻击缺陷，可能导致HMAC密钥泄露。

N/A

N/A