Add startsWith and regionMatches to SecureString (#134973)

tvernum · web-flow · commit dacd9a71ff0b · 2025-09-19T14:28:30.000+10:00
Sometimes we need to compare parts of a SecureString to another
sequences of characters. We would like to do this

1. Without converting the `SecureString` into a regular `String`
2. In constant time

This commit adds the `startsWith` and `regionMatches` methods to
`SecureString` so that we can perform those operations according to
the above requirements
diff --git a/server/src/main/java/org/elasticsearch/common/settings/SecureString.java b/server/src/main/java/org/elasticsearch/common/settings/SecureString.java
@@ -54,9 +54,59 @@ public synchronized boolean equals(Object o) {
             return false;
         }
 
+        return compareChars(0, that, 0, chars.length);
+    }
+
+    public boolean startsWith(CharSequence other) {
+        ensureNotClosed();
+        if (this.length() < other.length()) {
+            return false;
+        }
+        return compareChars(0, other, 0, other.length());
+    }
+
+    /**
+     * Compare the characters in this {@code SecureString} from {@code thisOffset} to {@code thisOffset + len}
+     * against that characters in {@code other} from {@code otherOffset} to {@code otherOffset + len}
+     * <br />
+     * This operation is performed in constant time (relative to {@code len})
+     */
+    public synchronized boolean regionMatches(int thisOffset, CharSequence other, int otherOffset, int len) {
+        ensureNotClosed();
+        if (otherOffset < 0 || thisOffset < 0) {
+            // cannot start from a negative value
+            return false;
+        }
+
+        // Perform some calculations as long to prevent overflow
+        if (thisOffset + (long) len > this.length() || otherOffset + (long) len > other.length()) {
+            // cannot compare a region that runs past the end of the source
+            return false;
+        }
+
+        if (len < 0) {
+            throw new IllegalArgumentException("length cannot be negative");
+        }
+        if (len == 0) {
+            // zero length regions are always equals
+            return true;
+        }
+
+        return compareChars(thisOffset, other, otherOffset, len);
+    }
+
+    /**
+     * Constant time comparison of a range from {@link #chars} against an identical length range from {@code other}
+     */
+    private boolean compareChars(int thisOffset, CharSequence other, int otherOffset, int len) {
+        assert len <= this.chars.length : "len is longer that secure-string: " + len + " vs " + this.chars.length;
+        assert len <= other.length() : "len is longer that comparison string: " + len + " vs " + other.length();
+
         int equals = 0;
-        for (int i = 0; i < chars.length; i++) {
-            equals |= chars[i] ^ that.charAt(i);
+        for (int i = 0; i < len; i++) {
+            final char t = chars[thisOffset + i];
+            final char o = other.charAt(otherOffset + i);
+            equals |= t ^ o;
         }
 
         return equals == 0;
diff --git a/server/src/test/java/org/elasticsearch/common/settings/SecureStringTests.java b/server/src/test/java/org/elasticsearch/common/settings/SecureStringTests.java
@@ -13,7 +13,9 @@
 
 import java.util.Arrays;
 
+import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.hasLength;
 import static org.hamcrest.Matchers.not;
 import static org.hamcrest.Matchers.sameInstance;
 
@@ -73,6 +75,122 @@ public void testGetCloseableCharsAfterSecureStringClosed() {
         assertThat(e.getMessage(), containsString("already been closed"));
     }
 
+    public void testEquals() {
+        final String string = randomAlphaOfLengthBetween(8, 128);
+        final SecureString secureString = new SecureString(string.toCharArray());
+        final StringBuilder stringBuilder = new StringBuilder(string);
+
+        assertThat(secureString.equals(string), is(true));
+        assertThat(secureString.equals(stringBuilder), is(true));
+
+        final int split = randomIntBetween(1, string.length() - 1);
+        final String altString = string.substring(0, split) + randomAlphanumericOfLength(1) + string.substring(split);
+        assertThat(secureString.equals(altString), is(false));
+    }
+
+    public void testStartsWith() {
+        final String str = randomAlphanumericOfLength(16);
+        final SecureString secStr = new SecureString(str.toCharArray());
+        for (int i = 0; i <= str.length(); i++) {
+            final String substr = str.substring(0, i);
+            assertThat(secStr.startsWith(substr), is(true));
+            assertThat(secStr.startsWith(new SecureString(substr.toCharArray())), is(true));
+            assertThat(secStr.startsWith(new StringBuilder(substr)), is(true));
+
+            if (i != 0) {
+                assertThat(secStr.startsWith(randomValueOtherThan(substr, () -> randomAlphanumericOfLength(substr.length()))), is(false));
+                if (i > 1) {
+                    final int suffixLength = randomIntBetween(1, i - 1);
+                    final String altStr = substr.substring(0, i - suffixLength) + randomValueOtherThan(
+                        substr.substring(i - suffixLength),
+                        () -> randomAlphanumericOfLength(suffixLength)
+                    );
+                    assertThat(altStr, hasLength(substr.length()));
+                    assertThat(secStr.startsWith(altStr), is(false));
+                }
+            }
+        }
+
+        assertThat(secStr.startsWith(str + randomAlphanumericOfLength(1)), is(false));
+    }
+
+    public void testRegionMatches() {
+        // Matching text
+        assertRegionMatch(true, "abc", 0, "012abc789", 3, 3);
+        assertRegionMatch(true, "abc", 0, "abc789", 0, 3);
+        assertRegionMatch(true, "abc", 0, "012abc", 3, 3);
+        assertRegionMatch(true, "XYabcZ", 2, "012abc789", 3, 3);
+        assertRegionMatch(true, "XYabcZ", 2, "abc789", 0, 3);
+        assertRegionMatch(true, "XYabcZ", 2, "012abc", 3, 3);
+        assertRegionMatch(true, "XYabcZ", 2, "abc", 0, 3);
+
+        // Bad region boundaries
+        assertRegionMatch(false, "abc", -1, "abc", 0, 3);
+        assertRegionMatch(false, "abc", 0, "abc", -1, 3);
+        assertRegionMatch(false, "abc", 0, "abc", 0, 4);
+        assertRegionMatch(false, "abc", 0, "ab", 0, 3);
+        assertRegionMatch(false, "abc", 0, "Xab", 1, 3);
+
+        // Mismatched text
+        assertRegionMatch(false, "abc", 0, "012", 0, 3);
+        assertRegionMatch(false, "012abc", 3, "012", 0, 3);
+        assertRegionMatch(false, "abc012", 0, "012", 0, 3);
+        assertRegionMatch(false, "012abc789", 3, "012", 0, 3);
+        assertRegionMatch(false, "abc", 0, "xyz012", 3, 3);
+        assertRegionMatch(false, "012abc", 3, "xyz012", 3, 3);
+        assertRegionMatch(false, "abc012", 0, "xyz012", 3, 3);
+        assertRegionMatch(false, "012abc789", 3, "xyz012", 3, 3);
+        assertRegionMatch(false, "abc", 0, "012xyz", 0, 3);
+        assertRegionMatch(false, "012abc", 3, "012xyz", 0, 3);
+        assertRegionMatch(false, "abc012", 0, "012xyz", 0, 3);
+        assertRegionMatch(false, "012abc789", 3, "012xyz", 0, 3);
+        assertRegionMatch(false, "abc", 0, "abc012xyz", 3, 3);
+        assertRegionMatch(false, "012abc", 3, "abc012xyz", 3, 3);
+        assertRegionMatch(false, "abc012", 0, "abc012xyz", 3, 3);
+        assertRegionMatch(false, "012abc789", 3, "abc012xyz", 3, 3);
+
+        // Zero length always matches
+        assertRegionMatch(
+            true,
+            randomAlphanumericOfLength(12),
+            randomIntBetween(0, 12),
+            randomAlphanumericOfLength(8),
+            randomIntBetween(0, 8),
+            0
+        );
+
+        // Random chars
+        final String shared = randomAlphanumericOfLength(randomIntBetween(4, 64));
+        final String rand1 = randomAlphaOfLengthBetween(0, 256);
+        final String rand2 = randomAlphaOfLengthBetween(0, 256);
+        assertRegionMatch(
+            true,
+            rand1 + shared + randomAlphaOfLengthBetween(0, 256),
+            rand1.length(),
+            rand2 + shared + randomAlphaOfLengthBetween(0, 256),
+            rand2.length(),
+            shared.length()
+        );
+        assertRegionMatch(
+            false,
+            rand1 + shared + randomAlphaOfLengthBetween(0, 256),
+            rand1.length(),
+            rand2 + randomValueOtherThan(shared, () -> randomAlphanumericOfLength(shared.length())) + randomAlphaOfLengthBetween(0, 256),
+            rand2.length(),
+            shared.length()
+        );
+    }
+
+    private void assertRegionMatch(final boolean expected, String a, int offsetA, String b, int offsetB, int len) {
+        // First check that our test strings match using the standard `String` version
+        assert a.regionMatches(offsetA, b, offsetB, len) == expected
+            : "Bad test case [" + a + "][" + offsetA + "] vs [" + b + "][" + offsetB + "] : " + len + " == " + expected;
+
+        // Test a-vs-b and b-vs-a because these operations should be identical
+        assertThat(new SecureString(a.toCharArray()).regionMatches(offsetA, b, offsetB, len), is(expected));
+        assertThat(new SecureString(b.toCharArray()).regionMatches(offsetB, a, offsetA, len), is(expected));
+    }
+
     private void assertSecureStringEqualToChars(char[] expected, SecureString secureString) {
         int pos = 0;
         for (int i : secureString.chars().toArray()) {
