常量时间比较与签名验真（Timing/ConstantTime）最佳实践

背景与价值短路比较与长度泄露会引发时序侧信道。统一使用常量时间比较与长度对齐的HMAC验证可显著降低风险。统一规范比较函数：始终遍历完整长度并累计差异，避免提前返回。长度对齐：对输入进行统一长度处理，拒绝异常长度。验证流程：统一计算并比较，失败不暴露细节。核心实现常量时间比较function ctEqual(a: Uint8Array, b: Uint8Array): boolean { if (a.length !== b.length) return false let diff = 0 for (let i = 0; i < a.length; i++) diff |= a[i] ^ b[i] return diff === 0 } function b64uToBytes(s: string): Uint8Array { const b = atob(s.replace(/-/g,'+').replace(/_/g,'/')); const u = new Uint8Array(b.length); for (let i=0;i<b.length;i++) u[i] = b.charCodeAt(i); return u } HMAC验证（常量时间比较）async function importHmacKey(secret: ArrayBuffer): Promise<CryptoKey> { return crypto.subtle.importKey('raw', secret, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign']) } function enc(s: string): Uint8Array { return new TextEncoder().encode(s) } async function hmacB64u(key: CryptoKey, payload: string): Promise<string> { const raw = await crypto.subtle.sign('HMAC', key, enc(payload)); const u = new Uint8Array(raw); let s=''; for (let i=0;i<u.length;i++) s+=String.fromCharCode(u[i]); return btoa(s).replace(/\+/g,'-').replace(/\//g,'_').replace(/=+$/,'') } async function verifyHmac(sigB64u: string, payload: string, key: CryptoKey): Promise<boolean> { const expect = await hmacB64u(key, payload) const a = b64uToBytes(sigB64u) const b = b64uToBytes(expect) return ctEqual(a, b) } 落地建议对所有签名验证统一采用常量时间比较与长度检查，避免短路与泄露。异常统一返回失败，不暴露长度或格式差异细节。验证清单比较函数是否遍历完整长度并累计差异；HMAC验证是否使用常量时间比较。