There’s 2 places in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/password/impl/src/main/java/org/wildfly/security/password/impl/SimpleDigestPasswordImpl.java where Arrays#equals is currently used to compare digests.

Arrays#equals is vulnerable to timing attacks because it uses a non time-constant comparison.

MessageDigest#isEqual uses a time-constant comparison which means that all bytes in the arrays will be compared.

Update SimpleDigestPasswordImpl so that it uses the MessageDigest#isEqual method instead of Arrays#equals to compare the digests.