From 3fe08a61f94952fc3c214585de5c43c9a6b755ce Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Mon, 2 Feb 2026 23:38:50 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[MEDIUM/ENH?=
 =?UTF-8?q?ANCEMENT]=20Fix=20timing=20attacks,=20charset=20consistency,=20?=
 =?UTF-8?q?and=20improve=20entropy=20generation?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Mitigated timing attacks in PasswordManager by using constant-time comparison (MessageDigest.isEqual).
- Ensured charset consistency by using StandardCharsets.UTF_8 for all cryptographic string/byte conversions in PasswordManager and SHA256.
- Improved entropy generation and performance in RandomStringGenerator by using a single static SecureRandom instance.
- Cleaned up temporary test artifacts.

Co-authored-by: richkmeli <7313162+richkmeli@users.noreply.github.com>
---
 .jules/sentinel.md                                   |  9 +++++++++
 .../jframework/crypto/algorithm/SHA256.java          |  4 +++-
 .../crypto/controller/PasswordManager.java           | 12 +++++++-----
 .../jframework/util/RandomStringGenerator.java       | 12 ++++++------
 4 files changed, 25 insertions(+), 12 deletions(-)
 create mode 100644 .jules/sentinel.md

diff --git a/.jules/sentinel.md b/.jules/sentinel.md
new file mode 100644
index 0000000..ad7151e
--- /dev/null
+++ b/.jules/sentinel.md
@@ -0,0 +1,9 @@
+## 2026-02-02 - Constant-time comparison for authentication
+**Vulnerability:** Timing attacks in password and token verification.
+**Learning:** Using `String.equals()` or `String.equalsIgnoreCase()` for comparing hashes allows an attacker to guess the hash byte-by-byte by measuring the time taken for the comparison.
+**Prevention:** Always use `java.security.MessageDigest.isEqual()` for constant-time comparison of sensitive data like hashes or tokens.
+
+## 2026-02-02 - Charset standardization for cryptographic operations
+**Vulnerability:** Platform-dependent hashing and encoding.
+**Learning:** Using platform default charsets (e.g. `String.getBytes()`) can lead to inconsistent hashes across different environments, potentially locking out users or creating security gaps if different charsets handle certain characters differently.
+**Prevention:** Explicitly specify `StandardCharsets.UTF_8` for all cryptographic operations involving string-to-byte or byte-to-string conversions.
diff --git a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/algorithm/SHA256.java b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/algorithm/SHA256.java
index f1f7103..d6552e2 100644
--- a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/algorithm/SHA256.java
+++ b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/algorithm/SHA256.java
@@ -3,6 +3,8 @@
 import org.bouncycastle.crypto.digests.SHA256Digest;
 import it.richkmeli.jframework.util.TypeConverter;
 
+import java.nio.charset.StandardCharsets;
+
 public class SHA256 {
     public static byte[] hash(byte[] input) {
         SHA256Digest digest = new SHA256Digest();
@@ -15,7 +17,7 @@ public static byte[] hash(byte[] input) {
 
     // sha256: string to hex
     public static String hash(String input) {
-        return TypeConverter.bytesToHex(hash(input.getBytes()));
+        return TypeConverter.bytesToHex(hash(input.getBytes(StandardCharsets.UTF_8)));
     }
 
     public static String hashToString(byte[] input) {
diff --git a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/controller/PasswordManager.java b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/controller/PasswordManager.java
index 7d2b934..8760488 100644
--- a/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/controller/PasswordManager.java
+++ b/JFramework/crypto/src/main/java/it/richkmeli/jframework/crypto/controller/PasswordManager.java
@@ -3,7 +3,8 @@
 import it.richkmeli.jframework.crypto.algorithm.SHA256;
 import it.richkmeli.jframework.util.RandomStringGenerator;
 
-import java.nio.charset.Charset;
+import java.nio.charset.StandardCharsets;
+import java.security.MessageDigest;
 import java.util.Base64;
 
 public class PasswordManager {
@@ -26,13 +27,13 @@ public static String hashPassword(String password, boolean saltEnabled) {
 
         //System.out.println("hashPassword, saltS: " + saltS + " " + saltS.length() + " | hashedPassword: " + hashedPassword + " " + hashedPassword.length());
         String out = saltS + hashedPassword;
-        return Base64.getUrlEncoder().encodeToString(out.getBytes(Charset.defaultCharset()));
+        return Base64.getUrlEncoder().encodeToString(out.getBytes(StandardCharsets.UTF_8));
     }
 
     // hashedPassword = db password, hashedSaltPassword = login password
     public static boolean verifyPassword(String hashedPassword, String hashedSaltPassword) {
-        String decodedHashedPassword = new String(Base64.getUrlDecoder().decode(hashedPassword));
-        String decodedHashedSaltPassword = new String(Base64.getUrlDecoder().decode(hashedSaltPassword));
+        String decodedHashedPassword = new String(Base64.getUrlDecoder().decode(hashedPassword), StandardCharsets.UTF_8);
+        String decodedHashedSaltPassword = new String(Base64.getUrlDecoder().decode(hashedSaltPassword), StandardCharsets.UTF_8);
         String salt = decodedHashedSaltPassword.substring(0, 9);
         String hashSP = decodedHashedSaltPassword.substring(9);
         String hashP = decodedHashedPassword.substring(9);
@@ -40,6 +41,7 @@ public static boolean verifyPassword(String hashedPassword, String hashedSaltPas
         //System.out.println("verifyPassword, saltS: " + salt + " " + salt.length() + " | hashedSaltPassword: " + hashSP + " " + hashSP.length());
         String hp = SHA256.hash(hashP + salt);
 
-        return hashSP.equalsIgnoreCase(hp);
+        // Mitigation of timing attacks using constant-time comparison
+        return MessageDigest.isEqual(hashSP.getBytes(StandardCharsets.UTF_8), hp.getBytes(StandardCharsets.UTF_8));
     }
 }
diff --git a/JFramework/util/src/main/java/it/richkmeli/jframework/util/RandomStringGenerator.java b/JFramework/util/src/main/java/it/richkmeli/jframework/util/RandomStringGenerator.java
index a0a9007..179ba10 100644
--- a/JFramework/util/src/main/java/it/richkmeli/jframework/util/RandomStringGenerator.java
+++ b/JFramework/util/src/main/java/it/richkmeli/jframework/util/RandomStringGenerator.java
@@ -7,6 +7,8 @@ public class RandomStringGenerator {
     public static final String ALPHANUMERIC_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
     public static final String NUMERIC_ALPHABET = "0123456789";
 
+    private static final SecureRandom secureRandom = new SecureRandom();
+
     public static String generateAlphanumericString(int length) {
         String alphabet = ALPHANUMERIC_ALPHABET;
         return generateString(length, alphabet);
@@ -21,7 +23,6 @@ private static String generateString(int length, String alphabet) {
         int alphabetLength = alphabet.length();
 
         StringBuilder result = new StringBuilder();
-        SecureRandom secureRandom = new SecureRandom();
 
         for (int i = 0; i < length; ++i) {
             result.append(alphabet.charAt(secureRandom.nextInt(alphabetLength)));
@@ -42,11 +43,10 @@ public static String generateBoundedString(int targetStringLength, int leftLimit
         //int leftLimit = 97; // letter 'a'
         //int rightLimit = 122; // letter 'z'
         //int targetStringLength = 10;
-        SecureRandom random = new SecureRandom();
         StringBuilder buffer = new StringBuilder(targetStringLength);
         for (int i = 0; i < targetStringLength; i++) {
             int randomLimitedInt = leftLimit + (int)
-                    (random.nextFloat() * (rightLimit - leftLimit + 1));
+                    (secureRandom.nextFloat() * (rightLimit - leftLimit + 1));
             buffer.append((char) randomLimitedInt);
         }
         return buffer.toString();
@@ -55,19 +55,19 @@ public static String generateBoundedString(int targetStringLength, int leftLimit
 
     public static String generateUtf8String(int length) {
         byte[] array = new byte[length]; // length is bounded by 7
-        new SecureRandom().nextBytes(array);
+        secureRandom.nextBytes(array);
         return new String(array, StandardCharsets.UTF_8);
     }
 
     public static String generateUtf16String(int length) {
         byte[] array = new byte[length]; // length is bounded by 7
-        new SecureRandom().nextBytes(array);
+        secureRandom.nextBytes(array);
         return new String(array, StandardCharsets.UTF_16);
     }
 
     public static String generateASCIItring(int length) {
         byte[] array = new byte[length]; // length is bounded by 7
-        new SecureRandom().nextBytes(array);
+        secureRandom.nextBytes(array);
         return new String(array, StandardCharsets.US_ASCII);
     }