fix(security): 4 CRITICAL vulnerability fixes

[tsavo-at-pieces]

Summary

• Fernet HMAC timing attack: Replace ListEquality().equals() with constant-time XOR-accumulation comparison to prevent timing side-channel attacks
• RSA signature timing attack: Use constant-time XOR comparison for equal-length signature verification path
• PBKDF2 default iterations: Raise from 100 to 600,000 per OWASP PBKDF2-HMAC-SHA1 recommendations
• ECB mode deprecation: Mark AESMode.ecb as @Deprecated — encrypts blocks independently, leaking plaintext patterns

Test plan

• Verify existing Fernet encrypt/decrypt tests still pass with new constant-time comparison
• Verify RSA sign/verify tests still pass with XOR-accumulation path
• Verify Key.stretch() uses 600k iterations by default
• Verify @Deprecated warning appears when using AESMode.ecb

Ref: open-runtime/aot_monorepo#391

🤖 Generated with Claude Code

[cursor]

PR Summary

Medium Risk
Touches cryptographic verification and key-derivation defaults; mistakes could cause auth/signature/token verification failures or performance regressions, though changes are localized and straightforward.

Overview
Hardens crypto primitives by switching Fernet HMAC verification and RSA signature verification (equal-length path) to constant-time comparisons to reduce timing side-channels.

Strengthens key derivation defaults by increasing Key.stretch() PBKDF2 iterations from 100 to 600,000 (OWASP-aligned) and deprecates insecure AESMode.ecb with guidance to use safer modes.

Updates CI/tooling config: bumps runtime_ci_tooling to ^0.11.0, regenerates CI workflow to run dart analyze/dart test directly, adds a dart format check, and adjusts git URL token rewrite + LFS smudge handling via env/config.

^{Written by Cursor Bugbot for commit 5dd3bd3. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.}

Comment @cursor review or bugbot run to trigger another review on this PR

[cursor]

CI analyze step may miss failures

High Severity

The Analyze step pipes dart analyze into tee without pipefail, so dart analyze’s non-zero exit code can be masked. The follow-up grep for ^ error - is format-dependent and may not match real analyzer errors, allowing analysis failures to pass CI.

 

[Copilot]

Pull request overview

This PR implements critical security fixes addressing timing attack vulnerabilities in HMAC verification and RSA signature verification, updates PBKDF2 iteration count to modern standards, and deprecates the insecure ECB encryption mode. Additionally, it upgrades the CI tooling infrastructure to version 0.11.0.

Changes:

• Implemented constant-time comparison using XOR-accumulation in Fernet HMAC verification and RSA signature verification to prevent timing side-channel attacks
• Increased PBKDF2 default iteration count from 100 to 600,000 per OWASP recommendations
• Deprecated AESMode.ecb with clear warning about security implications

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
lib/src/algorithms/fernet.dart	Added constant-time _constantTimeEquals() method to replace ListEquality().equals() for HMAC verification
lib/src/algorithms/rsa.dart	Replaced short-circuiting comparison with XOR-accumulation for constant-time signature verification
lib/src/encrypted.dart	Increased PBKDF2 default iteration count from 100 to 600,000 with updated documentation
lib/src/algorithms/aes.dart	Added @Deprecated annotation to ECB mode with security warning and alternative recommendations
pubspec.yaml	Updated runtime_ci_tooling from ^0.10.0 to ^0.11.0 and removed workspace resolution comment
.runtime_ci/config.json	Added new "ci" configuration section for tooling v0.11.0
.runtime_ci/template_versions.json	Updated tooling version to 0.11.0 with new template hashes and timestamps
.github/workflows/ci.yaml	Regenerated CI workflow with direct dart commands, format checking, and user extension points

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Changing the default iteration count from 100 to 600,000 is a breaking change that will cause the existing test 'Key.strech' in test/encrypted_test.dart to fail. The test expects the output 'ykT8qFmrPp7TJyzY+E2NoBNjfWymzKOs1OCbRsO67fo=' which was calculated using 100 iterations. The test needs to be updated to either pass iterationCount: 100 explicitly to preserve the old behavior, or the expected hash needs to be recalculated with 600,000 iterations.

Suggested change

	/// The [iterationCount] defaults to 600,000 per OWASP recommendations for
	/// PBKDF2-HMAC-SHA1. Passing a value below 600,000 is strongly discouraged
	/// as it weakens resistance to brute-force attacks.
	Key stretch(int desiredKeyLength, {int iterationCount = 600000, Uint8List? salt}) {
	/// The [iterationCount] defaults to 100 for backward compatibility with
	/// existing code. A higher value (for example, 600,000 or more) is
	/// strongly recommended to improve resistance to brute-force attacks.
	Key stretch(int desiredKeyLength, {int iterationCount = 100, Uint8List? salt}) {

[tsavo-at-pieces]

Upstream PR Dependency Compatibility Review

Reviewed two open PRs on the archived upstream (leocavalcante/encrypt) for dependency compatibility with the open-runtime monorepo:

---

PR leocavalcante#343 — "feat: supports pointycastle 4.0.0" (by @alextekartik, branch 5.x)

Change: Widens pointycastle constraint from ^3.7.3 to >=3.7.3 <5.0.0 in pubspec.yaml.

Downstream Impact

No impact on our fork. open-runtime/encrypt 6.0.0+ already uses pointycastle: ^4.0.0. The monorepo's pubspec.lock resolves pointycastle at 4.0.0 across all consumers (runtime_native_io_core, provisioning, gpt inference). This upstream PR merely catches the archived upstream up to what we already ship.

Version Constraints

• pointycastle 4.0.0 has no documented API breaking changes relative to 3.x (UTF-16 support, new OID, null-safety fix, dependency cleanup only).
• The range >=3.7.3 <5.0.0 is a safe backward-compatible widening.
• Our fork's ^4.0.0 is more forward-looking and appropriate since we don't need to maintain 3.x compat.

Verdict: Already superseded by our fork. No action needed.

---

PR leocavalcante#341 — "Add GCM to AES supported modes section in README" (by @probabilityhill)

Change: Adds - GCM \AESMode.gcm`to the "Supported modes" list inREADME.md`.

Downstream Impact

None — documentation-only change. GCM mode already exists in the AESMode enum in both the upstream package and our fork. The PR simply documents an existing capability that was missing from the README.

Version Constraints

No pubspec changes. Zero risk.

Verdict: Correct documentation fix. Our fork's README already lists GCM. No action needed.

---

Summary

Both upstream PRs are on the archived leocavalcante/encrypt repo and cannot be merged there. Neither PR introduces changes that our fork needs to adopt — we are already ahead on both fronts:

• pointycastle: ^4.0.0 (PR feat: supports pointycastle 4.0.0 leocavalcante/encrypt#343's intent) — already in our 6.0.0+
• GCM documented in README (PR Add GCM to AES supported modes section in README leocavalcante/encrypt#341's intent) — already in our README

No dependency compatibility concerns for the monorepo.

[tsavo-at-pieces]

Deep Review & Conflict Resolution

Merge Conflicts — Resolved ✅

Merged main into the PR branch. Conflicts were in:

• .github/workflows/ci.yaml → Kept main's v0.11.2 generated version (supersedes PR's v0.11.0)
• .runtime_ci/template_versions.json → Kept main's v0.11.2 hashes
• pubspec.yaml → Auto-merged cleanly (version bumped to 6.0.2, runtime_ci_tooling ^0.11.0 preserved)

Also pulled in main's release bot artifacts (v6.0.1, v6.0.2 audit/release notes).

---

Review Comment Responses

1. @cursor — CI analyze step pipefail (HIGH)

Verdict: Valid concern, but not actionable in this PR.

The dart analyze | tee without set -o pipefail is a known limitation of the generated CI template (runtime_ci_tooling). The grep fallback catches most error formats, but a pipefail-safe version would be more robust. Since ci.yaml is generated by tooling (tracked via template_versions.json hashes), the fix belongs in runtime_ci_tooling, not in a hand-edit here.

Action: Filed mentally for next runtime_ci_tooling update. No change in this PR.

2. @sentry — PBKDF2 600k default is breaking (CRITICAL)

Verdict: Valid. Fixed in this commit.

The default iterationCount change from 100→600,000 is intentionally breaking (security hardening per OWASP). The test was using the default and had a hardcoded expected value from 100 iterations.

Fix applied:

• Updated existing test to explicitly pass iterationCount: 100 (preserves deterministic assertion)
• Added new test verifying the 600k default produces a different (stronger) key
• Both tests pass ✅ (600k test takes ~13s as expected for PBKDF2-HMAC-SHA1)

3. @copilot — Suggests reverting to 100 default

Verdict: Disagree. 600k is the correct security default.

Copilot's suggestion to keep iterationCount: 100 as default "for backward compatibility" would defeat the purpose of this security fix. 100 iterations of PBKDF2-HMAC-SHA1 is trivially brute-forceable. OWASP recommends 600,000 minimum. The breaking change is documented and the test is fixed to handle both cases.

---

Security Fixes Review — All 4 Correct ✅

Fix	Assessment
Fernet HMAC constant-time	Correct. XOR-accumulation prevents timing side-channel. _constantTimeEquals is textbook.
RSA signature constant-time	Correct. Equal-length path now uses XOR-accumulation. Note: the unequal-length path still has early returns — acceptable since length difference is not secret.
PBKDF2 600k default	Correct per OWASP. Test updated.
ECB @deprecated	Correct. ECB leaks plaintext patterns (penguin problem). Guidance to use GCM/CBC is appropriate.

pointycastle Version

Already at ^4.0.0 which is the latest (4.0.0). No bump needed.

All Tests Pass

00:13 +51: All tests passed!

[Copilot]

@tsavo-at-pieces I've opened a new pull request, #17, to work on those changes. Once the pull request is ready, I'll request review from you.