Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency jsrsasign to v10 [security] - abandoned #86

Open
wants to merge 1 commit into
base: develop
Choose a base branch
from
Open

fix(deps): update dependency jsrsasign to v10 [security] - abandoned #86

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 1, 2020
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jsrsasign (source) ^8.0.12 -> ^10.0.0 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2020-14966

Impact

Jsrsasign supports ECDSA signature validation which signature value is represented by ASN.1 DER encoding. This vulnerablity may accept a wrong ASN.1 DER encoded ECDSA signature such as:

  • wrong multi-byte ASN.1 length of TLV (ex. 0x820045 even though 0x45 is correct)
  • prepending zeros with ASN.1 INTEGER value (ex. 0x00000123 even though 0x0123 is correct)
  • appending zeros to signature of ASN.1 TLV (ex. 0x3082....1fbc000000 even though 0x3082....1fbc, appending zeros are ignored.)

This vulnerability was fixed by strict ASN.1 DER checking.

Here is an assessment of this vulnerability:

  • If you are not use ECDSA signature validation, this vulnerability is not affected.
  • Not ASN.1 format signature like just concatenation of R and S value is not affected such as Bitcoin.
  • This vulnerability is affected to all ECC curve parameters.
  • Risk to accept a forged or crafted message to be signed is low.
  • Risk to raise memory corruption is low since jsrsasign uses BigInteger class.
  • ECDSA signatures semantically the same to valid one may be accepted as valid. There are many malleable variants.

As discussed here, there is no standards like X9.62 which requires ASN.1 DER. So ASN.1 BER can be applied to ECDSA however most of implementations like OpenSSL do strict ASN.1 DER checking.

Patches

Users using ECDSA signature validation should upgrade to 8.0.19.

Workarounds

Do strict ASN.1 DER checking for ASN.1 encoded ECDSA signature value.

References

https://nvd.nist.gov/vuln/detail/CVE-2020-14966
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966
https://vuldb.com/?id.157123
https://github.com/kjur/jsrsasign/issues/437
https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html
https://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER
https://www.itu.int/rec/T-REC-X.690

GHSA-g753-jx37-7xwh

Impact

ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.

Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.13 or later, execution time of EC point and scalar multiplication is almost constant and fixed for the issue.

  • Minerva is one of timing attack or side channel attack for EC.
  • If you don't use ECDSA class, you are not affected the vulnerability.
  • The vulnerability is that attacker may guess private key by checking processing time of EC key generation or ECDSA signing.
  • The cause issue is that point multiplication processing time in ECDSA signing is depends on private key value.
  • After 8.0.13, processing time of point multiplication in ECDSA signing have become constant for key value in theory.

Patches

Users using ECDSA signature generation should upgrade to 8.0.13 or later.

Workarounds

There is no workarounds in jsrsasign. Update jsrsasign or use other ECDSA library.

ACKNOWLEDGEMENT

Thanks to Jan Jancar @​J08nY, Petr Svenda and Vladimir Sedlacek of Masaryk University in Czech Republic to find and report this vulnerability.

References

https://minerva.crocs.fi.muni.cz/
https://www.npmjs.com/advisories/1505
https://github.com/kjur/jsrsasign/issues/411

CVE-2021-30246

Impact

Vulnerable jsrsasign will accept RSA signature with improper PKCS#​1.5 padding.
Decoded RSA signature value consists following form:
01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]
Its byte length shall be the same as RSA key length however such checking was not sufficient.

To make crafted message for practical attack is very hard.

Patches

Users validating RSA signature should upgrade to 10.2.0 or later.

Workarounds

There is no workaround. Not to use RSA signature validation in jsrsasign.

ACKNOWLEDGEMENT

Thanks to Daniel Yahyazadeh @​yahyazadeh for reporting and analyzing this vulnerability.

GHSA-h87q-g2wp-47pj

In the jsrsasign package through 10.1.13 for Node.js, some invalid RSA PKCS#​1 v1.5 signatures are mistakenly recognized to be valid. NOTE: there is no known practical attack.

CVE-2022-25898

Impact

Jsrsasign supports JWS(JSON Web Signatures) and JWT(JSON Web Token) validation. However JWS or JWT signature with non Base64URL encoding special characters or number escaped characters may be validated as valid by mistake.

For example, even if a string of non Base64URL encoding characters such as !@​$% or \11 is inserted into a valid JWS or JWT signature value string, it will still be a valid JWS or JWT signature by mistake.

When jsrsasign's JWS or JWT validation is used in OpenID connect or OAuth2, this vulnerability will affect to authentication or authorization.

By our internal assessment, CVSS 3.1 score will be 8.6.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Patches

Users validate JWS or JWT signatures should upgrade to 10.5.25.

Workarounds

Validate JWS or JWT signature if it has Base64URL and dot safe string before
executing JWS.verify() or JWS.verifyJWT() method.

ACKNOWLEDGEMENT

Thanks to Adi Malyanker and Or David for this vulnerability report. Also thanks for Snyk security team for this coordination.

References

https://github.com/kjur/jsrsasign/releases/tag/10.5.25
GHSA-3fvg-4v2m-98jf kjur's advisories
GHSA-3fvg-4v2m-98jf github advisories
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25898
https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verifyJWT
https://kjur.github.io/jsrsasign/api/symbols/KJUR.jws.JWS.html#.verify
https://kjur.github.io/jsrsasign/api/symbols/global__.html#.isBase64URLDot
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWS-verification
https://github.com/kjur/jsrsasign/wiki/Tutorial-for-JWT-verification
https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-2869122

Release Notes

kjur/jsrsasign

v10.5.25: CVE-2022-25898 Security fix in JWS and JWT validation

Compare Source

  • Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
    • src/jws.js
      • JWS.verify and JWS.verifyJWT
        • CVE-2022-25898 SECURITY FIX:
          verify and verifyJWT may accept signature with special characters
          or \number characters by mistake.
          Please see security advisory:
          GHSA-3fvg-4v2m-98jf
    • src/base64x.js
      • function isBase64URLDot added
    • test/qunit-do-jwt-veri.html

v10.5.24: X509.getParam bugfix for v1 certificate

Compare Source

  • Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
    • src/x509.js
      • X509.getParam bugfix for X.509v1 certificate without extension

v10.5.23: BitString parsing bug fix

Compare Source

  • Changes from 10.5.22 to 10.5.23 (2022-May-27)
    • src/base64x.js
      • bitstrtobinstr bugfix fix
    • src/asn1hex.js
      • ASN1HEX.parse change for bin string range
    • npm/lib/footers.js
      • add missed exports (bitstrtobinstr, binstrtobitstr,
        namearraytobinstr, extendClass)
    • test/qunit-do-{asn1hex-parse,base64x}.html
      • add and fix some test cases for above

v10.5.22: DERBitString, KeyUsage and tsp PKIFailureInfo critical bug fix

Compare Source

  • Changes from 10.5.21 to 10.5.22 (2022-May-24)
    • src/asn1.js
      • DERBitString critical bugfix
    • src/asn1tsp.js
      • PKIFailureInfo critical bugfix
    • src/asn1x509.js
      • KeyUsage critical bugfix
    • src/base64.x
      • namearraytobinstr critical bugfix
    • test/qunit-do-{asn1,asn1tsp,asn1x509,base64x}.html
      • add and fix some test cases for above

v10.5.21

Compare Source

v10.5.20: OCSP ResponderID object udpate

Compare Source

  • Changes from 10.5.19 to 10.5.20 (2022-Apr-25)
    • src/asn1ocsp.js
      • ResponderID class now also supports PEM certificate or
        X509 object for key and name field.
    • test/qunit-do-asn1ocsp.html
      • add some test cases and fix for above
    • remove silver sponsor

v10.5.19: Time stamp package update

Compare Source

  • Changes from 10.5.18 to 10.5.19 (2022-Apr-23)
    • src/asn1tsp.js
      • TimeStampResp class update to statusinfo member
        will be optional. If omitted, it will be "granted" by default.
      • API manual update for more detail

v10.5.18: Time stamp package update

Compare Source

  • Changes from 10.5.17 to 10.5.18 (2022-Apr-22)
    • src/asn1tsp.js
      • TSPParser.getTimeStampReq added
      • TSPUtil.parse{TimeStampReq,MessageImprint} now DEPRECATED. Please use TSPParser.
    • test/qunit-do-asn1tsp.html
      • add some test cases and fix for above

v10.5.17: CIDR subnet mask support in iptohex and hextoip

Compare Source

  • Changes from 10.5.16 to 10.5.17 (2022-Apr-14)
    • src/asn1x509.js
      • add IP address support in NameConstraints class
      • bugfix in NameConstraints ip address
      • wrong ASN.1 encoder in NameConstraints class bug fix (wrong explicit tag)
    • src/base64x.js
      • add CIDR subnet mask support in iptohex and hextoip
      • iptohex, hextoip refactoring
    • test/qunit-do-{x509-ext,base64x,asn1x509-tbscert,asn1x509}.html
      • add some test cases and fix for above

v10.5.16: Add NameConstraints extension and modify getEncodedHex to tohex

Compare Source

  • Changes from 10.5.15 to 10.5.16 (2022-Apr-08)
    • src/asn1x509.js
      • NameConstraints and GeneralSubtree class added
      • add support for nameConstraints in Extensions class
      • remove old GeneralName code
    • src/x509.js
      • getExtNameConstraints and getGeneralSubbtree method added
      • add support for nameConstraints in getParam method
      • X509.getParam supports optional arguments:
        • tbshex: to return hexadecimal tbsCertificate value
        • nodnarray: delete array member of subject and issuer
          in the result.
    • src/x509crl.js
      • X509CRL.getParam supports optional arguments:
        • tbshex: to return hexadecimal tbsCertList value
        • nodnarray: delete array member of subject and issuer
          in the result.
    • src/asn1.js
      • ASN1Object.tohex() method added
      • ASN1Object.getEncodedHex() method is now DEPRECATED.
        Please use ASN1Object.tohex() instead.
      • clean up some codes
    • src/*.js
      • update for ASN1Object.tohex()
    • test/qunit-do-x509-ext.html
      • getExtNameConstraints and getGeneralSubtree method test added
    • test/qunit-do-asn1x509.html
      • NameConstraints and GeneralSubtree class test added
    • test/qunit-do-asn1-newobj.html
      • int and tag test refactoring
      • bugfix

v10.5.15: X509.getExtCRLDistributionPointsURI small fix

Compare Source

  • Changes from 10.5.14 to 10.5.15 (2022-Apr-06)
    • src/x509.js
      • fix X509.getExtCRLDistributionPointsURI. This returns
        undefined when no CDP extension as specified in document
        even though it is deprecated method.

v10.5.14: KEYUTIL.getPEM small fix

Compare Source

  • Changes from 10.5.13 to 10.5.14 (2022-Mar-28)
    • src/keyutil.js
      • fix KEYUTIL.getPEM when public key is not specified for ECDSA object.
        optional public key field will be omitted in such case. (#​549)
    • test/qunit-do-*.html
      • test case added for above updates.

v10.5.13: RSA key private generation fix

Compare Source

  • Changes from 10.5.12 to 10.5.13 (2022-Mar-18)
    • ext/rsa2.js
      • fix RSAGenerate for checking |p - q| (#​546)

v10.5.12: support ISO 8859-1 TeletexString and BMPString for X500Name

Compare Source

  • Changes from 10.5.11 to 10.5.12 (2022-Mar-13)
    • src/asn1hex.js
      • ASN1HEX.parse fixed for TeletexString and BMPString
      • ASN1HEX.parse TeletexString supports non-ASCII
        ISO 8859-1 Latin1 characters. Before this version,
        only supports ASCII characters.
      • hextoipv6 bug fix raised in some of enviroment
    • src/base64x.js
      • iso88591hextoutf8/utf8toiso88591hex added
      • iso88591hextoutf8hex/utf8hextoiso88591hex added
      • hextoipv6 fixed
    • src/x509.js
      • refactoring for X509.get{X500NameArray,RDN,AttrTypeAndValue}.
        Add support for Teletex/BMPString and more attrTypes
    • test/qunit-do-*.html
      • test case added for above updates.
        • qunit-do-base64x: add iso8859-1 / utf-8 converter tests
        • qunit-do-asn1hex-parse: add TeletexString parse tests
        • qunit-do-x509-ext: add NumericString/TeletexString X500Name tests

v10.5.11: asn1hex update

Compare Source

  • Changes from 10.5.10 to 10.5.11 (2022-Mar-12)
    • src/ash1hex.js
      • ASN1HEX.parse add NumericStiring(x12) support
      • ASN1HEX.parse fix for "8x" tag (non structured tag)
    • test/qunit-do-asn1hex.html
      • test case added for above updates.

v10.5.10: hextoipv6 fix

Compare Source

  • Changes from 10.5.9 to 10.5.10 (2022-Mar-10)
    • src/base64x.js
      • fix hextoipv6 for shrinking leading zeros (#​536)
    • test/qunit-do-base64x.html
      • test case added for above updates.

v10.5.9: small fix

Compare Source

  • Changes from 10.5.8 to 10.5.9 (2022-Mar-10)
    • src/base64x.js
    • src/asn1csr.js
    • test/qunit-do-{base64x,asn1csr}.html
      • test case update for above updates.

v10.5.8: OCSP CertID and X509 class update

Compare Source

  • Changes from 10.5.7 to 10.5.8 (2022-Feb-25)
    • src/asn1ocsp.js
      • CertID class refactoring
      • CertID.getParamByCerts method added
    • src/x509.js
      • DEPRECATED getPublicKeyHex method (use getSPKI instead)
      • getSPKI, getSPKIValue method added
      • getExtCRLDistributionPointsURI bugfix
      • API document fix
    • test/qunit-do-{asn1ocsp,x509-ext,x509,x509-v1}.html
      • test case update and bugfix for above updates.

v10.5.7: X509CRL.findRevCert bugfix for empty revCerts

Compare Source

  • Changes from 10.5.6 to 10.5.7 (2022-Feb-19)
    • src/x509crl.js
      • X509CRL.{findRevCert,findRevCertBySN} method fix for empty revCerts

v10.5.6: X509CRL.findRevCert bugfix

Compare Source

  • Changes from 10.5.5 to 10.5.6 (2022-Feb-17)
    • src/x509crl.js X509CRL class
      • fix sn error in findRevCert

v10.5.5: CRL parser update

Compare Source

  • Changes from 10.5.4 to 10.5.5 (2022-Feb-17)
    • src/x509crl.js X509CRL class
      • add getIssuerHex method
      • add findRevCert method
      • add findRevCertBySN method
    • test/x509crl.html update

v10.5.4: ASN.1 parser update and fix

Compare Source

  • Changes from 10.5.3 to 10.5.4 (2022-Feb-15)
    • src/asn1.js
      • DERTaggedObject
        • refactoring
        • add {tag: xx, str:"aaa"} parameter support
        • add {tag: xx, hex:"616161"} parameter support
        • setASN1Object method now deprecated. Please use setByParam
    • src/asn1hex.js
      • ASN1HEX.parse
        • add encapsulated OctetString, BitString support
        • add encapsulated structured TaggedObject support
        • changed to return binary string for 3byte or less BitString value
        • ObjectIdentifier fix when undefined OID name
    • src/base64x.js
      • added bitstrtobinstr/binstrtobitstr
      • utf8tohex fix for lower case hexadecimal string
      • hextoutf8 fix for improper hexadecimal string for UTF-8
      • bitstrtoint/inttobitstr fix for error case return
    • test/qunit-do-asn1.html
      • TaggedObject test case update
    • test/qunit-do-asn1hex-parse.html
      • BitString, TaggedObject test case update
    • test/qunit-do-base64x.html
      • hextoutf8/utf8tohex testcase update
      • bitstrtobinstr/binstrtobitstr testcase added

v10.5.3: add OtherName support in GeneralName

Compare Source

  • Changes from 10.5.2 to 10.5.3 (2022-Feb-10)
    • add otherName support in GeneralName by PR
      with small update (#​535)
    • src/asn1x509.js
      • add otherName of GeneralName support (#​535)
      • GeneralName class refactoring
      • add OtherName class
    • src/x509.js
      • add otherName of GeneralName support
    • src/asn1hex.js
      • add ASN1HEX.parse method
    • src/asn1.js
      • API doc and error exception fix
    • test/qunit-do-{asn1x509,x509-ext}.html
      • test case added
    • test/qunit-do-asn1hex-parse.html added

v10.5.2: small update for OID and JWK

Compare Source

  • Changes from 10.5.1 to 10.5.2 (2022-Feb-08)
    • src/asn1x509.js
      • add OID.{registerOIDs,checkOIDs} method
    • src/keyutil.js
      • getJWK, getJWKFromKey API doc update
    • test/qunit-do-asn1x509.html updated
      • test case added

v10.5.1: add KEYUTIL.getJWK, fix EC P-521 concat signature value and add support for P-521 JWS JWK

Compare Source

  • Changes from 10.5.0 to 10.5.1 (2021-Dec-01)
    • fix ECC P-521 curve issues (#​528)
      • src/ecdsa-modified.js
        • asn1SigToConcatSig fix P521 issue
        • concatSigToASN1Sig fix P521 issue
      • src/jws.js
        • add ES512 support
      • src/keyutil.js
        • fix P-521 issue in getKey,getJWKFromKey,
      • tool/tool_jwt.html
        • add ES512 support
      • test/qunit-do-ecdsamod-s.html
        • add P-521 asn1SigToConcatSig tests
        • add P-521 concatSigToASN1Sig tests
      • test/qunit-do-ecdsamod.html
        • add sha512 tests
      • test/qunit-do-jws-sign.html
        • add signing and verification ES512 test
      • test/qunit-do-keyutil-ec.html
        • add P-521 key test
      • test/qunit-do-keyutil-jwk.html
        • add P-521 private key test
      • test/qunit-do-x509-key.html
        • add P-521 certificate test
    • JWK from X509 certificate (#​529)
      • this PR was merged but
        • X509.getPublicKeyJWK was moved to KEYUTIL.getJWK
        • some tests in qunit-do-x509-jwk was moved to
          qunit-do-keyutil-jwk
        • readCertJWK was removed
    • src/keyutil
      • KEYUTIL.getJWK added and x5c/x5t/x5t#S256/kid member support
      • KEYUTIL.getJWKFromKey now deprecated
    • src/ecdsa-modified.js
      • missing variable definition fix (#​527)
    • test/qunit-do-x509.html test error fix
    • Great appreciate for @​cplussharp 's contribution.

v10.5.0: Add EC support for secp521r1 secp224r1 secp192r1

Compare Source

  • Changes from 10.4.1 to 10.5.0
    • Add EC support for secp521r1 secp224r1 secp192r1 (#​521 #​519)
      Thank you indeed for @​cplussharp 's great work.
      • EC key length bugs for newly supported curves are fixed.
        • src/ecdsa-modified: key length fixes
        • src/ecparam.js: add keycharlen property
        • src/asn1x509.js: add secp521r1 OID
        • test/qunit-do-ecdsamod.html: all test code passed
        • test/qunit-do-ecdsamod-unsupport.html: all test code passed
        • test/qunit-do-ecdsamod-s.html: all test code passed
        • test/qunit-do-ecdsamod-nisttv.html: added for NIST EC keygen test
        • sample/sample-ecdsa.html: add P-521
    • sample/sample-rsasign.html
      • fix to trim non hexadecimal strings (#​517)

v10.4.1: GeneralizedTime, UTCTime refactoring and some bug fix

Compare Source

  • Changes from 10.4.0 to 10.4.1 release
    • src/asn1.js
      • refactoring of DERUTCTime, DERGeneralizedTime and DERAbstractTime
      • now DERUTCTime support fraction of second
    • src/asn1x509.js
      • update Time class to follow DER{UTC,Generalized}Time update
    • tool/tool_tsreq.html
    • tool/tool_tsres.html
    • jsrsasign-*-min.js
      • header URL fix to kjur.github.io (#​503)
        (will be fixed in next release while rebuild)
    • test/qunit-do-{asn1,asn1x509}.html updated
      • KJUR.asn1.DER{UTC,Generalized}Time, KJUR.asn1.x509.Time class
        test case added and updated.

v10.4.0: Full support for parsing OCSP response

Compare Source

  • Changes from 10.3.2 to 10.4.0 (2021-08-17)
    • asn1ocsp.js
      • add OCSP response parser support in OCSPParser class (request #​501)
      • OCSPParser.get{OCSPResponse,ResponseBytes,BasicOCSPResponse,ResponseData,ResponderID,SingleResponseList,SingleResponse,CertStatus} methods added
      • DEPRECATED: OCSPUtil.getOCSPResponseInfo
    • test/qunit-do-asn1ocsp.html updated
      • add test for OCSP response parser

v10.3.2: fix wrong OCSPRequest for EC public key certificate

Compare Source

  • Changes from 10.3.1 to 10.3.2
    • asn1ocsp.js
      • CertID.setByCert fixed for issuer EC public key (#​500)

v10.3.0: remove all YUI dependency

Compare Source

  • Changes from 10.2.0 to 10.3.0
    • remove YUI library dependency
    • LICENSE.txt
      • remove YUI license
    • src/base64x.js
      • add extendClass function to replace YUI class extend
    • src/*.js
      • replace YAHOO.lang.extend to extendClass all
    • src/keyutil.js
      • change to raise exception in KEYUTIL class with Error class
    • src/asn1x509.js
      • API document update for Extesions and CRLReason class
    • npm_util/package.json
    • test/qunit-do-*.html
      • updated to follow above
    • test/qunit-do-base64x-class.html added
      • test for extendClass function

v10.2.0: CVE-2021-30246 RSAKey.verify issue fix

Compare Source

  • Changes from 10.1.13 to 10.2.0 (2021-04-14)
    • src/rsasign.js
    • src/asn1cms.js
      • IssuerSerial, IsseruAndSerialNumber API document update
    • sample_node/asn1extract2
      • change to "/usr/bin/env node"

v10.1.13: add non-ascii BMPString support

Compare Source

  • Changes from 10.1.12 to 10.1.13 (2021-03-08)
    • src/base64x.js
      • add ucs2hextoutf8 function
    • src/x509.js
      • X509.getAttrTypeAndValue supports non-ascii BMPString (#​474)
    • src/asn1hex.js
      • ASN1HEX.dump supports non-ascii BMPString
    • test/qunit-do-{asn1hex-dump,x509-ext,base64x}.html
      • updated to follow above

v10.1.12: fix for wrong UTF-8 encoding in distinguished name parser

Compare Source

  • Changes from 10.1.11 to 10.1.12 (2021-02-25)
    • src/x509.js
      • fix X509.getAttrTypeValue (#​473)
        • attribute value is converted by hextoutf8 not hextorstr
      • X509.getIssuerString update to use getIssuer
      • X509.getSubjectString update to use getSubject
      • X509.dnarraytostr fix to escape "+" and "/"
      • X509.hex2dn update to use getX500Name
    • test/qunit-do-x509-ext.html
      • updated to follow above

v10.1.11: update X509.getVersion and add jsrsasign-util saveFileJSON

Compare Source

  • Changes from 10.1.10 to 10.1.11 (2021-02-19)
    • src/x509.js
      • X509.getVersion supports other than
        empty(DEFAULT =v1) and [0] {INTEGER 2} (=v3).
        Thus version checking is relaxed. (#​471)
    • src/nodeutil.js (jsrsasign-util 1.0.4)
      • add saveFileUTF8
      • saveFileJSON API document fix

v10.1.10: extend support for distinguished name

Compare Source

  • Changes from 10.1.9 to 10.1.10 release (2021-02-14)
    • src/asn1x509.js
      • AttributeTypeAndValue
        • add support for OID and oid name constructor
          AttributeTypeAndValue({str: "/streetAddress=foo"})
          AttributeTypeAndValue({str: "/2.5.4.9=foo"})
      • OID.name2oidList
        • add givenName
    • test/qunit-do-asn1x509.html
      • updated to follow above

v10.1.9: Add SubjectDirectoryAttributes extension support

Compare Source

  • Changes from 10.1.8 to 10.1.9 release (2021-02-12)
    • src/asn1x509.js
      • SubjectDirectoryAttributes class added
      • Extensions class updated to support
        SubjectDirectoryAttributes
      • OID class update to support OIDs
        such as gender, placeOfBirth et.al. for
        SubjectDirectoryAttributes.
      • SubjectDirectoryAttributes parser is
        needed to be implemented in X509.js future.
    • test/qunit-do-asn1x509.html
      • updated to follow above

v10.1.8: KEYUTIL supports PKCS8 private key with extension

  • Changes from 10.1.5 to 10.1.8 release (2021-02-08)
    • src/keyutil.js
      • KEYUTIL.parsePlainPrivatePKCS8Hex now supports
        private key extsion and and issue #​454 fixed.
    • test/qunit-do-keyutil-eprv.html
      • updated to follow above

v10.1.5: CAdES-T support update and fix

Compare Source

  • Changes from 10.1.4 to 10.1.5 release (2021-01-17)
    • tool/tool_cades.html fix (#​465)
      • now works fine again for CAdES-T demo
    • src/asn1cms.js
      • SignerInfo class
        • unsigned attribute support again
      • Attribute class
        • add signaturePolicyIdentifier support
        • add signatureTimeStamp support
      • CMSParser class
        • add signaturePolicyIdentifier support
        • add setSignaturePolicyIdentifier method
    • src/asn1cades.js
      • CAdESUtil class
        • parseSignedDataForAddingUnsigned modified to use CMSParser
        • addSigTS removed since it was empty method
        • parseSignerInfoForAddingUnsigned is deprecated since
          parseSignedDataForAddingUnsigned will not call it.
    • src/crypto.js

v10.1.4: TSPParser.getPKIStatusInfo bugfix

Compare Source

  • Changes from 10.1.3 to 10.1.4 release (2020-11-23)
    • asn1tsp.js
      • TSPParser class
        • getPKIStatusInfo out parameter name bugfix
    • test/qunit-do-asn1hex.html
      • updated to follow above

v10.1.3: TSPParser.getPKIStatusInfo update

Compare Source

  • Changes from 10.1.2 to 10.1.3 release (2020-11-22)
    • asn1tsp.js
      • TSPParser class
        • getPKIStatusInfo updated to
          supports PKIFreeText and PKIFailureInfo
        • getPKIFreeText added
        • getPKIFailureInfo added
    • asn1hex.js
      • ASN1HEX class
        • getString added
        • getInt method updated to supports ASN.1 BitString
    • base64x.js
      • function bitstrtoint, inttobitstr added
    • test/qunit-do-{asn1hex,asn1tsp,base64x}.html
      • updated to follow above

v10.1.2: add SigningCertificateV2 for CMSParser and issue fix

Compare Source

  • Changes from 10.1.1 to 10.1.2 release (2020-11-21)
    • src/asn1cms.js
      • CMSParser
        • getAttribute updated to support
          SigningCertificateV2
        • add setSigningCertificateV2 method
        • add getESSCertIDv2 method
        • change sortflag of result parameter to true in
          CMSParser.getCertificateSet
    • test/qunit-do-asn1cms.html
      • updated to follow above

v10.1.1: CMSSignedData and TimeStamp parser bugfix

Compare Source

  • Changes from 10.1.0 to 10.1.1 release (2020-11-20)
    • src/asn1tsp.js
      • "serialNumber" parameter was changed to
        "serial" in TSTInfo class and TSPParser.getTSTInfo
        method.
    • src/asn1cms.js
      • change method name CMSParser.getAttributeArray to
        CMSParser.getAttributeList to align to the name
        AttributeList class.
      • getAttributeList returns JSON parameter which
        can be accepted by AttributeList constructor.
      • wrong sighex value for signature value
        by getSignerInfo method was fixed.
    • test/qunit-do-asn1tsp.html
      • updated to follow above

v10.1.0: add new CMSSignedData and TimeStamp parser and X500Name update

Compare Source

  • Changes from 10.0.5 to 10.1.0 release
    • add new CMSSignedData and TimeStamp parser
    • X500.get{X500Name,GeneralName,GeneralNames} result change
    • src/asn1cms.js
      • new CMSParser class for CMS SignedData
        • get{CMSSignedData,SignedData,HashAlgArray,
          EContent,SignerInfos,SignerInfo,SignerIdentifier,
          IssuerAndSerialNumber,AttributeArray,
          Attribute,ESSCertID,IssuerSerial,CertificateSet}
        • set{ContentType,SigningTime,MessageDigest,
          SigningCertificate}
    • src/asn1tsp.js
      • new TSPParser class to parser RFC 3161 TSP protocol
      • get{Response,Token,TSTInfo,Accuracy,MessageImprint,
        PKIStatusInfo}
      • setTSTInfo
    • src/asn1.js
      • DERObjectIdentifier class update to use new oidtohex
    • src/asn1hex.js
      • add ASN1HEX.{getInt,getOID,getOIDName}
    • src/asn1csr.js
      • CSRUtil.getParam result "subject" parameter result is changed
        because of X509.getX500Name update.
    • src/asn1x509.js
      • small update for Time class
      • small update for Certificate.sign method
      • document fix (issue #​463)
    • src/base64x.js
      • function "oidtohex" and "hextooid" added.
      • function "ishex" added
      • KJUR.lang.String.isHex now DEPRECATED. Please use "ishex".
    • src/x509.js
      • X509.getX500Name update
        • X509.get{Issuer,Subject,GeneralNames,GeneralName}
      • add X509.{getX500NameArray,dnarraytostr}
    • src/x509crl.js
      • X509CRL.getIssuer update for X509.getX500Name update
    • test/qunit-do-{asn1tsp,asn1cms,asn1hex,asn1x509-newcert-veri,
      base64x,x509-ext,x509crl}.html
      • updated to follow above

v10.0.5: small issue fixes and updates

Compare Source

  • Changes from 10.0.4 to 10.0.5 release
    • src/base64x.js
      • utf8tob64u, b64utoutf8
        replace new Buffer() to Buffer.from() for
        Node.JS deprecation (issue #​460)
    • src/asn1x509.js
    • src/x509.js
      • document fix
    • tool/tool_csr.html
      • update to show ASN.1 dump of CSR
    • test/qunit-do-base64x.html, npm/test/t_base64x.js
      • update test code to follow above

v10.0.4: add methods to modify some extension parameters

Compare Source

  • Changes from 10.0.3 to 10.0.4 (2020-Oct-23)
    • src/x509.js
      • add X509.updateExt{CDPFullURI,AIAOCSP,AIACAIssuer} method
    • src/nodeutil.js
      • add read{JSON,JSONC},saveJSON,printJSON method added
      • jrsasign-util npm package updated
    • test/qunit-do-x509-param.html
      • updated to follow above

v10.0.3: add findExt method in X509 class

Compare Source

  • Changes from 10.0.2 to 10.0.3 (2020-Oct-21)
    • src/x509.js
      • add X509.findExt method
    • test/qunit-do-x509-param.html
      • updated to follow above

v10.0.2: AdobeTimeStamp X.509v3 extension parser bugfix

Compare Source

  • Changes from 10.0.1 to 10.0.2 (2020-Oct-14)
    • src/x509.js
      • X509.getExtAdobeTimeStamp method bugfix

v10.0.1: AdobeTimeStamp X.509v3 certificate extension added

Compare Source

  • Changes from 10.0.0 to 10.0.1 (2020-Oct-13)
    • src/asn1x509.js
      • AdobeTimeStamp class added
      • add AdobeTimeStamp support in Extension class
      • add "adobeTimeStamp" OID in OID class
    • src/x509.js
      • add getExtAdobeTimeStamp method to X509 class
      • add "adobeTimeStamp" support in getExtParam
    • src/asn1.js
      • DERBoolean add support for "false" value.
    • test/qunit-do-{asn1,asn1x509,x509}.html
      • updated to follow above

v10.0.0: Major update for CMS SigneData TimeStamp and CAdES

Compare Source

  • Changes from 9.1.9 to 10.0.0 (2020-Sep-24)
    • major update for CMS SignedData related classes
      to allow more simple ASN.1 generation
    • src/asn1cms.js
      • new architecture updates in
        SignedData, Attribute
        • all implemented Attributes such as
          ContentType, SigningTime are also
          updated.
      • new class added
        • ESSCertID
        • ESSCertIDv2
        • SignerIdentifier
        • SubjectKeyIdentifier
        • CertificateSet
        • RevocationInfoChoices
        • RevocationInfoChoice
        • OtherRevocationFormat
      • following class/methods are now deprecated
        • CMSUtil.newSignedData
    • src/asn1tsp.js
      • aligned to new architecture:
        • TSTInfo, Accuracy, PKIStatusInfo,
          PKIStatus, PKIFreeText, PKIFailureInfo,
      • new class added
        • TimeStampToken
      • following class/methods are now deprecated
        • SimpleTSAAdapter, FixedTSAAdapter,
          TSPUtil.newTimeStampToken
    • src/asn1cades.js
      • aligned to new architecture
      • SignaturePolicyIdentifier, OtherHashAlgAndValue,
        SignatureTimeStamp, CompleteCertificateRefs,
        OtherCertID, OtherHash
      • new class added
      • SignaturePolicyId, OtherHashValue
    • src/asn1.js
      • DERTaggedObject add support for simple
        argument for explicit "tage" and implicit "tagi"
      • newObject add support for "asn1" property
      • DERObjectIdentifier constructor argument
        now accepts name and OID. method
        setValueNameOrOid added.
    • src/x509.js
      • X509(certPemOrHex)
        X509 class constructor add support for
        PEM or hex string of certificate as
        argument.
    • src/asn1x509.js
      • OID class: signaturePolicyIdentifier attribute
        OID added.

v9.1.9: wrong encoding in CRLReason in OCSP CertStatus fixed

Compare Source

  • Changes from 9.1.8 to 9.1.9 (2020-Sep-08)
    • src/asn1ocsp.js
      • BUGFIX: wrong encoding in CRLeason in OCSP CertStatus fixed
    • test/qunit-do-asn1ocsp.html
      • follow to above update

v9.1.8: wrong encoding in byKey of OCSP ResponderID fixed

Compare Source

  • Changes from 9.1.7 to 9.1.8 (2020-Sep-08)
    • src/asn1ocsp.js
      • BUGFIX: wrong encoding in byKey of OCSP ResponderID fixed
    • test/qunit-do-asn1ocsp.html
      • follow to above update

v9.1.7: nextUpdate encoding bugfix in ocsp SingleResponse

Compare Source

  • Changes from 9.1.6 to 9.1.7 (2020-Sep-08)
    • src/asn1ocsp.js
      • BUGFIX: nextUpdate encoding fix in SingleResponse
      • CertStatus document fix
    • test/qunit-do-asn1ocsp.html
      • follow to above update

v9.1.6: add OCSP response and request encoder

Compare Source

  • Changes from 9.1.5 to 9.1.6 (2020-Sep-05)
    • src/asn1ocsp.js
      • OCSPResponse class added
      • ResponseBytes class added
      • BasicOCSPResponse class added
      • ResponseData class added
      • ResponderID class added
      • SingleResponseList class added
      • SingleResponse class added
      • CertID class updated
        • changed properties to specify
          isserNameHash, issuerKeyHash and serialNumber
          without backward compatibility
      • CertStatus class added
      • OCSPParser class added
        • only OCSP request parser methods are available
    • src/asn1x509.js
      • OCSPNonce class OCSP extension added
      • OCSPNoCheck class certificate extension added
      • Extensios class supports OCSPNonce and OCSPNoCheck
      • OID clas supports ocspNonce, ocspNoCheck and ocspBasic
    • src/x509.js
      • X509.getExtParam supports OCSPNonce and OCSPNoCheck
      • X509.getExtOCSPNoCheck added
      • X509.getExtOCSPNonce added
    • src/asn1.js
      • ASN1Object class: add tlv parameter support
    • src/asn1hex.js
      • ASN1HEX.dump: enable to show tagged primitive

v9.1.5: ASN1HEX getChildIdx bug for too many children

Compare Source

  • Changes from 9.1.4 to 9.1.5 (2020-Aug-29)
    • src/asn1hex.js
      • BUGFIX: ASN1HEX.getChildIdx didn't returns
        proper result when too many child items
        such as over 200 children.
      • add ASN1HEX.getTLVblen method
      • DEPRECATED: getNextSiblingIdx. Please
        use getTLVblen instead.

v9.1.4: X509CRL parser revokedCertificate bugfix

X509CRL parser revokedCertificate bugfix

  • Changes from 9.1.3 to 9.1.4 (2020-Aug-28)
    • src/asn1hex.js
      • get{Idx,V,TLV}byList return value aligned to
        get{Idx,V,TLV}byListEx.
    • src/x509crl.js
      • BUGFIX: error when nextUpdate exists and
        no revokedCertificates

missed to export X509CRL in npm package

  • Changes from 9.1.2 to 9.1.3 (2020-Aug-28)
    • npm/lib/footer.js
      • export X509CRL
    • NOTE: only npm package released

v9.1.2: add private extension support for Cert CRL and CSR

Compare Source

  • Changes from 9.1.1 to 9.1.2 (2020-Aug-27)
    • undefined extension regarded as private extesion
      in extension parser X509.getExtParam.
      Thus certificate, CRL and CSR parser will
      not raise error when undefined extension
      is parsed.
    • src/x509.js
      • unknown extension is parsed as
        private extension.
    • test/qunit-do-{x509-param}.html
      • add test case to follow above update

v9.1.1: new CRL parser and private extension encoder support

Compare Source

  • Changes from 9.1.0 to 9.1.1 (2020-Aug-27)
    • add new X509CRL class for CRL parser
    • add Certificate, CSR and CRL private extension support
    • src/x509crl.js (new)
      • X509CRL class
    • src/x509.js
      • new X509.getExtCRLNumber method for extension parser
      • new X509.getExtCRLReason method for extension parser
      • new X509.getExtParam method for parsing one extension
        • NOTE: not yet support for private extension
    • src/asn1x509.js
      • Extensions class: add support for private extension
      • PrivateExtension class added
      • OID.name2oid: add support OID (ex. "1.2.3.4") as argument
    • src/asn1csr.js
      • CSRUtil.getParam update to support X509.getExtParamArray and
        not using X509.parseExt
    • src/asn1.js
      • getLengthHexFromValue small update for exception
    • test/qunit-do-{asn1x509,asn1x509-tbscert,x509}.html
      • update to follow above updates
    • test/x509csr.html (new)

v9.1.0: new CRL APIs and other updates

Compare Source

  • Changes from 9.0.3 to 9.1.0 (2020-Aug-24)
    • CRL constructor update to align Certificate
      class without backward compatibility.
    • BUGFIX: SigningCertificate{,V2} encoding bugifx
    • src/asn1cms.js
      • BUGFIX: SigningCertificate{,V2} encoding have been
        missign SEQUENCE. (#​448)
    • src/asn1csr.js
      • CertificationRequestInfo class updated to
        new KJUR.asn1.x509.Extension class.
    • src/asn1x509.js
      • CRL and TBSCertList class constructor have
        been updated to align Certificate and
        CertificationRequestInfo style in 9.0.0
        without backward compatibility.
        • this update makes more extension and
          entry extension support in the future.
        • CRLEntry class is deprecated since
          no more used in updated TBSCertList.
      • new CRLNumber extension class added
      • new CRLReason entry extension class added
      • OID class updated to support
        cRLNumber and cRLReason oids
      • TBSCertificate.getExtDERSequence method
        was moved to new Extensions class.
      • ASN1HEX.dump updated to support ENUMERATED
    • test/qunit-do-{asn1cms,asn1tsp,asn1x509-tbscert,
      asn1x509} updated to follow above updates.

v9.0.3: TimeStampToken ASN.1 encoding error fix

Compare Source

  • Changes from 9.0.2 to 9.0.3 (2020-Aug-22)
    • BUGFIX: tsa field of TSTInfo was not encoded properly. (#​450)
    • BUGFIX: CMSSignedData version of TimestampToken was not 3. (#​448)
    • src/asn1tsp.js
      • TSTInfo tsa field fix
      • TSTUtil.newTimeStampToken method to set
        CMSVersion 3.

v9.0.2: PolicyInformation named policy OID bug fix

Compare Source

  • Changes from 9.0.1 to 9.0.2 (2020-Aug-22)
    • BUGFIX: KJUR.asn1.tsp.PolicyInformation class constructor
      have not been accepted named policy OID such as "anyPolicy".
      The issue was fixed.
    • src/asn1x509.js
      • PolicyInformation bugfix for above.
    • test/qunit-do-asn1x509.html
      • updated to follow above.

v9.0.1: TimeStampToken contentType attribute bug fix

Compare Source

  • Changes from 9.0.0 to 9.0.1 (2020-Aug-21)
    • BUGFIX: KJUR.asn1.tsp.TimeStampToken class generates have
      generated with wrong contentType attribute
      with value "data". (#​448)
    • src/asn1tsp.js
      • TimeStampToken class constructor will add
        contentType attribute with "tstinfo" for bugfix. (#​448).
    • src/asn1cms.js
      • SignerInfo.setForContentAndHash class constructor
        parameter can have "contentType" property additionaly
        to set "tstinfo" as above.
    • src/asn1x509.js
      • some attribute type oids for CMS signedData are
        added to OID.name2oidList.

v9.0.0: Certificate and CSR generator and parser API major updates

Compare Source

  • Changes from 8.0.24 to 9.0.0 (2020-Aug-19)
    • Please see migration notes in wiki:
      https://github.com/kjur/jsrsasign/wiki/NOTE-jsrsasign-8.0.x-to-9.0.0-Certificate-and-CSR-API-migration-guide
    • CAUTION: some certificate and CSR APIs are missing
      backward compatibility so you may need to change your code
      to upgrade jsrsasign 9.0.0.
    • src/asn1x509.js
      • JSON argument format of Certificate and all certificate
        extension class were changed without backward compatibility.
        • They can accept JSON objects from ASN.1 parser methods
          in X509 class as an parameter arguments.
        • Certificate class constructor can automatically
          generate TBSCertificate and sign by params argument.
          So no need to call sign method or TBSCertificate
          constructor.
        • JSON argument format are aligned to the same manner
          among all certificate extension class.
        • For CRLDistributionPoints class, JSON argument format
          of DistributionPoint and DistributionPointName
          was changed.
      • Extension.appendByNameToArray method was removed.
      • "array" key was added to X500Name class constructor
        JSON argument.
        • AttributeTypeAndValue constructor argument also
          extended to support {type:"CN",value:"Test",ds:"prn"}
          style JSON object.
      • X509Util.newCertPEM argument format is updated to
        align Certificate class and is deprecated.
    • src/x509.js
      • returned JSON object format by all "get*" parser method
        was changed to accept by related class defined in asn1x509.js
        without backward compatibility.
      • all certificate extension parsing methods are
        changed to have "hExtV" and "critical" as arguments.
      • following methods are added:
        getAlgorithmIdentifierName, getIssuer, getSubject,
        getGeneralNames, getGeneralName, getDistributionPoint,
        getDistributionPointName, getExtAuthorityInfoAccess,
        getPolicyInformation, getPolicyQualifierInfo,
        getUserNotice, getDisplayText, getX500NameRule,
        getX500Name, getRDN, getAttrTypeAndValue, getParam,
        getExtParamArray
      • following methods are deprecated:
        getExtSubjectAltName2, getExtAIAInfo,
        getExtCRLDistributionPointsURI.
      • X509Util.newCertPEM bugfix.
        Got error when cakey is PKCS#​5 plain PEM key string
    • src/asn1csr.js
      • JSON argument format was changed in CertificationRequest,
        CertificationRequestInfo, CSRUtil.netCSRPEM without
        backward compatibility.
      • CSRUtil.getInfo was renamed to CSRUtil.getParam
      • CSRUtil.netCSRPEM is now deprecated
    • src/asn1.js
      • ASN1Util.newObject can also conclude ASN1Object
        as well as JSON parameter.
    • tool/tool_{ca,ca2}.html
      • changed to follow above updates.
    • test/*.html
      • following test pages are updated to follow above:
        qunit-do-{asn1csr,asn1tsp,asn1x509-newcrt,asn1x509,base64x,
        ecdsmod-s,keyutil-getpem,package-jwths,x509-ext,
        x509-key,x509-kid,x509}.html
      • following test pages are added:
        qunit-do-{asn1x509-tbscert,x509-param}.html

v8.0.24: fix SigningCertificate v1 v2 attribute ASN.1 encoding

Compare Source

  • Changes from 8.0.23 to 8.0.24 (2020-Aug-18)
    • KJUR.asn1.cms.{SigningCertificate,SigningCertificateV2}
      wrong ASN.1 encoding issue was fixed (#​448)
    • src/asn1cms.js
      • KJUR.asn1.cms.{SigningCertificate,SigningCertificateV2}
        ASN.1 encoding issue fixed (#​448)
      • added KJUR.asn1.cms.IssuerSerial
    • test/qunit-do-asn1{cms,tsp}.html
      • updated for above issue

v8.0.23: add CertificatePolicies BMPString and VisibleString support

Compare Source

  • Changes from 8.0.22 to 8.0.23 (2020-Aug-06)
    • src/asn1x509.js
      • CertificatePolicies class added
      • update Extension.appendByNameToArray for
        CertificatePolicies
      • PolicyInformation, PolicyQualifierInfo, UserNotice,
        NoticeReference and DisplayText class added
    • src/asn1.js
      • BMPString and VisibleString class added
      • update ASN1Util.newObject for {BMP,Visible}String
    • src/asn1hex.js
      • update ASN1HEX.dump for {BMP,Visible}String
    • test qunit-do-{asn1,asn1-newobj,asn1x509,asn1hex-dump}.html

v8.0.22: ASN1HEX and X509 c

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/npm-jsrsasign-vulnerability branch from d5e0852 to 8b250e5 Compare August 25, 2020 02:58
@renovate renovate bot force-pushed the renovate/npm-jsrsasign-vulnerability branch from 8b250e5 to 843b342 Compare April 26, 2021 13:34
@renovate renovate bot changed the title fix(deps): update dependency jsrsasign to v8.0.19 [security] fix(deps): update dependency jsrsasign to v10 [security] Apr 26, 2021
@renovate
Copy link
Contributor Author

renovate bot commented Mar 24, 2023
edited
Loading

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@renovate renovate bot changed the title fix(deps): update dependency jsrsasign to v10 [security] fix(deps): update dependency jsrsasign to v10 [security] - abandoned May 28, 2023
@renovate
Copy link
Contributor Author

renovate bot commented May 28, 2023

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Renovate 🌴
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@renovate-bot