Releases: kjur/jsrsasign
Releases · kjur/jsrsasign
Security Fix
- Changes from 11.1.2 to 11.1.3 (2026-Apr-18)
- base64x.js
- timingSafeEqual and timingSafeEqualImpl added
- jws.js
- modified to use timingSafeEqual for HS* signature verification
- Security fixes:
- bugfix
- jws.js
- wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint)
reported in issue #656 by @e3stpavel
- wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint)
- jws.js
- base64x.js
Contributors
Kr0emer and e3stpavel
Assets 2
Security Fix
- Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
- Security fixes:
- HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom)
reported by Bronson Yen of Calif.io and @Kr0emer #655. - HIGH: ASN.1 Parser Infinite Loop (asn1hex.js)
getChildIdx fix to avoid infinite loop reported by Koda Reef. - HIGH: DSA Universal Signature Forgery (dsa.js)
FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash
reported by Koda Reef, Nicholas Carlini and @Kr0emer. - ASN1HEX.getChildIdx DoS (asn1hex.js)
getChildIdx may raise DoS because of lacking value length check
reported by Yt(yutengsun) and Franciny S Roj. - missing JWS crit header parameter validation (jws.js)
as reported by Franciny S Roj.
Thank you indeed for those vulnerability reports and/or patches.
- HIGH: wrong random for for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom)
- Security fixes:
Contributors
Kr0emer
Assets 2
restore KJUR.crypto.Cipher class without RSA/RSAOAEP support
- Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
- src/crypto.js
- restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support
- src/crypto.js
remove RSA and RSAOAEP encryption for Marvin attack
- Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
- remove RSA PKCS#1.5 end OAEP encryption/decryption for Marvin attack (#598)
- src/crypto.js
- remove KJUR.crypto.Cipher class for RSA and RSAOAEP encryption/decryption
- ext/{rsa,rsa2}.js
remove encrypt/decrypt/encryptOAEP/decryptOAEP for RSAKey class
enhanced support for encrypted PKCS8
- Changes from 10.8.6 to 10.9.0 (2023-Nov-27)
- KEYUTIL.getPEM is updated not to use weak ciphers (#599)
- default encryptionScheme is changed from des-EDE3-CBC to aes256-CBC
- default prf is changed from hmacWithSHA1 to hmacWithSHA256
- src/keyutil.js
- more encrypted PKCS#8 private key support
- KEYUTIL.getKey now supports encrypted PKCS#8 private key with
aes128-CBC, aes256-CBC encrypted and using hmacWithSHA224/256/384/512 as
psudorandom function. - KEYUTIL.getPEM now supports such as above encrypted PKCS#8 PEM
priavte key.
- KEYUTIL.getKey now supports encrypted PKCS#8 private key with
- more encrypted PKCS#8 private key support
- src/crypto.js
- Cipher.decrypt/encrypt now supports symmetric ciphers (des-EDE3-CBC,aes128-CBC,aes256-CBC)
- src/base64x.js
- function inttohex and twoscompl are added
- src/asn1.js
- ASN1Util.bigIntToMinTwosComplementsHex is now DEPRECATED. use twoscompl.
- src/asn1x509.js
- aes*-CBC and hmacWithSHA* OIDs are added
- test/qunit-do-{base64x,crypto-cipher,keyutil-eprv,keyutil,keyutil-p8egen}.html
- update and add some test cases for above
- stop bower support (bower.json removed)
- KEYUTIL.getPEM is updated not to use weak ciphers (#599)
X509.getExtSubjectDirectoryAttributes another bugfix
- Changes from 10.8.5 to 10.8.6 (2023-Apr-26)
- src/x509.js
- another bugfix X509.getExtSubjectDirectoryAttributes method
- src/x509.js
X509.getExtSubjectDirectoryAttributes bugfix
- Changes from 10.8.4 to 10.8.5 (2023-Apr-26)
- src/x509.js
- bugfix X509.getExtSubjectDirectoryAttributes method
- src/x509.js
more SubjectDirectoryExtension support
- Changes from 10.8.3 to 10.8.4 (2023-Apr-26)
- src/asn1x509.js
- SubjectDirectoryAttributes class
- add array of array support for arbitrary attribute value
- SubjectDirectoryAttributes class
- src/x509.js
- add X509.getExtSubjectDirectoryAttributes method for
ExtSubjectDirectoryAttributes extension - update X509.getExtParam method
- support SubjectDirectoryAttributes
- parse unknown extension as ASN.1
- add X509.getExtSubjectDirectoryAttributes method for
- src/base64x.js
- bugfix foldnl function: when length of s is multiple of n,
result has unnecessary new line in the end of string.
- bugfix foldnl function: when length of s is multiple of n,
- qunit-do-{asn1x509,x509-ext,base64x,x500-param}.html
- update and add some test cases for above
- src/asn1x509.js
CABF SMIMEBR OID support
- Changes from 10.8.2 to 10.8.3 (2023-Apr-20)
- src/asn1x509.js
- Add OIDs for CABR S/MIME BR policy OIDs and GN givenName attribute type
- src/asn1x509.js