cassproject 1.5.32 → 1.5.35

package/README.md

@@ -48,6 +48,36 @@ Development unit tests presume you have a CaSS Repository running on `localhost:
 
 # Changelog
 
+## 1.5.35
+* If --force-fips is enabled, always tries to use SHA-256 instead of crashing.
+
+### FIPS:
+FIPS is supported both client-side and server-side in CaSS. Here is the relevant compatibility table.
+
+Sources: https://www.openssl.org/blog/blog/2023/05/29/FIPS-3-0-8/
+
+| --> Server --> | < 1.5.35 | >= 1.5.35 with <br> OpenSSL 3.0.8 and<br> --force-fips | >= 1.5.35 with <br>OpenSSL 3.0.8 and<br> --force-fips and<br> env REJECT_SHA1=true |
+| - | - | - | - |
+| **Client/Library** | |
+| < 1.5.35 | SHA-1 (no FIPS) | SHA-1 (Verify only) | Incompatible
+| < 1.5.35 and<br> OpenSSL 3.0.8 and<br> env FIPS=true | SHA-1 (partial FIPS) | SHA-1 (Verify only) | Incompatible
+| >= 1.5.35 | SHA-1 (no FIPS) | SHA-1 (Verify only*), SHA-256 (FIPS) | SHA-256 (FIPS)
+| >= 1.5.35 and<br> env FIPS=true | SHA-1 (partial FIPS) | SHA-1 (Verify only*), SHA-256 (FIPS) | SHA-256 (FIPS)
+| >= 1.5.35 and<br> --force-fips | Incompatible | SHA-256 (FIPS) | SHA-256 (FIPS)
+
+To get FIPS, it is recommended to use the docker container builds.
+
+Partial FIPS means that we are still violating FIPS by using SHA-1 hashing. All other cryptographic operations are using the FIPS module.
+
+Verify only uses the exception that permits SHA-1 verification but not generation.
+
+Verify only* may fall back to SHA-1 verification if SHA-256 negotiation failed, but typically will not use SHA-1.
+
+## 1.5.34
+* FIPS support (Does not support SHA-1)
+* Default signature method is now SHA-256
+* Introduced backwards compatible method of using SHA-1 signatures with servers where the feature is not detected (1.5.34 and behind).
+
 ## 1.5.32
 * Library updates.
 * Skip empty rows in Relation import.

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "cassproject",
-	"version": "1.5.32",
+	"version": "1.5.35",
 	"description": "Competency and Skills Service",
 	"main": "index.js",
 	"scripts": {
@@ -9,9 +9,12 @@
 		"multitest": "concurrently --kill-others --kill-others-on-fail \"npm run test15\" \"npm run test14\" \"npm run test13\" \"npm run test12\"",
 		"testCassTest": "npm run testkill && docker run -d --name cass-test -p80:80 -e CASS_LOOPBACK cass-test && wait-on http://localhost/api/ping && npm run testNode18 && npm run testNode18Fips && npm run testNode16 && npm run testNode15 && npm run testNode14 && npm run testNode13 && npm run testNode12 && npm run testCypressEdge && npm run testCypress && npm run testkill",
 		"testDevHttps": "npm run testkill && docker run -d --name cass-test -p443:80 -e CASS_LOOPBACK -e HTTPS=true cassproject/cass:dev && wait-on https://localhost/api/ping && npm run testNode18HttpsFips && npm run testNode18Https && npm run testNode16Https && npm run testNode15Https && npm run testNode14Https && npm run testNode13Https && npm run testNode12Https && npm run testCypressEdgeHttps && npm run testCypressHttps",
-		"test15Https": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true cassproject/cass:1.5.31 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode18Https\" \"npm run testNode16Https\" && npm run testkill",
-		"test15Https11": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true -e HTTP2=false cassproject/cass:1.5.31 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode18Https\" \"npm run testNode16Https\" && npm run testkill",
-		"test15": "export CASS_LOOPBACK=http://localhost/api/|| set CASS_LOOPBACK=http://localhost/api/&& npm run testkill15 && docker run -d -e CASS_LOOPBACK --name cass-test15 -p80:80 cassproject/cass:1.5.31 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode18\" \"npm run testNode16\" && npm run testkill15",
+		"test15HttpsFips": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true cassproject/cass:1.5.34 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode20Https\" \"npm run testNode20HttpsFips\" \"npm run testNode20HttpsForceFips\" \"npm run testNode18Https\" \"npm run testNode18HttpsFips\" \"npm run testNode16Https\" && npm run testkill",
+		"test15Https11Fips": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true -e HTTP2=false cassproject/cass:1.5.34 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode20Https\" \"npm run testNode20HttpsFips\" \"npm run testNode20HttpsForceFips\" \"npm run testNode18Https\" \"npm run testNode18HttpsFips\" \"npm run testNode16Https\" && npm run testkill",
+		"test15Https": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true cassproject/cass:1.5.32 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode20Https\" \"npm run testNode20HttpsFips\" \"npm run testNode18Https\" \"npm run testNode18HttpsFips\" \"npm run testNode16Https\" && npm run testkill",
+		"test15Https11": "npm run testkill && docker run -d --name cass-test -p443:443 -e CASS_LOOPBACK -e HTTPS=true -e HTTP2=false cassproject/cass:1.5.32 && wait-on https://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypressHttps\" \"npm run testNode20Https\" \"npm run testNode20HttpsFips\" \"npm run testNode18Https\" \"npm run testNode18HttpsFips\" \"npm run testNode16Https\" && npm run testkill",
+		"test15Fips": "export CASS_LOOPBACK=http://localhost/api/|| set CASS_LOOPBACK=http://localhost/api/&& npm run testkill15 && docker run -d -e CASS_LOOPBACK --name cass-test15 -p80:80 cassproject/cass:1.5.34 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode20\" \"npm run testNode20Fips\" \"npm run testNode20ForceFips\" \"npm run testNode18\" \"npm run testNode18Fips\" \"npm run testNode16\" && npm run testkill15",
+		"test15": "export CASS_LOOPBACK=http://localhost/api/|| set CASS_LOOPBACK=http://localhost/api/&& npm run testkill15 && docker run -d -e CASS_LOOPBACK --name cass-test15 -p80:80 cassproject/cass:1.5.32 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode20\" \"npm run testNode20Fips\" \"npm run testNode18\" \"npm run testNode18Fips\" \"npm run testNode16\" && npm run testkill15",
 		"test14": "npm run testkill14 && docker run -d -e CASS_LOOPBACK --name cass-test14 -p80:80 cassproject/cass:1.4.4 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode16\" && npm run testkill14",
 		"test13": "npm run testkill13 && docker run -d -e CASS_LOOPBACK --name cass-test13 -p80:80 cassproject/cass:1.3.18 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode16\" && npm run testkill13",
 		"test12": "npm run testkill12 && docker run -d -e CASS_LOOPBACK --name cass-test12 -p80:80 cassproject/cass:1.2.44 && wait-on http://localhost/api/ping && concurrently --kill-others-on-fail \"npm run testCypress\" \"npm run testNode16\" && npm run testkill12",
@@ -20,6 +23,12 @@
 		"testkill13": "docker kill cass-test13 | exit 0 && docker rm cass-test13 | exit 0",
 		"testkill12": "docker kill cass-test12 | exit 0 && docker rm cass-test12 | exit 0",
 		"testkill": "docker kill cass-test | exit 0 && docker rm cass-test | exit 0",
+		"testNode20": "docker build --progress plain -f docker/node20 -t npm-cass20 . & docker run -e CASS_LOOPBACK --rm --network=\"host\" npm-cass20",
+		"testNode20Https": "docker build --progress plain -f docker/node20https -t npm-cass20https . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass20https",
+		"testNode20HttpsFips": "docker build --progress plain -f docker/node20httpsfips -t npm-cass20httpsfips . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass20httpsfips",
+		"testNode20HttpsForceFips": "docker build --progress plain -f docker/node20httpsforcefips -t npm-cass20httpsfips . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass20httpsfips",
+		"testNode20ForceFips": "docker build --progress plain -f docker/node20forcefips -t npm-cass20fips . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass20fips",
+		"testNode20Fips": "docker build --progress plain -f docker/node20fips -t npm-cass20fips . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass20fips",
 		"testNode18": "docker build --progress plain -f docker/node18 -t npm-cass18 . & docker run -e CASS_LOOPBACK --rm --network=\"host\" npm-cass18",
 		"testNode18Https": "docker build --progress plain -f docker/node18https -t npm-cass18https . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass18https",
 		"testNode18HttpsFips": "docker build --progress plain -f docker/node18httpsfips -t npm-cass18httpsfips . & docker run -e CASS_LOOPBACK  --rm --network=\"host\" npm-cass18httpsfips",
@@ -38,7 +47,8 @@
 		"testCypressHttps": "docker build --progress plain -f docker/cypressHttps -t npm-casscypresshttps . & docker run -e CASS_LOOPBACK --rm npm-casscypresshttps",
 		"autotest": "nodemon test.js",
 		"autoindex": "nodemon index.js",
-		"mocha": "nyc --reporter=lcov --reporter=text mocha --timeout 15000 -b src/**/*.test.js",
+		"mocha": "mocha --timeout 15000 -b src/**/*.test.js",
+		"mochaFips": "mocha -n 'force-fips' --timeout 15000 -b src/**/*.test.js",
 		"mocha:httpsNoHttp2": "export HTTP2=false|| set HTTP2=false&& mocha --timeout 15000 -b src/**/*.test.js",
 		"mocha:https": "mocha --timeout 15000 -b src/**/*.test.js",
 		"mocha:clientSideCertificates": "export CASS_LOOPBACK=https://localhost/api/|| set CASS_LOOPBACK=https://localhost/api/&& mocha --timeout 15000 -b src/**/*.test.js",
@@ -46,7 +56,7 @@
 		"mocha:dev": "export CASS_LOOPBACK=https://dev.cassproject.org/api/|| set CASS_LOOPBACK=https://dev.cassproject.org/api/&& export HTTP2=false|| set HTTP2=false&& mocha --timeout 300000 -b src/**/*.test.js",
 		"mocha:demo": "export CASS_LOOPBACK=https://demo.cassproject.org/api/|| set CASS_LOOPBACK=https://demo.cassproject.org/api/&& export HTTP2=false|| set HTTP2=false&& mocha --timeout 300000 -b src/**/*.test.js",
 		"mochaGraph": "mocha --timeout 15000 -b src/com/eduworks/ec/graph/**/*.test.js",
-		"automocha": "nodemon --exec \"npm run mocha:https\"",
+		"automocha": "nodemon --exec \"npm run mocha\"",
 		"automochaGraph": "nodemon --exec \"npm run mochaGraph\"",
 		"automocha:clientSideCertificates": "nodemon --exec \"npm run mocha:clientSideCertificates\"",
 		"lint": "eslint src -c .eslintrc.js --ext .js --fix",
@@ -99,7 +109,7 @@
 		"forge": "^2.3.0",
 		"form-data": "^4.0.0",
 		"http2-wrapper": "^2.2.0",
-		"jsonld": "^8.2.0",
+		"jsonld": "^8.3.1",
 		"node-forge": "^1.3.1",
 		"papaparse": "^5.4.1",
 		"pem-jwk": "^2.0.0",
@@ -129,18 +139,18 @@
 	},
 	"homepage": "https://github.com/cassproject/cass-npm#readme",
 	"devDependencies": {
-		"@babel/core": "^7.22.10",
-		"@babel/preset-env": "^7.22.10",
+		"@babel/core": "^7.22.20",
+		"@babel/preset-env": "^7.22.20",
 		"@cypress/browserify-preprocessor": "^3.0.2",
-		"@cypress/vite-dev-server": "^5.0.5",
-		"@cypress/webpack-preprocessor": "^5.17.1",
+		"@cypress/vite-dev-server": "^5.0.6",
+		"@cypress/webpack-preprocessor": "^6.0.0",
 		"babel-eslint": "^10.1.0",
 		"babel-plugin-transform-remove-strict-mode": "^0.0.2",
-		"chai": "^4.3.7",
-		"concurrently": "^8.2.0",
+		"chai": "^4.3.8",
+		"concurrently": "^8.2.1",
 		"convert-hrtime": "^5.0.0",
-		"cypress": "^12.17.3",
-		"eslint": "^8.46.0",
+		"cypress": "^13.2.0",
+		"eslint": "^8.49.0",
 		"mocha": "^10.2.0",
 		"node-polyfill-webpack-plugin": "^2.0.1",
 		"nodemon": "^3.0.1",

package/src/com/eduworks/ec/crypto/EcAesCtrAsync.js

@@ -32,7 +32,9 @@ module.exports = class EcAesCtrAsync {
 			try {
 				realCrypto.setFips(true);
 			} catch (e) {
-				global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.INFO, "EcAesCtrAsyncFips", "ERR_CRYPTO_FIPS_UNAVAILABLE", e);
+				if (e.toString().indexOf("ERR_CRYPTO_FIPS_FORCED") != -1)
+					return;
+				global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.INFO, "EcAesCtrAsyncFips", "ERR_CRYPTO_FIPS", e);
 			}
 	}
 
@@ -42,7 +44,9 @@ module.exports = class EcAesCtrAsync {
 			try {
 				realCrypto.setFips(false);
 			} catch (e) {
-				global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.INFO, "EcAesCtrAsyncFips", "ERR_CRYPTO_FIPS_UNAVAILABLE", e);
+				if (e.toString().indexOf("ERR_CRYPTO_FIPS_FORCED") != -1)
+					return;
+				global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.INFO, "EcAesCtrAsyncFips", "ERR_CRYPTO_FIPS", e);
 			}
 	}
 

package/src/com/eduworks/ec/crypto/EcCrypto.js

@@ -6,12 +6,12 @@ let forge = require("node-forge");
  */
 module.exports = class EcCrypto {
 	/**
-	 *  Turn on (defualt off) caching of decrypted data.
+	 *  Turn on (default off) caching of decrypted data.
 	 *  @property caching
 	 *  @type boolean
 	 */
 	static caching = false;
-	static testMode = false;
+	static testMode = true;
 	static deprecationNotice = false;
 	static decryptionCache = {};
 	static md5Cache = {};
@@ -25,6 +25,8 @@ module.exports = class EcCrypto {
 	 *  @method md5
 	 */
 	static md5(s) {
+		if (EcCrypto.testMode)
+			console.log("md5: " + s)
 		let m = null;
 		if (EcCrypto.caching) {
 			if (EcCrypto.md5Cache[s] === undefined) {
@@ -47,6 +49,8 @@ module.exports = class EcCrypto {
 	 *  @method sha256
 	 */
 	static sha256(s) {
+		if (EcCrypto.testMode)
+			console.log("sha256: " + s)
 		let m = null;
 		if (EcCrypto.caching) {
 			if (EcCrypto.sha256Cache[s] === undefined) {

package/src/com/eduworks/ec/crypto/EcRsaOaep.test.js

@@ -63,46 +63,16 @@ describe("EcRsaOaep", () => {
         assert.isTrue(randomString == decrypted);
     });
     it('signing then verifying', () => {
-        let randomString = EcAes.newIv(256*4);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = EcRsaOaep.sign(ppk, randomString);
-        let verified = EcRsaOaep.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (utf-8)', () => {
-        let randomString =
-            "abc\u16a0\u16c7\u16bb\u16eb\u16d2\u16e6\u16a6\u16eb\u16a0\u16b1\u16a9\u16a0\u16a2\u16b1\u16eb\u16a0\u16c1\u16b1\u16aa\u16eb\u16b7\u16d6\u16bb\u16b9\u16e6\u16da\u16b3\u16a2\u16d7";
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = EcRsaOaep.sign(ppk, randomString);
-        let verified = EcRsaOaep.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying w/caching', () => {
-        let randomString = EcAes.newIv(256).substring(0, 190);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let hrTime = hrtime();
-        let signature = EcRsaOaep.sign(ppk, randomString);
-        let elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log(randomString.length/1024+"KB signing speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        EcCrypto.caching = true;
-        let verified = EcRsaOaep.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification wout/caching speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        verified = EcRsaOaep.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification w/caching speed: " + elapsed+"ms");
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (sha256)', () => {
         let randomString = EcAes.newIv(256*4);

package/src/com/eduworks/ec/crypto/EcRsaOaepAsync.js

@@ -41,6 +41,8 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static encrypt(pk, plainText, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("encrypt: " + plainText)
 		if (
 			crypto == null ||
 			crypto === undefined ||
@@ -66,6 +68,7 @@ module.exports = class EcRsaOaepAsync {
 				.importKey("jwk", pk.toJwk(), algorithm, false, keyUsages)
 				.then(function (key) {
 					pk.key = key;
+					EcAesCtrAsync.fipsOn();
 					return crypto.subtle.encrypt(
 						algorithm,
 						key,
@@ -99,6 +102,8 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static decrypt(ppk, cipherText, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("decrypt: " + cipherText)
 		if (EcCrypto.caching) {
 			let cacheGet = null;
 			cacheGet = EcCrypto.decryptionCache[ppk.toPk().fingerprint() + cipherText];
@@ -125,6 +130,7 @@ module.exports = class EcRsaOaepAsync {
 		algorithm.hash = "SHA-1";
 		let result;
 		let afterKeyIsImported = (p1) => {
+			EcAesCtrAsync.fipsOn();
 			try {
 				result = forge.util.decodeUtf8(EcCrypto.ab2str(p1));
 			} catch (ex) {
@@ -142,6 +148,7 @@ module.exports = class EcRsaOaepAsync {
 			let p = crypto.subtle
 				.importKey("jwk", ppk.toJwk(), algorithm, false, keyUsages)
 				.then(function (key) {
+					EcAesCtrAsync.fipsOn();
 					ppk.key = key;
 					return crypto.subtle.decrypt(
 						algorithm,
@@ -157,14 +164,16 @@ module.exports = class EcRsaOaepAsync {
 				});
 			return cassPromisify(p, success, failure);
 		} else {
-			let p = crypto.subtle
+			let p = new Promise((resolve,reject)=>{
+				EcAesCtrAsync.fipsOn();
+				resolve(crypto.subtle
 				.decrypt(algorithm, ppk.key, base64.decode(cipherText))
 				.then(afterKeyIsImported)
 				.catch((error) => {
 					global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.ERROR, "EcRsaOaepAsyncDecrypt", error);
 					EcAesCtrAsync.fipsOff();
 					return null;
-				});
+				}))});
 			return cassPromisify(p, success, failure);
 		}
 	}
@@ -182,18 +191,21 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static sign(ppk, text, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("sign (sha1): " + text)
 		if (
 			crypto == null ||
 			crypto === undefined ||
 			crypto.subtle == null ||
-			crypto.subtle === undefined
+			crypto.subtle === undefined || 
+			(process && process.env && process.env.FIPS)
 		) {
 			return EcRsaOaepAsyncWorker.sign(ppk, text, success, failure);
 		}
 		if (text == null) {
 			return cassReturnAsPromise(null, success, failure);
 		}
-		//EcAesCtrAsync.fipsOn();// OPENSSL3 signing with this method doesn't seem to work right now.
+		EcAesCtrAsync.fipsOff();// OPENSSL3 signing with this method not allowed. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main
 		let keyUsages = [];
 		keyUsages.push("sign");
 		let algorithm = {};
@@ -204,6 +216,7 @@ module.exports = class EcRsaOaepAsync {
 				crypto.subtle
 					.importKey("jwk", ppk.toJwk(), algorithm, false, keyUsages)
 					.then(function (key) {
+						EcAesCtrAsync.fipsOff();// OPENSSL3 signing with this method not allowed. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main
 						ppk.signKey = key;
 						return crypto.subtle
 							.sign(
@@ -212,7 +225,7 @@ module.exports = class EcRsaOaepAsync {
 								EcCrypto.str2ab(forge.util.encodeUtf8(text))
 							)
 							.then(function (p1) {
-								//EcAesCtrAsync.fipsOff();// OPENSSL3 signing with this method doesn't seem to work right now.
+								//EcAesCtrAsync.fipsOff();// OPENSSL3 signing with this method not allowed. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main
 								return base64.encode(p1);
 							});
 					}),
@@ -220,8 +233,9 @@ module.exports = class EcRsaOaepAsync {
 				failure
 			);
 		else
-			return cassPromisify(
-				crypto.subtle
+			return cassPromisify(new Promise((resolve,reject)=>{
+				EcAesCtrAsync.fipsOff();// OPENSSL3 signing with this method not allowed. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main
+				resolve(crypto.subtle
 					.sign(
 						algorithm,
 						ppk.signKey,
@@ -229,7 +243,7 @@ module.exports = class EcRsaOaepAsync {
 					)
 					.then(function (p1) {
 						return base64.encode(p1);
-					}),
+					}))}),
 				success,
 				failure
 			);
@@ -248,6 +262,8 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static signSha256 = function (ppk, text, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("sign (sha256): " + text)
 		if (
 			crypto == null ||
 			crypto === undefined ||
@@ -267,6 +283,7 @@ module.exports = class EcRsaOaepAsync {
 			p = crypto.subtle
 				.importKey("jwk", ppk.toJwk(), algorithm, false, keyUsages)
 				.then(function (key) {
+					EcAesCtrAsync.fipsOn();
 					ppk.signKey256 = key;
 					return crypto.subtle.sign(
 						algorithm,
@@ -302,6 +319,8 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static verify(pk, text, signature, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("verify (sha1): " + text)
 		if (
 			crypto == null ||
 			crypto === undefined ||
@@ -327,6 +346,7 @@ module.exports = class EcRsaOaepAsync {
 				crypto.subtle
 					.importKey("jwk", pk.toJwk(), algorithm, false, keyUsages)
 					.then((key) => {
+						EcAesCtrAsync.fipsOn();
 						pk.signKey = key;
 						return crypto.subtle.verify(
 							algorithm,
@@ -342,8 +362,9 @@ module.exports = class EcRsaOaepAsync {
 				failure
 			);
 		} else {
-			return cassPromisify(
-				crypto.subtle.verify(
+			return cassPromisify(new Promise((resolve,reject)=>{				
+				EcAesCtrAsync.fipsOn();
+				resolve(crypto.subtle.verify(
 					algorithm,
 					pk.signKey,
 					base64.decode(signature),
@@ -351,7 +372,8 @@ module.exports = class EcRsaOaepAsync {
 				).then((result)=>{						
 					EcAesCtrAsync.fipsOff();
 					return result;
-				}),
+				}))})
+			,
 				success,
 				failure
 			);
@@ -372,6 +394,8 @@ module.exports = class EcRsaOaepAsync {
 	 *  @static
 	 */
 	static verifySha256(pk, text, signature, success, failure) {
+		if (EcCrypto.testMode)
+			console.log("verify (sha256): " + text)
 		if (
 			crypto == null ||
 			crypto === undefined ||
@@ -396,7 +420,8 @@ module.exports = class EcRsaOaepAsync {
 			return cassPromisify(
 				crypto.subtle
 					.importKey("jwk", pk.toJwk(), algorithm, false, keyUsages)
-					.then(function (key) {
+					.then(function (key) {			
+						EcAesCtrAsync.fipsOn();
 						pk.signKey256 = key;
 						return crypto.subtle.verify(
 							algorithm,
@@ -412,8 +437,9 @@ module.exports = class EcRsaOaepAsync {
 				failure
 			);
 		} else {
-			return cassPromisify(
-				crypto.subtle.verify(
+			return cassPromisify(new Promise((resolve,reject)=>{
+				EcAesCtrAsync.fipsOn();
+				resolve(crypto.subtle.verify(
 					algorithm,
 					pk.signKey256,
 					base64.decode(signature),
@@ -421,7 +447,7 @@ module.exports = class EcRsaOaepAsync {
 				).then((result)=>{						
 					EcAesCtrAsync.fipsOff();
 					return result;
-				}),
+				}))}),
 				success,
 				failure
 			);

package/src/com/eduworks/ec/crypto/EcRsaOaepAsync.test.js

@@ -66,48 +66,16 @@ describe("EcRsaOaepAsync", () => {
         assert.isTrue(randomString == decrypted);
     });
     it('signing then verifying', async () => {
-        let randomString = EcAes.newIv(256*4);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = await EcRsaOaepAsync.sign(ppk, randomString);
-        let verified = await EcRsaOaepAsync.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (utf-8)', async () => {
-        let randomString =
-            "abc\u16a0\u16c7\u16bb\u16eb\u16d2\u16e6\u16a6\u16eb\u16a0\u16b1\u16a9\u16a0\u16a2\u16b1\u16eb\u16a0\u16c1\u16b1\u16aa\u16eb\u16b7\u16d6\u16bb\u16b9\u16e6\u16da\u16b3\u16a2\u16d7";
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = await EcRsaOaepAsync.sign(ppk, randomString);
-        let verified = await EcRsaOaepAsync.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying w/caching', async () => {
-        let randomString = EcAes.newIv(256).substring(0, 190);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let hrTime = hrtime();
-        let signature = await EcRsaOaepAsync.sign(ppk, randomString);
-        let elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log(randomString.length/1024+"KB signing speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        EcCrypto.caching = true;
-        let verified = await EcRsaOaepAsync.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification wout/caching speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        verified = await EcRsaOaepAsync.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification w/caching speed: " + elapsed+"ms");
-        //assert.isTrue(elapsed < 2);
-        assert.isTrue(verified);
-        EcCrypto.caching = false;
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (sha256)', async () => {
         let randomString = EcAes.newIv(256*4);
@@ -127,7 +95,9 @@ describe("EcRsaOaepAsync", () => {
         );
         let pk = ppk.toPk();
         let signature = await EcRsaOaepAsync.signSha256(ppk, randomString);
+        console.log(signature);
         let verified = await EcRsaOaepAsync.verifySha256(pk, randomString, signature);
+        console.log(verified);
         assert.isTrue(verified);
     });
     it('signing then verifying w/caching (sha256)', async () => {

package/src/com/eduworks/ec/crypto/EcRsaOaepAsyncWorker.test.js

@@ -65,46 +65,16 @@ describe("EcRsaOaepAsyncWorker", () => {
         assert.isTrue(randomString == decrypted);
     });
     it('signing then verifying', async () => {
-        let randomString = EcAes.newIv(256*4);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = await EcRsaOaepAsyncWorker.sign(ppk, randomString);
-        let verified = await EcRsaOaepAsyncWorker.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (utf-8)', async () => {
-        let randomString =
-            "abc\u16a0\u16c7\u16bb\u16eb\u16d2\u16e6\u16a6\u16eb\u16a0\u16b1\u16a9\u16a0\u16a2\u16b1\u16eb\u16a0\u16c1\u16b1\u16aa\u16eb\u16b7\u16d6\u16bb\u16b9\u16e6\u16da\u16b3\u16a2\u16d7";
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let signature = await EcRsaOaepAsyncWorker.sign(ppk, randomString);
-        let verified = await EcRsaOaepAsyncWorker.verify(pk, randomString, signature);
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying w/caching', async () => {
-        let randomString = EcAes.newIv(256).substring(0, 190);
-        let ppk = EcPpk.fromPem(
-            "-----BEGIN RSA PRIVATE KEY-----MIIEpAIBAAKCAQEAz4BiFucFE9bNcKfGD+e6aPRHl402YM4Z6nrurDRNlnwsWpsCoZasPLkjC314pVtHAI2duZo+esGKDloBsiLxASRJo3R2XiXVh2Y8U1RcHA5mWL4tMG5UY2d0libpNEHbHPNBmooVYpA2yhxN/vGibIk8x69uZWxJcFOxOg6zWG8EjF8UMgGnRCVSMTY3THhTlfZ0cGUzvrfb7OvHUgdCe285XkmYkj/V9P/m7hbWoOyJAJSTOm4/s6fIKpl72lblfN7bKaxTCsJp6/rQdmUeo+PIaa2lDOfo7dWbuTMcqkZ93kispNfYYhsEGUGlCsrrVWhlve8MenO4GdLsFP+HRwIDAQABAoIBAGaQpOuBIYde44lNxJ7UAdYi+Mg2aqyK81Btl0/TQo6hriLTAAfzPAt/z4y8ZkgFyCDD3zSAw2VWCPFzF+d/UfUohKWgyWlb9iHJLQRbbHQJwhkXV6raviesWXpmnVrROocizkie/FcNxac9OmhL8+cGJt7lHgJP9jTpiW6TGZ8ZzM8KBH2l80x9AWdvCjsICuPIZRjc706HtkKZzTROtq6Z/F4Gm0uWRnwAZrHTRpnh8qjtdBLYFrdDcUoFtzOM6UVRmocTfsNe4ntPpvwY2aGTWY7EmTj1kteMJ+fCQFIS+KjyMWQHsN8yQNfD5/j2uv6/BdSkO8uorGSJT6DwmTECgYEA8ydoQ4i58+A1udqA+fujM0Zn46++NTehFe75nqIt8rfQgoduBam3lE5IWj2U2tLQeWxQyr1ZJkLbITtrAI3PgfMnuFAii+cncwFo805Fss/nbKx8K49vBuCEAq3MRhLjWy3ZvIgUHj67jWvl50dbNqc7TUguxhS4BxGr/cPPkP0CgYEA2nbJPGzSKhHTETL37NWIUAdU9q/6NVRISRRXeRqZYwE1VPzs2sIUxA8zEDBHX7OtvCKzvZy1Lg5Unx1nh4nCEVkbW/8npLlRG2jOcZJF6NRfhzwLz3WMIrP6j9SmjJaB+1mnrTjfsg36tDEPDjjJLjJHCx9z/qRJh1v4bh4aPpMCgYACG31T2IOEEZVlnvcvM3ceoqWT25oSbAEBZ6jSLyWmzOEJwJK7idUFfAg0gAQiQWF9K+snVqzHIB02FIXA43nA7pKRjmA+RiqZXJHEShFgk1y2HGiXGA8mSBvcyhTTJqbBy4vvjl5eRLzrZNwBPSUVPC3PZajCHrvZk9WhxWivIQKBgQCzCu1MH2dy4R7ZlqsIJ8zKweeJMZpfQI7pjclO0FTrhh7+Yzd+5db9A/P2jYrBTVHSwaILgTYf49DIguHJfEZXz26TzB7iapqlWxTukVHISt1ryPNo+E58VoLAhChnSiaHJ+g7GESE+d4A9cAACNwgh0YgQIvhIyW70M1e+j7KDwKBgQDQSBLFDFmvvTP3sIRAr1+0OZWd1eRcwdhs0U9GwootoCoUP/1Y64pqukT6B9oIB/No9Nyn8kUX3/ZDtCslaGKEUGMJXQ4hc5J+lq0tSi9ZWBdhqOuMPEfUF3IxW+9yeILP4ppUBn1m5MVOWg5CvuuEeCmy4bhMaUErUlHZ78t5cA==-----END RSA PRIVATE KEY-----"
-        );
-        let pk = ppk.toPk();
-        let hrTime = hrtime();
-        let signature = await EcRsaOaepAsyncWorker.sign(ppk, randomString);
-        let elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log(randomString.length/1024+"KB signing speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        EcCrypto.caching = true;
-        let verified = await EcRsaOaepAsyncWorker.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification wout/caching speed: " + elapsed+"ms");
-        hrTime = hrtime();
-        verified = await EcRsaOaepAsyncWorker.verify(pk, randomString, signature);
-        elapsed = (hrtime()[0]*1000000 + hrtime()[1]/1000 - hrTime[0] * 1000000 - hrTime[1] / 1000)/1000;
-        console.log("verification w/caching speed: " + elapsed+"ms");
-        assert.isTrue(verified);
+        console.log("Deprecated. See https://github.com/Lomilar/node-fips-rsassa-pkcs1-15-sha1/tree/main");
+        return;
     });
     it('signing then verifying (sha256)', async () => {
         let randomString = EcAes.newIv(256*4);

package/src/org/cassproject/ebac/identity/EcIdentityManager.js

@@ -4,6 +4,7 @@ const EcPpkFacade = require("../../../../com/eduworks/ec/crypto/EcPpkFacade");
 const EcRsaOaepAsync = require("../../../../com/eduworks/ec/crypto/EcRsaOaepAsync");
 const {cassReturnAsPromise, cassPromisify} = require("../../../../com/eduworks/ec/promises/helpers");
 const EbacSignature = require("../../../../com/eduworks/schema/ebac/EbacSignature");
+let realCrypto = require('crypto');
 
 /**
  *  Manages identities and contacts, provides hooks to respond to identity and
@@ -348,7 +349,8 @@ module.exports = class EcIdentityManager {
 		duration,
 		server,
 		success,
-		failure
+		failure,
+		signatureSheetHashAlgorithm
 	) {
 		let cache = null;
 		if (this.signatureSheetCaching) {
@@ -365,7 +367,7 @@ module.exports = class EcIdentityManager {
 			.map((pk) => this.getPpk(EcPk.fromPem(pk)))
 			.filter((x) => x != null)
 			.map((ppk) =>
-				this.createSignature(finalDuration, server, ppk)
+				this.createSignature(finalDuration, server, ppk, signatureSheetHashAlgorithm)
 			);
 		let p = Promise.all(promises);
 		p = p.then((signatureCandidates) => {
@@ -394,7 +396,7 @@ module.exports = class EcIdentityManager {
 	 *  @method signatureSheet
 	 *  @static
 	 */
-	signatureSheet(duration, server, success, failure) {
+	signatureSheet(duration, server, success, failure, signatureSheetHashAlgorithm) {
 		let cache = null;
 		if (this.signatureSheetCaching) {
 			cache = this.signatureSheetCache[server];
@@ -407,7 +409,7 @@ module.exports = class EcIdentityManager {
 		}
 		let finalDuration = duration;
 		let promises = this.ids.map((ident) =>
-			this.createSignature(finalDuration, server, ident.ppk)
+			this.createSignature(finalDuration, server, ident.ppk, signatureSheetHashAlgorithm)
 		);
 		let p = Promise.all(promises);
 		p = p.then((signatureCandidates) => {
@@ -437,7 +439,11 @@ module.exports = class EcIdentityManager {
 	 *  @method createSignature
 	 *  @static
 	 */
-	createSignature(duration, server, ppk) {
+	createSignature(duration, server, ppk, algorithm) {
+		if (process && process.env && process.env.FIPS == null && realCrypto.getFips && realCrypto.getFips() == 1)
+		{
+			algorithm = "SHA-256";
+		}
 		if (ppk instanceof EcPpkFacade) {
 			return null;
 		}
@@ -446,11 +452,17 @@ module.exports = class EcIdentityManager {
 		s.server = server;
 		delete s.owner;
 		delete s.signature;
+		delete s.signatureSha256;
 		s["@owner"] = ppk.toPk().toPem();
+		if (algorithm != null && algorithm == "SHA-256")
+			return EcRsaOaepAsync.signSha256(ppk, s.toJson()).then((signatureSha256) => {
+				s["@signatureSha256"] = signatureSha256;
+				return s;
+			});
 		return EcRsaOaepAsync.sign(ppk, s.toJson()).then((signature) => {
 			s["@signature"] = signature;
 			return s;
-		});
+		});	
 	}
 	/**
 	 *  Get PPK from PK (if we have it)
@@ -525,8 +537,9 @@ module.exports = class EcIdentityManager {
 			}
 		}
 		return Promise.all(promises).then((signatures) => {
-			d.signature = signatures.filter(x=>x);
-			if (d.signature != null && d.signature.length == 0) {
+			d.signatureSha256 = signatures.filter(x=>x);
+			if (d.signatureSha256 != null && d.signatureSha256.length == 0) {
+				delete d["signatureSha256"];
 				delete d["signature"];
 			}
 			return d;

package/src/org/cassproject/ebac/identity/EcRekeyRequest.js

@@ -91,11 +91,15 @@ module.exports = class EcRekeyRequest extends EcRemoteLinkedData {
 	 */
 	async verify() {
 		if (!await super.verify()) return false;
-		return await EcRsaOaepAsync.verifySha256(
+		return (await EcRsaOaepAsync.verifySha256(
 			EcPk.fromPem(this.rekeyPk),
 			this.toSignableRekeyJson(),
 			this.rekeySignature
-		);
+		) || (await EcRsaOaepAsync.verify(
+			EcPk.fromPem(this.rekeyPk),
+			this.toSignableRekeyJson(),
+			this.rekeySignature
+		)));
 	}
 	addRekeyRequestToForwardingTable() {
 		if (!this.verify()) return;

package/src/org/cassproject/ebac/identity/remote/EcRemoteIdentityManager.js

@@ -50,6 +50,7 @@ module.exports = class EcRemoteIdentityManager extends RemoteIdentityManagerInte
 	secretSalt = null;
 	secretIterations = 0;
 	configured = false;
+	signatureSheetHashAlgorithm;
 	/**
 	 *  Returns true if the identity manager is global. Returns false if the identity manager is local to the server.
 	 *
@@ -165,6 +166,7 @@ module.exports = class EcRemoteIdentityManager extends RemoteIdentityManagerInte
 							"Insufficient iterations on Secret Hash"
 						);
 					}
+					me.signatureSheetHashAlgorithm = p1["signatureSheetHashAlgorithm"];
 					me.configured = true;
 					return p1;
 				},
@@ -529,7 +531,7 @@ module.exports = class EcRemoteIdentityManager extends RemoteIdentityManagerInte
 				},
 				function (arg0) {
 					throw new Error(arg0);
-				}
+				}, this.signatureSheetHashAlgorithm
 			),
 			success,
 			failure

package/src/org/cassproject/ebac/repository/EcRepository.js

@@ -42,6 +42,7 @@ module.exports = class EcRepository {
 	selectedServer = null;
 	selectedServerProxy = null;
 	autoDetectFound = false;
+	signatureSheetHashAlgorithm = "SHA-1";
 	timeOffset = 0;
 	postMaxSize = null;
 	init(selectedServer, success, failure, loginObjectCallback) {
@@ -66,6 +67,9 @@ module.exports = class EcRepository {
 				if (p1["postMaxSize"]) {
 					me.postMaxSize = p1["postMaxSize"];
 				}
+				if (p1["signatureSheetHashAlgorithm"]) {
+					me.signatureSheetHashAlgorithm = p1["signatureSheetHashAlgorithm"];
+				}
 				if (p1["ping"] == "pong") {
 					if (loginObjectCallback != null)
 						loginObjectCallback(p1);
@@ -132,7 +136,7 @@ module.exports = class EcRepository {
 			p = EcRemote.getExpectingObject(finalUrl);
 		} else {
 			let offset = this.setOffset(url);
-			p = eim.signatureSheet(60000 + offset, url).then(
+			p = eim.signatureSheet(60000 + offset, url, null, null, repo != null ? repo.signatureSheetHashAlgorithm : null).then(
 				(signatureSheet) => {
 					let fd = new FormData();
 					fd.append("signatureSheet", signatureSheet);
@@ -247,7 +251,7 @@ module.exports = class EcRepository {
 			p = EcRemote.getExpectingObject(finalUrl);
 		} else {
 			let offset = this.setOffset(url);
-			p = eim.signatureSheet(60000 + offset, url).then(
+			p = eim.signatureSheet(60000 + offset, url, null, null, repo != null ? repo.signatureSheetHashAlgorithm : null).then(
 				(signatureSheet) => {
 					let fd = new FormData();
 					fd.append("signatureSheet", signatureSheet);
@@ -653,10 +657,11 @@ module.exports = class EcRepository {
 			p = eim.signatureSheetFor(
 				data.owner,
 				60000 + offset,
-				data.id
+				data.id,
+				null, null, repo != null ? repo.signatureSheetHashAlgorithm : null
 			);
 		} else {
-			p = eim.signatureSheet(60000 + offset, data.id);
+			p = eim.signatureSheet(60000 + offset, data.id, null, null, repo != null ? repo.signatureSheetHashAlgorithm : null);
 		}
 		p = p.then((signatureSheet) => {
 			let fd = new FormData();
@@ -752,7 +757,8 @@ module.exports = class EcRepository {
 			return eim.signatureSheetFor(
 				data.owner,
 				60000 + offset,
-				data.id
+				data.id,
+				null, null, repo != null ? repo.signatureSheetHashAlgorithm : null
 			).then((signatureSheet) => {
 				return EcRemote._delete(
 					targetUrl,
@@ -821,7 +827,8 @@ module.exports = class EcRepository {
 			return eim.signatureSheetFor(
 				data.owner,
 				60000 + offset,
-				data.id
+				data.id,
+				null, null, repo != null ? repo.signatureSheetHashAlgorithm : null
 			).then((signatureSheet) => {
 				return EcRemote._delete(
 					targetUrl,
@@ -907,12 +914,13 @@ module.exports = class EcRepository {
 					return eim.signatureSheetFor(
 						allOwners,
 						60000 + this.timeOffset,
-						this.selectedServer
+						this.selectedServer,
+						null, null, this.signatureSheetHashAlgorithm
 					);
 				} else {
 					return eim.signatureSheet(
 						60000 + this.timeOffset,
-						this.selectedServer
+						this.selectedServer, null, null, this.signatureSheetHashAlgorithm
 					);
 				}
 			})
@@ -980,7 +988,7 @@ module.exports = class EcRepository {
 			p = p.then(() => {
 				return eim.signatureSheet(
 					60000 + this.timeOffset,
-					this.selectedServer
+					this.selectedServer, null, null, this.signatureSheetHashAlgorithm
 				).then((signatureSheet) => {
 					fd.append("signatureSheet", signatureSheet);
 				});
@@ -1124,7 +1132,7 @@ module.exports = class EcRepository {
 			p = p.then(() =>
 				eim.signatureSheet(
 					60000 + this.timeOffset,
-					this.selectedServer
+					this.selectedServer, null, null, this.signatureSheetHashAlgorithm
 				).then((signatureSheet) => {
 					fd.append("signatureSheet", signatureSheet);
 				})
@@ -1546,7 +1554,7 @@ module.exports = class EcRepository {
 			"signatureSheet",
 			eim.signatureSheet(
 				60000 + this.timeOffset,
-				this.selectedServer
+				this.selectedServer, null, null, this.signatureSheetHashAlgorithm
 			)
 		);
 		EcRemote.postExpectingObject(

package/src/org/cassproject/ebac/repository/EcRepository.test.js

@@ -68,6 +68,7 @@ let changeNameAndSaveAndCheck = async (rld) => {
     let newName = "Some Thing " + EcCrypto.generateUUID();
     rld.setName(newName);
     await repo.saveTo(rld);
+    console.log(rld.id);
     assert.equal((await EcEncryptedValue.fromEncryptedValue(await EcRepository.get(rld.shortId(), null, null, repo))).getName(), newName);
 };
 

package/src/org/cassproject/schema/general/EcRemoteLinkedData.js

@@ -250,15 +250,23 @@ module.exports = class EcRemoteLinkedData extends EcLinkedData {
 		if (ppk instanceof EcPpkFacade)
 			return;
 		let signableJson = this.toSignableJson();
-		let signed = await EcRsaOaepAsync.sign(ppk, signableJson);
-		if (this.signature != null) {
-			for (let i = 0; i < this.signature.length; i++)
-				if (this.signature[i] == signed) return;
+		// let signed = await EcRsaOaepAsync.sign(ppk, signableJson);
+		// if (this.signature != null) {
+		// 	for (let i = 0; i < this.signature.length; i++)
+		// 		if (this.signature[i] == signed) return;
+		// } else {
+		// 	this.signature = [];
+		// }
+		// this.signature.push(signed);
+		let signedSha256 = await EcRsaOaepAsync.signSha256(ppk, signableJson);
+		if (this.signatureSha256 != null) {
+			for (let i = 0; i < this.signatureSha256.length; i++)
+				if (this.signatureSha256[i] == signedSha256) return;
 		} else {
-			this.signature = [];
+			this.signatureSha256 = [];
 		}
-		this.signature.push(signed);
-		return signed;
+		this.signatureSha256.push(signedSha256);
+		return signedSha256;
 	}
 	/**
 	 *  Verifies the object's signatures.
@@ -267,9 +275,11 @@ module.exports = class EcRemoteLinkedData extends EcLinkedData {
 	 *  @method verify
 	 */
 	async verify() {
+		let works = null;
+		let works256 = null;
 		if (this.signature != null) {
 			for (let i = 0; i < this.signature.length; ) {
-				let works = false;
+				works = false;
 				let sig = this.signature[i];
 				if (this.owner != null) {
 					for (let j = 0; j < this.owner.length; j++) {
@@ -295,10 +305,41 @@ module.exports = class EcRemoteLinkedData extends EcLinkedData {
 				if (!works) return false;
 				else i++;
 			}
-			if (this.signature.length == 0) return false;
-			return true;
 		}
-		return false;
+		console.log(works);
+		if (this.signatureSha256 != null) {
+			for (let i = 0; i < this.signatureSha256.length; ) {
+				works256 = false;
+				let sig = this.signatureSha256[i];
+				if (this.owner != null) {
+					for (let j = 0; j < this.owner.length; j++) {
+						let own = this.owner[j];
+						let pk = EcPk.fromPem(own);
+						let verify = false;
+						try {
+							verify = await EcRsaOaepAsync.verifySha256(
+								pk,
+								this.toSignableJson(),
+								sig
+							);
+							global.auditLogger.report(global.auditLogger.LogCategory.SYSTEM, global.auditLogger.Severity.INFO, "EcRemoteLDVer256", verify);
+						} catch (ex) {
+							verify = false;
+						}
+						if (verify == true) {
+							works256 = true;
+							break;
+						}
+					}
+				}
+				if (!works256) return false;
+				else i++;
+			}
+		}
+		if (works == null && works256 == null) return false;
+		if (works == null) return works256;
+		if (works256 == null) return works;
+		return true;
 	}
 	/**
 	 *  Adds an owner to the object, if the owner does not exist.
@@ -540,6 +581,9 @@ module.exports = class EcRemoteLinkedData extends EcLinkedData {
 		if (me["@signature"] != null) {
 			me["signature"] = me["@signature"];
 		}
+		if (me["@signatureSha256"] != null) {
+			me["signatureSha256"] = me["@signatureSha256"];
+		}
 		if (me["@encryptedType"] != null) {
 			me["encryptedType"] = me["@encryptedType"];
 		}

package/src/org/json/ld/EcLinkedData.js

@@ -309,12 +309,14 @@ global.jsonld = require("jsonld");
 			delete d["owner"];
 			delete d["reader"];
 			delete d["@signature"];
+			delete d["@signatureSha256"];
 			delete d["@owner"];
 			delete d["@reader"];
 			delete d["@id"];
 		} else {
 			delete d["signature"];
 			delete d["@signature"];
+			delete d["@signatureSha256"];
 			delete d["@id"];
 		}
 		let e = new EcLinkedData(d.context, d.type);