npm - node-forge - Versions diffs - 0.10.0 → 1.2.1 - Mend

node-forge 0.10.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (18) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,7 +1,88 @@
 Forge ChangeLog
 ===============
-## 0.10.0 - 2019-09-01
+## 1.2.1 - 2022-01-11
+### Fixed
+- [tests]: Load entire module to improve top-level testing and coverage
+  reporting.
+- [log]: Refactor logging setup to avoid use of `URLSearchParams`.
+## 1.2.0 - 2022-01-07
+### Fixed
+- [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
+  message.
+### Added
+- [oid,x509]: Added OID `1.3.14.3.2.29 / sha1WithRSASignature` for sha1 with
+  RSA. Considered a deprecated equivalent to `1.2.840.113549.1.1.5 /
+  sha1WithRSAEncryption`. See [discussion and
+  links](https://github.com/digitalbazaar/forge/issues/825).
+### Changed
+- [x509]: Reduce duplicate code. Add helper function to create a signature
+  digest given an signature algorithm OID. Add helper function to verify
+  signatures.
+## 1.1.0 - 2022-01-06
+### Fixed
+- [x509]: Correctly compute certificate issuer and subject hashes to match
+  behavior of openssl.
+- [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
+  CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".
+## 1.0.0 - 2022-01-04
+### Notes
+- **1.0.0**!
+- This project is over a decade old! Time for a 1.0.0 release.
+- The URL related changes may expose bugs in some of the networking related
+  code (unrelated to the much wider used cryptography code). The automated and
+  manual test coverage for this code is weak at best. Issues or patches to
+  update the code or tests would be appreciated.
+### Removed
+- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the
+  potential for prototype pollution. This API was only briefly used by the
+  maintainers for internal project debug purposes and was never intended to be
+  used with untrusted user inputs. This API was not documented or advertised
+  and is being removed rather than fixed.
+- **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and
+  `forge.http.parseUrl` alias) and use the [WHATWG URL
+  Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers
+  and modern Node.js. This change is needed to address URL parsing security
+  issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or
+  `forge.http` APIs, and support is needed for environments without `URL`
+  support, then a polyfill must be used.
+- **BREAKING**: Remove `forge.task` API. This API was never used, documented,
+  or advertised by the maintainers. If anyone was using this API and wishes to
+  continue development it in other project, please let the maintainers know.
+  Due to use in the test suite, a modified version is located in
+  `tests/support/`.
+- **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`,
+  `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with
+  `URL`, `URLSearchParams`, and custom code as needed.
+### Changed
+- **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support.
+- **BREAKING**: Renamed `master` branch to `main`.
+- **BREAKING**: Release process updated to use tooling that prefixes versions
+  with `v`. Other tools, scripts, or scanners may need to adapt.
+- **BREAKING**: Remove docs related to Bower and
+  [forge-dist](https://github.com/digitalbazaar/forge-dist). Install using
+  [another method](./README.md#installation).
+### Added
+- OIDs for `surname`, `title`, and `givenName`.
+### Fixed
+- **BREAKING**: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`.
+  Depending on how applications used this id to name association it could cause
+  compatibility issues.
+## 0.10.0 - 2020-09-01
 ### Changed
 - **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
@@ -15,11 +96,11 @@ Forge ChangeLog
   from an early time when `forge` was targeted at providing general helper
   functions. The library direction changed to be more focused on cryptography.
   Many other excellent libraries are more suitable for general utilities. If
-  you need a replacement for these functions, consier `get`, `set`, and `unset`
+  you need a replacement for these functions, consider `get`, `set`, and `unset`
   from [lodash](https://lodash.com/). But also consider the potential similar
   security issues with those APIs.
-## 0.9.2 - 2019-09-01
+## 0.9.2 - 2020-09-01
 ### Changed
 - Added `util.setPath` security note to function docs and to README.

package/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 [![npm package](https://nodei.co/npm/node-forge.png?downloads=true&downloadRank=true&stars=true)](https://nodei.co/npm/node-forge/)
-[![Build status](https://img.shields.io/travis/digitalbazaar/forge.svg?branch=master)](https://travis-ci.org/digitalbazaar/forge)
+[![Build Status](https://github.com/digitalbazaar/forge/workflows/Main%20Checks/badge.svg)](https://github.com/digitalbazaar/forge/actions?query=workflow%3A%22Main+Checks%22)
 A native implementation of [TLS][] (and various other cryptographic tools) in
 [JavaScript][].
@@ -80,7 +80,6 @@ Documentation
 * [Tasks](#task)
 * [Utilities](#util)
 * [Logging](#log)
-* [Debugging](#debug)
 * [Flash Networking Support](#flash)
 ### Other
@@ -106,7 +105,7 @@ not be regularly updated.
 If you want to use forge with [Node.js][], it is available through `npm`:
-https://npmjs.org/package/node-forge
+https://www.npmjs.com/package/node-forge
 Installation:
@@ -121,24 +120,12 @@ var forge = require('node-forge');
 The npm package includes pre-built `forge.min.js`, `forge.all.min.js`, and
 `prime.worker.min.js` using the [UMD][] format.
-### Bundle / Bower
-Each release is published in a separate repository as pre-built and minimized
-basic forge bundles using the [UMD][] format.
-https://github.com/digitalbazaar/forge-dist
-This bundle can be used in many environments. In particular it can be installed
-with [Bower][]:
-    bower install forge
 ### jsDelivr CDN
 To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) include this in your html:
 ```html
-<script src="https://cdn.jsdelivr.net/npm/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 ### unpkg CDN
@@ -146,7 +133,7 @@ To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) includ
 To use it via [unpkg](https://unpkg.com/#/) include this in your html:
 ```html
-<script src="https://unpkg.com/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://unpkg.com/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 ### Development Requirements
@@ -1452,7 +1439,7 @@ __Examples__
 ```js
 // generate a key pair
-var keys = forge.pki.rsa.generateKeyPair(1024);
+var keys = forge.pki.rsa.generateKeyPair(2048);
 // create a certification request (CSR)
 var csr = forge.pki.createCertificationRequest();
@@ -1969,10 +1956,6 @@ var nodeBuffer = Buffer.from(forgeBuffer.getBytes(), 'binary');
 // make sure you specify the encoding as 'binary'
 var nodeBuffer = Buffer.from('CAFE', 'hex');
 var forgeBuffer = forge.util.createBuffer(nodeBuffer.toString('binary'));
-// parse a URL
-var parsed = forge.util.parseUrl('http://example.com/foo?bar=baz');
-// parsed.scheme, parsed.host, parsed.port, parsed.path, parsed.fullHost
 ```
 <a name="log" />
@@ -1988,19 +1971,6 @@ __Examples__
 // TODO
 ```
-<a name="debug" />
-### Debugging
-Provides storage of debugging information normally inaccessible in
-closures for viewing/investigation.
-__Examples__
-```js
-// TODO
-```
 <a name="flash" />
 ### Flash Networking Support
@@ -2021,8 +1991,8 @@ When using this code please keep the following in mind:
   runtime characteristics, runtime optimization, code optimization, code
   minimization, code obfuscation, bundling tools, possible bugs, the Forge code
   itself, and so on.
-- If using pre-built bundles from [Bower][] or similar be aware someone else
-  ran the tools to create those files.
+- If using pre-built bundles from [NPM][], another CDN, or similar, be aware
+  someone else ran the tools to create those files.
 - Use a secure transport channel such as [TLS][] to load scripts and consider
   using additional security mechanisms such as [Subresource Integrity][] script
   attributes.
@@ -2048,7 +2018,8 @@ Contact
 * Code: https://github.com/digitalbazaar/forge
 * Bugs: https://github.com/digitalbazaar/forge/issues
 * Email: support@digitalbazaar.com
-* IRC: [#forgejs][] on [freenode][]
+* IRC: [#forgejs][] on [Libera.Chat][] (people may also be on [freenode][] for
+  historical reasons).
 Donations
 ---------
@@ -2063,7 +2034,6 @@ Financial support is welcome and helps contribute to futher development:
 [3DES]: https://en.wikipedia.org/wiki/Triple_DES
 [AES]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
 [ASN.1]: https://en.wikipedia.org/wiki/ASN.1
-[Bower]: https://bower.io/
 [Browserify]: http://browserify.org/
 [CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [CFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
@@ -2076,7 +2046,9 @@ Financial support is welcome and helps contribute to futher development:
 [HMAC]: https://en.wikipedia.org/wiki/HMAC
 [JavaScript]: https://en.wikipedia.org/wiki/JavaScript
 [Karma]: https://karma-runner.github.io/
+[Libera.Chat]: https://libera.chat/
 [MD5]: https://en.wikipedia.org/wiki/MD5
+[NPM]: https://www.npmjs.com/
 [Node.js]: https://nodejs.org/
 [OFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [PKCS#10]: https://en.wikipedia.org/wiki/Certificate_signing_request