node-forge 0.9.0 → 1.0.0

package/CHANGELOG.md

@@ -1,6 +1,100 @@
 Forge ChangeLog
 ===============
 
+## 1.0.0 - 2022-01-04
+
+### Notes
+- **1.0.0**!
+- This project is over a decade old! Time for a 1.0.0 release.
+- The URL related changes may expose bugs in some of the networking related
+  code (unrelated to the much wider used cryptography code). The automated and
+  manual test coverage for this code is weak at best. Issues or patches to
+  update the code or tests would be appreciated.
+
+### Removed
+- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the
+  potential for prototype pollution. This API was only briefly used by the
+  maintainers for internal project debug purposes and was never intended to be
+  used with untrusted user inputs. This API was not documented or advertised
+  and is being removed rather than fixed.
+- **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and
+  `forge.http.parseUrl` alias) and use the [WHATWG URL
+  Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers
+  and modern Node.js. This change is needed to address URL parsing security
+  issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or
+  `forge.http` APIs, and support is needed for environments without `URL`
+  support, then a polyfill must be used.
+- **BREAKING**: Remove `forge.task` API. This API was never used, documented,
+  or advertised by the maintainers. If anyone was using this API and wishes to
+  continue development it in other project, please let the maintainers know.
+  Due to use in the test suite, a modified version is located in
+  `tests/support/`.
+- **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`,
+  `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with
+  `URL`, `URLSearchParams`, and custom code as needed.
+
+### Changed
+- **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support.
+- **BREAKING**: Renamed `master` branch to `main`.
+- **BREAKING**: Release process updated to use tooling that prefixes versions
+  with `v`. Other tools, scripts, or scanners may need to adapt.
+- **BREAKING**: Remove docs related to Bower and
+  [forge-dist](https://github.com/digitalbazaar/forge-dist). Install using
+  [another method](./README.md#installation).
+
+### Added
+- OIDs for `surname`, `title`, and `givenName`.
+
+### Fixed
+- **BREAKING**: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`.
+  Depending on how applications used this id to name association it could cause
+  compatibility issues.
+
+## 0.10.0 - 2020-09-01
+
+### Changed
+- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
+  non-invasive patches to keep it working will be considered. However, more
+  modern tools no longer support old Node.js versions making testing difficult.
+
+### Removed
+- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
+  `util.setPath` had a potential prototype pollution security issue when used
+  with unsafe inputs. These functions are not used by `forge` itself. They date
+  from an early time when `forge` was targeted at providing general helper
+  functions. The library direction changed to be more focused on cryptography.
+  Many other excellent libraries are more suitable for general utilities. If
+  you need a replacement for these functions, consider `get`, `set`, and `unset`
+  from [lodash](https://lodash.com/). But also consider the potential similar
+  security issues with those APIs.
+
+## 0.9.2 - 2020-09-01
+
+### Changed
+- Added `util.setPath` security note to function docs and to README.
+
+### Notes
+- **SECURITY**: The `util.setPath` function has the potential to cause
+  prototype pollution if used with unsafe input.
+  - This function is **not** used internally by `forge`.
+  - The rest of the library is unaffected by this issue.
+  - **Do not** use unsafe input with this function.
+  - Usage with known input should function as expected. (Including input
+    intentionally using potentially problematic keys.)
+  - No code changes will be made to address this issue in 0.9.x. The current
+    behavior *could* be considered a feature rather than a security issue.
+    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+    replacements. But also consider the potential similar security issues with
+    those APIs.
+  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+
+## 0.9.1 - 2019-09-26
+
+### Fixed
+- Ensure DES-CBC given IV is long enough for block size.
+
 ## 0.9.0 - 2019-09-04
 
 ### Added

package/README.md

@@ -2,7 +2,7 @@
 
 [![npm package](https://nodei.co/npm/node-forge.png?downloads=true&downloadRank=true&stars=true)](https://nodei.co/npm/node-forge/)
 
-[![Build status](https://img.shields.io/travis/digitalbazaar/forge.svg?branch=master)](https://travis-ci.org/digitalbazaar/forge)
+[![Build Status](https://github.com/digitalbazaar/forge/workflows/Main%20Checks/badge.svg)](https://github.com/digitalbazaar/forge/actions?query=workflow%3A%22Main+Checks%22)
 
 A native implementation of [TLS][] (and various other cryptographic tools) in
 [JavaScript][].
@@ -80,7 +80,6 @@ Documentation
 * [Tasks](#task)
 * [Utilities](#util)
 * [Logging](#log)
-* [Debugging](#debug)
 * [Flash Networking Support](#flash)
 
 ### Other
@@ -106,7 +105,7 @@ not be regularly updated.
 
 If you want to use forge with [Node.js][], it is available through `npm`:
 
-https://npmjs.org/package/node-forge
+https://www.npmjs.com/package/node-forge
 
 Installation:
 
@@ -121,24 +120,12 @@ var forge = require('node-forge');
 The npm package includes pre-built `forge.min.js`, `forge.all.min.js`, and
 `prime.worker.min.js` using the [UMD][] format.
 
-### Bundle / Bower
-
-Each release is published in a separate repository as pre-built and minimized
-basic forge bundles using the [UMD][] format.
-
-https://github.com/digitalbazaar/forge-dist
-
-This bundle can be used in many environments. In particular it can be installed
-with [Bower][]:
-
-    bower install forge
-
 ### jsDelivr CDN
 
 To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) include this in your html:
 
 ```html
-<script src="https://cdn.jsdelivr.net/npm/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 
 ### unpkg CDN
@@ -146,7 +133,7 @@ To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) includ
 To use it via [unpkg](https://unpkg.com/#/) include this in your html:
 
 ```html
-<script src="https://unpkg.com/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://unpkg.com/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 
 ### Development Requirements
@@ -1452,7 +1439,7 @@ __Examples__
 
 ```js
 // generate a key pair
-var keys = forge.pki.rsa.generateKeyPair(1024);
+var keys = forge.pki.rsa.generateKeyPair(2048);
 
 // create a certification request (CSR)
 var csr = forge.pki.createCertificationRequest();
@@ -1969,10 +1956,6 @@ var nodeBuffer = Buffer.from(forgeBuffer.getBytes(), 'binary');
 // make sure you specify the encoding as 'binary'
 var nodeBuffer = Buffer.from('CAFE', 'hex');
 var forgeBuffer = forge.util.createBuffer(nodeBuffer.toString('binary'));
-
-// parse a URL
-var parsed = forge.util.parseUrl('http://example.com/foo?bar=baz');
-// parsed.scheme, parsed.host, parsed.port, parsed.path, parsed.fullHost
 ```
 
 <a name="log" />
@@ -1988,19 +1971,6 @@ __Examples__
 // TODO
 ```
 
-<a name="debug" />
-
-### Debugging
-
-Provides storage of debugging information normally inaccessible in
-closures for viewing/investigation.
-
-__Examples__
-
-```js
-// TODO
-```
-
 <a name="flash" />
 
 ### Flash Networking Support
@@ -2021,8 +1991,8 @@ When using this code please keep the following in mind:
   runtime characteristics, runtime optimization, code optimization, code
   minimization, code obfuscation, bundling tools, possible bugs, the Forge code
   itself, and so on.
-- If using pre-built bundles from [Bower][] or similar be aware someone else
-  ran the tools to create those files.
+- If using pre-built bundles from [NPM][], another CDN, or similar, be aware
+  someone else ran the tools to create those files.
 - Use a secure transport channel such as [TLS][] to load scripts and consider
   using additional security mechanisms such as [Subresource Integrity][] script
   attributes.
@@ -2048,7 +2018,8 @@ Contact
 * Code: https://github.com/digitalbazaar/forge
 * Bugs: https://github.com/digitalbazaar/forge/issues
 * Email: support@digitalbazaar.com
-* IRC: [#forgejs][] on [freenode][]
+* IRC: [#forgejs][] on [Libera.Chat][] (people may also be on [freenode][] for
+  historical reasons).
 
 Donations
 ---------
@@ -2063,7 +2034,6 @@ Financial support is welcome and helps contribute to futher development:
 [3DES]: https://en.wikipedia.org/wiki/Triple_DES
 [AES]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
 [ASN.1]: https://en.wikipedia.org/wiki/ASN.1
-[Bower]: https://bower.io/
 [Browserify]: http://browserify.org/
 [CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [CFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
@@ -2076,7 +2046,9 @@ Financial support is welcome and helps contribute to futher development:
 [HMAC]: https://en.wikipedia.org/wiki/HMAC
 [JavaScript]: https://en.wikipedia.org/wiki/JavaScript
 [Karma]: https://karma-runner.github.io/
+[Libera.Chat]: https://libera.chat/
 [MD5]: https://en.wikipedia.org/wiki/MD5
+[NPM]: https://www.npmjs.com/
 [Node.js]: https://nodejs.org/
 [OFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [PKCS#10]: https://en.wikipedia.org/wiki/Certificate_signing_request