node-forge 0.9.2 → 1.2.0

package/CHANGELOG.md

@@ -1,7 +1,99 @@
 Forge ChangeLog
 ===============
 
-## 0.9.2 - 2019-09-01
+## 1.2.0 - 2022-01-07
+
+### Fixed
+- [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
+  message.
+
+### Added
+- [oid,x509]: Added OID `1.3.14.3.2.29 / sha1WithRSASignature` for sha1 with
+  RSA. Considered a deprecated equivalent to `1.2.840.113549.1.1.5 /
+  sha1WithRSAEncryption`. See [discussion and
+  links](https://github.com/digitalbazaar/forge/issues/825).
+
+### Changed
+- [x509]: Reduce duplicate code. Add helper function to create a signature
+  digest given an signature algorithm OID. Add helper function to verify
+  signatures.
+
+## 1.1.0 - 2022-01-06
+
+### Fixed
+- [x509]: Correctly compute certificate issuer and subject hashes to match
+  behavior of openssl.
+- [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
+  CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".
+
+## 1.0.0 - 2022-01-04
+
+### Notes
+- **1.0.0**!
+- This project is over a decade old! Time for a 1.0.0 release.
+- The URL related changes may expose bugs in some of the networking related
+  code (unrelated to the much wider used cryptography code). The automated and
+  manual test coverage for this code is weak at best. Issues or patches to
+  update the code or tests would be appreciated.
+
+### Removed
+- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the
+  potential for prototype pollution. This API was only briefly used by the
+  maintainers for internal project debug purposes and was never intended to be
+  used with untrusted user inputs. This API was not documented or advertised
+  and is being removed rather than fixed.
+- **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and
+  `forge.http.parseUrl` alias) and use the [WHATWG URL
+  Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers
+  and modern Node.js. This change is needed to address URL parsing security
+  issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or
+  `forge.http` APIs, and support is needed for environments without `URL`
+  support, then a polyfill must be used.
+- **BREAKING**: Remove `forge.task` API. This API was never used, documented,
+  or advertised by the maintainers. If anyone was using this API and wishes to
+  continue development it in other project, please let the maintainers know.
+  Due to use in the test suite, a modified version is located in
+  `tests/support/`.
+- **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`,
+  `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with
+  `URL`, `URLSearchParams`, and custom code as needed.
+
+### Changed
+- **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support.
+- **BREAKING**: Renamed `master` branch to `main`.
+- **BREAKING**: Release process updated to use tooling that prefixes versions
+  with `v`. Other tools, scripts, or scanners may need to adapt.
+- **BREAKING**: Remove docs related to Bower and
+  [forge-dist](https://github.com/digitalbazaar/forge-dist). Install using
+  [another method](./README.md#installation).
+
+### Added
+- OIDs for `surname`, `title`, and `givenName`.
+
+### Fixed
+- **BREAKING**: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`.
+  Depending on how applications used this id to name association it could cause
+  compatibility issues.
+
+## 0.10.0 - 2020-09-01
+
+### Changed
+- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
+  non-invasive patches to keep it working will be considered. However, more
+  modern tools no longer support old Node.js versions making testing difficult.
+
+### Removed
+- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
+  `util.setPath` had a potential prototype pollution security issue when used
+  with unsafe inputs. These functions are not used by `forge` itself. They date
+  from an early time when `forge` was targeted at providing general helper
+  functions. The library direction changed to be more focused on cryptography.
+  Many other excellent libraries are more suitable for general utilities. If
+  you need a replacement for these functions, consider `get`, `set`, and `unset`
+  from [lodash](https://lodash.com/). But also consider the potential similar
+  security issues with those APIs.
+
+## 0.9.2 - 2020-09-01
 
 ### Changed
 - Added `util.setPath` security note to function docs and to README.

package/README.md

@@ -2,7 +2,7 @@
 
 [![npm package](https://nodei.co/npm/node-forge.png?downloads=true&downloadRank=true&stars=true)](https://nodei.co/npm/node-forge/)
 
-[![Build status](https://img.shields.io/travis/digitalbazaar/forge.svg?branch=master)](https://travis-ci.org/digitalbazaar/forge)
+[![Build Status](https://github.com/digitalbazaar/forge/workflows/Main%20Checks/badge.svg)](https://github.com/digitalbazaar/forge/actions?query=workflow%3A%22Main+Checks%22)
 
 A native implementation of [TLS][] (and various other cryptographic tools) in
 [JavaScript][].
@@ -80,7 +80,6 @@ Documentation
 * [Tasks](#task)
 * [Utilities](#util)
 * [Logging](#log)
-* [Debugging](#debug)
 * [Flash Networking Support](#flash)
 
 ### Other
@@ -106,7 +105,7 @@ not be regularly updated.
 
 If you want to use forge with [Node.js][], it is available through `npm`:
 
-https://npmjs.org/package/node-forge
+https://www.npmjs.com/package/node-forge
 
 Installation:
 
@@ -121,24 +120,12 @@ var forge = require('node-forge');
 The npm package includes pre-built `forge.min.js`, `forge.all.min.js`, and
 `prime.worker.min.js` using the [UMD][] format.
 
-### Bundle / Bower
-
-Each release is published in a separate repository as pre-built and minimized
-basic forge bundles using the [UMD][] format.
-
-https://github.com/digitalbazaar/forge-dist
-
-This bundle can be used in many environments. In particular it can be installed
-with [Bower][]:
-
-    bower install forge
-
 ### jsDelivr CDN
 
 To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) include this in your html:
 
 ```html
-<script src="https://cdn.jsdelivr.net/npm/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://cdn.jsdelivr.net/npm/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 
 ### unpkg CDN
@@ -146,7 +133,7 @@ To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) includ
 To use it via [unpkg](https://unpkg.com/#/) include this in your html:
 
 ```html
-<script src="https://unpkg.com/node-forge@0.7.0/dist/forge.min.js"></script>
+<script src="https://unpkg.com/node-forge@1.0.0/dist/forge.min.js"></script>
 ```
 
 ### Development Requirements
@@ -1452,7 +1439,7 @@ __Examples__
 
 ```js
 // generate a key pair
-var keys = forge.pki.rsa.generateKeyPair(1024);
+var keys = forge.pki.rsa.generateKeyPair(2048);
 
 // create a certification request (CSR)
 var csr = forge.pki.createCertificationRequest();
@@ -1969,10 +1956,6 @@ var nodeBuffer = Buffer.from(forgeBuffer.getBytes(), 'binary');
 // make sure you specify the encoding as 'binary'
 var nodeBuffer = Buffer.from('CAFE', 'hex');
 var forgeBuffer = forge.util.createBuffer(nodeBuffer.toString('binary'));
-
-// parse a URL
-var parsed = forge.util.parseUrl('http://example.com/foo?bar=baz');
-// parsed.scheme, parsed.host, parsed.port, parsed.path, parsed.fullHost
 ```
 
 <a name="log" />
@@ -1988,19 +1971,6 @@ __Examples__
 // TODO
 ```
 
-<a name="debug" />
-
-### Debugging
-
-Provides storage of debugging information normally inaccessible in
-closures for viewing/investigation.
-
-__Examples__
-
-```js
-// TODO
-```
-
 <a name="flash" />
 
 ### Flash Networking Support
@@ -2021,8 +1991,8 @@ When using this code please keep the following in mind:
   runtime characteristics, runtime optimization, code optimization, code
   minimization, code obfuscation, bundling tools, possible bugs, the Forge code
   itself, and so on.
-- If using pre-built bundles from [Bower][] or similar be aware someone else
-  ran the tools to create those files.
+- If using pre-built bundles from [NPM][], another CDN, or similar, be aware
+  someone else ran the tools to create those files.
 - Use a secure transport channel such as [TLS][] to load scripts and consider
   using additional security mechanisms such as [Subresource Integrity][] script
   attributes.
@@ -2035,8 +2005,6 @@ When using this code please keep the following in mind:
 - Certain features in this library are less susceptible to attacks depending on
   usage. This primarily includes features that deal with data format
   manipulation or those that are not involved in communication.
-- Do not pass unsafe inputs to `util.setPath`. Doing so could expose a
-  prototype pollution security issue.
 
 Library Background
 ------------------
@@ -2050,7 +2018,8 @@ Contact
 * Code: https://github.com/digitalbazaar/forge
 * Bugs: https://github.com/digitalbazaar/forge/issues
 * Email: support@digitalbazaar.com
-* IRC: [#forgejs][] on [freenode][]
+* IRC: [#forgejs][] on [Libera.Chat][] (people may also be on [freenode][] for
+  historical reasons).
 
 Donations
 ---------
@@ -2065,7 +2034,6 @@ Financial support is welcome and helps contribute to futher development:
 [3DES]: https://en.wikipedia.org/wiki/Triple_DES
 [AES]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
 [ASN.1]: https://en.wikipedia.org/wiki/ASN.1
-[Bower]: https://bower.io/
 [Browserify]: http://browserify.org/
 [CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [CFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
@@ -2078,7 +2046,9 @@ Financial support is welcome and helps contribute to futher development:
 [HMAC]: https://en.wikipedia.org/wiki/HMAC
 [JavaScript]: https://en.wikipedia.org/wiki/JavaScript
 [Karma]: https://karma-runner.github.io/
+[Libera.Chat]: https://libera.chat/
 [MD5]: https://en.wikipedia.org/wiki/MD5
+[NPM]: https://www.npmjs.com/
 [Node.js]: https://nodejs.org/
 [OFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation
 [PKCS#10]: https://en.wikipedia.org/wiki/Certificate_signing_request