npm - node-forge - Versions diffs - 1.3.2 → 1.4.0 - Mend

node-forge 1.3.2 → 1.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/lib/oids.js CHANGED Viewed

@@ -123,6 +123,7 @@ _IN('2.5.4.13', 'description');
 _IN('2.5.4.15', 'businessCategory');
 _IN('2.5.4.17', 'postalCode');
 _IN('2.5.4.42', 'givenName');
+_IN('2.5.4.65', 'pseudonym');
 _IN('1.3.6.1.4.1.311.60.2.1.2', 'jurisdictionOfIncorporationStateOrProvinceName');
 _IN('1.3.6.1.4.1.311.60.2.1.3', 'jurisdictionOfIncorporationCountryName');

package/lib/pkcs12.js CHANGED Viewed

@@ -168,6 +168,7 @@ var pfxValidator = {
           capture: 'macAlgorithm'
         }, {
           name: 'PFX.macData.mac.digestAlgorithm.parameters',
+          optional: true,
           tagClass: asn1.Class.UNIVERSAL,
           captureAsn1: 'macAlgorithmParameters'
         }]

package/lib/rsa.js CHANGED Viewed

@@ -1133,6 +1133,9 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
    *          _parseAllDigestBytes testing flag to control parsing of all
    *            digest bytes. Unsupported and not for general usage.
    *            (default: true)
+   *          _skipPaddingChecks testing flag to skip some padding checks to
+   *            test other checks. Unsupported and not for general usage.
+   *            (default: false)
    *
    * @return true if the signature was verified, false if not.
    */
@@ -1144,27 +1147,32 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
     }
     if(options === undefined) {
       options = {
-        _parseAllDigestBytes: true
+        _parseAllDigestBytes: true,
+        _skipPaddingChecks: false
       };
     }
     if(!('_parseAllDigestBytes' in options)) {
       options._parseAllDigestBytes = true;
     }
+    if(!('_skipPaddingChecks' in options)) {
+      options._skipPaddingChecks = false;
+    }
     if(scheme === 'RSASSA-PKCS1-V1_5') {
       scheme = {
         verify: function(digest, d) {
           // remove padding
-          d = _decodePkcs1_v1_5(d, key, true);
+          d = _decodePkcs1_v1_5(d, key, true, undefined, options);
           // d is ASN.1 BER-encoded DigestInfo
           var obj = asn1.fromDer(d, {
             parseAllBytes: options._parseAllDigestBytes
           });
-          // validate DigestInfo
+          // validate DigestInfo structure and element count
           var capture = {};
           var errors = [];
-          if(!asn1.validate(obj, digestInfoValidator, capture, errors)) {
+          if(!asn1.validate(obj, digestInfoValidator, capture, errors) ||
+            obj.value.length !== 2) {
             var error = new Error(
               'ASN.1 object does not contain a valid RSASSA-PKCS1-v1_5 ' +
               'DigestInfo value.');
@@ -1208,7 +1216,7 @@ pki.setRsaPublicKey = pki.rsa.setPublicKey = function(n, e) {
       scheme = {
         verify: function(digest, d) {
           // remove padding
-          d = _decodePkcs1_v1_5(d, key, true);
+          d = _decodePkcs1_v1_5(d, key, true, undefined, options);
           return digest === d;
         }
       };
@@ -1626,10 +1634,11 @@ function _encodePkcs1_v1_5(m, key, bt) {
  * @param key the RSA key to use.
  * @param pub true if the key is a public key, false if it is private.
  * @param ml the message length, if specified.
+ * @param options testing options.
  *
  * @return the decoded bytes.
  */
-function _decodePkcs1_v1_5(em, key, pub, ml) {
+function _decodePkcs1_v1_5(em, key, pub, ml, options) {
   // get the length of the modulus in bytes
   var k = Math.ceil(key.n.bitLength() / 8);
@@ -1649,7 +1658,7 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
   var bt = eb.getByte();
   if(first !== 0x00 ||
     (pub && bt !== 0x00 && bt !== 0x01) ||
-    (!pub && bt != 0x02) ||
+    (!pub && bt !== 0x02) ||
     (pub && bt === 0x00 && typeof(ml) === 'undefined')) {
     throw new Error('Encryption block is invalid.');
   }
@@ -1673,6 +1682,11 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
       }
       ++padNum;
     }
+    // RFC 2313 8.1 note 6
+    if(padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+      throw new Error('Encryption block is invalid.');
+    }
   } else if(bt === 0x02) {
     // look for 0x00 byte
     padNum = 0;
@@ -1683,6 +1697,11 @@ function _decodePkcs1_v1_5(em, key, pub, ml) {
       }
       ++padNum;
     }
+    // RFC 2313 8.1 note 6
+    if(padNum < 8 && !(options ? options._skipPaddingChecks : false)) {
+      throw new Error('Encryption block is invalid.');
+    }
   }
   // zero must be 0x00 and padNum must be (k - 3 - message length)

package/lib/x509.js CHANGED Viewed

@@ -3167,6 +3167,15 @@ pki.verifyCertificateChain = function(caStore, chain, options) {
           };
         }
       }
+      // check for absent basicConstraints on non-leaf certificates
+      if(error === null && bcExt === null) {
+        error = {
+          message:
+            'Certificate is missing basicConstraints extension and cannot ' +
+            'be used as a CA.',
+          error: pki.certificateError.bad_certificate
+        };
+      }
       // basic constraints cA flag must be set
       if(error === null && bcExt !== null && !bcExt.cA) {
         // bad certificate

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "node-forge",
-  "version": "1.3.2",
+  "version": "1.4.0",
   "description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.",
   "homepage": "https://github.com/digitalbazaar/forge",
   "author": {

package/flash/README.md DELETED Viewed

@@ -1,48 +0,0 @@
-Forge Flash Support
-===================
-SocketPool.swf
---------------
-Some special networking features can optionally use a Flash component.
-Building the output SWF file requires the [Flex SDK][].  A pre-built component
-is included: `swf/SocketPool.swf`.
-Building the output SWF requires the `mxmlc` tool from the [Flex SDK][]. If
-that tools is already installed then look in the `package.json` file for the
-commands to rebuild it. If you need the SDK installed, there is a npm module that installs it:
-    npm install
-To build a regular component:
-    npm run build
-Additional debug support can be built in with the following:
-    npm run build-debug
-Policy Server
--------------
-Flash support requires the use of a Policy Server.
-### Apache Flash Socket Policy Module
-[mod_fsp](./mod_fsp) provides an [Apache][] module that can serve up a Flash
-Socket Policy. See `mod_fsp/README` for more details. This module makes it easy
-to modify an [Apache][] server to allow cross domain requests to be made to it.
-### Simple Python Policy Server
-`policyserver.py` provides a very simple test policy server.
-### Simple Node.js Policy Server
-`policyserver.js` provides a very simple test policy server.  If a server is
-needed for production environments, please use another option such as perhaps
-[nodejs_socket_policy_server][].
-[Apache]: http://httpd.apache.org/
-[Flex SDK]: https://flex.apache.org/
-[nodejs_socket_policy_server]: https://github.com/bichinger/nodejs_socket_policy_server