renovate[bot]
commented
7 months ago ⚠ Artifact update problem
Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.
♻ Renovate will retry this branch, including artifacts, only when one of the following happens:
- any of the package files in this branch needs updating, or
- the branch becomes conflicted, or
- you click the rebase/retry checkbox if found above, or
- you rename this PR's title to start with "rebase!" to trigger it manually
The artifact failure details are included below:
File name: amp-update-cache/package-lock.json
This PR contains the following updates:
^8.0.0->^10.0.0GitHub Vulnerability Alerts
CVE-2020-14966
Impact
Jsrsasign supports ECDSA signature validation which signature value is represented by ASN.1 DER encoding. This vulnerablity may accept a wrong ASN.1 DER encoded ECDSA signature such as:
This vulnerability was fixed by strict ASN.1 DER checking.
Here is an assessment of this vulnerability:
As discussed here, there is no standards like X9.62 which requires ASN.1 DER. So ASN.1 BER can be applied to ECDSA however most of implementations like OpenSSL do strict ASN.1 DER checking.
Patches
Users using ECDSA signature validation should upgrade to 8.0.19.
Workarounds
Do strict ASN.1 DER checking for ASN.1 encoded ECDSA signature value.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-14966 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14966 https://vuldb.com/?id.157123 https://github.com/kjur/jsrsasign/issues/437 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.ECDSA.html https://kjur.github.io/jsrsasign/api/symbols/ASN1HEX.html#.checkStrictDER https://www.itu.int/rec/T-REC-X.690
GHSA-g753-jx37-7xwh
Impact
ECDSA side-channel attack named Minerava have been found and it was found that it affects to jsrsasign.
Execution time of thousands signature generation have been observed then EC private key which is scalar value may be recovered since point and scalar multiplication time depends on bits of scalar. In jsrsasign 8.0.13 or later, execution time of EC point and scalar multiplication is almost constant and fixed for the issue.
Patches
Users using ECDSA signature generation should upgrade to 8.0.13 or later.
Workarounds
There is no workarounds in jsrsasign. Update jsrsasign or use other ECDSA library.
ACKNOWLEDGEMENT
Thanks to Jan Jancar @J08nY, Petr Svenda and Vladimir Sedlacek of Masaryk University in Czech Republic to find and report this vulnerability.
References
https://minerva.crocs.fi.muni.cz/ https://www.npmjs.com/advisories/1505 https://github.com/kjur/jsrsasign/issues/411
CVE-2020-14968
Impact
Jsrsasign can verify RSA-PSS signature which value can expressed as BigInteger. When there is a valid RSA-PSS signature value, this vulnerability is also accept value with prepending zeros as a valid signature.
Patches
Users using RSA-PSS signature validation should upgrade to 8.0.17.
Workarounds
Reject RSA-PSS signatures with unnecessary prepending zeros.
References
https://github.com/kjur/jsrsasign/security/advisories/GHSA-q3gh-5r98-j4h3 https://github.com/kjur/jsrsasign/issues/438 https://nvd.nist.gov/vuln/detail/CVE-2020-14968 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14968 https://vuldb.com/?id.157125 https://kjur.github.io/jsrsasign/api/symbols/RSAKey.html#.verifyWithMessageHashPSS
CVE-2020-14967
Impact
Jsrsasign supports RSA PKCS#1 v1.5 (i.e. RSAES-PKCS1-v1_5) and RSA-OAEP encryption and decryption. Its encrypted message is represented as BigInteger. When there is a valid encrypted message, a crafted message with prepending zeros can be decrypted by this vulnerability.
Patches
Users using RSA PKCS1-v1_5 or RSA-OAEP decryption should upgrade to 8.0.18.
Workarounds
Reject RSA PKCS1-v1_5 or RSA-OAEP encrypted message with unnecessary prepending zeros.
References
https://nvd.nist.gov/vuln/detail/CVE-2020-14967 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14967 https://vuldb.com/?id.157124 https://kjur.github.io/jsrsasign/api/symbols/KJUR.crypto.Cipher.html#.decrypt https://github.com/kjur/jsrsasign/issues/439
CVE-2021-30246
Impact
Vulnerable jsrsasign will accept RSA signature with improper PKCS#1.5 padding. Decoded RSA signature value consists following form:
01(ff...(8 or more ffs)...ff)00[ASN.1 OF DigestInfo]Its byte length must be the same as RSA key length, however such checking was not sufficient.To make crafted message for practical attack is very hard.
Patches
Users validating RSA signature should upgrade to 10.2.0 or later.
Workarounds
There is no workaround. Not to use RSA signature validation in jsrsasign.
ACKNOWLEDGEMENT
Thanks to Daniel Yahyazadeh @yahyazadeh for reporting and analyzing this vulnerability.
Release Notes
kjur/jsrsasign (jsrsasign)
### [`v10.2.0`](https://togithub.com/kjur/jsrsasign/releases/tag/10.2.0): CVE-2021-30246 RSAKey.verify issue fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.13...10.2.0) - Changes from 10.1.13 to 10.2.0 (2021-04-14) - src/rsasign.js - CVE-2021-30246 RSAKey.verify issue was fixed ([#478](https://togithub.com/kjur/jsrsasign/issues/478)) - src/asn1cms.js - IssuerSerial, IsseruAndSerialNumber API document update - sample_node/asn1extract2 - change to "/usr/bin/env node" ### [`v10.1.13`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.13): add non-ascii BMPString support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.12...10.1.13) - Changes from 10.1.12 to 10.1.13 (2021-03-08) - src/base64x.js - add ucs2hextoutf8 function - src/x509.js - X509.getAttrTypeAndValue supports non-ascii BMPString ([#474](https://togithub.com/kjur/jsrsasign/issues/474)) - src/asn1hex.js - ASN1HEX.dump supports non-ascii BMPString - test/qunit-do-{asn1hex-dump,x509-ext,base64x}.html - updated to follow above ### [`v10.1.12`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.12): fix for wrong UTF-8 encoding in distinguished name parser [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.11...10.1.12) - Changes from 10.1.11 to 10.1.12 (2021-02-25) - src/x509.js - fix X509.getAttrTypeValue ([#473](https://togithub.com/kjur/jsrsasign/issues/473)) - attribute value is converted by hextoutf8 not hextorstr - X509.getIssuerString update to use getIssuer - X509.getSubjectString update to use getSubject - X509.dnarraytostr fix to escape "+" and "/" - X509.hex2dn update to use getX500Name - test/qunit-do-x509-ext.html - updated to follow above ### [`v10.1.11`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.11): update X509.getVersion and add jsrsasign-util saveFileJSON [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.10...10.1.11) - Changes from 10.1.10 to 10.1.11 (2021-02-19) - src/x509.js - X509.getVersion supports other than empty(DEFAULT =v1) and \[0] {INTEGER 2} (=v3). Thus version checking is relaxed. ([#471](https://togithub.com/kjur/jsrsasign/issues/471)) - src/nodeutil.js (jsrsasign-util 1.0.4) - add saveFileUTF8 - saveFileJSON API document fix ### [`v10.1.10`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.10): extend support for distinguished name [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.9...10.1.10) - Changes from 10.1.9 to 10.1.10 release (2021-02-14) - src/asn1x509.js - AttributeTypeAndValue - add support for OID and oid name constructor AttributeTypeAndValue({str: "/streetAddress=foo"}) AttributeTypeAndValue({str: "/2.5.4.9=foo"}) - OID.name2oidList - add givenName - test/qunit-do-asn1x509.html - updated to follow above ### [`v10.1.9`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.9): Add SubjectDirectoryAttributes extension support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.8...10.1.9) - Changes from 10.1.8 to 10.1.9 release (2021-02-12) - src/asn1x509.js - SubjectDirectoryAttributes class added - Extensions class updated to support SubjectDirectoryAttributes - OID class update to support OIDs such as gender, placeOfBirth et.al. for SubjectDirectoryAttributes. - SubjectDirectoryAttributes parser is needed to be implemented in X509.js future. - test/qunit-do-asn1x509.html - updated to follow above ### [`v10.1.8`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.8): KEYUTIL supports PKCS8 private key with extension - Changes from 10.1.5 to 10.1.8 release (2021-02-08) - src/keyutil.js - KEYUTIL.parsePlainPrivatePKCS8Hex now supports private key extsion and and issue [#454](https://togithub.com/kjur/jsrsasign/issues/454) fixed. - test/qunit-do-keyutil-eprv.html - updated to follow above ### [`v10.1.5`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.5): CAdES-T support update and fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.4...10.1.5) - Changes from 10.1.4 to 10.1.5 release (2021-01-17) - tool/tool_cades.html fix ([#465](https://togithub.com/kjur/jsrsasign/issues/465)) - now works fine again for CAdES-T demo - src/asn1cms.js - SignerInfo class - unsigned attribute support again - Attribute class - add signaturePolicyIdentifier support - add signatureTimeStamp support - CMSParser class - add signaturePolicyIdentifier support - add setSignaturePolicyIdentifier method - src/asn1cades.js - CAdESUtil class - parseSignedDataForAddingUnsigned modified to use CMSParser - addSigTS removed since it was empty method - parseSignerInfoForAddingUnsigned is deprecated since parseSignedDataForAddingUnsigned will not call it. - src/crypto.js - Mac API document fix ([#466](https://togithub.com/kjur/jsrsasign/issues/466)) ### [`v10.1.4`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.4): TSPParser.getPKIStatusInfo bugfix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.3...10.1.4) - Changes from 10.1.3 to 10.1.4 release (2020-11-23) - asn1tsp.js - TSPParser class - getPKIStatusInfo out parameter name bugfix - test/qunit-do-asn1hex.html - updated to follow above ### [`v10.1.3`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.3): TSPParser.getPKIStatusInfo update [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.2...10.1.3) - Changes from 10.1.2 to 10.1.3 release (2020-11-22) - asn1tsp.js - TSPParser class - getPKIStatusInfo updated to supports PKIFreeText and PKIFailureInfo - getPKIFreeText added - getPKIFailureInfo added - asn1hex.js - ASN1HEX class - getString added - getInt method updated to supports ASN.1 BitString - base64x.js - function bitstrtoint, inttobitstr added - test/qunit-do-{asn1hex,asn1tsp,base64x}.html - updated to follow above ### [`v10.1.2`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.2): add SigningCertificateV2 for CMSParser and issue fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.1...10.1.2) - Changes from 10.1.1 to 10.1.2 release (2020-11-21) - src/asn1cms.js - CMSParser - getAttribute updated to support SigningCertificateV2 - add setSigningCertificateV2 method - add getESSCertIDv2 method - change sortflag of result parameter to true in CMSParser.getCertificateSet - test/qunit-do-asn1cms.html - updated to follow above ### [`v10.1.1`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.1): CMSSignedData and TimeStamp parser bugfix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.1.0...10.1.1) - Changes from 10.1.0 to 10.1.1 release (2020-11-20) - src/asn1tsp.js - "serialNumber" parameter was changed to "serial" in TSTInfo class and TSPParser.getTSTInfo method. - src/asn1cms.js - change method name CMSParser.getAttributeArray to CMSParser.getAttributeList to align to the name AttributeList class. - getAttributeList returns JSON parameter which can be accepted by AttributeList constructor. - wrong sighex value for signature value by getSignerInfo method was fixed. - test/qunit-do-asn1tsp.html - updated to follow above ### [`v10.1.0`](https://togithub.com/kjur/jsrsasign/releases/tag/10.1.0): add new CMSSignedData and TimeStamp parser and X500Name update [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.5...10.1.0) - Changes from 10.0.5 to 10.1.0 release - add new CMSSignedData and TimeStamp parser - X500.get{X500Name,GeneralName,GeneralNames} result change - src/asn1cms.js - new CMSParser class for CMS SignedData - get{CMSSignedData,SignedData,HashAlgArray, EContent,SignerInfos,SignerInfo,SignerIdentifier, IssuerAndSerialNumber,AttributeArray, Attribute,ESSCertID,IssuerSerial,CertificateSet} - set{ContentType,SigningTime,MessageDigest, SigningCertificate} - src/asn1tsp.js - new TSPParser class to parser RFC 3161 TSP protocol - get{Response,Token,TSTInfo,Accuracy,MessageImprint, PKIStatusInfo} - setTSTInfo - src/asn1.js - DERObjectIdentifier class update to use new oidtohex - src/asn1hex.js - add ASN1HEX.{getInt,getOID,getOIDName} - src/asn1csr.js - CSRUtil.getParam result "subject" parameter result is changed because of X509.getX500Name update. - src/asn1x509.js - small update for Time class - small update for Certificate.sign method - document fix (issue [#463](https://togithub.com/kjur/jsrsasign/issues/463)) - src/base64x.js - function "oidtohex" and "hextooid" added. - function "ishex" added - KJUR.lang.String.isHex now *DEPRECATED*. Please use "ishex". - src/x509.js - X509.getX500Name update - X509.get{Issuer,Subject,GeneralNames,GeneralName} - add X509.{getX500NameArray,dnarraytostr} - src/x509crl.js - X509CRL.getIssuer update for X509.getX500Name update - test/qunit-do-{asn1tsp,asn1cms,asn1hex,asn1x509-newcert-veri, base64x,x509-ext,x509crl}.html - updated to follow above ### [`v10.0.5`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.5): small issue fixes and updates [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.4...10.0.5) - Changes from 10.0.4 to 10.0.5 release - src/base64x.js - utf8tob64u, b64utoutf8 replace new Buffer() to Buffer.from() for Node.JS deprecation (issue [#460](https://togithub.com/kjur/jsrsasign/issues/460)) - src/asn1x509.js - P-256 oid added in OID class (PR [#461](https://togithub.com/kjur/jsrsasign/issues/461) [#333](https://togithub.com/kjur/jsrsasign/issues/333)) - src/x509.js - document fix - tool/tool_csr.html - update to show ASN.1 dump of CSR - test/qunit-do-base64x.html, npm/test/t_base64x.js - update test code to follow above ### [`v10.0.4`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.4): add methods to modify some extension parameters [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.3...10.0.4) - Changes from 10.0.3 to 10.0.4 (2020-Oct-23) - src/x509.js - add X509.updateExt{CDPFullURI,AIAOCSP,AIACAIssuer} method - src/nodeutil.js - add read{JSON,JSONC},saveJSON,printJSON method added - jrsasign-util npm package updated - test/qunit-do-x509-param.html - updated to follow above ### [`v10.0.3`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.3): add findExt method in X509 class [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.2...10.0.3) - Changes from 10.0.2 to 10.0.3 (2020-Oct-21) - src/x509.js - add X509.findExt method - test/qunit-do-x509-param.html - updated to follow above ### [`v10.0.2`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.2): AdobeTimeStamp X.509v3 extension parser bugfix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.1...10.0.2) - Changes from 10.0.1 to 10.0.2 (2020-Oct-14) - src/x509.js - X509.getExtAdobeTimeStamp method bugfix ### [`v10.0.1`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.1): AdobeTimeStamp X.509v3 certificate extension added [Compare Source](https://togithub.com/kjur/jsrsasign/compare/10.0.0...10.0.1) - Changes from 10.0.0 to 10.0.1 (2020-Oct-13) - src/asn1x509.js - AdobeTimeStamp class added - add AdobeTimeStamp support in Extension class - add "adobeTimeStamp" OID in OID class - src/x509.js - add getExtAdobeTimeStamp method to X509 class - add "adobeTimeStamp" support in getExtParam - src/asn1.js - DERBoolean add support for "false" value. - test/qunit-do-{asn1,asn1x509,x509}.html - updated to follow above ### [`v10.0.0`](https://togithub.com/kjur/jsrsasign/releases/tag/10.0.0): Major update for CMS SigneData TimeStamp and CAdES [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.9...10.0.0) - Changes from 9.1.9 to 10.0.0 (2020-Sep-24) - major update for CMS SignedData related classes to allow more simple ASN.1 generation - src/asn1cms.js - new architecture updates in SignedData, Attribute - all implemented Attributes such as ContentType, SigningTime are also updated. - new class added - ESSCertID - ESSCertIDv2 - SignerIdentifier - SubjectKeyIdentifier - CertificateSet - RevocationInfoChoices - RevocationInfoChoice - OtherRevocationFormat - following class/methods are now *deprecated* - CMSUtil.newSignedData - src/asn1tsp.js - aligned to new architecture: - TSTInfo, Accuracy, PKIStatusInfo, PKIStatus, PKIFreeText, PKIFailureInfo, - new class added - TimeStampToken - following class/methods are now *deprecated* - SimpleTSAAdapter, FixedTSAAdapter, TSPUtil.newTimeStampToken - src/asn1cades.js - aligned to new architecture - SignaturePolicyIdentifier, OtherHashAlgAndValue, SignatureTimeStamp, CompleteCertificateRefs, OtherCertID, OtherHash - new class added - SignaturePolicyId, OtherHashValue - src/asn1.js - DERTaggedObject add support for simple argument for explicit "tage" and implicit "tagi" - newObject add support for "asn1" property - DERObjectIdentifier constructor argument now accepts name and OID. method setValueNameOrOid added. - src/x509.js - X509(certPemOrHex) X509 class constructor add support for PEM or hex string of certificate as argument. - src/asn1x509.js - OID class: signaturePolicyIdentifier attribute OID added. ### [`v9.1.9`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.9): wrong encoding in CRLReason in OCSP CertStatus fixed [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.8...9.1.9) - Changes from 9.1.8 to 9.1.9 (2020-Sep-08) - src/asn1ocsp.js - BUGFIX: wrong encoding in CRLeason in OCSP CertStatus fixed - test/qunit-do-asn1ocsp.html - follow to above update ### [`v9.1.8`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.8): wrong encoding in byKey of OCSP ResponderID fixed [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.7...9.1.8) - Changes from 9.1.7 to 9.1.8 (2020-Sep-08) - src/asn1ocsp.js - BUGFIX: wrong encoding in byKey of OCSP ResponderID fixed - test/qunit-do-asn1ocsp.html - follow to above update ### [`v9.1.7`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.7): nextUpdate encoding bugfix in ocsp SingleResponse [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.6...9.1.7) - Changes from 9.1.6 to 9.1.7 (2020-Sep-08) - src/asn1ocsp.js - BUGFIX: nextUpdate encoding fix in SingleResponse - CertStatus document fix - test/qunit-do-asn1ocsp.html - follow to above update ### [`v9.1.6`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.6): add OCSP response and request encoder [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.5...9.1.6) - Changes from 9.1.5 to 9.1.6 (2020-Sep-05) - src/asn1ocsp.js - OCSPResponse class added - ResponseBytes class added - BasicOCSPResponse class added - ResponseData class added - ResponderID class added - SingleResponseList class added - SingleResponse class added - CertID class updated - changed properties to specify isserNameHash, issuerKeyHash and serialNumber without backward compatibility - CertStatus class added - OCSPParser class added - only OCSP request parser methods are available - src/asn1x509.js - OCSPNonce class OCSP extension added - OCSPNoCheck class certificate extension added - Extensios class supports OCSPNonce and OCSPNoCheck - OID clas supports ocspNonce, ocspNoCheck and ocspBasic - src/x509.js - X509.getExtParam supports OCSPNonce and OCSPNoCheck - X509.getExtOCSPNoCheck added - X509.getExtOCSPNonce added - src/asn1.js - ASN1Object class: add tlv parameter support - src/asn1hex.js - ASN1HEX.dump: enable to show tagged primitive ### [`v9.1.5`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.5): ASN1HEX getChildIdx bug for too many children [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.4...9.1.5) - Changes from 9.1.4 to 9.1.5 (2020-Aug-29) - src/asn1hex.js - BUGFIX: ASN1HEX.getChildIdx didn't returns proper result when too many child items such as over 200 children. - add ASN1HEX.getTLVblen method - DEPRECATED: getNextSiblingIdx. Please use getTLVblen instead. ### [`v9.1.4`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.4): X509CRL parser revokedCertificate bugfix X509CRL parser revokedCertificate bugfix - Changes from 9.1.3 to 9.1.4 (2020-Aug-28) - src/asn1hex.js - get{Idx,V,TLV}byList return value aligned to get{Idx,V,TLV}byListEx. - src/x509crl.js - BUGFIX: error when nextUpdate exists and no revokedCertificates missed to export X509CRL in npm package - Changes from 9.1.2 to 9.1.3 (2020-Aug-28) - npm/lib/footer.js - export X509CRL - NOTE: only npm package released ### [`v9.1.2`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.2): add private extension support for Cert CRL and CSR [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.1...9.1.2) - Changes from 9.1.1 to 9.1.2 (2020-Aug-27) - undefined extension regarded as private extesion in extension parser X509.getExtParam. Thus certificate, CRL and CSR parser will not raise error when undefined extension is parsed. - src/x509.js - unknown extension is parsed as private extension. - test/qunit-do-{x509-param}.html - add test case to follow above update ### [`v9.1.1`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.1): new CRL parser and private extension encoder support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.1.0...9.1.1) - Changes from 9.1.0 to 9.1.1 (2020-Aug-27) - add new X509CRL class for CRL parser - add Certificate, CSR and CRL private extension support - src/x509crl.js (new) - X509CRL class - src/x509.js - new X509.getExtCRLNumber method for extension parser - new X509.getExtCRLReason method for extension parser - new X509.getExtParam method for parsing one extension - NOTE: not yet support for private extension - src/asn1x509.js - Extensions class: add support for private extension - PrivateExtension class added - OID.name2oid: add support OID (ex. "1.2.3.4") as argument - src/asn1csr.js - CSRUtil.getParam update to support X509.getExtParamArray and not using X509.parseExt - src/asn1.js - getLengthHexFromValue small update for exception - test/qunit-do-{asn1x509,asn1x509-tbscert,x509}.html - update to follow above updates - test/x509csr.html (new) ### [`v9.1.0`](https://togithub.com/kjur/jsrsasign/releases/tag/9.1.0): new CRL APIs and other updates [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.0.3...9.1.0) - Changes from 9.0.3 to 9.1.0 (2020-Aug-24) - CRL constructor update to align Certificate class without backward compatibility. - BUGFIX: SigningCertificate{,V2} encoding bugifx - src/asn1cms.js - BUGFIX: SigningCertificate{,V2} encoding have been missign SEQUENCE. ([#448](https://togithub.com/kjur/jsrsasign/issues/448)) - src/asn1csr.js - CertificationRequestInfo class updated to new KJUR.asn1.x509.Extension class. - src/asn1x509.js - CRL and TBSCertList class constructor have been updated to align Certificate and CertificationRequestInfo style in 9.0.0 without backward compatibility. - this update makes more extension and entry extension support in the future. - CRLEntry class is *deprecated* since no more used in updated TBSCertList. - new CRLNumber extension class added - new CRLReason entry extension class added - OID class updated to support cRLNumber and cRLReason oids - TBSCertificate.getExtDERSequence method was moved to new Extensions class. - ASN1HEX.dump updated to support ENUMERATED - test/qunit-do-{asn1cms,asn1tsp,asn1x509-tbscert, asn1x509} updated to follow above updates. ### [`v9.0.3`](https://togithub.com/kjur/jsrsasign/releases/tag/9.0.3): TimeStampToken ASN.1 encoding error fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.0.2...9.0.3) - Changes from 9.0.2 to 9.0.3 (2020-Aug-22) - BUGFIX: tsa field of TSTInfo was not encoded properly. ([#450](https://togithub.com/kjur/jsrsasign/issues/450)) - BUGFIX: CMSSignedData version of TimestampToken was not 3. ([#448](https://togithub.com/kjur/jsrsasign/issues/448)) - src/asn1tsp.js - TSTInfo tsa field fix - TSTUtil.newTimeStampToken method to set CMSVersion 3. ### [`v9.0.2`](https://togithub.com/kjur/jsrsasign/releases/tag/9.0.2): PolicyInformation named policy OID bug fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.0.1...9.0.2) - Changes from 9.0.1 to 9.0.2 (2020-Aug-22) - BUGFIX: KJUR.asn1.tsp.PolicyInformation class constructor have not been accepted named policy OID such as "anyPolicy". The issue was fixed. - src/asn1x509.js - PolicyInformation bugfix for above. - test/qunit-do-asn1x509.html - updated to follow above. ### [`v9.0.1`](https://togithub.com/kjur/jsrsasign/releases/tag/9.0.1): TimeStampToken contentType attribute bug fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/9.0.0...9.0.1) - Changes from 9.0.0 to 9.0.1 (2020-Aug-21) - BUGFIX: KJUR.asn1.tsp.TimeStampToken class generates have generated with wrong contentType attribute with value "data". ([#448](https://togithub.com/kjur/jsrsasign/issues/448)) - src/asn1tsp.js - TimeStampToken class constructor will add contentType attribute with "tstinfo" for bugfix. ([#448](https://togithub.com/kjur/jsrsasign/issues/448)). - src/asn1cms.js - SignerInfo.setForContentAndHash class constructor parameter can have "contentType" property additionaly to set "tstinfo" as above. - src/asn1x509.js - some attribute type oids for CMS signedData are added to OID.name2oidList. ### [`v9.0.0`](https://togithub.com/kjur/jsrsasign/releases/tag/9.0.0): Certificate and CSR generator and parser API major updates [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.24...9.0.0) - Changes from 8.0.24 to 9.0.0 (2020-Aug-19) - Please see migration notes in wiki: https://github.com/kjur/jsrsasign/wiki/NOTE-jsrsasign-8.0.x-to-9.0.0-Certificate-and-CSR-API-migration-guide - CAUTION: some certificate and CSR APIs are missing backward compatibility so you may need to change your code to upgrade jsrsasign 9.0.0. - src/asn1x509.js - JSON argument format of Certificate and all certificate extension class were changed without backward compatibility. - They can accept JSON objects from ASN.1 parser methods in X509 class as an parameter arguments. - Certificate class constructor can automatically generate TBSCertificate and sign by params argument. So no need to call sign method or TBSCertificate constructor. - JSON argument format are aligned to the same manner among all certificate extension class. - For CRLDistributionPoints class, JSON argument format of DistributionPoint and DistributionPointName was changed. - Extension.appendByNameToArray method was removed. - "array" key was added to X500Name class constructor JSON argument. - AttributeTypeAndValue constructor argument also extended to support {type:"CN",value:"Test",ds:"prn"} style JSON object. - X509Util.newCertPEM argument format is updated to align Certificate class and is *deprecated*. - src/x509.js - returned JSON object format by all "get\*" parser method was changed to accept by related class defined in asn1x509.js without backward compatibility. - all certificate extension parsing methods are changed to have "hExtV" and "critical" as arguments. - following methods are added: getAlgorithmIdentifierName, getIssuer, getSubject, getGeneralNames, getGeneralName, getDistributionPoint, getDistributionPointName, getExtAuthorityInfoAccess, getPolicyInformation, getPolicyQualifierInfo, getUserNotice, getDisplayText, getX500NameRule, getX500Name, getRDN, getAttrTypeAndValue, getParam, getExtParamArray - following methods are *deprecated*: getExtSubjectAltName2, getExtAIAInfo, getExtCRLDistributionPointsURI. - X509Util.newCertPEM bugfix. Got error when cakey is [PKCS#5](https://togithub.com/PKCS/jsrsasign/issues/5) plain PEM key string - src/asn1csr.js - JSON argument format was changed in CertificationRequest, CertificationRequestInfo, CSRUtil.netCSRPEM without backward compatibility. - CSRUtil.getInfo was renamed to CSRUtil.getParam - CSRUtil.netCSRPEM is now *deprecated* - src/asn1.js - ASN1Util.newObject can also conclude ASN1Object as well as JSON parameter. - tool/tool\_{ca,ca2}.html - changed to follow above updates. - test/\*.html - following test pages are updated to follow above: qunit-do-{asn1csr,asn1tsp,asn1x509-newcrt,asn1x509,base64x, ecdsmod-s,keyutil-getpem,package-jwths,x509-ext, x509-key,x509-kid,x509}.html - following test pages are added: qunit-do-{asn1x509-tbscert,x509-param}.html ### [`v8.0.24`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.24): fix SigningCertificate v1 v2 attribute ASN.1 encoding [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.23...8.0.24) - Changes from 8.0.23 to 8.0.24 (2020-Aug-18) - KJUR.asn1.cms.{SigningCertificate,SigningCertificateV2} wrong ASN.1 encoding issue was fixed ([#448](https://togithub.com/kjur/jsrsasign/issues/448)) - src/asn1cms.js - KJUR.asn1.cms.{SigningCertificate,SigningCertificateV2} ASN.1 encoding issue fixed ([#448](https://togithub.com/kjur/jsrsasign/issues/448)) - added KJUR.asn1.cms.IssuerSerial - test/qunit-do-asn1{cms,tsp}.html - updated for above issue ### [`v8.0.23`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.23): add CertificatePolicies BMPString and VisibleString support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.22...8.0.23) - Changes from 8.0.22 to 8.0.23 (2020-Aug-06) - src/asn1x509.js - CertificatePolicies class added - update Extension.appendByNameToArray for CertificatePolicies - PolicyInformation, PolicyQualifierInfo, UserNotice, NoticeReference and DisplayText class added - src/asn1.js - BMPString and VisibleString class added - update ASN1Util.newObject for {BMP,Visible}String - src/asn1hex.js - update ASN1HEX.dump for {BMP,Visible}String - test qunit-do-{asn1,asn1-newobj,asn1x509,asn1hex-dump}.html ### [`v8.0.22`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.22): ASN1HEX and X509 class minior bug fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.21...8.0.22) - Changes from 8.0.21 to 8.0.22 (2020-Aug-05) - src/asn1hex.js - dump method update for BitString encapsulated - src/x509.js - getKeyUsageBin bugfix for such keyCertSign and cRLSign only - fix to stop raising error when X509 constructor called and asn1x509 doesn't loaded - TODO: getKeyUsageBin still has bug when decipherOnly(8) bit exists - test - qunit-do-{asn1hex-dump,x509-{ext,key}}.html to follow above updates ### [`v8.0.21`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.21): Donation program started, more RSA-PSS support and add ASN1HEX.get{Idx,TLV,V}byListEx [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.20...8.0.21) - Changes from 8.0.20 to 8.0.21 (2020-Aug-01) - *donation program* have been started. Please consider donation to sustain this project https://github.com/kjur/jsrsasign#donations - RSA-PSS support in AlgorithmIdentifier, Signature, X509 and newCertPEM - new method to access ASN.1 decendant object ASN1HEX.get{Idx,TLV,V}byListEx added Its tutorial page will be provided by following URL near in future https://github.com/kjur/jsrsasign/wiki/Tutorial-for-accessing-deep-inside-of-ASN.1-structure-by-using-new-ASN1HEX.getIdxbyListEx - src/x509.js - update getSignatureAlgorithmField to support RSA-PSS(SHA{,256,384,512}withRSAandMGF1) algorithms - update verifySignature to support RSA-PSS(SHA{,256,384,512}withRSAandMGF1) algorithms - src/crypto.js - Signature class - SHAwithRSAandMGF1 supported (the same as SHA1withRSAandMGF1) - src/asn1hex.js - ASN1HEX.getIdxbyList - add get{Idx,TLV,V}byListEx for context specific tag - add ASN1HEX.isContextTag to check context specific tag - get{Idx,TLV,V} will be deprecated near in the future version Please consider to move get{Idx,TLV,V}byListEx. - src/{asn1csr,dsa,rsapem,ecdsa-modified}.js - replace to use get{Idx,TLV,V}byListEx - test/qunit-do-asn1x509.html - add Certificate class test for RSA-PSS - add TBSCertificate class test for RSA-PSS - add AlgorithmIdentifier class test for SHA{,256,384,512}withRSAandMGF1 - test/qunit-do-crypto-pss.html - add Signature class test for SHAwithRSAandMGF1. - test/qunit-do-asn1x509-newcrt.html - add newCertPEM test for RSA-PSS - test/qunit-do-x509.html - add getSignatureAlgorithmField test for SHA{,256,384,512}withRSAandMGF1 - sample_node/asn1extract2 - bug fix for -v(--vonly) option - test/qunit-do-asn1hex.html - add test for ASN1HEX.isContextTag ### [`v8.0.20`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.20): add CSR support for subjectAltName [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.19...8.0.20) - Changes From 8.0.19 to 8.0.20 - src/asn1csr.js - CSRUtil.getInfo - add ext parameter to show subjectAltName property - change not to raise error when subject name is empty in CSR - src/x509.js - X509.parseExt - add support for CSR extension request field - src/asn1hex.js - ASN1HEX.getIdxbyList - small update for exception - test/ - qunit-do-{asn1csr, x509}.html to add tests for above. ### [`v8.0.19`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.19): ECDSA signature validation maleability fix and others [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.18...8.0.19) **JSRSASIGN SECURITY ADVISORY** : [2020.06.22 CVE-2020-14966 ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding](https://togithub.com/kjur/jsrsasign/security/advisories/GHSA-p8c3-7rj8-q963) - Changes from 8.0.18 to 8.0.19 - src/ecdsa-mod.js - ECDSA.verifyHex fixed for some types of maleability ([#437](https://togithub.com/kjur/jsrsasign/issues/437)) - src/asn1hex.js - ASN1HEX.checkStrictDER added - src/asn1x509.js - It's founded that OpenSSL's DN representation like "/C=US/O=test" is "compat" format. So those methods are added and existing method is now deprecated. - X500Name.{ldapToOneline, onelineToLdap} are now deprecated. - X500Name.{ldapToCompat, compatToLdap} are added. - src/x509.js - update for compatToLdap and ldapToCompat - src/crypto.js - document update ### [`v8.0.18`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.18): RSA decryption and RSA signature validation maleability fix [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.17...8.0.18) **JSRSASIGN SECURITY ADVISORY** : [2020.06.22 CVE-2020-14967 RSA RSAES-PKCS1-v1\_5 and RSA-OAEP decryption vulnerability with prepending zeros](https://togithub.com/kjur/jsrsasign/security/advisories/GHSA-xxxq-chmp-67g4) - Changes from 8.0.17 to 8.0.18 - ext/rsa2.js - RSADecrypt fixed for zero prepending maleability ([#439](https://togithub.com/kjur/jsrsasign/issues/439)) - RSADecryptOAEP fixed for zero prepending maleability - src/rsasign.js - verifyWithMessageHash fixed for zero prepending maleability - test - qunit-do-crypto-cipher.html: some test case added for above ### [`v8.0.17`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.17): RSAPSS verification maleability fix and others [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.16...8.0.17) **JSRSASIGN SECURITY ADVISORY** : [2020.06.22 CVE-2020-14968 RSA-PSS signature validation vulnerability by prepending zeros](https://togithub.com/kjur/jsrsasign/security/advisories/GHSA-q3gh-5r98-j4h3) - Changes from 8.0.16 to 8.0.17 - src/rsasign.js - verifyWithMessageHashPSS fixed for prepending zeros maleability ([#438](https://togithub.com/kjur/jsrsasign/issues/438)) - src/asn1x509.js - allow alternative algorithms to sign CRLs ([#440](https://togithub.com/kjur/jsrsasign/issues/440)) - src/asn1cms.js - improve CMSUtil.newSignedData helper with detached signatures ([#441](https://togithub.com/kjur/jsrsasign/issues/441)) - ext/rsa2.js - RSAGenerate fixed for not having requesting key length ([#442](https://togithub.com/kjur/jsrsasign/issues/442)) - sample_node - pemtobin was fixed for pemtohex function - test - qunit-do-rsagenkeylen.html new test code for ([#442](https://togithub.com/kjur/jsrsasign/issues/442)) - qunit-do-rsasign-pss.html add maleability test code ([#438](https://togithub.com/kjur/jsrsasign/issues/438)) - index.html, qunit-do-x509.html link update ### [`v8.0.16`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.16): extended Authority/SubjectKeyIdentifier support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.15...8.0.16) - Changes from 8.0.15 to 8.0.16 (2020-Mar-29) - src/asn1x509.js - AuthorityKeyIdentifier class - issuerDN ASN.1 encoding bug fixed - now keyIdentifier is automatically calculated by certificate or key - issuer dn and serial number can be set by certificate - SubjectKeyIdentifier class - now keyIdentifier is automatically calculated by certificate or key - X500Name class - certissuer and certsubject parameter is added to set value by issuer or subject of certificate. - GeneralName class - dn parameter support was updated. - src/keyutil.js - getKeyID method added to calcalate a key identifier for certificate. - crypto.js - Util.isKey static method added - Signature.{sign,verify} method bug fix for ECDSA - code refactoring - src/asn1csr.js - strict mode fix (pull [#410](https://togithub.com/kjur/jsrsasign/issues/410)) - src/jws.js - strict mode fix (pull [#347](https://togithub.com/kjur/jsrsasign/issues/347)) - src/jwsjs.js - readJWSJS fix (pull [#373](https://togithub.com/kjur/jsrsasign/issues/373)) - sample_node/asn1extract2 - sample added. more flexible use than asn1extract. - test/qunit-do-crypto.html - getRandom test fix - test/qunit-do-asn1x509-newcrt.html - test case expected value fix ### [`v8.0.15`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.15): SHA384/512withECDSA wrong signature fix and add some curves support [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.14...8.0.15) - src/ecdsa-modified.js - SHA384withECDSA, SHA512withECDSA signature wrong validation result issue was fixed (issue [#394](https://togithub.com/kjur/jsrsasign/issues/394)) - secp192k1, secp224r1 curve are now supported - test/qunit-do-ecdsamod.html testcase added for SHA1/SHA384/SHA512 and secp192k1/secp224r1 - sample_node command added - genkey: keypair generation - eckey2hex: show EC [PKCS#1](https://togithub.com/PKCS/jsrsasign/issues/1)/8 private/public key in hex format ### [`v8.0.14`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.14): SubjectKeyIdentifier and KEYUTIL update [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.13...8.0.14) - Changes from 8.0.13 to 8.0.14 (2020-Apr-03) - src/asn1x509-1.0.js - add SubjectKeyIdentifier class (issue [#402](https://togithub.com/kjur/jsrsasign/issues/402)) - add SubjectKeyIdentifier support in TBSCertificate.appendExtensionByName method - test/qunit-do-asn1x509.html SubjectKeyIdentifier test added - src/base64x.js - add multi section support for pemtohex such as EC PRIVATE KEY and EC PARAMETRS - test/qunit-do-base64x.html pemtohex testcase added - src/keyutil.js (pull [#415](https://togithub.com/kjur/jsrsasign/issues/415)) - add support for multi section plain [PKCS#5](https://togithub.com/PKCS/jsrsasign/issues/5) EC PRIVATE KEY - test/qunit-do-keyutil-ec.html plain [PKCS#5](https://togithub.com/PKCS/jsrsasign/issues/5) EC PRIVATE KEY testcase added - src/asn1csr-1.0.js document fix (pull [#356](https://togithub.com/kjur/jsrsasign/issues/356)) - npm_util/Makefile merged (pull [#216](https://togithub.com/kjur/jsrsasign/issues/216)) - src/rsasign-1.2.js merged for RegExp (pull [#419](https://togithub.com/kjur/jsrsasign/issues/419)) - src/asn1-1.0.js merged for strict fix (pull [#389](https://togithub.com/kjur/jsrsasign/issues/389)) - src/crypto-1.0.js document fix in return of decrypt method (issue [#383](https://togithub.com/kjur/jsrsasign/issues/383)) - src/x509-1.1.js onelineToLDAP sample added in document (issue [#428](https://togithub.com/kjur/jsrsasign/issues/428)) ### [`v8.0.13`](https://togithub.com/kjur/jsrsasign/releases/tag/8.0.13): mitigate minerva attack [Compare Source](https://togithub.com/kjur/jsrsasign/compare/8.0.12...8.0.13) - Changes from 8.0.12 to 8.0.13 (2020-Mar-31) - LICENSE.txt - fixed wrong description from BSD to MIT License - ext/ec.js - mitigate Minerva timing attack in ECPointFp.multiply method https://minerva.crocs.fi.muni.cz/ - test/qunit-do-crypto-ecdsa.html - testcase fix - sample_node/tsr2certs added - script to extract certificates from timestamp response or token - npm - ECPointFp, ECCurveFp and ECFieldElementFp are now exported. ##### SECURITY ADVISORY jsrsasign from 4.0.0 to 8.0.12 affects Minerva timing attack vulnerability. https://minerva.crocs.fi.muni.cz/ - Minerva is one of timing attack or side channel attack for EC. - If you don't use ECDSA class, you are not affected the vulnerability. - The vulnerability is that attacker may guess private key by checking processing time of EC key generation or ECDSA signing. - The cause issue is that point multiplication processing time in ECDSA signing is depends on private key value. - After 8.0.13, processing time of point multiplication in ECDSA signing have become constant for key value in theory. - See also [this security advisory](https://togithub.com/kjur/jsrsasign/security/advisories/GHSA-g753-jx37-7xwh) in detail.Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.