kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign

Private certs included in the NPM package. #590

Closed Chengxuan closed 1 year ago

Chengxuan commented 1 year ago

Both https://github.com/kjur/jsrsasign/blob/master/npm/test/t_rsasign.js and https://github.com/kjur/jsrsasign/blob/master/npm/test/t_sig_rsasha1.js contain private keys used for testing. They are flagged during the security scan and they've been shipped as part of the npm release.

Were they included intentionally?

kjur commented 1 year ago

Those are included intentionally just for testing. OpenSSL also includes a testing private key.