search

kjur / jsrsasign

The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES and JSON Web Signature/Token in pure JavaScript.
https://kjur.github.io/jsrsasign
Other
3.25k stars 646 forks source link

crypto-js PBKDF2 vulnerability #599

Closed returnSky closed 9 months ago

returnSky commented 9 months ago

Hi,

crypto-js fixed a vulnerability related to PBKDF2 recently.
Does this vulnerability also affect jsrsasign? If any impact, when will your start to fix it?

Thanks.

References:

kjur commented 9 months ago

Yes, it seems to affect to jsrsasign. When you generate encrypted PKCS#8 private key, it uses PBKDF2. I'll update it and fix the issue.

kjur commented 9 months ago

I've released 10.9.0 today. https://github.com/kjur/jsrsasign/releases/tag/10.9.0 Regarding to encrypted PKCS#8 private key generation, default encryptionScheme have been updated from des-EDE3-CBC to aes256-CBC and default prf have been updated from hmacWithSHA1 to hmacWithSHA256. Also you can set iteration count.