- Three RSA PKCS#1 v1.5 signature verification issues were reported by Moosa Yahyazadeh (moosa-yahyazadeh@uiowa.edu).
- HIGH: Leniency in checking `digestAlgorithm` structure can lead to signature forgery.
  - The code is lenient in checking the digest algorithm structure. This can allow a crafted structure that steals padding bytes and uses the unchecked portion of the PKCS#1 encoded message to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  - CVE ID: CVE-2022-24771
  - GHSA ID: GHSA-cfm4-qjh2-4765
- HIGH: Failing to check trailing garbage bytes can lead to signature forgery.
  - The code does not check for trailing garbage bytes after decoding a `DigestInfo` ASN.1 structure. This can allow padding bytes to be removed and garbage data added to forge a signature when a low public exponent is being used. For more information, please see "Bleichenbacher's RSA signature forgery based on implementation error" by Hal Finney.
  - CVE ID: CVE-2022-24772
  - GHSA ID: GHSA-x4jg-mjrx-434g
- MEDIUM: Leniency in checking type octet.
  - `DigestInfo` is not properly checked for proper ASN.1 structure. This can lead to successful verification with signatures that contain invalid structures but a valid digest.
  - CVE ID: CVE-2022-24773
  - GHSA ID: GHSA-2r2c-g63r-vccr
- [asn1] Add fallback to pretty print invalid UTF8 data.
- [asn1] `fromDer` is now more strict and will default to ensuring all input bytes are parsed or throw an error. A new option `parseAllBytes` can disable this behavior.
  - NOTE: The previous behavior is being changed since it can lead to security issues with crafted inputs. It is possible that code doing custom DER parsing may need to adapt to this new behavior and optional flag.
- [rsa] Add and use a validator to check for proper structure of parsed ASN.1 `RSASSA-PKCS-v1_5` `DigestInfo` data. Additionally check that the hash algorithm identifier is a known value from RFC 8017 `PKCS1-v1-5DigestAlgorithms`. An invalid `DigestInfo` or algorithm identifier will now throw an error.
  - NOTE: The previous lenient behavior is being changed to be more strict since it could lead to security issues with crafted inputs. It is possible that code may have to handle the errors from these stricter checks.
- [oid] Added missing RFC 8017 PKCS1-v1-5DigestAlgorithms algorithm identifiers:
  - `1.2.840.113549.2.2` / `md2`
  - `2.16.840.1.101.3.4.2.4` / `sha224`
  - `2.16.840.1.101.3.4.2.5` / `sha512-224`
  - `2.16.840.1.101.3.4.2.6` / `sha512-256`
- [tests]: Load entire module to improve top-level testing and coverage reporting.
- [log]: Refactor logging setup to avoid use of `URLSearchParams`.
- [x509] 'Expected' and 'Actual' issuers were backwards in verification failure message.
- [oid,x509]: Added OID `1.3.14.3.2.29` / `sha1WithRSASignature` for sha1 with RSA. Considered a deprecated equivalent to `1.2.840.113549.1.1.5` / `sha1WithRSAEncryption`. See discussion and links.
- [x509]: Reduce duplicate code. Add helper function to create a signature digest given a signature algorithm OID. Add helper function to verify signatures.
- [x509]: Correctly compute certificate issuer and subject hashes to match behavior of openssl.
- [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".
- 1.0.0!
- This project is over a decade old! Time for a 1.0.0 release.
- The URL related changes may expose bugs in some of the networking related code (unrelated to the much more widely used cryptography code). The automated and manual test coverage for this code is weak at best. Issues or patches to update the code or tests would be appreciated.
- SECURITY, BREAKING: Remove `forge.debug` API. The API has the potential for prototype pollution. This API was only briefly used by the maintainers for internal project debug purposes and was never intended to be used with untrusted user inputs. This API was not documented or advertised and is being removed rather than fixed.
- SECURITY, BREAKING: Remove `forge.util.parseUrl()` (and `forge.http.parseUrl` alias) and use the WHATWG URL Standard. `URL` is supported by modern browsers and modern Node.js. This change is needed to address URL parsing security issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or `forge.http` APIs, and support is needed for environments without `URL` support, then a polyfill must be used.
- BREAKING: Remove `forge.task` API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to continue developing it in another project, please let the maintainers know. Due to use in the test suite, a modified version is located in `tests/support/`.
- BREAKING: Remove `forge.util.makeLink`, `forge.util.makeRequest`, `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with `URL`, `URLSearchParams`, and custom code as needed.
- BREAKING: Increase supported Node.js version to 6.13.0 for URL support.
- BREAKING: Renamed `master` branch to `main`.
- BREAKING: Release process updated to use tooling that prefixes versions with `v`. Other tools, scripts, or scanners may need to adapt.
- BREAKING: Remove docs related to Bower and forge-dist. Install using another method.
- OIDs for `surname`, `title`, and `givenName`.
- BREAKING: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`. Depending on how applications used this id to name association it could cause compatibility issues.
- BREAKING: Node.js 4 no longer supported. The code may still work, and non-invasive patches to keep it working will be considered. However, more modern tools no longer support old Node.js versions making testing difficult.
- BREAKING: Remove `util.getPath`, `util.setPath`, and `util.deletePath`. `util.setPath` had a potential prototype pollution security issue when used with unsafe inputs. These functions are not used by `forge` itself. They date from an early time when `forge` was targeted at providing general helper functions. The library direction changed to be more focused on cryptography. Many other excellent libraries are more suitable for general utilities. If you need a replacement for these functions, consider `get`, `set`, and `unset` from lodash. But also consider the potential similar security issues with those APIs.
- Added `util.setPath` security note to function docs and to README.
- SECURITY: The `util.setPath` function has the potential to cause prototype pollution if used with unsafe input.
  - This function is not used internally by `forge`.
  - The rest of the library is unaffected by this issue.
  - Do not use unsafe input with this function.
  - Usage with known input should function as expected. (Including input intentionally using potentially problematic keys.)
  - No code changes will be made to address this issue in 0.9.x. The current behavior could be considered a feature rather than a security issue. 0.10.0 will be released that removes `util.getPath` and `util.setPath`. Consider `get` and `set` from lodash if you need replacements. But also consider the potential similar security issues with those APIs.
  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
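The hazard this note describes, as an added example rather than forge's own `util.setPath` implementation: `setPathUnsafe` is the common dotted-path setter pattern that walks whatever keys it is given, and `setPathSafe` is a hardened form that refuses prototype-reaching keys and only descends through own plain-object properties. The function and constant names are chosen for the example.

```javascript
// Added example (not forge's own util.setPath): the risky dotted-path setter
// pattern next to a hardened version.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks whatever keys it is given. Because every plain object exposes
// "__proto__", a path starting there lands on the shared Object.prototype.
function setPathUnsafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === null || typeof cur[keys[i]] !== 'object') cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return obj;
}

// Refuses prototype-reaching keys and descends only through own, plain-object
// properties, so the walk can never leave the object the caller passed in.
function setPathSafe(obj, path, value) {
  const keys = path.split('.');
  let cur = obj;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (UNSAFE_KEYS.has(key)) throw new Error('refusing prototype-reaching key: ' + key);
    if (i === keys.length - 1) { cur[key] = value; return obj; }
    const next = Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined;
    if (next === null || typeof next !== 'object' || Object.getPrototypeOf(next) !== Object.prototype) {
      cur[key] = {};   // replace inherited, missing, or non-plain values with a fresh object
    }
    cur = cur[key];
  }
  return obj;
}
```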
- Ensure DES-CBC given IV is long enough for block size.
- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
- A few OIDs used in EV certs.
- Improve ed25519 NativeBuffer check.
- Remove use of `const`.
- Replace all instances of Node.js `new Buffer` with `Buffer.from` and `Buffer.alloc`.
- Use basic character set for code.
- Fix tag calculation when continuing an AES-GCM block.
- Switch to eslint.
- Fix off-by-1 bug with kem random generation.
- Handle creation of certificates with `notBefore` and `notAfter` dates less than Jan 1, 1950 or greater than or equal to Jan 1, 2050.
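The 1950/2050 boundary in that entry comes from RFC 5280 section 4.1.2.5: validity dates from 1950 through 2049 are encoded as UTCTime, and all other dates as GeneralizedTime. As an added example (not forge's code), an encoder/decoder pair for that choice; the function names are assumptions.

```javascript
// Added example (not node-forge code): DER Time selection for X.509 validity
// dates per RFC 5280 4.1.2.5. UTCTime (tag 0x17, YYMMDDHHMMSSZ) covers only
// 1950-2049; earlier or later dates must be GeneralizedTime (0x18, YYYYMMDDHHMMSSZ).
function pad(n, width) { return String(n).padStart(width, '0'); }

function encodeValidityTime(date) {
  if (isNaN(date.getTime())) throw new Error('invalid date');
  const y = date.getUTCFullYear();
  const useUtcTime = y >= 1950 && y < 2050;
  const body = (useUtcTime ? pad(y % 100, 2) : pad(y, 4)) +
    pad(date.getUTCMonth() + 1, 2) + pad(date.getUTCDate(), 2) +
    pad(date.getUTCHours(), 2) + pad(date.getUTCMinutes(), 2) +
    pad(date.getUTCSeconds(), 2) + 'Z';
  // Short-form DER length is enough: the body is 13 or 15 bytes.
  return Buffer.concat([Buffer.from([useUtcTime ? 0x17 : 0x18, body.length]), Buffer.from(body, 'ascii')]);
}

function decodeValidityTime(buf) {
  const tag = buf[0];
  if ((tag !== 0x17 && tag !== 0x18) || buf.length !== 2 + buf[1]) throw new Error('not a DER Time');
  let s = buf.toString('ascii', 2);
  if (!/^\d+Z$/.test(s)) throw new Error('certificate times must be digits ending in "Z" (UTC)');
  let year;
  if (tag === 0x17) {          // UTCTime: two-digit year, pivot at 50 (RFC 5280)
    if (s.length !== 13) throw new Error('bad UTCTime');
    const yy = parseInt(s.slice(0, 2), 10);
    year = yy >= 50 ? 1900 + yy : 2000 + yy;
    s = s.slice(2);
  } else {                     // GeneralizedTime: four-digit year
    if (s.length !== 15) throw new Error('bad GeneralizedTime');
    year = parseInt(s.slice(0, 4), 10);
    s = s.slice(4);
  }
  const n = (i) => parseInt(s.slice(i, i + 2), 10);
  const d = new Date(0);       // avoid Date.UTC's remapping of years 0-99
  d.setUTCFullYear(year, n(0) - 1, n(2));
  d.setUTCHours(n(4), n(6), n(8), 0);
  return d;
}
```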
- Add OID 2.5.4.13 "description".
- Add OID 2.16.840.1.113730.1.13 "nsComment".
- Also handle extension when creating a certificate.
- `pki.verifyCertificateChain`:
  - Add `validityCheckDate` option to allow checking the certificate validity period against an arbitrary `Date` or `null` for no check at all. The current date is used by default.
- `tls.createConnection`:
  - Add `verifyOptions` option that passes through to `pki.verifyCertificateChain`. Can be used for the above `validityCheckDate` option.
- Support WebCrypto API in web workers.
- `rsa.generateKeyPair`:
  - Use `crypto.generateKeyPair`/`crypto.generateKeyPairSync` on Node.js if available (10.12.0+) and not in pure JS mode.
  - Use JS fallback in `rsa.generateKeyPair` if `prng` option specified since this isn't supported by current native APIs.
  - Only run key generation comparison tests if keys will be deterministic.
- PhantomJS is deprecated, now using Headless Chrome with Karma.
- Note: Using Headless Chrome vs PhantomJS may cause newer JS features to slip into releases without proper support for older runtimes and browsers. Please report such issues and they will be addressed.
- `pki.verifyCertificateChain`:
  - Signature changed to `(caStore, chain, options)`. Older `(caStore, chain, verify)` signature is still supported. New style is to pass in a `verify` option.
- Test on Node.js 10.x.
- Support for PKCS#7 detached signatures.
- Improve webpack/browser detection.
- Remove use of `const`.
- Potential regex denial of service in form.js.
- Support for ED25519.
- Support for baseN/base58.
- Re-publish with npm 5.6.0 due to file timestamp issues.
- Support verification of SHA-384 certificates.
- `1.2.840.10040.4.3` / `dsa-with-sha1` OID.
- Support importing PKCS#7 data with no certificates. RFC 2315 sec 9.1 states certificates are optional.
- `asn1.equals` loop bug.
- Fortuna implementation bugs.
- Fix digestLength for hashes based on SHA-512.
- Fix test looping bugs so all tests are run.
- Improved ASN.1 parsing. Many failure cases eliminated. More sanity checks. Better behavior in default mode of parsing BIT STRINGs. Better handling of parsed BIT STRINGs in `toDer()`. More tests.
- Improve X.509 BIT STRING handling by using new capture modes.
- Major refactor to use CommonJS plus a browser build system.
- Updated tests, examples, docs.
- Updated dependencies.
- Updated flash build system.
- Improve OID mapping code.
- Change test servers from Python to JavaScript.
- Improve PhantomJS support.
- Move Bower/bundle support to forge-dist.
- BREAKING: Require minimal digest algorithm dependencies from individual modules.
- Enforce currently supported bit param values for byte buffer access. May be BREAKING for code that depended on unspecified and/or incorrect behavior.
- Improve `asn1.prettyPrint()` BIT STRING display.
- webpack bundler support via `npm run build`:
  - Builds `.js`, `.min.js`, and basic sourcemaps.
  - Basic build: `forge.js`.
  - Build with extra utils and networking support: `forge.all.js`.
  - Build WebWorker support: `prime.worker.js`.
- Browserify support in package.json.
- Karma browser testing.
- `forge.options` field.
- `forge.options.usePureJavaScript` flag.
- `forge.util.isNodejs` flag (used to select "native" APIs).
- Run PhantomJS tests in Travis-CI.
- Add "Donations" section to README.
- Add IRC to "Contact" section of README.
- Add "Security Considerations" section to README.
- Add pbkdf2 usePureJavaScript test.
- Add rsa.generateKeyPair async and usePureJavaScript tests.
- Add .editorconfig support.
- Add `md.all.js` which includes all digest algorithms.
- Add asn1 `equals()` and `copy()`.
- Add asn1 `validate()` capture options for BIT STRING contents and value.
- BREAKING: Can no longer call `forge({...})` to create new instances.
- Remove a large amount of old cruft.
- (all) If you used the feature to create a new forge instance with new configuration options you will need to rework your code. That ability has been removed due to implementation complexity. The main rare use was to set the option to use pure JavaScript. That is now available as a library global flag `forge.options.usePureJavaScript`.
- (npm,bower) If you used the default main file there is little to nothing to change.
- (npm) If you accessed a sub-resource like `forge/js/pki` you should either switch to just using the main `forge` and access `forge.pki` or update to `forge/lib/pki`.
- (bower) If you used a sub-resource like `forge/js/pki` you should switch to just using `forge` and access `forge.pki`. The bower release bundles everything in one minified file.
- (bower) A configured workerScript like `/bower_components/forge/js/prime.worker.js` will need to change to `/bower_components/forge/dist/prime.worker.min.js`.
- (all) If you used the networking support or flash socket support, you will need to use a custom build and/or adjust where files are loaded from. This functionality is not included in the bower distribution by default and is also now in a different directory.
- (all) The library should now directly support building custom bundles with webpack, browserify, or similar.
- (all) If building a custom bundle ensure the correct dependencies are included. In particular, note there is now a `md.all.js` file to include all digest algorithms. Individual files limit what they include by default to allow smaller custom builds. For instance, `pbkdf2.js` has a `sha1` default but does not include any algorithm files by default. This allows the possibility to include only `sha256` without the overhead of `sha1` and `sha512`.
- This major update requires updating the version to 0.7.x. The existing work-in-progress "0.7.x" branch will be painfully rebased on top of this new 0.7.x and moved forward to 0.8.x or later as needed.
- 0.7.x is a start of simplifying forge based on common issues and what has appeared to be the most common usage. Please file issues with feedback if the changes are problematic for your use cases.
- See Git commit log or https://github.com/digitalbazaar/forge.