266 lines
9.3 KiB
Markdown
266 lines
9.3 KiB
Markdown
|
Forge ChangeLog
|
||
|
===============
|
||
|
|
||
|
## 0.10.0 - 2019-09-01
|
||
|
|
||
|
### Changed
|
||
|
- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
|
||
|
non-invasive patches to keep it working will be considered. However, more
|
||
|
modern tools no longer support old Node.js versions making testing difficult.
|
||
|
|
||
|
### Removed
|
||
|
- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
|
||
|
`util.setPath` had a potential prototype pollution security issue when used
|
||
|
with unsafe inputs. These functions are not used by `forge` itself. They date
|
||
|
from an early time when `forge` was targeted at providing general helper
|
||
|
functions. The library direction changed to be more focused on cryptography.
|
||
|
Many other excellent libraries are more suitable for general utilities. If
|
||
|
you need a replacement for these functions, consier `get`, `set`, and `unset`
|
||
|
from [lodash](https://lodash.com/). But also consider the potential similar
|
||
|
security issues with those APIs.
|
||
|
|
||
|
## 0.9.2 - 2019-09-01
|
||
|
|
||
|
### Changed
|
||
|
- Added `util.setPath` security note to function docs and to README.
|
||
|
|
||
|
### Notes
|
||
|
- **SECURITY**: The `util.setPath` function has the potential to cause
|
||
|
prototype pollution if used with unsafe input.
|
||
|
- This function is **not** used internally by `forge`.
|
||
|
- The rest of the library is unaffected by this issue.
|
||
|
- **Do not** use unsafe input with this function.
|
||
|
- Usage with known input should function as expected. (Including input
|
||
|
intentionally using potentially problematic keys.)
|
||
|
- No code changes will be made to address this issue in 0.9.x. The current
|
||
|
behavior *could* be considered a feature rather than a security issue.
|
||
|
0.10.0 will be released that removes `util.getPath` and `util.setPath`.
|
||
|
Consider `get` and `set` from [lodash](https://lodash.com/) if you need
|
||
|
replacements. But also consider the potential similar security issues with
|
||
|
those APIs.
|
||
|
- https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
|
||
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
|
||
|
|
||
|
## 0.9.1 - 2019-09-26
|
||
|
|
||
|
### Fixed
|
||
|
- Ensure DES-CBC given IV is long enough for block size.
|
||
|
|
||
|
## 0.9.0 - 2019-09-04
|
||
|
|
||
|
### Added
|
||
|
- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
|
||
|
- A few OIDs used in EV certs.
|
||
|
|
||
|
### Fixed
|
||
|
- Improve ed25519 NativeBuffer check.
|
||
|
|
||
|
## 0.8.5 - 2019-06-18
|
||
|
|
||
|
### Fixed
|
||
|
- Remove use of `const`.
|
||
|
|
||
|
## 0.8.4 - 2019-05-22
|
||
|
|
||
|
### Changed
|
||
|
- Replace all instances of Node.js `new Buffer` with `Buffer.from` and `Buffer.alloc`.
|
||
|
|
||
|
## 0.8.3 - 2019-05-15
|
||
|
|
||
|
### Fixed
|
||
|
- Use basic character set for code.
|
||
|
|
||
|
## 0.8.2 - 2019-03-18
|
||
|
|
||
|
### Fixed
|
||
|
- Fix tag calculation when continuing an AES-GCM block.
|
||
|
|
||
|
### Changed
|
||
|
- Switch to eslint.
|
||
|
|
||
|
## 0.8.1 - 2019-02-23
|
||
|
|
||
|
### Fixed
|
||
|
- Fix off-by-1 bug with kem random generation.
|
||
|
|
||
|
## 0.8.0 - 2019-01-31
|
||
|
|
||
|
### Fixed
|
||
|
- Handle creation of certificates with `notBefore` and `notAfter` dates less
|
||
|
than Jan 1, 1950 or greater than or equal to Jan 1, 2050.
|
||
|
|
||
|
### Added
|
||
|
- Add OID 2.5.4.13 "description".
|
||
|
- Add OID 2.16.840.1.113730.1.13 "nsComment".
|
||
|
- Also handle extension when creating a certificate.
|
||
|
- `pki.verifyCertificateChain`:
|
||
|
- Add `validityCheckDate` option to allow checking the certificate validity
|
||
|
period against an arbitrary `Date` or `null` for no check at all. The
|
||
|
current date is used by default.
|
||
|
- `tls.createConnection`:
|
||
|
- Add `verifyOptions` option that passes through to
|
||
|
`pki.verifyCertificateChain`. Can be used for the above `validityCheckDate`
|
||
|
option.
|
||
|
|
||
|
### Changed
|
||
|
- Support WebCrypto API in web workers.
|
||
|
- `rsa.generateKeyPair`:
|
||
|
- Use `crypto.generateKeyPair`/`crypto.generateKeyPairSync` on Node.js if
|
||
|
available (10.12.0+) and not in pure JS mode.
|
||
|
- Use JS fallback in `rsa.generateKeyPair` if `prng` option specified since
|
||
|
this isn't supported by current native APIs.
|
||
|
- Only run key generation comparison tests if keys will be deterministic.
|
||
|
- PhantomJS is deprecated, now using Headless Chrome with Karma.
|
||
|
- **Note**: Using Headless Chrome vs PhantomJS may cause newer JS features to
|
||
|
slip into releases without proper support for older runtimes and browsers.
|
||
|
Please report such issues and they will be addressed.
|
||
|
- `pki.verifyCertificateChain`:
|
||
|
- Signature changed to `(caStore, chain, options)`. Older `(caStore, chain,
|
||
|
verify)` signature is still supported. New style is to to pass in a
|
||
|
`verify` option.
|
||
|
|
||
|
## 0.7.6 - 2018-08-14
|
||
|
|
||
|
### Added
|
||
|
- Test on Node.js 10.x.
|
||
|
- Support for PKCS#7 detached signatures.
|
||
|
|
||
|
### Changed
|
||
|
- Improve webpack/browser detection.
|
||
|
|
||
|
## 0.7.5 - 2018-03-30
|
||
|
|
||
|
### Fixed
|
||
|
- Remove use of `const`.
|
||
|
|
||
|
## 0.7.4 - 2018-03-07
|
||
|
|
||
|
### Fixed
|
||
|
- Potential regex denial of service in form.js.
|
||
|
|
||
|
### Added
|
||
|
- Support for ED25519.
|
||
|
- Support for baseN/base58.
|
||
|
|
||
|
## 0.7.3 - 2018-03-05
|
||
|
|
||
|
- Re-publish with npm 5.6.0 due to file timestamp issues.
|
||
|
|
||
|
## 0.7.2 - 2018-02-27
|
||
|
|
||
|
### Added
|
||
|
- Support verification of SHA-384 certificates.
|
||
|
- `1.2.840.10040.4.3'`/`dsa-with-sha1` OID.
|
||
|
|
||
|
### Fixed
|
||
|
- Support importing PKCS#7 data with no certificates. RFC 2315 sec 9.1 states
|
||
|
certificates are optional.
|
||
|
- `asn1.equals` loop bug.
|
||
|
- Fortuna implementation bugs.
|
||
|
|
||
|
## 0.7.1 - 2017-03-27
|
||
|
|
||
|
### Fixed
|
||
|
|
||
|
- Fix digestLength for hashes based on SHA-512.
|
||
|
|
||
|
## 0.7.0 - 2017-02-07
|
||
|
|
||
|
### Fixed
|
||
|
|
||
|
- Fix test looping bugs so all tests are run.
|
||
|
- Improved ASN.1 parsing. Many failure cases eliminated. More sanity checks.
|
||
|
Better behavior in default mode of parsing BIT STRINGs. Better handling of
|
||
|
parsed BIT STRINGs in `toDer()`. More tests.
|
||
|
- Improve X.509 BIT STRING handling by using new capture modes.
|
||
|
|
||
|
### Changed
|
||
|
|
||
|
- Major refactor to use CommonJS plus a browser build system.
|
||
|
- Updated tests, examples, docs.
|
||
|
- Updated dependencies.
|
||
|
- Updated flash build system.
|
||
|
- Improve OID mapping code.
|
||
|
- Change test servers from Python to JavaScript.
|
||
|
- Improve PhantomJS support.
|
||
|
- Move Bower/bundle support to
|
||
|
[forge-dist](https://github.com/digitalbazaar/forge-dist).
|
||
|
- **BREAKING**: Require minimal digest algorithm dependencies from individual
|
||
|
modules.
|
||
|
- Enforce currently supported bit param values for byte buffer access. May be
|
||
|
**BREAKING** for code that depended on unspecified and/or incorrect behavior.
|
||
|
- Improve `asn1.prettyPrint()` BIT STRING display.
|
||
|
|
||
|
### Added
|
||
|
|
||
|
- webpack bundler support via `npm run build`:
|
||
|
- Builds `.js`, `.min.js`, and basic sourcemaps.
|
||
|
- Basic build: `forge.js`.
|
||
|
- Build with extra utils and networking support: `forge.all.js`.
|
||
|
- Build WebWorker support: `prime.worker.js`.
|
||
|
- Browserify support in package.json.
|
||
|
- Karma browser testing.
|
||
|
- `forge.options` field.
|
||
|
- `forge.options.usePureJavaScript` flag.
|
||
|
- `forge.util.isNodejs` flag (used to select "native" APIs).
|
||
|
- Run PhantomJS tests in Travis-CI.
|
||
|
- Add "Donations" section to README.
|
||
|
- Add IRC to "Contact" section of README.
|
||
|
- Add "Security Considerations" section to README.
|
||
|
- Add pbkdf2 usePureJavaScript test.
|
||
|
- Add rsa.generateKeyPair async and usePureJavaScript tests.
|
||
|
- Add .editorconfig support.
|
||
|
- Add `md.all.js` which includes all digest algorithms.
|
||
|
- Add asn1 `equals()` and `copy()`.
|
||
|
- Add asn1 `validate()` capture options for BIT STRING contents and value.
|
||
|
|
||
|
### Removed
|
||
|
|
||
|
- **BREAKING**: Can no longer call `forge({...})` to create new instances.
|
||
|
- Remove a large amount of old cruft.
|
||
|
|
||
|
### Migration from 0.6.x to 0.7.x
|
||
|
|
||
|
- (all) If you used the feature to create a new forge instance with new
|
||
|
configuration options you will need to rework your code. That ability has
|
||
|
been removed due to implementation complexity. The main rare use was to set
|
||
|
the option to use pure JavaScript. That is now available as a library global
|
||
|
flag `forge.options.usePureJavaScript`.
|
||
|
- (npm,bower) If you used the default main file there is little to nothing to
|
||
|
change.
|
||
|
- (npm) If you accessed a sub-resource like `forge/js/pki` you should either
|
||
|
switch to just using the main `forge` and access `forge.pki` or update to
|
||
|
`forge/lib/pki`.
|
||
|
- (bower) If you used a sub-resource like `forge/js/pki` you should switch to
|
||
|
just using `forge` and access `forge.pki`. The bower release bundles
|
||
|
everything in one minified file.
|
||
|
- (bower) A configured workerScript like
|
||
|
`/bower_components/forge/js/prime.worker.js` will need to change to
|
||
|
`/bower_components/forge/dist/prime.worker.min.js`.
|
||
|
- (all) If you used the networking support or flash socket support, you will
|
||
|
need to use a custom build and/or adjust where files are loaded from. This
|
||
|
functionality is not included in the bower distribution by default and is
|
||
|
also now in a different directory.
|
||
|
- (all) The library should now directly support building custom bundles with
|
||
|
webpack, browserify, or similar.
|
||
|
- (all) If building a custom bundle ensure the correct dependencies are
|
||
|
included. In particular, note there is now a `md.all.js` file to include all
|
||
|
digest algorithms. Individual files limit what they include by default to
|
||
|
allow smaller custom builds. For instance, `pbdkf2.js` has a `sha1` default
|
||
|
but does not include any algorithm files by default. This allows the
|
||
|
possibility to include only `sha256` without the overhead of `sha1` and
|
||
|
`sha512`.
|
||
|
|
||
|
### Notes
|
||
|
|
||
|
- This major update requires updating the version to 0.7.x. The existing
|
||
|
work-in-progress "0.7.x" branch will be painfully rebased on top of this new
|
||
|
0.7.x and moved forward to 0.8.x or later as needed.
|
||
|
- 0.7.x is a start of simplifying forge based on common issues and what has
|
||
|
appeared to be the most common usage. Please file issues with feedback if the
|
||
|
changes are problematic for your use cases.
|
||
|
|
||
|
## 0.6.x - 2016 and earlier
|
||
|
|
||
|
- See Git commit log or https://github.com/digitalbazaar/forge.
|