Forge ChangeLog
===============

## 0.10.0 - 2019-09-01

### Changed
- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
  non-invasive patches to keep it working will be considered. However, more
  modern tools no longer support old Node.js versions, making testing difficult.

### Removed
- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
  `util.setPath` had a potential prototype pollution security issue when used
  with unsafe inputs. These functions are not used by `forge` itself. They date
  from an early time when `forge` was targeted at providing general helper
  functions. The library direction changed to be more focused on cryptography.
  Many other excellent libraries are more suitable for general utilities. If
  you need a replacement for these functions, consider `get`, `set`, and `unset`
  from [lodash](https://lodash.com/). But also consider the potential similar
  security issues with those APIs.

## 0.9.2 - 2019-09-01

### Changed
- Added `util.setPath` security note to function docs and to README.

### Notes
- **SECURITY**: The `util.setPath` function has the potential to cause
  prototype pollution if used with unsafe input.
  - This function is **not** used internally by `forge`.
  - The rest of the library is unaffected by this issue.
  - **Do not** use unsafe input with this function.
  - Usage with known input should function as expected. (Including input
    intentionally using potentially problematic keys.)
  - No code changes will be made to address this issue in 0.9.x. The current
    behavior *could* be considered a feature rather than a security issue.
    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
    replacements. But also consider the potential similar security issues with
    those APIs.
  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
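
The hazard named in the 0.10.0 "Removed" entry and in the 0.9.2 security note above is common to any path-based setter that walks keys taken from untrusted input: a segment such as `__proto__` or `constructor.prototype` redirects the walk onto a shared prototype. The following is an added example, not forge's code; it shows the checks a replacement helper needs (reject those segments, traverse only own properties, write with `defineProperty`). The names `safeSetPath`, `parsePath`, `FORBIDDEN_KEYS` and the dotted-path format are assumptions for the example.

```javascript
// Segments that would move the walk from the target object onto a prototype
// chain. A setter that follows untrusted paths without this check is the
// prototype pollution issue the changelog describes for util.setPath.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Split a dotted path and refuse any segment that could reach a prototype.
// Empty segments are refused too, so "a..b" cannot create a property named "".
function parsePath(path) {
  if (typeof path !== 'string' || path.length === 0) {
    throw new TypeError('path must be a non-empty string');
  }
  const keys = path.split('.');
  for (const key of keys) {
    if (key === '' || FORBIDDEN_KEYS.has(key)) {
      throw new Error(`unsafe path segment: ${JSON.stringify(key)}`);
    }
  }
  return keys;
}

// Hypothetical replacement for the removed util.setPath (example, not forge's).
// Only own, non-null object properties are descended into; anything else on
// the way (inherited member, primitive, missing key) is replaced by a fresh
// null-prototype object, which has no prototype to pollute if reused as a target.
// defineProperty is used instead of assignment so no inherited setter runs.
function safeSetPath(target, path, value) {
  if (target === null || typeof target !== 'object') {
    throw new TypeError('target must be an object');
  }
  const keys = parsePath(path);
  const define = (obj, key, val) => Object.defineProperty(obj, key, {
    value: val, writable: true, enumerable: true, configurable: true,
  });
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    const next = own ? node[key] : undefined;
    if (next === null || typeof next !== 'object') {
      define(node, key, Object.create(null));
    }
    node = node[key];
  }
  define(node, keys[keys.length - 1], value);
  return target;
}
```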

## 0.9.1 - 2019-09-26

### Fixed
- Ensure DES-CBC given IV is long enough for block size.

## 0.9.0 - 2019-09-04

### Added
- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
- A few OIDs used in EV certs.

### Fixed
- Improve ed25519 NativeBuffer check.

## 0.8.5 - 2019-06-18

### Fixed
- Remove use of `const`.

## 0.8.4 - 2019-05-22

### Changed
- Replace all instances of Node.js `new Buffer` with `Buffer.from` and `Buffer.alloc`.

## 0.8.3 - 2019-05-15

### Fixed
- Use basic character set for code.

## 0.8.2 - 2019-03-18

### Fixed
- Fix tag calculation when continuing an AES-GCM block.

### Changed
- Switch to eslint.

## 0.8.1 - 2019-02-23

### Fixed
- Fix off-by-1 bug with kem random generation.

## 0.8.0 - 2019-01-31

### Fixed
- Handle creation of certificates with `notBefore` and `notAfter` dates less
  than Jan 1, 1950 or greater than or equal to Jan 1, 2050.

### Added
- Add OID 2.5.4.13 "description".
- Add OID 2.16.840.1.113730.1.13 "nsComment".
  - Also handle extension when creating a certificate.
- `pki.verifyCertificateChain`:
  - Add `validityCheckDate` option to allow checking the certificate validity
    period against an arbitrary `Date` or `null` for no check at all. The
    current date is used by default.
- `tls.createConnection`:
  - Add `verifyOptions` option that passes through to
    `pki.verifyCertificateChain`. Can be used for the above `validityCheckDate`
    option.

### Changed
- Support WebCrypto API in web workers.
- `rsa.generateKeyPair`:
  - Use `crypto.generateKeyPair`/`crypto.generateKeyPairSync` on Node.js if
    available (10.12.0+) and not in pure JS mode.
  - Use JS fallback in `rsa.generateKeyPair` if `prng` option specified since
    this isn't supported by current native APIs.
  - Only run key generation comparison tests if keys will be deterministic.
- PhantomJS is deprecated, now using Headless Chrome with Karma.
- **Note**: Using Headless Chrome vs PhantomJS may cause newer JS features to
  slip into releases without proper support for older runtimes and browsers.
  Please report such issues and they will be addressed.
- `pki.verifyCertificateChain`:
  - Signature changed to `(caStore, chain, options)`. Older `(caStore, chain,
    verify)` signature is still supported. New style is to pass in a
    `verify` option.

## 0.7.6 - 2018-08-14

### Added
- Test on Node.js 10.x.
- Support for PKCS#7 detached signatures.

### Changed
- Improve webpack/browser detection.

## 0.7.5 - 2018-03-30

### Fixed
- Remove use of `const`.

## 0.7.4 - 2018-03-07

### Fixed
- Potential regex denial of service in form.js.

### Added
- Support for ED25519.
- Support for baseN/base58.

## 0.7.3 - 2018-03-05

- Re-publish with npm 5.6.0 due to file timestamp issues.

## 0.7.2 - 2018-02-27

### Added
- Support verification of SHA-384 certificates.
- `1.2.840.10040.4.3`/`dsa-with-sha1` OID.

### Fixed
- Support importing PKCS#7 data with no certificates. RFC 2315 sec 9.1 states
  certificates are optional.
- `asn1.equals` loop bug.
- Fortuna implementation bugs.

## 0.7.1 - 2017-03-27

### Fixed

- Fix digestLength for hashes based on SHA-512.

## 0.7.0 - 2017-02-07

### Fixed

- Fix test looping bugs so all tests are run.
- Improved ASN.1 parsing. Many failure cases eliminated. More sanity checks.
  Better behavior in default mode of parsing BIT STRINGs. Better handling of
  parsed BIT STRINGs in `toDer()`. More tests.
- Improve X.509 BIT STRING handling by using new capture modes.

### Changed

- Major refactor to use CommonJS plus a browser build system.
- Updated tests, examples, docs.
- Updated dependencies.
- Updated flash build system.
- Improve OID mapping code.
- Change test servers from Python to JavaScript.
- Improve PhantomJS support.
- Move Bower/bundle support to
  [forge-dist](https://github.com/digitalbazaar/forge-dist).
- **BREAKING**: Require minimal digest algorithm dependencies from individual
  modules.
- Enforce currently supported bit param values for byte buffer access. May be
  **BREAKING** for code that depended on unspecified and/or incorrect behavior.
- Improve `asn1.prettyPrint()` BIT STRING display.

### Added

- webpack bundler support via `npm run build`:
  - Builds `.js`, `.min.js`, and basic sourcemaps.
  - Basic build: `forge.js`.
  - Build with extra utils and networking support: `forge.all.js`.
  - Build WebWorker support: `prime.worker.js`.
- Browserify support in package.json.
- Karma browser testing.
- `forge.options` field.
- `forge.options.usePureJavaScript` flag.
- `forge.util.isNodejs` flag (used to select "native" APIs).
- Run PhantomJS tests in Travis-CI.
- Add "Donations" section to README.
- Add IRC to "Contact" section of README.
- Add "Security Considerations" section to README.
- Add pbkdf2 usePureJavaScript test.
- Add rsa.generateKeyPair async and usePureJavaScript tests.
- Add .editorconfig support.
- Add `md.all.js` which includes all digest algorithms.
- Add asn1 `equals()` and `copy()`.
- Add asn1 `validate()` capture options for BIT STRING contents and value.

### Removed

- **BREAKING**: Can no longer call `forge({...})` to create new instances.
- Remove a large amount of old cruft.

### Migration from 0.6.x to 0.7.x

- (all) If you used the feature to create a new forge instance with new
  configuration options you will need to rework your code. That ability has
  been removed due to implementation complexity. The main rare use was to set
  the option to use pure JavaScript. That is now available as a library global
  flag `forge.options.usePureJavaScript`.
- (npm,bower) If you used the default main file there is little to nothing to
  change.
- (npm) If you accessed a sub-resource like `forge/js/pki` you should either
  switch to just using the main `forge` and access `forge.pki` or update to
  `forge/lib/pki`.
- (bower) If you used a sub-resource like `forge/js/pki` you should switch to
  just using `forge` and access `forge.pki`. The bower release bundles
  everything in one minified file.
- (bower) A configured workerScript like
  `/bower_components/forge/js/prime.worker.js` will need to change to
  `/bower_components/forge/dist/prime.worker.min.js`.
- (all) If you used the networking support or flash socket support, you will
  need to use a custom build and/or adjust where files are loaded from. This
  functionality is not included in the bower distribution by default and is
  also now in a different directory.
- (all) The library should now directly support building custom bundles with
  webpack, browserify, or similar.
- (all) If building a custom bundle ensure the correct dependencies are
  included. In particular, note there is now a `md.all.js` file to include all
  digest algorithms. Individual files limit what they include by default to
  allow smaller custom builds. For instance, `pbkdf2.js` has a `sha1` default
  but does not include any algorithm files by default. This allows the
  possibility to include only `sha256` without the overhead of `sha1` and
  `sha512`.

### Notes

- This major update requires updating the version to 0.7.x. The existing
  work-in-progress "0.7.x" branch will be painfully rebased on top of this new
  0.7.x and moved forward to 0.8.x or later as needed.
- 0.7.x is a start of simplifying forge based on common issues and what has
  appeared to be the most common usage. Please file issues with feedback if the
  changes are problematic for your use cases.

## 0.6.x - 2016 and earlier

- See Git commit log or https://github.com/digitalbazaar/forge.