util.getPath
, util.setPath
, and util.deletePath
.
util.setPath
had a potential prototype pollution security issue when used
with unsafe inputs. These functions are not used by forge
itself. They date
from an early time when forge
was targeted at providing general helper
functions. The library direction changed to be more focused on cryptography.
Many other excellent libraries are more suitable for general utilities. If
you need a replacement for these functions, consier get
, set
, and unset
from lodash. But also consider the potential similar
security issues with those APIs.util.setPath
security note to function docs and to README.util.setPath
function has the potential to cause
prototype pollution if used with unsafe input.
forge
.util.getPath
and util.setPath
.
Consider get
and set
from lodash if you need
replacements. But also consider the potential similar security issues with
those APIs.ed25519
NativeBuffer check.const
.new Buffer
with Buffer.from
and Buffer.alloc
.notBefore
and notAfter
dates less
than Jan 1, 1950 or greater than or equal to Jan 1, 2050.pki.verifyCertificateChain
:
validityCheckDate
option to allow checking the certificate validity
period against an arbitrary Date
or null
for no check at all. The
current date is used by default.tls.createConnection
:
verifyOptions
option that passes through to
pki.verifyCertificateChain
. Can be used for the above validityCheckDate
option.rsa.generateKeyPair
:
crypto.generateKeyPair
/crypto.generateKeyPairSync
on Node.js if
available (10.12.0+) and not in pure JS mode.rsa.generateKeyPair
if prng
option specified since
this isn't supported by current native APIs.pki.verifyCertificateChain
:
(caStore, chain, options)
. Older (caStore, chain,
verify)
signature is still supported. New style is to to pass in a
verify
option.const
.1.2.840.10040.4.3'
/dsa-with-sha1
OID.asn1.equals
loop bug.toDer()
. More tests.asn1.prettyPrint()
BIT STRING display.npm run build
:
.js
, .min.js
, and basic sourcemaps.forge.js
.forge.all.js
.prime.worker.js
.forge.options
field.forge.options.usePureJavaScript
flag.forge.util.isNodejs
flag (used to select "native" APIs).md.all.js
which includes all digest algorithms.equals()
and copy()
.validate()
capture options for BIT STRING contents and value.forge({...})
to create new instances.forge.options.usePureJavaScript
.forge/js/pki
you should either
switch to just using the main forge
and access forge.pki
or update to
forge/lib/pki
.forge/js/pki
you should switch to
just using forge
and access forge.pki
. The bower release bundles
everything in one minified file./bower_components/forge/js/prime.worker.js
will need to change to
/bower_components/forge/dist/prime.worker.min.js
.md.all.js
file to include all
digest algorithms. Individual files limit what they include by default to
allow smaller custom builds. For instance, pbdkf2.js
has a sha1
default
but does not include any algorithm files by default. This allows the
possibility to include only sha256
without the overhead of sha1
and
sha512
.