From 9d286917dba012b6e2c991f694763c590671a967 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Tue, 1 Sep 2020 22:02:28 -0400 Subject: [PATCH 01/33] Start 0.10.1. --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index f5cc879f9..997982278 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-forge", - "version": "0.10.0", + "version": "0.10.1-dev", "description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.", "homepage": "https://github.com/digitalbazaar/forge", "author": { From 588c41062d9a13f8dc91be3723b159c6cc434b15 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Wed, 2 Sep 2020 10:28:14 -0400 Subject: [PATCH 02/33] Fix release dates. --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 81176fa81..91d13bdbb 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ Forge ChangeLog =============== -## 0.10.0 - 2019-09-01 +## 0.10.0 - 2020-09-01 ### Changed - **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and @@ -19,7 +19,7 @@ Forge ChangeLog from [lodash](https://lodash.com/). But also consider the potential similar security issues with those APIs. -## 0.9.2 - 2019-09-01 +## 0.9.2 - 2020-09-01 ### Changed - Added `util.setPath` security note to function docs and to README. From e06afc4faa100f4363b013ea6f70002308072c6c Mon Sep 17 00:00:00 2001 From: troyfactor4 <5209556+troyfactor4@users.noreply.github.com> Date: Mon, 16 Nov 2020 01:45:48 -0400 Subject: [PATCH 03/33] fix: make PKCS#7 parameter optional as per RFC 5280 --- lib/pkcs7.js | 2 +- lib/pkcs7asn1.js | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/lib/pkcs7.js b/lib/pkcs7.js index bb87de363..95c54e361 100644 --- a/lib/pkcs7.js +++ b/lib/pkcs7.js 
@@ -837,7 +837,7 @@ function _recipientFromAsn1(obj) { serialNumber: forge.util.createBuffer(capture.serial).toHex(), encryptedContent: { algorithm: asn1.derToOid(capture.encAlgorithm), - parameter: capture.encParameter.value, + parameter: capture.encParameter ? capture.encParameter.value : null, content: capture.encKey } }; diff --git a/lib/pkcs7asn1.js b/lib/pkcs7asn1.js index a2ac01f85..0e13c8915 100644 --- a/lib/pkcs7asn1.js +++ b/lib/pkcs7asn1.js @@ -397,7 +397,8 @@ p7v.recipientInfoValidator = { name: 'RecipientInfo.keyEncryptionAlgorithm.parameter', tagClass: asn1.Class.UNIVERSAL, constructed: false, - captureAsn1: 'encParameter' + captureAsn1: 'encParameter', + optional: true }] }, { name: 'RecipientInfo.encryptedKey', From 8d7595b95e0c0c39ef82d8fdb5b3d890debd2bb7 Mon Sep 17 00:00:00 2001 From: troyfactor4 <5209556+troyfactor4@users.noreply.github.com> Date: Tue, 17 Nov 2020 13:11:56 -0400 Subject: [PATCH 04/33] fix: null check ec.parameter --- lib/pkcs7.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/lib/pkcs7.js b/lib/pkcs7.js index 95c54e361..3e6cfe931 100644 --- a/lib/pkcs7.js +++ b/lib/pkcs7.js @@ -1124,8 +1124,10 @@ function _encryptedContentToAsn1(ec) { asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(ec.algorithm).getBytes()), // Parameters (IV) - asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, - ec.parameter.getBytes()) + ( ec.parameter ? + asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, + ec.parameter.getBytes()) : undefined + ) ]), // [0] EncryptedContent asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [ From 4292496097d8756bdaeabd85b9cb7520cd80e5f4 Mon Sep 17 00:00:00 2001 From: Dave Longley <dlongley@digitalbazaar.com> Date: Wed, 18 Nov 2020 15:14:56 -0500 Subject: [PATCH 05/33] Apply suggestions from code review. --- lib/pkcs7.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) 
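Review bot: In the `@@ -1124` hunk of `_encryptedContentToAsn1` (PATCH 04/33), a missing `ec.parameter` now places `undefined` in the child array handed to `asn1.create`, so the AlgorithmIdentifier is emitted without the field the comment labels `Parameters (IV)`. Whether `asn1.create` drops `undefined` children is not visible in this hunk, so the assumption deserves a comment on that line, for example `// parameters are OPTIONAL; relies on asn1.create skipping undefined children`. This function serializes the content-encryption algorithm, while the preceding commit only relaxed the validator for `RecipientInfo.keyEncryptionAlgorithm.parameter`. For a cipher that needs an IV, silently omitting it probably yields output no recipient can decrypt, so rejecting a missing parameter for such algorithms would be safer than writing it out. The same expression is restyled in the `@@ -1124` hunk of PATCH 05/33, neither commit adds a test for a message without parameters, and the function body extends beyond both hunks.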
diff --git a/lib/pkcs7.js b/lib/pkcs7.js index 3e6cfe931..3a5d845c5 100644 --- a/lib/pkcs7.js +++ b/lib/pkcs7.js @@ -837,7 +837,7 @@ function _recipientFromAsn1(obj) { serialNumber: forge.util.createBuffer(capture.serial).toHex(), encryptedContent: { algorithm: asn1.derToOid(capture.encAlgorithm), - parameter: capture.encParameter ? capture.encParameter.value : null, + parameter: capture.encParameter ? capture.encParameter.value : undefined, content: capture.encKey } }; @@ -1124,10 +1124,11 @@ function _encryptedContentToAsn1(ec) { asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false, asn1.oidToDer(ec.algorithm).getBytes()), // Parameters (IV) - ( ec.parameter ? - asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, - ec.parameter.getBytes()) : undefined - ) + !ec.parameter ? + undefined : + asn1.create( + asn1.Class.UNIVERSAL, asn1.Type.OCTETSTRING, false, + ec.parameter.getBytes()) ]), // [0] EncryptedContent asn1.create(asn1.Class.CONTEXT_SPECIFIC, 0, true, [ From c666282c812d6dc18e97b419b152dd6ad98c802c Mon Sep 17 00:00:00 2001 From: Daniel Hensby <dhensby@users.noreply.github.com> Date: Thu, 25 Mar 2021 10:21:35 +0000 Subject: [PATCH 06/33] Remove link to nodeguide.com It appears nodeguide.com domain has been taken over by domain squatters and the style.html page appears to push a questionable PDF download. --- CONTRIBUTING.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index c5f08e8b1..299d2711c 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -6,7 +6,7 @@ Want to contribute to forge? Great! Here are a few notes: Code ---- -* In general, follow the current code style or the [Node.js Style Guide][]. +* In general, follow the current code style. * Read the [contributing](./README.md#contributing) notes. * Ensure [tests pass](./README.md#testing). 
@@ -15,5 +15,4 @@ Release Process Maintainers should refer to the [release instructions](./RELEASE.md). -[Node.js Style Guide]: http://nodeguide.com/style.html [Semantic Versioning]: http://semver.org/ From 724158f264be5ad691d1546347a94a6214bd25cf Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Wed, 7 Apr 2021 03:21:46 -0400 Subject: [PATCH 07/33] Remove `forge.task` API. Task API still used in tests so moved to `tests/support/` and files updated appropriately. --- CHANGELOG.md | 9 +++++++++ lib/index.js | 1 - tests/issues/issue-428.html | 1 + tests/issues/issue-428.js | 2 +- tests/legacy/common.html | 1 + tests/legacy/common.js | 2 +- tests/legacy/tasks.html | 1 + tests/legacy/tasks.js | 4 ++-- tests/legacy/xhr.html | 1 + tests/legacy/xhr.js | 2 +- tests/server.js | 2 ++ {lib => tests/support}/task.js | 21 +++++++++------------ 12 files changed, 29 insertions(+), 18 deletions(-) rename {lib => tests/support}/task.js (97%) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91d13bdbb..cfe650070 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,6 +1,15 @@ Forge ChangeLog =============== +## 0.11.0 - 2021-xx-xx + +### Removed +- **BREAKING**: Remove `forge.task` API. This API was never used, documented, + or advertised by the maintainers. If anyone was using this API and wishes to + continue development it in other project, please let the maintainers know. + Due to use in the test suite, a modified version is located in + `tests/support/`. + ## 0.10.0 - 2020-09-01 ### Changed diff --git a/lib/index.js b/lib/index.js index ea8c14cf9..ffb931286 100644 --- a/lib/index.js +++ b/lib/index.js @@ -30,6 +30,5 @@ require('./pss'); require('./random'); require('./rc2'); require('./ssh'); -require('./task'); require('./tls'); require('./util'); diff --git a/tests/issues/issue-428.html b/tests/issues/issue-428.html index fc9af30c6..1685c3e1f 100644 --- a/tests/issues/issue-428.html +++ b/tests/issues/issue-428.html 
@@ -4,6 +4,7 @@ <title>Forge Issue 428 Test</title> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script> <script type="text/javascript" src="/forge/forge.js"></script> + <script type="text/javascript" src="/support/task.js"></script> <script type="text/javascript" src="issue-428.js"></script> <link type="text/css" rel="stylesheet" media="all" href="/tests.css" /> diff --git a/tests/issues/issue-428.js b/tests/issues/issue-428.js index 7b9427e4a..179477d42 100644 --- a/tests/issues/issue-428.js +++ b/tests/issues/issue-428.js @@ -52,7 +52,7 @@ jQuery(function($) { $('#start').attr('disabled', 'true'); $('#stop').attr('disabled', ''); // meta! use tasks to run the task tests - forge.task.start({ + forge_task.start({ type: 'test', run: function(task) { task.next('starting', function(task) { diff --git a/tests/legacy/common.html b/tests/legacy/common.html index 9ee073117..d835af37f 100644 --- a/tests/legacy/common.html +++ b/tests/legacy/common.html @@ -4,6 +4,7 @@ <title>Forge Common Tests</title> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script> <script type="text/javascript" src="/forge/forge.all.js"></script> + <script type="text/javascript" src="/support/task.js"></script> <script type="text/javascript" src="common.js"></script> <link type="text/css" rel="stylesheet" media="all" href="/tests.css" /> diff --git a/tests/legacy/common.js b/tests/legacy/common.js index 57dfbc4ba..4c08e1319 100644 --- a/tests/legacy/common.js +++ b/tests/legacy/common.js @@ -39,7 +39,7 @@ jQuery(function($) { $('#start').attr('disabled', 'true'); // meta! use tasks to run the task tests - forge.task.start({ + forge_task.start({ type: 'test', run: function(task) { task.next('starting', function(task) { diff --git a/tests/legacy/tasks.html b/tests/legacy/tasks.html index dc7e48d60..5456faded 100644 --- a/tests/legacy/tasks.html +++ b/tests/legacy/tasks.html 
@@ -4,6 +4,7 @@ <title>Forge Tasks Tests</title> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script> <script type="text/javascript" src="/forge/forge.js"></script> + <script type="text/javascript" src="/support/task.js"></script> <script type="text/javascript" src="tasks.js"></script> <link type="text/css" rel="stylesheet" media="all" href="/tests.css" /> diff --git a/tests/legacy/tasks.js b/tests/legacy/tasks.js index 2c99a9d36..eef594a19 100644 --- a/tests/legacy/tasks.js +++ b/tests/legacy/tasks.js @@ -33,7 +33,7 @@ jQuery(function($) { $('#start').attr('disabled', 'disabled'); // meta! use tasks to run the task tests - forge.task.start({ + forge_task.start({ type: 'test', run: function(task) { task.next('starting', function(task) { @@ -365,7 +365,7 @@ jQuery(function($) for(var i = 0; i < count; ++i) { - forge.task.start(tasks[i]); + forge_task.start(tasks[i]); } }); diff --git a/tests/legacy/xhr.html b/tests/legacy/xhr.html index 5aa868f54..fbb086f2a 100644 --- a/tests/legacy/xhr.html +++ b/tests/legacy/xhr.html @@ -5,6 +5,7 @@ <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/swfobject/2.2/swfobject.js"></script> <script type="text/javascript" src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js"></script> <script type="text/javascript" src="/forge/forge.all.js"></script> + <script type="text/javascript" src="/support/task.js"></script> <script type="text/javascript" src="xhr.js"></script> <link type="text/css" rel="stylesheet" media="all" href="/tests.css" /> diff --git a/tests/legacy/xhr.js b/tests/legacy/xhr.js index 1beb48799..fbe202cda 100644 --- a/tests/legacy/xhr.js +++ b/tests/legacy/xhr.js @@ -60,7 +60,7 @@ jQuery(function($) { $('#start').attr('disabled', 'disabled'); // meta! use tasks to run the task tests - forge.task.start({ + forge_task.start({ type: 'test', run: function(task) { task.next('starting', function(task) { 
diff --git a/tests/server.js b/tests/server.js index 85af534f2..5537b7b99 100644 --- a/tests/server.js +++ b/tests/server.js @@ -30,6 +30,8 @@ function contentServer(callback) { // forge app.use('/forge', express.static(path.join(__dirname, '..', 'dist'))); + app.use('/support', express.static(path.join(__dirname, 'support'))); + app.use('/issues', express.static(path.join(__dirname, 'issues'))); // unit tests support app.use('/mocha', diff --git a/lib/task.js b/tests/support/task.js similarity index 97% rename from lib/task.js rename to tests/support/task.js index df4866001..5bf8e465a 100644 --- a/lib/task.js +++ b/tests/support/task.js @@ -7,13 +7,10 @@ * * Copyright (c) 2009-2013 Digital Bazaar, Inc. */ -var forge = require('./forge'); -require('./debug'); -require('./log'); -require('./util'); +// 'forge' should be a global // logging category -var cat = 'forge.task'; +var cat = 'forge.tests.task'; // verbose level // 0: off, 1: a little, 2: a whole lot @@ -277,7 +274,7 @@ Task.prototype.parallel = function(name, subrun) { // closure and changes as the loop changes -- causing i // to always be set to its highest value var startParallelTask = function(pname, pi) { - forge.task.start({ + forge_task.start({ type: pname, run: function(task) { subrun[pi](task); @@ -345,7 +342,7 @@ Task.prototype.block = function(n) { * running once enough permits have been released via unblock() calls. * * If multiple processes need to synchronize with a single task then - * use a condition variable (see forge.task.createCondition). It is + * use a condition variable (see task.createCondition). It is * an error to unblock a task more times than it has been blocked. * * @param n number of permits to release (default: 1). 
@@ -381,7 +378,7 @@ Task.prototype.sleep = function(n) { /** * Waits on a condition variable until notified. The next task will * not be scheduled until notification. A condition variable can be - * created with forge.task.createCondition(). + * created with task.createCondition(). * * Once cond.notify() is called, the task will continue. * @@ -618,7 +615,7 @@ var finish = function(task, suppressCallbacks) { }; /* Tasks API */ -module.exports = forge.task = forge.task || {}; +window.forge_task = {}; /** * Starts a new task that will run the passed function asynchronously. @@ -642,7 +639,7 @@ module.exports = forge.task = forge.task || {}; * * @param options the object as described above. */ -forge.task.start = function(options) { +forge_task.start = function(options) { // create a new task var task = new Task({ run: options.run, @@ -673,7 +670,7 @@ forge.task.start = function(options) { * * @param type the type of task to cancel. */ -forge.task.cancel = function(type) { +forge_task.cancel = function(type) { // find the task queue if(type in sTaskQueues) { // empty all but the current task from the queue @@ -688,7 +685,7 @@ forge.task.cancel = function(type) { * * @return the condition variable. */ -forge.task.createCondition = function() { +forge_task.createCondition = function() { var cond = { // all tasks that are blocked tasks: {} From 07942ef36461e6fff9bb50dcdabb0dac78643fb5 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 27 May 2021 21:55:10 -0400 Subject: [PATCH 08/33] Update eslint dependencies. --- package.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/package.json b/package.json index 997982278..0636212bb 100644 --- a/package.json +++ b/package.json 
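Review bot: In the `@@ -618` hunk, `window.forge_task = {};` makes the file browser-only and unconditionally replaces any object already there, whereas the removed line used the idempotent `forge.task = forge.task || {}` form. The assignments in the following hunks (`forge_task.start = ...`, `forge_task.cancel = ...`, `forge_task.createCondition = ...`) then depend on the `window` property being reachable as a bare global. A local binding keeps both properties: `var forge_task = window.forge_task = window.forge_task || {};`. The header hunk (`@@ -7,13`) replaces the `require` calls with `// 'forge' should be a global`. That comment should name which forge modules must already be loaded, which is inferred here from the removed `require('./log')` and `require('./util')` lines because the code using them is outside these hunks.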
@@ -18,8 +18,8 @@ "browserify": "^16.5.2", "commander": "^2.20.0", "cross-env": "^5.2.1", - "eslint": "^7.8.1", - "eslint-config-digitalbazaar": "^2.5.0", + "eslint": "^7.27.0", + "eslint-config-digitalbazaar": "^2.8.0", "express": "^4.16.2", "karma": "^4.4.1", "karma-browserify": "^7.0.0", From 5d09946b713ff54bd963c47dfee56d9d3d54c680 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 27 May 2021 21:55:25 -0400 Subject: [PATCH 09/33] Add eslint config for tests. --- tests/.eslintrc.js | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 tests/.eslintrc.js diff --git a/tests/.eslintrc.js b/tests/.eslintrc.js new file mode 100644 index 000000000..bf3479fb6 --- /dev/null +++ b/tests/.eslintrc.js @@ -0,0 +1,5 @@ +module.exports = { + env: { + mocha: true + } +}; From 51228083550dde97701ac8e06c629a5184117562 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 27 May 2021 21:58:45 -0400 Subject: [PATCH 10/33] Remove `forge.debug` API. The API has the potential for prototype pollution. This API was only briefly used by the maintainers for internal project debug purposes and was never inteneded to be used with untrusted user intputs. This API was not documented or advertised and is being removed rather than fixed. --- CHANGELOG.md | 5 +++ README.md | 14 -------- lib/debug.js | 78 ------------------------------------------- lib/http.js | 11 ------ lib/index.js | 1 - tests/support/task.js | 4 --- 6 files changed, 5 insertions(+), 108 deletions(-) delete mode 100644 lib/debug.js diff --git a/CHANGELOG.md b/CHANGELOG.md index cfe650070..86241ba04 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -4,6 +4,11 @@ Forge ChangeLog ## 0.11.0 - 2021-xx-xx ### Removed +- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the + potential for prototype pollution. This API was only briefly used by the + maintainers for internal project debug purposes and was never inteneded to be + used with untrusted user intputs. This API was not documented or advertised + and is being removed rather than fixed. - **BREAKING**: Remove `forge.task` API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to continue development it in other project, please let the maintainers know. diff --git a/README.md b/README.md index 40bf29561..bfc640fee 100644 --- a/README.md +++ b/README.md @@ -80,7 +80,6 @@ Documentation * [Tasks](#task) * [Utilities](#util) * [Logging](#log) -* [Debugging](#debug) * [Flash Networking Support](#flash) ### Other @@ -1988,19 +1987,6 @@ __Examples__ // TODO ``` -<a name="debug" /> - -### Debugging - -Provides storage of debugging information normally inaccessible in -closures for viewing/investigation. - -__Examples__ - -```js -// TODO -``` - <a name="flash" /> ### Flash Networking Support diff --git a/lib/debug.js b/lib/debug.js deleted file mode 100644 index 26756350e..000000000 --- a/lib/debug.js +++ /dev/null 
@@ -1,78 +0,0 @@ -/** - * Debugging support for web applications. - * - * @author David I. Lehn <dlehn@digitalbazaar.com> - * - * Copyright 2008-2013 Digital Bazaar, Inc. - */ -var forge = require('./forge'); - -/* DEBUG API */ -module.exports = forge.debug = forge.debug || {}; - -// Private storage for debugging. -// Useful to expose data that is otherwise unviewable behind closures. -// NOTE: remember that this can hold references to data and cause leaks! -// format is "forge._debug.<modulename>.<dataname> = data" -// Example: -// (function() { -// var cat = 'forge.test.Test'; // debugging category -// var sState = {...}; // local state -// forge.debug.set(cat, 'sState', sState); -// })(); -forge.debug.storage = {}; - -/** - * Gets debug data. Omit name for all cat data Omit name and cat for - * all data. - * - * @param cat name of debugging category. - * @param name name of data to get (optional). - * @return object with requested debug data or undefined. - */ -forge.debug.get = function(cat, name) { - var rval; - if(typeof(cat) === 'undefined') { - rval = forge.debug.storage; - } else if(cat in forge.debug.storage) { - if(typeof(name) === 'undefined') { - rval = forge.debug.storage[cat]; - } else { - rval = forge.debug.storage[cat][name]; - } - } - return rval; -}; - -/** - * Sets debug data. - * - * @param cat name of debugging category. - * @param name name of data to set. - * @param data data to set. - */ -forge.debug.set = function(cat, name, data) { - if(!(cat in forge.debug.storage)) { - forge.debug.storage[cat] = {}; - } - forge.debug.storage[cat][name] = data; -}; - -/** - * Clears debug data. Omit name for all cat data. Omit name and cat for - * all data. - * - * @param cat name of debugging category. - * @param name name of data to clear or omit to clear entire category. 
- */ -forge.debug.clear = function(cat, name) { - if(typeof(cat) === 'undefined') { - forge.debug.storage = {}; - } else if(cat in forge.debug.storage) { - if(typeof(name) === 'undefined') { - delete forge.debug.storage[cat]; - } else { - delete forge.debug.storage[cat][name]; - } - } -}; diff --git a/lib/http.js b/lib/http.js index 1dcb0a65e..0ae863050 100644 --- a/lib/http.js +++ b/lib/http.js @@ -6,7 +6,6 @@ * Copyright (c) 2010-2014 Digital Bazaar, Inc. All rights reserved. */ var forge = require('./forge'); -require('./debug'); require('./tls'); require('./util'); @@ -16,11 +15,6 @@ var http = module.exports = forge.http = forge.http || {}; // logging category var cat = 'forge.http'; -// add array of clients to debug storage -if(forge.debug) { - forge.debug.set('forge.http', 'clients', []); -} - // normalizes an http header field name var _normalize = function(name) { return name.toLowerCase().replace(/(^.)|(-.)/g, @@ -484,11 +478,6 @@ http.createClient = function(options) { true : options.persistCookies }; - // add client to debug storage - if(forge.debug) { - forge.debug.get('forge.http', 'clients').push(client); - } - // load cookies from disk _loadCookies(client); diff --git a/lib/index.js b/lib/index.js index ffb931286..6cdd5a9cc 100644 --- a/lib/index.js +++ b/lib/index.js @@ -10,7 +10,6 @@ require('./aes'); require('./aesCipherSuites'); require('./asn1'); require('./cipher'); -require('./debug'); require('./des'); require('./ed25519'); require('./hmac'); diff --git a/tests/support/task.js b/tests/support/task.js index 5bf8e465a..4607ecb12 100644 --- a/tests/support/task.js +++ b/tests/support/task.js @@ -24,13 +24,9 @@ var sVL = 0; // track tasks for debugging var sTasks = {}; var sNextTaskId = 0; -// debug access -forge.debug.set(cat, 'tasks', sTasks); // a map of task type to task queue var sTaskQueues = {}; -// debug access -forge.debug.set(cat, 'queues', sTaskQueues); // name for unnamed tasks var sNoTaskName = '?'; 
From 7aa796efd838422cfd216f6472e7444c1b57bf0d Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:33:10 -0400 Subject: [PATCH 11/33] Switch from travis to github actions. --- .github/workflows/main.yml | 72 ++++++++++++++++++++++++++++++++++++++ .travis.yml | 27 -------------- package.json | 1 + 3 files changed, 73 insertions(+), 27 deletions(-) create mode 100644 .github/workflows/main.yml delete mode 100644 .travis.yml diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml new file mode 100644 index 000000000..927425990 --- /dev/null +++ b/.github/workflows/main.yml 
@@ -0,0 +1,72 @@ +name: Node.js CI + +on: [push] + +jobs: + test-node: + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + node-version: [6.x, 8.x, 10.x, 12.x, 14.x] + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - name: Run test with Node.js ${{ matrix.node-version }} + run: npm run test-node + test-karma: + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + node-version: [14.x] + env: + BUNDLER: [webpack, browserify] + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - name: Run karma tests + run: npm run test-karma + lint: + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + node-version: [14.x] + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - name: Run eslint + run: npm run lint + coverage: + runs-on: ubuntu-latest + timeout-minutes: 10 + strategy: + matrix: + node-version: [14.x] + steps: + - uses: actions/checkout@v2 + - name: Use Node.js ${{ matrix.node-version }} + uses: actions/setup-node@v1 + with: + node-version: ${{ matrix.node-version }} + - run: npm install + - name: Generate coverage report + run: npm run coverage-ci + - name: Upload coverage to Codecov + uses: codecov/codecov-action@v1 + with: + file: ./coverage/lcov.info + fail_ci_if_error: true diff --git a/.travis.yml b/.travis.yml deleted file mode 100644 index 6ea8d7085..000000000 --- a/.travis.yml +++ /dev/null 
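Review bot: The new workflow references every action by a mutable tag (`actions/checkout@v2`, `actions/setup-node@v1`, `codecov/codecov-action@v1`) and declares no `permissions:`, so each job runs third-party code with the default token scope. For a cryptography library it is worth pinning each action to a full commit SHA, e.g. `uses: codecov/codecov-action@<full-commit-sha>`, and adding a top-level `permissions:` block containing `contents: read`. `on: [push]` also means pull requests from forks get no checks unless `pull_request` is added to the trigger list. `npm install` resolves dependency versions at run time; if the repository carries a lockfile (not visible here), `npm ci` would make the installs reproducible.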
@@ -1,27 +0,0 @@ -language: node_js -node_js: - - "6" - - "8" - - "10" - - "12" - - "14" - - "node" -sudo: false -install: - - npm install -script: - - if [ "x$BUNDLER" = "x" ]; then npm test; fi - - if [ "x$BUNDLER" != "x" ]; then npm run test-karma; fi -# only run karma tests for one node version -matrix: - include: - - name: "Browser Unit Tests (webpack)" - node_js: "14" - env: BUNDLER=webpack - - name: "Browser Unit Tests (browserify)" - node_js: "14" - env: BUNDLER=browserify -notifications: - email: - on_success: change - on_failure: change diff --git a/package.json b/package.json index 0636212bb..60fb1f83c 100644 --- a/package.json +++ b/package.json @@ -102,6 +102,7 @@ "test-server-ws": "node tests/websockets/server-ws.js", "test-server-webid": "node tests/websockets/server-webid.js", "coverage": "rm -rf coverage && nyc --reporter=lcov --reporter=text-summary npm test", + "coverage-ci": "rm -rf coverage && nyc --reporter=lcovonly npm test", "coverage-report": "nyc report", "lint": "eslint *.js lib/*.js tests/*.js tests/**/*.js examples/*.js flash/*.js" }, From cbebc13ffdf4ed97cab5d0b4a2cefaff4e4c6fc8 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:39:41 -0400 Subject: [PATCH 12/33] Fix workflow. --- .github/workflows/main.yml | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 927425990..2223c7a94 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -24,8 +24,7 @@ jobs: strategy: matrix: node-version: [14.x] - env: - BUNDLER: [webpack, browserify] + bundler: [webpack, browserify] steps: - uses: actions/checkout@v2 - name: Use Node.js ${{ matrix.node-version }} @@ -35,6 +34,8 @@ jobs: - run: npm install - name: Run karma tests run: npm run test-karma + env: + BUNDLER: ${{ matrix.bundler }} lint: runs-on: ubuntu-latest timeout-minutes: 10 From bff212370e595f77faa9e4e4063e3b2c636026d6 Mon Sep 17 00:00:00 2001 
From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:43:25 -0400 Subject: [PATCH 13/33] Add 'test-node' script target. --- package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index 60fb1f83c..f54ff72d3 100644 --- a/package.json +++ b/package.json @@ -95,7 +95,8 @@ "prepublish": "npm run build", "build": "webpack", "test-build": "webpack --config webpack-tests.config.js", - "test": "cross-env NODE_ENV=test mocha -t 30000 -R ${REPORTER:-spec} tests/unit/index.js", + "test": "npm run test-node", + "test-node": "cross-env NODE_ENV=test mocha -t 30000 -R ${REPORTER:-spec} tests/unit/index.js", "test-karma": "karma start", "test-karma-sauce": "karma start karma-sauce.conf", "test-server": "node tests/server.js", From 423b2f32b2b81153acbf4699ca6da234dd45368e Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:45:16 -0400 Subject: [PATCH 14/33] Disable lint check. Code is not even close to ready for the modern digitalbazaar linting style. --- .github/workflows/main.yml | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 2223c7a94..3549c9294 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml 
@@ -36,21 +36,21 @@ jobs: run: npm run test-karma env: BUNDLER: ${{ matrix.bundler }} - lint: - runs-on: ubuntu-latest - timeout-minutes: 10 - strategy: - matrix: - node-version: [14.x] - steps: - - uses: actions/checkout@v2 - - name: Use Node.js ${{ matrix.node-version }} - uses: actions/setup-node@v1 - with: - node-version: ${{ matrix.node-version }} - - run: npm install - - name: Run eslint - run: npm run lint +# lint: +# runs-on: ubuntu-latest +# timeout-minutes: 10 +# strategy: +# matrix: +# node-version: [14.x] +# steps: +# - uses: actions/checkout@v2 +# - name: Use Node.js ${{ matrix.node-version }} +# uses: actions/setup-node@v1 +# with: +# node-version: ${{ matrix.node-version }} +# - run: npm install +# - name: Run eslint +# run: npm run lint coverage: runs-on: ubuntu-latest timeout-minutes: 10 From dc9aa5e270b3bb7c200d8cac1f161eab2867b802 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:54:51 -0400 Subject: [PATCH 15/33] Rename main workflow. --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 3549c9294..a63a29963 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -1,4 +1,4 @@ -name: Node.js CI +name: Main Checks on: [push] From 99676ae88403178285f25f9948e55510d39c4734 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 22:55:11 -0400 Subject: [PATCH 16/33] Update main checks workflow badge. --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bfc640fee..2e7ec3e64 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ [](https://nodei.co/npm/node-forge/) -[](https://travis-ci.org/digitalbazaar/forge) +[](https://github.com/digitalbazaar/forge/actions?query=workflow%3A%22Main+Checks%22) A native implementation of [TLS][] (and various other cryptographic tools) in [JavaScript][]. 
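Review bot: Commenting out the whole `lint` job removes the only static check from CI and leaves dead YAML that will drift from the live jobs. If the code cannot pass yet, keeping the job with `continue-on-error: true` would still surface new findings without failing the run. Otherwise delete the block and record the condition for re-enabling it in a one-line comment such as `# lint job disabled until lib/ passes eslint-config-digitalbazaar`.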
From f981667d2d3c0f7437090a8e2bff520252df78da Mon Sep 17 00:00:00 2001 From: Renze Nicolai <renze@rnplus.nl> Date: Sun, 14 Mar 2021 13:13:18 +0100 Subject: [PATCH 17/33] Add OIDs for surname, title and givenName --- lib/oids.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/lib/oids.js b/lib/oids.js index 6a937f571..1c8d65a1f 100644 --- a/lib/oids.js +++ b/lib/oids.js @@ -104,6 +104,7 @@ _IN('2.16.840.1.101.3.4.1.42', 'aes256-CBC'); // certificate issuer/subject OIDs _IN('2.5.4.3', 'commonName'); +_IN('2.5.4.4', 'surname'); _IN('2.5.4.5', 'serialName'); _IN('2.5.4.6', 'countryName'); _IN('2.5.4.7', 'localityName'); @@ -111,9 +112,11 @@ _IN('2.5.4.8', 'stateOrProvinceName'); _IN('2.5.4.9', 'streetAddress'); _IN('2.5.4.10', 'organizationName'); _IN('2.5.4.11', 'organizationalUnitName'); +_IN('2.5.4.12', 'title'); _IN('2.5.4.13', 'description'); _IN('2.5.4.15', 'businessCategory'); _IN('2.5.4.17', 'postalCode'); +_IN('2.5.4.42', 'givenName'); _IN('1.3.6.1.4.1.311.60.2.1.2', 'jurisdictionOfIncorporationStateOrProvinceName'); _IN('1.3.6.1.4.1.311.60.2.1.3', 'jurisdictionOfIncorporationCountryName'); From 4d9a7939314815623885bd601e1cc64a934aa175 Mon Sep 17 00:00:00 2001 From: Renze Nicolai <renze@rnplus.nl> Date: Fri, 26 Mar 2021 14:12:31 +0100 Subject: [PATCH 18/33] Fix spacing Co-authored-by: Daniel Hensby <dhensby@users.noreply.github.com> --- lib/oids.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/oids.js b/lib/oids.js index 1c8d65a1f..2148297c4 100644 --- a/lib/oids.js +++ b/lib/oids.js @@ -104,7 +104,7 @@ _IN('2.16.840.1.101.3.4.1.42', 'aes256-CBC'); // certificate issuer/subject OIDs _IN('2.5.4.3', 'commonName'); -_IN('2.5.4.4', 'surname'); +_IN('2.5.4.4', 'surname'); _IN('2.5.4.5', 'serialName'); _IN('2.5.4.6', 'countryName'); _IN('2.5.4.7', 'localityName'); From 66145112894b8cefa94a58f1f4656407d243e9ee Mon Sep 17 00:00:00 2001 
From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 23:26:12 -0400 Subject: [PATCH 19/33] Update changelog. --- CHANGELOG.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 86241ba04..8060d8eb6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,9 @@ Forge ChangeLog Due to use in the test suite, a modified version is located in `tests/support/`. +### Added +- OIDs for `surname`, `title`, and `givenName`. + ## 0.10.0 - 2020-09-01 ### Changed From e01b2ee72cf1901258ebfcb2e9852a917eb40bfe Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 23:33:31 -0400 Subject: [PATCH 20/33] Fix typos. --- CHANGELOG.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8060d8eb6..5e06ef755 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,8 +6,8 @@ Forge ChangeLog ### Removed - **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the potential for prototype pollution. This API was only briefly used by the - maintainers for internal project debug purposes and was never inteneded to be - used with untrusted user intputs. This API was not documented or advertised + maintainers for internal project debug purposes and was never intended to be + used with untrusted user inputs. This API was not documented or advertised and is being removed rather than fixed. - **BREAKING**: Remove `forge.task` API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to 
@@ -32,7 +32,7 @@ Forge ChangeLog from an early time when `forge` was targeted at providing general helper functions. The library direction changed to be more focused on cryptography. Many other excellent libraries are more suitable for general utilities. If - you need a replacement for these functions, consier `get`, `set`, and `unset` + you need a replacement for these functions, consider `get`, `set`, and `unset` from [lodash](https://lodash.com/). But also consider the potential similar security issues with those APIs. From 219bbb2a566d6f8169739d4887a4ab55d6a220b6 Mon Sep 17 00:00:00 2001 From: Ziding Zhang <zidingz@gmail.com> Date: Fri, 10 Sep 2021 12:57:38 +0100 Subject: [PATCH 21/33] Create SECURITY.md A simple instruction for security researchers. Closes #907 --- SECURITY.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 SECURITY.md diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 000000000..dc070c111 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,5 @@ +# Security Policy + +## Reporting a Vulnerability + +Please report security issues to `security@digitalbazaar.com` From c90cd85104e9167703e7a25f6b88e7febc9aa35a Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Fri, 10 Sep 2021 12:43:30 -0400 Subject: [PATCH 22/33] Use plain email. Plain email will let markdown render as a mailto link. --- SECURITY.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/SECURITY.md b/SECURITY.md index dc070c111..090cbbc12 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,4 +2,4 @@ ## Reporting a Vulnerability -Please report security issues to `security@digitalbazaar.com` +Please report security issues to security@digitalbazaar.com. From c0bb359afca73bb0f3ba6feb3f93bbcb9166af2e Mon Sep 17 00:00:00 2001 
From: Kevin Backhouse <kevinbackhouse@github.com> Date: Mon, 11 Oct 2021 18:07:48 +0100 Subject: [PATCH 23/33] Fix double call of String.fromCharCode. --- lib/prng.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/prng.js b/lib/prng.js index c2f5f0518..d3bd22e05 100644 --- a/lib/prng.js +++ b/lib/prng.js @@ -317,7 +317,7 @@ prng.create = function(plugin) { // throw in more pseudo random next = seed >>> (i << 3); next ^= Math.floor(Math.random() * 0x0100); - b.putByte(String.fromCharCode(next & 0xFF)); + b.putByte(next & 0xFF); } } } From 6a10f7c5bad32286fd2a02eac350109f2333a272 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 9 Sep 2021 23:35:17 -0400 Subject: [PATCH 24/33] Fix OID `serialName` to `serialNumber`. - OID 2.5.4.5 should be `serialNumber`. --- CHANGELOG.md | 5 +++++ lib/oids.js | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 5e06ef755..3071b09ad 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -18,6 +18,11 @@ Forge ChangeLog ### Added - OIDs for `surname`, `title`, and `givenName`. +### Fixed +- **BREAKING**: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`. + Depending on how applications used this id to name association it could cause + compatibility issues. + ## 0.10.0 - 2020-09-01 ### Changed diff --git a/lib/oids.js b/lib/oids.js index 2148297c4..1c86c2189 100644 --- a/lib/oids.js +++ b/lib/oids.js @@ -105,7 +105,7 @@ _IN('2.16.840.1.101.3.4.1.42', 'aes256-CBC'); // certificate issuer/subject OIDs _IN('2.5.4.3', 'commonName'); _IN('2.5.4.4', 'surname'); -_IN('2.5.4.5', 'serialName'); +_IN('2.5.4.5', 'serialNumber'); _IN('2.5.4.6', 'countryName'); _IN('2.5.4.7', 'localityName'); _IN('2.5.4.8', 'stateOrProvinceName'); From e1a740d0be6c773af1840e0f0620994b8beeb020 Mon Sep 17 00:00:00 2001 
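Review bot: The corrected `b.putByte(next & 0xFF);` call in the `Math.random()` seeding loop of `prng.create` has no comment or regression test pinning what it is meant to write, so the same mistake could return unnoticed. The commit title says the old line applied `String.fromCharCode` twice; assuming `putByte` converts its numeric argument itself, the previous code would have written a constant byte instead of the mixed seed value. I would add `// putByte() takes a numeric byte value, not a one-character string` above the call and a test asserting that the bytes collected on this path are not all identical. The diffstat touches only lib/prng.js, so a CHANGELOG entry for this seed-quality fix is also missing from this commit. The enclosing function starts and ends outside the hunk.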
From: ctcpip <ctcpip@users.noreply.github.com> Date: Fri, 20 Aug 2021 14:10:25 -0500 Subject: [PATCH 25/33] =?UTF-8?q?=F0=9F=94=92=20change=20CSR=20examples=20?= =?UTF-8?q?to=20use=202048=20bits?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- README.md | 2 +- examples/create-cert.js | 4 ++-- examples/create-csr.js | 4 ++-- examples/create-pkcs12.js | 4 ++-- examples/sign-p7.js | 4 ++-- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 2e7ec3e64..c308ebe06 100644 --- a/README.md +++ b/README.md @@ -1451,7 +1451,7 @@ __Examples__ ```js // generate a key pair -var keys = forge.pki.rsa.generateKeyPair(1024); +var keys = forge.pki.rsa.generateKeyPair(2048); // create a certification request (CSR) var csr = forge.pki.createCertificationRequest(); diff --git a/examples/create-cert.js b/examples/create-cert.js index 365f5a782..03df72c95 100644 --- a/examples/create-cert.js +++ b/examples/create-cert.js @@ -1,7 +1,7 @@ var forge = require('..'); -console.log('Generating 1024-bit key-pair...'); -var keys = forge.pki.rsa.generateKeyPair(1024); +console.log('Generating 2048-bit key-pair...'); +var keys = forge.pki.rsa.generateKeyPair(2048); console.log('Key-pair created.'); console.log('Creating self-signed certificate...'); diff --git a/examples/create-csr.js b/examples/create-csr.js index e5be773a2..8961a31fd 100644 --- a/examples/create-csr.js +++ b/examples/create-csr.js @@ -1,7 +1,7 @@ var forge = require('..'); -console.log('Generating 1024-bit key-pair...'); -var keys = forge.pki.rsa.generateKeyPair(1024); +console.log('Generating 2048-bit key-pair...'); +var keys = forge.pki.rsa.generateKeyPair(2048); console.log('Key-pair created.'); console.log('Creating certification request (CSR) ...'); diff --git a/examples/create-pkcs12.js b/examples/create-pkcs12.js index 1125fc0f1..d41965fb1 100644 --- a/examples/create-pkcs12.js +++ b/examples/create-pkcs12.js 
@@ -2,8 +2,8 @@ var forge = require('..'); try { // generate a keypair - console.log('Generating 1024-bit key-pair...'); - var keys = forge.pki.rsa.generateKeyPair(1024); + console.log('Generating 2048-bit key-pair...'); + var keys = forge.pki.rsa.generateKeyPair(2048); console.log('Key-pair created.'); // create a certificate diff --git a/examples/sign-p7.js b/examples/sign-p7.js index 406ce787e..73d07e566 100644 --- a/examples/sign-p7.js +++ b/examples/sign-p7.js @@ -42,8 +42,8 @@ function createSigner(name) { console.log('Creating signer "' + name + '"...'); // generate a keypair - console.log('Generating 1024-bit key-pair...'); - var keys = forge.pki.rsa.generateKeyPair(1024); + console.log('Generating 2048-bit key-pair...'); + var keys = forge.pki.rsa.generateKeyPair(2048); console.log('Key-pair created:'); console.log(forge.pki.privateKeyToPem(keys.privateKey)); console.log(forge.pki.publicKeyToPem(keys.publicKey)); From db8016c805371e72b06d8e2edfe0ace0df934a5e Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Thu, 21 Oct 2021 20:15:32 -0400 Subject: [PATCH 26/33] Remove forge.util.parseUrl. - Switch URL parsing to the WHATWG URL Standard `URL` API. - Older browser or Node.js usage of related code might now require a URL polyfill. --- CHANGELOG.md | 16 +++++++++++++ README.md | 4 ---- lib/http.js | 39 +++++++++++++------------------- lib/util.js | 37 ------------------------------ lib/xhr.js | 14 +++++++----- package.json | 2 +- tests/websockets/server-webid.js | 7 +++--- 7 files changed, 45 insertions(+), 74 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3071b09ad..0bd63e496 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -9,12 +9,22 @@ Forge ChangeLog maintainers for internal project debug purposes and was never intended to be used with untrusted user inputs. This API was not documented or advertised and is being removed rather than fixed. +- **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and + `forge.http.parseUrl` alias) and use the [WHATWG URL + Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers + and modern Node.js. This change is needed to address URL parsing security + issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or + `forge.http` APIs, and support is needed for environments without `URL` + support, then a polyfill must be used. - **BREAKING**: Remove `forge.task` API. This API was never used, documented, or advertised by the maintainers. If anyone was using this API and wishes to continue development it in other project, please let the maintainers know. Due to use in the test suite, a modified version is located in `tests/support/`. +### Changed +- **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support. + ### Added - OIDs for `surname`, `title`, and `givenName`. @@ -23,6 +33,12 @@ Forge ChangeLog Depending on how applications used this id to name association it could cause compatibility issues. +### Notes +- The URL related changes may expose bugs in some of the networking related + code (unrelated to the much wider used cryptography code). The automated and + manual test coverage for this code is weak at best. Issues or patches to + update the code or tests would be appriciated. + ## 0.10.0 - 2020-09-01 ### Changed diff --git a/README.md b/README.md index c308ebe06..bddcffe6e 100644 --- a/README.md +++ b/README.md 
@@ -1968,10 +1968,6 @@ var nodeBuffer = Buffer.from(forgeBuffer.getBytes(), 'binary'); // make sure you specify the encoding as 'binary' var nodeBuffer = Buffer.from('CAFE', 'hex'); var forgeBuffer = forge.util.createBuffer(nodeBuffer.toString('binary')); - -// parse a URL -var parsed = forge.util.parseUrl('http://example.com/foo?bar=baz'); -// parsed.scheme, parsed.host, parsed.port, parsed.path, parsed.fullHost ``` <a name="log" /> diff --git a/lib/http.js b/lib/http.js index 0ae863050..fe52986b1 100644 --- a/lib/http.js +++ b/lib/http.js @@ -33,8 +33,8 @@ var _getStorageId = function(client) { // browsers (if this is undesirable) // navigator.userAgent return 'forge.http.' + - client.url.scheme + '.' + - client.url.host + '.' + + client.url.protocol.slice(0, -1) + '.' + + client.url.hostname + '.' + client.url.port; }; @@ -121,7 +121,7 @@ var _doRequest = function(client, socket) { // connect socket.options.request.connectTime = +new Date(); socket.connect({ - host: client.url.host, + host: client.url.hostname, port: client.url.port, policyPort: client.policyPort, policyUrl: client.policyUrl @@ -310,7 +310,7 @@ var _initSocket = function(client, socket, tlsOptions) { // prime socket by connecting and caching TLS session, will do // next request from there socket.connect({ - host: client.url.host, + host: client.url.hostname, port: client.url.port, policyPort: client.policyPort, policyUrl: client.policyUrl @@ -405,7 +405,7 @@ var _readCookies = function(client, response) { * * @param options: * url: the url to connect to (scheme://host:port). - * socketPool: the flash socket pool to use. + * socketPool: the flash socket pool to use. * policyPort: the flash policy port to use (if other than the * socket pool default), use 0 for flash default. * policyUrl: the flash policy file URL to use (if provided will 
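Review bot: `client.url.port` is still read unchanged in `_getStorageId`, `_doRequest` and `_initSocket`, but on a WHATWG `URL` the `port` property is the empty string when the URL uses the scheme's default port, whereas the `forge.util.parseUrl` removed by this commit filled in 80 or 443. For a URL such as `https://example.com/` the two `socket.connect` calls would receive `port: ''` and the storage id would end in a bare dot; how the socket layer treats an empty port is not visible here. I would resolve the port once in `http.createClient`, e.g. `var port = url.port || (url.protocol === 'https:' ? 443 : 80);`, and use that value in all three places. All three functions continue outside their hunks.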
@@ -441,8 +441,10 @@ http.createClient = function(options) { // get scheme, host, and port from url options.url = (options.url || window.location.protocol + '//' + window.location.host); - var url = http.parseUrl(options.url); - if(!url) { + var url; + try { + url = new URL(options.url); + } catch(e) { var error = new Error('Invalid url.'); error.details = {url: options.url}; throw error; @@ -469,7 +471,7 @@ http.createClient = function(options) { // idle sockets idle: [], // whether or not the connections are secure - secure: (url.scheme === 'https'), + secure: (url.protocol === 'https:'), // cookie jar (key'd off of name and then path, there is only 1 domain // and one setting for secure per client so name+path is unique) cookies: {}, @@ -497,7 +499,7 @@ http.createClient = function(options) { if(depth === 0 && verified === true) { // compare common name to url host var cn = certs[depth].subject.getField('CN'); - if(cn === null || client.url.host !== cn.value) { + if(cn === null || client.url.hostname !== cn.value) { verified = { message: 'Certificate common name does not match url host.' }; @@ -512,7 +514,7 @@ http.createClient = function(options) { tlsOptions = { caStore: caStore, cipherSuites: options.cipherSuites || null, - virtualHost: options.virtualHost || url.host, + virtualHost: options.virtualHost || url.hostname, verify: options.verify || _defaultCertificateVerify, getCertificate: options.getCertificate || null, getPrivateKey: options.getPrivateKey || null, @@ -552,7 +554,7 @@ http.createClient = function(options) { client.send = function(options) { // add host header if not set if(options.request.getField('Host') === null) { - options.request.setField('Host', client.url.fullHost); + options.request.setField('Host', client.url.origin); } // set default dummy handlers 
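Review bot: The `new URL(options.url)` parse in `http.createClient` accepts any scheme, while the `forge.util.parseUrl` regex removed by this commit only matched `http` and `https`, and no scheme check follows the `try`/`catch`. A URL with another scheme now yields a client whose `secure` flag is false (the `url.protocol === 'https:'` test), so it would be handled as plain HTTP instead of being rejected as invalid. I would keep the old contract by throwing the same 'Invalid url.' error when `url.protocol !== 'http:' && url.protocol !== 'https:'`. The same applies to the `new URL(options.url)` parse added to `xhrApi.create` in lib/xhr.js.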
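Review bot: `options.request.setField('Host', client.url.origin);` in `client.send` puts the scheme into the Host header, because `URL.origin` serializes as `scheme://host[:port]` while the `fullHost` value it replaces was the host plus an optional non-default port. A value such as `https://example.com` is not a valid Host header, and servers or proxies that route on it may reject or misroute the request. `URL.host` is the matching property: `options.request.setField('Host', client.url.host);`. `client.send` continues past the end of the hunk.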
@@ -1307,15 +1309,6 @@ http.createResponse = function() { return response; }; -/** - * Parses the scheme, host, and port from an http(s) url. - * - * @param str the url string. - * - * @return the parsed url object or null if the url is invalid. - */ -http.parseUrl = forge.util.parseUrl; - /** * Returns true if the given url is within the given cookie's domain. * @@ -1336,11 +1329,11 @@ http.withinCookieDomain = function(url, cookie) { // ensure domain starts with a '.' // parse URL as necessary if(typeof url === 'string') { - url = http.parseUrl(url); + url = new URL(url); } - // add '.' to front of URL host to match against domain - var host = '.' + url.host; + // add '.' to front of URL hostname to match against domain + var host = '.' + url.hostname; // if the host ends with domain then it falls within it var idx = host.lastIndexOf(domain); diff --git a/lib/util.js b/lib/util.js index 98dfd3427..5100eab6e 100644 --- a/lib/util.js +++ b/lib/util.js 
@@ -2258,43 +2258,6 @@ util.clearItems = function(api, id, location) { _callStorageFunction(_clearItems, arguments, location); }; -/** - * Parses the scheme, host, and port from an http(s) url. - * - * @param str the url string. - * - * @return the parsed url object or null if the url is invalid. - */ -util.parseUrl = function(str) { - // FIXME: this regex looks a bit broken - var regex = /^(https?):\/\/([^:&^\/]*):?(\d*)(.*)$/g; - regex.lastIndex = 0; - var m = regex.exec(str); - var url = (m === null) ? null : { - full: str, - scheme: m[1], - host: m[2], - port: m[3], - path: m[4] - }; - if(url) { - url.fullHost = url.host; - if(url.port) { - if(url.port !== 80 && url.scheme === 'http') { - url.fullHost += ':' + url.port; - } else if(url.port !== 443 && url.scheme === 'https') { - url.fullHost += ':' + url.port; - } - } else if(url.scheme === 'http') { - url.port = 80; - } else if(url.scheme === 'https') { - url.port = 443; - } - url.full = url.scheme + '://' + url.fullHost; - } - return url; -}; - /* Storage for query variables */ var _queryVariables = null; diff --git a/lib/xhr.js b/lib/xhr.js index e493c3b60..fa928352b 100644 --- a/lib/xhr.js +++ b/lib/xhr.js @@ -151,7 +151,7 @@ xhrApi.init = function(options) { getPrivateKey: options.getPrivateKey, getSignature: options.getSignature }); - _clients[_client.url.full] = _client; + _clients[_client.url.origin] = _client; forge.log.debug(cat, 'ready'); }; @@ -380,8 +380,10 @@ xhrApi.create = function(options) { // use default _state.client = _client; } else { - var url = http.parseUrl(options.url); - if(!url) { + var url; + try { + url = new URL(options.url); + } catch(e) { var error = new Error('Invalid url.'); error.details = { url: options.url 
@@ -389,9 +391,9 @@ xhrApi.create = function(options) { } // find client - if(url.full in _clients) { + if(url.origin in _clients) { // client found - _state.client = _clients[url.full]; + _state.client = _clients[url.origin]; } else { // create client _state.client = http.createClient({ @@ -409,7 +411,7 @@ xhrApi.create = function(options) { getPrivateKey: options.getPrivateKey, getSignature: options.getSignature }); - _clients[url.full] = _state.client; + _clients[url.origin] = _state.client; } } diff --git a/package.json b/package.json index f54ff72d3..22ff40e46 100644 --- a/package.json +++ b/package.json @@ -60,7 +60,7 @@ "dist/*.min.js.map" ], "engines": { - "node": ">= 6.0.0" + "node": ">= 6.13.0" }, "keywords": [ "aes", diff --git a/tests/websockets/server-webid.js b/tests/websockets/server-webid.js index 6f7cf37b8..5319372bb 100644 --- a/tests/websockets/server-webid.js +++ b/tests/websockets/server-webid.js @@ -174,9 +174,10 @@ var fetchUrl = function(url, callback, redirects) { console.log('Fetching URL: \"' + url + '\"'); // parse URL - url = forge.util.parseUrl(url); - var client = http.createClient( - url.port, url.fullHost, url.scheme === 'https'); + url = new URL(url); + var client = http.createClient({ + url: url + }); var request = client.request('GET', url.path, { Host: url.host, Accept: 'application/rdf+xml' From aea85c5cb9e7a1a180298cb4fd84e39cea254e03 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Tue, 28 Dec 2021 00:11:31 -0500 Subject: [PATCH 27/33] Remove URL related APIs. **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`, `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with `URL`, `URLSearchParams`, and custom code as needed. --- CHANGELOG.md | 3 + lib/log.js | 15 ++- lib/util.js | 218 -------------------------------------- tests/legacy/loginDemo.js | 10 +- 4 files changed, 18 insertions(+), 228 deletions(-) 
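Review bot: `client.request('GET', url.path, ...)` in `fetchUrl` of tests/websockets/server-webid.js still reads `url.path`, a field the removed `forge.util.parseUrl` result had but a WHATWG `URL` does not, so the request path becomes `undefined` once `url = new URL(url)` has run. The equivalent value is `url.pathname + url.search`. The `http.createClient({url: url})` call also changes from three positional arguments to an options object; which `http` module this script binds is outside the hunk, so confirm that it accepts that shape. `fetchUrl` continues past the end of the hunk.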
diff --git a/CHANGELOG.md b/CHANGELOG.md index 0bd63e496..1e4bd343e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -21,6 +21,9 @@ Forge ChangeLog continue development it in other project, please let the maintainers know. Due to use in the test suite, a modified version is located in `tests/support/`. +- **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`, + `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with + `URL`, `URLSearchParams`, and custom code as needed. ### Changed - **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support. diff --git a/lib/log.js b/lib/log.js index 8d36f4a89..b8a265c20 100644 --- a/lib/log.js +++ b/lib/log.js @@ -298,15 +298,20 @@ if(typeof(console) !== 'undefined' && 'log' in console) { * that could otherwise be limited by a user config. */ if(sConsoleLogger !== null) { - var query = forge.util.getQueryVariables(); - if('console.level' in query) { + var query; + if(typeof(window) !== 'undefined' && window.location) { + query = new URL(window.location.href).searchParams; + } else { + query = new URLSearchParams(); + } + if(query.has('console.level')) { // set with last value forge.log.setLevel( - sConsoleLogger, query['console.level'].slice(-1)[0]); + sConsoleLogger, query.get('console.level').slice(-1)[0]); } - if('console.lock' in query) { + if(query.has('console.lock')) { // set with last value - var lock = query['console.lock'].slice(-1)[0]; + var lock = query.get('console.lock').slice(-1)[0]; if(lock == 'true') { forge.log.lock(sConsoleLogger); } diff --git a/lib/util.js b/lib/util.js index 5100eab6e..aaede5ad2 100644 --- a/lib/util.js +++ b/lib/util.js 
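Review bot: `query.get('console.level').slice(-1)[0]` and the matching `console.lock` line in lib/log.js keep the array idiom of the removed `getQueryVariables`, but `URLSearchParams.get()` returns a single string, so `.slice(-1)[0]` now yields the last character of the value. `?console.level=debug` would pass `'g'` to `forge.log.setLevel`, and `lock == 'true'` can no longer be true, so the query-string lock silently stops working. To keep the "set with last value" behaviour use `query.getAll('console.level').slice(-1)[0]` and `query.getAll('console.lock').slice(-1)[0]`. The enclosing `if(sConsoleLogger !== null)` block ends outside the hunk.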
@@ -2258,224 +2258,6 @@ util.clearItems = function(api, id, location) { _callStorageFunction(_clearItems, arguments, location); }; -/* Storage for query variables */ -var _queryVariables = null; - -/** - * Returns the window location query variables. Query is parsed on the first - * call and the same object is returned on subsequent calls. The mapping - * is from keys to an array of values. Parameters without values will have - * an object key set but no value added to the value array. Values are - * unescaped. - * - * ...?k1=v1&k2=v2: - * { - * "k1": ["v1"], - * "k2": ["v2"] - * } - * - * ...?k1=v1&k1=v2: - * { - * "k1": ["v1", "v2"] - * } - * - * ...?k1=v1&k2: - * { - * "k1": ["v1"], - * "k2": [] - * } - * - * ...?k1=v1&k1: - * { - * "k1": ["v1"] - * } - * - * ...?k1&k1: - * { - * "k1": [] - * } - * - * @param query the query string to parse (optional, default to cached - * results from parsing window location search query). - * - * @return object mapping keys to variables. - */ -util.getQueryVariables = function(query) { - var parse = function(q) { - var rval = {}; - var kvpairs = q.split('&'); - for(var i = 0; i < kvpairs.length; i++) { - var pos = kvpairs[i].indexOf('='); - var key; - var val; - if(pos > 0) { - key = kvpairs[i].substring(0, pos); - val = kvpairs[i].substring(pos + 1); - } else { - key = kvpairs[i]; - val = null; - } - if(!(key in rval)) { - rval[key] = []; - } - // disallow overriding object prototype keys - if(!(key in Object.prototype) && val !== null) { - rval[key].push(unescape(val)); - } - } - return rval; - }; - - var rval; - if(typeof(query) === 'undefined') { - // set cached variables if needed - if(_queryVariables === null) { - if(typeof(window) !== 'undefined' && window.location && window.location.search) { - // parse window search query - _queryVariables = parse(window.location.search.substring(1)); - } else { - // no query variables available - _queryVariables = {}; - } - } - rval = _queryVariables; - } else { - // parse given 
query - rval = parse(query); - } - return rval; -}; - -/** - * Parses a fragment into a path and query. This method will take a URI - * fragment and break it up as if it were the main URI. For example: - * /bar/baz?a=1&b=2 - * results in: - * { - * path: ["bar", "baz"], - * query: {"k1": ["v1"], "k2": ["v2"]} - * } - * - * @return object with a path array and query object. - */ -util.parseFragment = function(fragment) { - // default to whole fragment - var fp = fragment; - var fq = ''; - // split into path and query if possible at the first '?' - var pos = fragment.indexOf('?'); - if(pos > 0) { - fp = fragment.substring(0, pos); - fq = fragment.substring(pos + 1); - } - // split path based on '/' and ignore first element if empty - var path = fp.split('/'); - if(path.length > 0 && path[0] === '') { - path.shift(); - } - // convert query into object - var query = (fq === '') ? {} : util.getQueryVariables(fq); - - return { - pathString: fp, - queryString: fq, - path: path, - query: query - }; -}; - -/** - * Makes a request out of a URI-like request string. This is intended to - * be used where a fragment id (after a URI '#') is parsed as a URI with - * path and query parts. The string should have a path beginning and - * delimited by '/' and optional query parameters following a '?'. The - * query should be a standard URL set of key value pairs delimited by - * '&'. For backwards compatibility the initial '/' on the path is not - * required. The request object has the following API, (fully described - * in the method code): - * { - * path: <the path string part>. - * query: <the query string part>, - * getPath(i): get part or all of the split path array, - * getQuery(k, i): get part or all of a query key array, - * getQueryLast(k, _default): get last element of a query key array. - * } - * - * @return object with request parameters. 
- */ -util.makeRequest = function(reqString) { - var frag = util.parseFragment(reqString); - var req = { - // full path string - path: frag.pathString, - // full query string - query: frag.queryString, - /** - * Get path or element in path. - * - * @param i optional path index. - * - * @return path or part of path if i provided. - */ - getPath: function(i) { - return (typeof(i) === 'undefined') ? frag.path : frag.path[i]; - }, - /** - * Get query, values for a key, or value for a key index. - * - * @param k optional query key. - * @param i optional query key index. - * - * @return query, values for a key, or value for a key index. - */ - getQuery: function(k, i) { - var rval; - if(typeof(k) === 'undefined') { - rval = frag.query; - } else { - rval = frag.query[k]; - if(rval && typeof(i) !== 'undefined') { - rval = rval[i]; - } - } - return rval; - }, - getQueryLast: function(k, _default) { - var rval; - var vals = req.getQuery(k); - if(vals) { - rval = vals[vals.length - 1]; - } else { - rval = _default; - } - return rval; - } - }; - return req; -}; - -/** - * Makes a URI out of a path, an object with query parameters, and a - * fragment. Uses jQuery.param() internally for query string creation. - * If the path is an array, it will be joined with '/'. - * - * @param path string path or array of strings. - * @param query object with query parameters. (optional) - * @param fragment fragment string. (optional) - * - * @return string object with request parameters. - */ -util.makeLink = function(path, query, fragment) { - // join path parts if needed - path = jQuery.isArray(path) ? path.join('/') : path; - - var qstr = jQuery.param(query || {}); - fragment = fragment || ''; - return path + - ((qstr.length > 0) ? ('?' + qstr) : '') + - ((fragment.length > 0) ? ('#' + fragment) : ''); -}; - /** * Check if an object is empty. * diff --git a/tests/legacy/loginDemo.js b/tests/legacy/loginDemo.js index 35dab6b18..dc0d301db 100644 --- a/tests/legacy/loginDemo.js 
+++ b/tests/legacy/loginDemo.js @@ -29,11 +29,11 @@ var init = function($) try { // get query variables - var query = forge.util.getQueryVariables(); - var domain = query.domain || ''; - var auth = query.auth || ''; - var redirect = query.redirect || ''; - var pport = query.pport || 843; + var query = new URL(window.location.href).searchParams; + var domain = query.get('domain') || ''; + var auth = query.get('auth') || ''; + var redirect = query.get('redirect') || ''; + var pport = parseInt(query.get('pport')) || 843; redirect = 'https://' + domain + '/' + redirect; if(domain) { From a3f48e4078211ec0176b6e387d83bbc3f8470b0a Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dil@lehn.org> Date: Tue, 4 Jan 2022 18:31:54 -0500 Subject: [PATCH 28/33] Fix spelling. Co-authored-by: Dave Longley <dlongley@digitalbazaar.com> --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1e4bd343e..c572f3817 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -40,7 +40,7 @@ Forge ChangeLog - The URL related changes may expose bugs in some of the networking related code (unrelated to the much wider used cryptography code). The automated and manual test coverage for this code is weak at best. Issues or patches to - update the code or tests would be appriciated. + update the code or tests would be appreciated. ## 0.10.0 - 2020-09-01 From 27286feec0f9ac0094a6b7a3041e5c1a412ad7a5 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dil@lehn.org> Date: Tue, 4 Jan 2022 18:32:19 -0500 Subject: [PATCH 29/33] Fix style. Co-authored-by: Dave Longley <dlongley@digitalbazaar.com> --- lib/log.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/log.js b/lib/log.js index b8a265c20..5228047f6 100644 --- a/lib/log.js +++ b/lib/log.js 
@@ -299,7 +299,7 @@ if(typeof(console) !== 'undefined' && 'log' in console) { */ if(sConsoleLogger !== null) { var query; - if(typeof(window) !== 'undefined' && window.location) { + if(typeof window !== 'undefined' && window.location) { query = new URL(window.location.href).searchParams; } else { query = new URLSearchParams(); From 5f8d5c215f157faf8d2e1d8061c4d6086363f871 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Tue, 4 Jan 2022 20:54:48 -0500 Subject: [PATCH 30/33] Update docs. - Update to v1.0.0. - Update changelog. - Update release details. - Remove mentions of bower and forge-dist. - Rename master to main. - Add Libera.Chat IRC channel. - Minor other fixes. --- .gitignore | 1 - CHANGELOG.md | 22 ++++++++++----- README.md | 28 ++++++------------- RELEASE.md | 78 +++++++--------------------------------------------- 4 files changed, 34 insertions(+), 95 deletions(-) diff --git a/.gitignore b/.gitignore index 134b7dedd..01519a399 100644 --- a/.gitignore +++ b/.gitignore @@ -1,7 +1,6 @@ *.py[co] *.sw[nop] *~ -.bower.json .cdtproject .classpath .cproject diff --git a/CHANGELOG.md b/CHANGELOG.md index c572f3817..39c7139e4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,15 @@ Forge ChangeLog =============== -## 0.11.0 - 2021-xx-xx +## 1.0.0 - 2022-xx-xx + +### Notes +- **1.0.0**! +- This project is over a decade old! Time for a 1.0.0 release. +- The URL related changes may expose bugs in some of the networking related + code (unrelated to the much wider used cryptography code). The automated and + manual test coverage for this code is weak at best. Issues or patches to + update the code or tests would be appreciated. ### Removed - **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the 
@@ -27,6 +35,12 @@ Forge ChangeLog ### Changed - **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support. +- **BREAKING**: Renamed `master` branch to `main`. +- **BREAKING**: Release process updated to use tooling that prefixes versions + with `v`. Other tools, scripts, or scanners may need to adapt. +- **BREAKING**: Remove docs related to Bower and + [forge-dist](https://github.com/digitalbazaar/forge-dist). Use [NPM][] or + another CDN. (Also be sure to read "Security Considerations" in the README.) ### Added - OIDs for `surname`, `title`, and `givenName`. @@ -36,12 +50,6 @@ Forge ChangeLog Depending on how applications used this id to name association it could cause compatibility issues. -### Notes -- The URL related changes may expose bugs in some of the networking related - code (unrelated to the much wider used cryptography code). The automated and - manual test coverage for this code is weak at best. Issues or patches to - update the code or tests would be appreciated. - ## 0.10.0 - 2020-09-01 ### Changed diff --git a/README.md b/README.md index bddcffe6e..6f3279efb 100644 --- a/README.md +++ b/README.md @@ -105,7 +105,7 @@ not be regularly updated. If you want to use forge with [Node.js][], it is available through `npm`: -https://npmjs.org/package/node-forge +https://www.npmjs.com/package/node-forge Installation: 
@@ -120,24 +120,12 @@ var forge = require('node-forge'); The npm package includes pre-built `forge.min.js`, `forge.all.min.js`, and `prime.worker.min.js` using the [UMD][] format. -### Bundle / Bower - -Each release is published in a separate repository as pre-built and minimized -basic forge bundles using the [UMD][] format. - -https://github.com/digitalbazaar/forge-dist - -This bundle can be used in many environments. In particular it can be installed -with [Bower][]: - - bower install forge - ### jsDelivr CDN To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) include this in your html: ```html -<script src="https://cdn.jsdelivr.net/npm/node-forge@0.7.0/dist/forge.min.js"></script> +<script src="https://cdn.jsdelivr.net/npm/node-forge@1.0.0/dist/forge.min.js"></script> ``` ### unpkg CDN @@ -145,7 +133,7 @@ To use it via [jsDelivr](https://www.jsdelivr.com/package/npm/node-forge) includ To use it via [unpkg](https://unpkg.com/#/) include this in your html: ```html -<script src="https://unpkg.com/node-forge@0.7.0/dist/forge.min.js"></script> +<script src="https://unpkg.com/node-forge@1.0.0/dist/forge.min.js"></script> ``` ### Development Requirements @@ -2003,8 +1991,8 @@ When using this code please keep the following in mind: runtime characteristics, runtime optimization, code optimization, code minimization, code obfuscation, bundling tools, possible bugs, the Forge code itself, and so on. -- If using pre-built bundles from [Bower][] or similar be aware someone else - ran the tools to create those files. +- If using pre-built bundles from [NPM][], another CDN, or similar, be aware + someone else ran the tools to create those files. - Use a secure transport channel such as [TLS][] to load scripts and consider using additional security mechanisms such as [Subresource Integrity][] script attributes. 
@@ -2030,7 +2018,8 @@ Contact * Code: https://github.com/digitalbazaar/forge * Bugs: https://github.com/digitalbazaar/forge/issues * Email: support@digitalbazaar.com -* IRC: [#forgejs][] on [freenode][] +* IRC: [#forgejs][] on [Libera.Chat][] (people may also be on [freenode][] for + historical reasons). Donations --------- @@ -2045,7 +2034,6 @@ Financial support is welcome and helps contribute to futher development: [3DES]: https://en.wikipedia.org/wiki/Triple_DES [AES]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard [ASN.1]: https://en.wikipedia.org/wiki/ASN.1 -[Bower]: https://bower.io/ [Browserify]: http://browserify.org/ [CBC]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation [CFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation @@ -2058,7 +2046,9 @@ Financial support is welcome and helps contribute to futher development: [HMAC]: https://en.wikipedia.org/wiki/HMAC [JavaScript]: https://en.wikipedia.org/wiki/JavaScript [Karma]: https://karma-runner.github.io/ +[Libera.Chat]: https://libera.chat/ [MD5]: https://en.wikipedia.org/wiki/MD5 +[NPM]: https://www.npmjs.com/ [Node.js]: https://nodejs.org/ [OFB]: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation [PKCS#10]: https://en.wikipedia.org/wiki/Certificate_signing_request diff --git a/RELEASE.md b/RELEASE.md index c90a249f4..92c01d248 100644 --- a/RELEASE.md +++ b/RELEASE.md 
@@ -1,77 +1,19 @@ Forge Release Process ===================== -Versioning ----------- +Prepare a Release +----------------- * Follow the [Semantic Versioning][] guidelines. -* Use version X.Y.Z-dev in dev mode. -* Use version X.Y.Z for releases. - -Master Branch Release Process ------------------------------ - * Ensure [tests pass](./README.md#testing). +* Ensure [CHANGELOG.md](./CHANGELOG.md) is up-to-date using [Keep a + CHANGELOG][] style. -## Update the main repository: - -* Commit changes. -* Update the [CHANGELOG](./CHANGELOG.md) as needed using rougly - [Keep a CHANGELOG][] style. -* `$EDITOR package.json`: update to release version and remove `-dev` suffix. -* `git commit package.json -m "Release {version}."` -* `git tag {version}` -* `$EDITOR package.json`: update to next version and add `-dev` suffix. -* `git commit package.json -m "Start {next-version}."` -* `git push` -* `git push --tags` - -## Publish to NPM: - -To ensure a clean upload, use a clean updated checkout, and run the following: - -* `git checkout {version}` -* `npm install` -* `npm publish` - -## Update bundled distribution - -This is kept in a different repository to avoid the accumulated size when -adding per-release bundles. - -* Checkout [forge-dist][]. -* Build a clean Forge version you want to distribute: - * `git checkout {version}` - * `npm install` - * `npm run build` -* Copy files to `forge-dist`: - * `cp dist/forge.min.js{,.map} dist/prime.worker.min.js{,.map} FORGEDIST/dist/` -* Release `forge-dist`: - * `git commit -a -m "Release {version}."` - * `git tag {version}` - * `git push` - * `git push origin {version}` - -Older Branch Release Process ----------------------------- - -In order to provide support for Bower (and similar) for current built bundle -releases and historical releases the [forge-dist][] repository needs to be -updated with code changes and tags from the main repository. 
Once a historical -branch, like 0.6.x, on the main repository is updated and tagged, do the -following: +Publish to NPM +-------------- -* Checkout [forge-dist][]. -* Setup an upstream branch: - * `git remote add upstream git@github.com:digitalbazaar/forge.git` - * `git fetch upstream` -* Merge changes: - * `git checkout 0.6.x` - * `git merge upstream/0.6.x` -* Push code and tag(s): - * `git push` - * `git push origin {version}` +As of Forge 1.0.0 publishing is performed using the `pubnpm` script from +https://github.com/digitalbazaar/publish-script. -[Keep a CHANGELOG]: http://keepachangelog.com/ -[Semantic Versioning]: http://semver.org/ -[forge-dist]: https://github.com/digitalbazaar/forge-dist +[Keep a CHANGELOG]: https://keepachangelog.com/ +[Semantic Versioning]: https://semver.org/ From 69395d0684eb56ee0cdd9a0ea0e541a4013dafd2 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" <dlehn@digitalbazaar.com> Date: Tue, 4 Jan 2022 20:59:12 -0500 Subject: [PATCH 31/33] Fix install note. --- CHANGELOG.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 39c7139e4..8a63b7089 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -39,8 +39,8 @@ Forge ChangeLog - **BREAKING**: Release process updated to use tooling that prefixes versions with `v`. Other tools, scripts, or scanners may need to adapt. - **BREAKING**: Remove docs related to Bower and - [forge-dist](https://github.com/digitalbazaar/forge-dist). Use [NPM][] or - another CDN. (Also be sure to read "Security Considerations" in the README.) + [forge-dist](https://github.com/digitalbazaar/forge-dist). Install using + [another method](./README.md#installation). ### Added - OIDs for `surname`, `title`, and `givenName`. From 9055d6f6099e5199d7e62027e8eb0f5860d33938 Mon Sep 17 00:00:00 2001 
From: "David I. Lehn" <dlehn@digitalbazaar.com>
Date: Tue, 4 Jan 2022 22:00:24 -0500
Subject: [PATCH 32/33] Update changelog.
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8a63b7089..981521ce3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
 Forge ChangeLog
 ===============
-## 1.0.0 - 2022-xx-xx
+## 1.0.0 - 2022-01-04
 ### Notes
 - **1.0.0**!
From bc1a8d8837ef29672dbd320c5d03f06068ae4116 Mon Sep 17 00:00:00 2001
From: "David I. Lehn" <dlehn@digitalbazaar.com>
Date: Tue, 4 Jan 2022 22:00:24 -0500
Subject: [PATCH 33/33] Release 1.0.0.
---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 22ff40e46..1d010d195 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "node-forge",
- "version": "0.10.1-dev",
+ "version": "1.0.0",
 "description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.",
 "homepage": "https://github.com/digitalbazaar/forge",
 "author": {