The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES JSON Web Signature/Token/Key in pure JavaScript.
Public page is https://kjur.github.io/jsrsasign .
Your bugfix and pull request contribution are always welcomed :)
- 2021-Apr-14: Security advisory and update for CVE-2021-30246 RSA signature validation vulnerability published
- 2020-Oct-05: jsrsasign won Google Open Source Peer Bonus Award. Thank you Google.
- 2020-Sep-23: 10.0.0 released for CMS SignedData related class including timestamp and CAdES architecture update
- 2020-Aug-24: 9.1.0 released to new CRL APIs align with certificate
- 2020-Aug-19: 9.0.0 released for major update of certificate and CSR generation and parsing without backward compatibility. Please see migration guide in detail.
- 2020-Aug-02: twitter account @jsrsasign started for announcement. please follow.
- Swiss Army Knife style all in one package crypto and PKI library
- available on Node.js and browsers
- very easy API to use
- powerful various format key loader and ASN.1 API
- rich document and samples
- no dependency to other library
- no dependency to W3C Web Cryptography API nor OpenSSL
- no dependency on newer ECMAScirpt function. So old browsers also supported.
- very popular crypto library with 0.6M+ npm downloads/month
> npm install jsrsasign jsrsasign-util
> bower install jsrsasign
> <script src="https://cdnjs.cloudflare.com/ajax/libs/jsrsasign/8.0.20/jsrsasign-all-min.js"></script>
Loading encrypted PKCS#5 private key:
> var rs = require('jsrsasign');
> var rsu = require('jsrsasign-util');
> var pem = rsu.readFile('z1.prv.p5e.pem');
> var prvKey = rs.KEYUTIL.getKey(pem, 'passwd');
Sign string 'aaa' with the loaded private key:
> var sig = new a.Signature({alg: 'SHA1withRSA'});
> sig.init(prvKey);
> sig.updateString('aaa');
> var sigVal = sig.sign();
> sigVal
'd764dcacb...'
published | fixed version | title/advisory | CVE | CVSS |
---|---|---|---|---|
2021Apr14 | 10.2.0 | RSA signature validation vulnerability on maleable encoded message | CVE-2021-30246 | 9.1 |
2020Jun22 | 8.0.19 | ECDSA signature validation vulnerability by accepting wrong ASN.1 encoding | CVE-2020-14966 | 5.5 |
2020Jun22 | 8.0.18 | RSA RSAES-PKCS1-v1_5 and RSA-OAEP decryption vulnerability with prepending zeros | CVE-2020-14967 | 4.8 |
2020Jun22 | 8.0.17 | RSA-PSS signature validation vulnerability by prepending zeros | CVE-2020-14968 | 4.2 |
Here is full published security advisory list.
If you like jsrsasign and my other project, you can support their development by donation through any of the platform/services below. Thank you as always.
You can sponsor jsrsasign with the GitHub Sponsors program.
You can donate cryptocurrency to jsrsasign using the following addresses:
- Bitcoin(BTC): 34vSRe7XHoMy78HKgps9YJ5BrBLYJLeM22
- Ethereum(ETH): 0x9c4cdbb531e5b84796ff5f91a9f652704761e64e
- Litecoin(LTC): LPf3VDJVamwPcNJNjjVtrUQuJQ17ZyWzeU
- Bitcoin Cash(BCH): bitcoincash:pq3hy08pc9vm57q6ddgsc06cqdffmfzwwqxd9yejyf