Replace jsrsasign dependency with alternatives#2414
Conversation
…MENTATION.md file.
|
Due diligence check on libraries added:
|
Yeah, these were my criteria when looking for replacements. |
The comment was mostly for my colleagues to indicate that a maintainer had done those checks (and specifically before kicking off the CI run) |
Ah, OK. I do think it's important that this PR be reviewed thoroughly. While I did my best, I did have to rely on AI to assist me for various parts. The code seems valid and it passes the tests. But still... |
|
Our concern with this one is that it moves a lot of code out of libraries and into the CyberChef code base leaving us with ongoing maintenance overhead. This is doubly so as it is crypto-related code, and as all the adages say - you should never try to roll your own crypto (and likely particularly so when that code has been AI generated/assisted). We'll continue to look at it, but it probably isn't worth spending a lot of time polishing it (merging from master etc) until we come to a conclusion about whether it's the way to go. |
2 participants
Summary
Removes the unmaintained
jsrsasignlibrary (which has reached end-of-support) and replaces it with actively-maintained, audited alternatives across all 14 affected operations and library files.This PR fixes issue #2325.
Motivation
jsrsasignannounced end-of-support. Continuing to ship an unmaintained cryptography library is a security risk. This PR completes a full migration to drop it entirely.Replacement Libraries
@noble/curves^2.2.0@peculiar/x509^1.14.3asn1js^3node-forge(already a dep)PubKeyFromPrivKeyonly@peculiar/x509is pinned to^1.14.3(not v2) because v2 requires areflect-metadatapolyfill at every webpack entry point.Changes
New library files
src/core/lib/Asn1.mjs— OID encode/decode, DER-to-PEM, ASN.1 hex tree dumpsrc/core/lib/Ecdsa.mjs— shared ECDSA helpers (key load, sign/verify, signature format conversions, key generation)src/core/lib/KeyConvert.mjs— RSA/EC/DSA PEM⇄JWK⇄SPKI/PKCS#8 conversion helperssrc/core/lib/X509.mjs— shared X.509 helpers (SPKI describer, SAN/GeneralName formatter, sig-OID table, etc.)Migrated operations
HexToObjectIdentifier,ObjectIdentifierToHex,HexToPEM,ParseASN1HexStringECDSASign,ECDSAVerify,ECDSASignatureConversion,GenerateECDSAKeyPairPEMToJWK,JWKToPem,PubKeyFromPrivKeyParseX509Certificate,PubKeyFromCert,ParseCSR,ParseX509CRLsrc/core/lib/SM2.mjs— full rewrite on@noble/curvesabstract WeierstrassNew test coverage
tests/operations/tests/ASN1.mjs— OID round-trips, PEM line-wrapping, ASN.1 dumpstests/operations/tests/ParseX509Certificate.mjs— golden output for RSA and P-256 certs, empty-input guardDocumentation
CRYPTO_IMPLEMENTATION.md(new) — captures library choices, coding conventions, and maintenance guidance established during this migration. Intended as a long-term reference for future contributors working on cryptographic operations.CHANGELOG.md— updated to note the removal and accepted cosmetic output-format driftCosmetic output drift (accepted)
Text output of
ParseX509Certificate,ParseCSR,ParseX509CRL, andParseASN1HexStringmay differ slightly from the jsrsasign-based output (e.g. extension ordering, ECDSA r/s byte representation). All changes are corrections or reformatting — not regressions — and are documented inCHANGELOG.md.Note on
PLAN_JSRSASIGN-REMOVAL.mdPLAN_JSRSASIGN-REMOVAL.mdis included in this branch as a detailed record of the migration plan and decisions made across each phase. It should be deleted before merging if you do not want it in the main repository; it was retained here as a reference for reviewers who want to understand the rationale and scope of the work.AI Disclosure
Claude Code (Anthropic) was used to assist with the implementation of this migration — specifically to generate the replacement library code, translate jsrsasign API calls to their equivalents, write new test fixtures, and verify cryptographic correctness of the output. All generated code was reviewed and tested before inclusion.