Update dependency jsrsasign to v11 (main)

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
jsrsasign (source)	dependencies	major	^10.3.0 → ^11.0.0

By merging this PR, the issue #1484 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
Critical	9.1	CVE-2026-4599	Unreachable
High	8.7	CVE-2026-4601	Unreachable
High	7.7	CVE-2022-25898	Unreachable
High	7.5	CVE-2024-21484	Unreachable
High	7.5	CVE-2026-4598	Unreachable
High	7.5	CVE-2026-4602	Unreachable
High	7.4	CVE-2026-4600	Unreachable
Medium	5.9	CVE-2026-4603	Unreachable

---

Release Notes

kjur/jsrsasign (jsrsasign)

v11.1.1

Compare Source

v11.1.0: restore KJUR.crypto.Cipher class without RSA/RSAOAEP support

Compare Source

• Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
  • src/crypto.js
    • restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support

v11.0.0: remove RSA and RSAOAEP encryption for Marvin attack

Compare Source

• Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
  • remove RSA PKCS#1.5 end OAEP encryption/decryption for Marvin attack (#​598)
  • src/crypto.js
    • remove KJUR.crypto.Cipher class for RSA and RSAOAEP encryption/decryption
  • ext/{rsa,rsa2}.js
    remove encrypt/decrypt/encryptOAEP/decryptOAEP for RSAKey class

v10.9.0: enhanced support for encrypted PKCS8

Compare Source

• Changes from 10.8.6 to 10.9.0 (2023-Nov-27)
  • KEYUTIL.getPEM is updated not to use weak ciphers (#​599)
    • default encryptionScheme is changed from des-EDE3-CBC to aes256-CBC
    • default prf is changed from hmacWithSHA1 to hmacWithSHA256
  • src/keyutil.js
    • more encrypted PKCS#8 private key support
      • KEYUTIL.getKey now supports encrypted PKCS#8 private key with
        aes128-CBC, aes256-CBC encrypted and using hmacWithSHA224/256/384/512 as
        psudorandom function.
      • KEYUTIL.getPEM now supports such as above encrypted PKCS#8 PEM
        priavte key.
  • src/crypto.js
    • Cipher.decrypt/encrypt now supports symmetric ciphers (des-EDE3-CBC,aes128-CBC,aes256-CBC)
  • src/base64x.js
    • function inttohex and twoscompl are added
  • src/asn1.js
    • ASN1Util.bigIntToMinTwosComplementsHex is now DEPRECATED. use twoscompl.
  • src/asn1x509.js
    • aes*-CBC and hmacWithSHA* OIDs are added
  • test/qunit-do-{base64x,crypto-cipher,keyutil-eprv,keyutil,keyutil-p8egen}.html
    • update and add some test cases for above
  • stop bower support (bower.json removed)

v10.8.6: X509.getExtSubjectDirectoryAttributes another bugfix

Compare Source

• Changes from 10.8.5 to 10.8.6 (2023-Apr-26)
  • src/x509.js
    • another bugfix X509.getExtSubjectDirectoryAttributes method

v10.8.5: X509.getExtSubjectDirectoryAttributes bugfix

Compare Source

• Changes from 10.8.4 to 10.8.5 (2023-Apr-26)
  • src/x509.js
    • bugfix X509.getExtSubjectDirectoryAttributes method

v10.8.4: more SubjectDirectoryExtension support

Compare Source

• Changes from 10.8.3 to 10.8.4 (2023-Apr-26)
  • src/asn1x509.js
    • SubjectDirectoryAttributes class
      • add array of array support for arbitrary attribute value
  • src/x509.js
    • add X509.getExtSubjectDirectoryAttributes method for
      ExtSubjectDirectoryAttributes extension
    • update X509.getExtParam method
      • support SubjectDirectoryAttributes
      • parse unknown extension as ASN.1
  • src/base64x.js
    • bugfix foldnl function: when length of s is multiple of n,
      result has unnecessary new line in the end of string.
  • qunit-do-{asn1x509,x509-ext,base64x,x500-param}.html
    • update and add some test cases for above

v10.8.3: CABF SMIMEBR OID support

Compare Source

• Changes from 10.8.2 to 10.8.3 (2023-Apr-20)
  • src/asn1x509.js
    • Add OIDs for CABR S/MIME BR policy OIDs and GN givenName attribute type

v10.8.2: RSA OAEP encryption fix

Compare Source

• Changes from 10.8.1 to 10.8.2 (2023-Apr-15)
  • ext/rsa.js
    • fix RSAEncryptOAEP for RSA OAEP encryption #​582 #​583
      In rare cases, it have been generated ciphertext that
      could not be decrpyted.

v10.8.1: npm export missing fix

Compare Source

• Changes from 10.8.0 to 10.8.1 (2023-Apr-09)
  • npm/{package.json, lib/footer.js}

v10.8.0: UserNotice of CertificatePolicies support and more

Compare Source

• Changes from 10.7.0 to 10.8.0 (2023-Apr-8)
  • x509.js
    • X509.getUserNotice supports NoticeReference
    • add asn1ToDisplayText method
  • base64x.js
    • add function msectozulu
    • add aryval for nested JSON value access
  • asn1.js
    • DERInteger refactoring
  • test/qunit-do-{asn1,asn1x509,base64x,x509-ext}.html
    • update and add some test cases for above

v10.7.0: custom X.509 extension support and utility functions

Compare Source

• Changes from 10.6.1 to 10.7.0 (2023-Mar-12)
  • x509.js
    • add X509.registExtParser(): register custom extension parser
  • base64x.js
    • add utility functions
      • b64topem() Base64 string to PEM
      • pemtob64() PEM to Base64 string
      • foldnl() wrap string to fit in specified width
      • timetogen() align to UTCTime to GeneralizedTime
  • test/qunit-do-{x509-ext,base64x}.html
    • update and add some test cases for above

v10.6.1: Add PolicyMappings, PolicyConstraints and InhibitAnyPolicy extension support

Compare Source

• Changes from 10.6.0 to 10.6.1 (2022-Nov-20)
  • asn1x509.js
    • KJUR.asn1.x509.{PolicyMappings,PolicyConstraints,InhibitAnyPolicy} class added
    • KJUR.asn1.x509.Extension updated to support
      PolicyMappings, PolicyConstraints and InhibitAnyPolicy
  • x509.js
    • X509.getExt{PolicyMappings,PolicyConstraints,InhibitAnyPolicy} method added
    • X509.getCriticalExtV utility method added
    • X509.getExtParam updated to support
      {PolicyMappings,PolicyConstraints,InhibitAnyPolicy}
    • X509.getInfo updated to support
      {PolicyMappings,PolicyConstraints,InhibitAnyPolicy}
  • test/qunit-do-{asn1x509-tbscert,x509-ext,x509-getinfo,x509-param}.html
    • update and add some test cases for above

v10.6.0: StringPrep DN canonicalization support and some fix

Compare Source

z* Changes from 10.5.27 to 10.6.0 (2022-Nov-04)

• x509.js
  • X509.getParam
    • add support for optional parameter "dncanon" and "dnhex"
  • X509.getInfo
    • update representation for AltName
  • X509.{getIssuer,getSubect}
    • add support for optional argument flagCanon, flagHex
  • X509.c14RDNArray added to convert from RDN array to canonicalized
    DN name (a.k.a. StringPrep).
  • X509.getX500Name
    • API document updated
  • X509.getOtherName
    • member name changed from "other" to "value" for
      consistency with KJUR.asn1.x509.OtherName class constructor.
    • Also oid member value in return object will be an oid name if defined.
  • X509.setCanonicalizedDN added to set "canon" member value
• asn1x509.js
  • smtpUTF8Mailbox oid added to OID class
  • API document fix
• asn1.js
  • DERTaggedObject API document update
• test/qunit-do-{asn1x509,x509-ext,x509-getinfo,x509-param,x509}.html
  • update some test cases for above

v10.5.27: extend CertificationRequestInfo class for challengePassword and unstructuredName

Compare Source

• Changes from 10.5.26 to 10.5.27 (2022-Aug-19)
  • src/asn1csr.js
    • CertificationRequestInfo class
      • add support for challengePassword and unstructuredName (#​522)
      • "attrs" member support in constructure argument
  • test/qunit-do-asn1csr.html

v10.5.26: CSRUtil class enhancement

Compare Source

• Changes from 10.5.25 to 10.5.26 (2022-Jul-14)
  • src/asn1csr.js
    • CSRUtil.verifySignature method added
    • CSRUtil.getParam enhanced to support optional argument flagTBS
  • test/qunit-do-asn1csr.html
    • update some test cases for above

v10.5.25: CVE-2022-25898 Security fix in JWS and JWT validation

Compare Source

• Changes from 10.5.24 to 10.5.25 (2022-Jun-23)
  • src/jws.js
    • JWS.verify and JWS.verifyJWT
      • CVE-2022-25898 SECURITY FIX:
        verify and verifyJWT may accept signature with special characters
        or \number characters by mistake.
        Please see security advisory:
        GHSA-3fvg-4v2m-98jf
  • src/base64x.js
    • function isBase64URLDot added
  • test/qunit-do-jwt-veri.html

v10.5.24: X509.getParam bugfix for v1 certificate

Compare Source

• Changes from 10.5.23 to 10.5.24 (2022-Jun-04)
  • src/x509.js
    • X509.getParam bugfix for X.509v1 certificate without extension

v10.5.23: BitString parsing bug fix

Compare Source

• Changes from 10.5.22 to 10.5.23 (2022-May-27)
  • src/base64x.js
    • bitstrtobinstr bugfix fix
  • src/asn1hex.js
    • ASN1HEX.parse change for bin string range
  • npm/lib/footers.js
    • add missed exports (bitstrtobinstr, binstrtobitstr,
      namearraytobinstr, extendClass)
  • test/qunit-do-{asn1hex-parse,base64x}.html
    • add and fix some test cases for above

v10.5.22: DERBitString, KeyUsage and tsp PKIFailureInfo critical bug fix

Compare Source

• Changes from 10.5.21 to 10.5.22 (2022-May-24)
  • src/asn1.js
    • DERBitString critical bugfix
  • src/asn1tsp.js
    • PKIFailureInfo critical bugfix
  • src/asn1x509.js
    • KeyUsage critical bugfix
  • src/base64.x
    • namearraytobinstr critical bugfix
  • test/qunit-do-{asn1,asn1tsp,asn1x509,base64x}.html
    • add and fix some test cases for above

v10.5.21

Compare Source

v10.5.20: OCSP ResponderID object udpate

Compare Source

• Changes from 10.5.19 to 10.5.20 (2022-Apr-25)
  • src/asn1ocsp.js
    • ResponderID class now also supports PEM certificate or
      X509 object for key and name field.
  • test/qunit-do-asn1ocsp.html
    • add some test cases and fix for above
  • remove silver sponsor

v10.5.19: Time stamp package update

Compare Source

• Changes from 10.5.18 to 10.5.19 (2022-Apr-23)
  • src/asn1tsp.js
    • TimeStampResp class update to statusinfo member
      will be optional. If omitted, it will be "granted" by default.
    • API manual update for more detail

v10.5.18: Time stamp package update

Compare Source

• Changes from 10.5.17 to 10.5.18 (2022-Apr-22)
  • src/asn1tsp.js
    • TSPParser.getTimeStampReq added
    • TSPUtil.parse{TimeStampReq,MessageImprint} now DEPRECATED. Please use TSPParser.
  • test/qunit-do-asn1tsp.html
    • add some test cases and fix for above

v10.5.17: CIDR subnet mask support in iptohex and hextoip

Compare Source

• Changes from 10.5.16 to 10.5.17 (2022-Apr-14)
  • src/asn1x509.js
    • add IP address support in NameConstraints class
    • bugfix in NameConstraints ip address
    • wrong ASN.1 encoder in NameConstraints class bug fix (wrong explicit tag)
  • src/base64x.js
    • add CIDR subnet mask support in iptohex and hextoip
    • iptohex, hextoip refactoring
  • test/qunit-do-{x509-ext,base64x,asn1x509-tbscert,asn1x509}.html
    • add some test cases and fix for above

v10.5.16: Add NameConstraints extension and modify getEncodedHex to tohex

Compare Source

• Changes from 10.5.15 to 10.5.16 (2022-Apr-08)
  • src/asn1x509.js
    • NameConstraints and GeneralSubtree class added
    • add support for nameConstraints in Extensions class
    • remove old GeneralName code
  • src/x509.js
    • getExtNameConstraints and getGeneralSubbtree method added
    • add support for nameConstraints in getParam method
    • X509.getParam supports optional arguments:
      • tbshex: to return hexadecimal tbsCertificate value
      • nodnarray: delete array member of subject and issuer
        in the result.
  • src/x509crl.js
    • X509CRL.getParam supports optional arguments:
      • tbshex: to return hexadecimal tbsCertList value
      • nodnarray: delete array member of subject and issuer
        in the result.
  • src/asn1.js
    • ASN1Object.tohex() method added
    • ASN1Object.getEncodedHex() method is now DEPRECATED.
      Please use ASN1Object.tohex() instead.
    • clean up some codes
  • src/*.js
    • update for ASN1Object.tohex()
  • test/qunit-do-x509-ext.html
    • getExtNameConstraints and getGeneralSubtree method test added
  • test/qunit-do-asn1x509.html
    • NameConstraints and GeneralSubtree class test added
  • test/qunit-do-asn1-newobj.html
    • int and tag test refactoring
    • bugfix

v10.5.15: X509.getExtCRLDistributionPointsURI small fix

Compare Source

• Changes from 10.5.14 to 10.5.15 (2022-Apr-06)
  • src/x509.js
    • fix X509.getExtCRLDistributionPointsURI. This returns
      undefined when no CDP extension as specified in document
      even though it is deprecated method.

v10.5.14: KEYUTIL.getPEM small fix

Compare Source

• Changes from 10.5.13 to 10.5.14 (2022-Mar-28)
  • src/keyutil.js
    • fix KEYUTIL.getPEM when public key is not specified for ECDSA object.
      optional public key field will be omitted in such case. (#​549)
  • test/qunit-do-*.html
    • test case added for above updates.

v10.5.13: RSA key private generation fix

Compare Source

• Changes from 10.5.12 to 10.5.13 (2022-Mar-18)
  • ext/rsa2.js
    • fix RSAGenerate for checking |p - q| (#​546)

v10.5.12: support ISO 8859-1 TeletexString and BMPString for X500Name

Compare Source

• Changes from 10.5.11 to 10.5.12 (2022-Mar-13)
  • src/asn1hex.js
    • ASN1HEX.parse fixed for TeletexString and BMPString
    • ASN1HEX.parse TeletexString supports non-ASCII
      ISO 8859-1 Latin1 characters. Before this version,
      only supports ASCII characters.
    • hextoipv6 bug fix raised in some of enviroment
  • src/base64x.js
    • iso88591hextoutf8/utf8toiso88591hex added
    • iso88591hextoutf8hex/utf8hextoiso88591hex added
    • hextoipv6 fixed
  • src/x509.js
    • refactoring for X509.get{X500NameArray,RDN,AttrTypeAndValue}.
      Add support for Teletex/BMPString and more attrTypes
  • test/qunit-do-*.html
    • test case added for above updates.
      • qunit-do-base64x: add iso8859-1 / utf-8 converter tests
      • qunit-do-asn1hex-parse: add TeletexString parse tests
      • qunit-do-x509-ext: add NumericString/TeletexString X500Name tests

v10.5.11: asn1hex update

Compare Source

• Changes from 10.5.10 to 10.5.11 (2022-Mar-12)
  • src/ash1hex.js
    • ASN1HEX.parse add NumericStiring(x12) support
    • ASN1HEX.parse fix for "8x" tag (non structured tag)
  • test/qunit-do-asn1hex.html
    • test case added for above updates.

v10.5.10: hextoipv6 fix

Compare Source

• Changes from 10.5.9 to 10.5.10 (2022-Mar-10)
  • src/base64x.js
    • fix hextoipv6 for shrinking leading zeros (#​536)
  • test/qunit-do-base64x.html
    • test case added for above updates.

v10.5.9: small fix

Compare Source

• Changes from 10.5.8 to 10.5.9 (2022-Mar-10)
  • src/base64x.js
    • fix zulutosec (#​538)
  • src/asn1csr.js
    • fix CSRUtil.getParam (#​544)
  • test/qunit-do-{base64x,asn1csr}.html
    • test case update for above updates.

v10.5.8: OCSP CertID and X509 class update

Compare Source

• Changes from 10.5.7 to 10.5.8 (2022-Feb-25)
  • src/asn1ocsp.js
    • CertID class refactoring
    • CertID.getParamByCerts method added
  • src/x509.js
    • DEPRECATED getPublicKeyHex method (use getSPKI instead)
    • getSPKI, getSPKIValue method added
    • getExtCRLDistributionPointsURI bugfix
    • API document fix
  • test/qunit-do-{asn1ocsp,x509-ext,x509,x509-v1}.html
    • test case update and bugfix for above updates.

v10.5.7: X509CRL.findRevCert bugfix for empty revCerts

Compare Source

• Changes from 10.5.6 to 10.5.7 (2022-Feb-19)
  • src/x509crl.js
    • X509CRL.{findRevCert,findRevCertBySN} method fix for empty revCerts

v10.5.6: X509CRL.findRevCert bugfix

Compare Source

• Changes from 10.5.5 to 10.5.6 (2022-Feb-17)
  • src/x509crl.js X509CRL class
    • fix sn error in findRevCert

v10.5.5: CRL parser update

Compare Source

• Changes from 10.5.4 to 10.5.5 (2022-Feb-17)
  • src/x509crl.js X509CRL class
    • add getIssuerHex method
    • add findRevCert method
    • add findRevCertBySN method
  • test/x509crl.html update

v10.5.4: ASN.1 parser update and fix

Compare Source

• Changes from 10.5.3 to 10.5.4 (2022-Feb-15)
  • src/asn1.js
    • DERTaggedObject
      • refactoring
      • add {tag: xx, str:"aaa"} parameter support
      • add {tag: xx, hex:"616161"} parameter support
      • setASN1Object method now deprecated. Please use setByParam
  • src/asn1hex.js
    • ASN1HEX.parse
      • add encapsulated OctetString, BitString support
      • add encapsulated structured TaggedObject support
      • changed to return binary string for 3byte or less BitString value
      • ObjectIdentifier fix when undefined OID name
  • src/base64x.js
    • added bitstrtobinstr/binstrtobitstr
    • utf8tohex fix for lower case hexadecimal string
    • hextoutf8 fix for improper hexadecimal string for UTF-8
    • bitstrtoint/inttobitstr fix for error case return
  • test/qunit-do-asn1.html
    • TaggedObject test case update
  • test/qunit-do-asn1hex-parse.html
    • BitString, TaggedObject test case update
  • test/qunit-do-base64x.html
    • hextoutf8/utf8tohex testcase update
    • bitstrtobinstr/binstrtobitstr testcase added

v10.5.3: add OtherName support in GeneralName

Compare Source

• Changes from 10.5.2 to 10.5.3 (2022-Feb-10)
  • add otherName support in GeneralName by PR
    with small update (#​535)
  • src/asn1x509.js
    • add otherName of GeneralName support (#​535)
    • GeneralName class refactoring
    • add OtherName class
  • src/x509.js
    • add otherName of GeneralName support
  • src/asn1hex.js
    • add ASN1HEX.parse method
  • src/asn1.js
    • API doc and error exception fix
  • test/qunit-do-{asn1x509,x509-ext}.html
    • test case added
  • test/qunit-do-asn1hex-parse.html added

v10.5.2: small update for OID and JWK

Compare Source

• Changes from 10.5.1 to 10.5.2 (2022-Feb-08)
  • src/asn1x509.js
    • add OID.{registerOIDs,checkOIDs} method
  • src/keyutil.js
    • getJWK, getJWKFromKey API doc update
  • test/qunit-do-asn1x509.html updated
    • test case added

v10.5.1: add KEYUTIL.getJWK, fix EC P-521 concat signature value and add support for P-521 JWS JWK

Compare Source

• Changes from 10.5.0 to 10.5.1 (2021-Dec-01)
  • fix ECC P-521 curve issues (#​528)
    • src/ecdsa-modified.js
      • asn1SigToConcatSig fix P521 issue
      • concatSigToASN1Sig fix P521 issue
    • src/jws.js
      • add ES512 support
    • src/keyutil.js
      • fix P-521 issue in getKey,getJWKFromKey,
    • tool/tool_jwt.html
      • add ES512 support
    • test/qunit-do-ecdsamod-s.html
      • add P-521 asn1SigToConcatSig tests
      • add P-521 concatSigToASN1Sig tests
    • test/qunit-do-ecdsamod.html
      • add sha512 tests
    • test/qunit-do-jws-sign.html
      • add signing and verification ES512 test
    • test/qunit-do-keyutil-ec.html
      • add P-521 key test
    • test/qunit-do-keyutil-jwk.html
      • add P-521 private key test
    • test/qunit-do-x509-key.html
      • add P-521 certificate test
  • JWK from X509 certificate (#​529)
    • this PR was merged but
      • X509.getPublicKeyJWK was moved to KEYUTIL.getJWK
      • some tests in qunit-do-x509-jwk was moved to
        qunit-do-keyutil-jwk
      • readCertJWK was removed
  • src/keyutil
    • KEYUTIL.getJWK added and x5c/x5t/x5t#S256/kid member support
    • KEYUTIL.getJWKFromKey now deprecated
  • src/ecdsa-modified.js
    • missing variable definition fix (#​527)
  • test/qunit-do-x509.html test error fix
  • Great appreciate for @​cplussharp 's contribution.

v10.5.0: Add EC support for secp521r1 secp224r1 secp192r1

Compare Source

• Changes from 10.4.1 to 10.5.0
  • Add EC support for secp521r1 secp224r1 secp192r1 (#​521 #​519)
    Thank you indeed for @​cplussharp 's great work.
    • EC key length bugs for newly supported curves are fixed.
      • src/ecdsa-modified: key length fixes
      • src/ecparam.js: add keycharlen property
      • src/asn1x509.js: add secp521r1 OID
      • test/qunit-do-ecdsamod.html: all test code passed
      • test/qunit-do-ecdsamod-unsupport.html: all test code passed
      • test/qunit-do-ecdsamod-s.html: all test code passed
      • test/qunit-do-ecdsamod-nisttv.html: added for NIST EC keygen test
      • sample/sample-ecdsa.html: add P-521
  • sample/sample-rsasign.html
    • fix to trim non hexadecimal strings (#​517)

v10.4.1: GeneralizedTime, UTCTime refactoring and some bug fix

Compare Source

• Changes from 10.4.0 to 10.4.1 release
  • src/asn1.js
    • refactoring of DERUTCTime, DERGeneralizedTime and DERAbstractTime
    • now DERUTCTime support fraction of second
  • src/asn1x509.js
    • update Time class to follow DER{UTC,Generalized}Time update
  • tool/tool_tsreq.html
    • messageImprint bug fix (#​504)
  • tool/tool_tsres.html
    • serialNumber bug fix (#​505)
  • jsrsasign-*-min.js
    • header URL fix to kjur.github.io (#​503)
      (will be fixed in next release while rebuild)
  • test/qunit-do-{asn1,asn1x509}.html updated
    • KJUR.asn1.DER{UTC,Generalized}Time, KJUR.asn1.x509.Time class
      test case added and updated.

v10.4.0: Full support for parsing OCSP response

Compare Source

• Changes from 10.3.2 to 10.4.0 (2021-08-17)
  • asn1ocsp.js
    • add OCSP response parser support in OCSPParser class (request #​501)
    • OCSPParser.get{OCSPResponse,ResponseBytes,BasicOCSPResponse,ResponseData,ResponderID,SingleResponseList,SingleResponse,CertStatus} methods added
    • DEPRECATED: OCSPUtil.getOCSPResponseInfo
  • test/qunit-do-asn1ocsp.html updated
    • add test for OCSP response parser

v10.3.2: fix wrong OCSPRequest for EC public key certificate

Compare Source

• Changes from 10.3.1 to 10.3.2
  • asn1ocsp.js
    • CertID.setByCert fixed for issuer EC public key (#​500)

---

• If you want to rebase/retry this PR, check this box