crypto-js PBKDF2 vulnerability
returnSky opened this issue · comments
Hi,
crypto-js fixed a vulnerability related to PBKDF2 recently.
Does this vulnerability also affect jsrsasign?
If there is any impact, when will you start to fix it?
Thanks.
References:
Yes, it seems to affect jsrsasign. When you generate an encrypted PKCS#8 private key, it uses PBKDF2. I'll update it and fix the issue.
I've released 10.9.0 today.
https://github.com/kjur/jsrsasign/releases/tag/10.9.0
Regarding encrypted PKCS#8 private key generation, the default encryptionScheme has been updated from des-EDE3-CBC to aes256-CBC and the default prf has been updated from hmacWithSHA1 to hmacWithSHA256. Also, you can set the iteration count.
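To find encrypted PKCS#8 keys that were written with the older defaults mentioned in the release note, the PBES2 parameters can be read straight from the key's DER header without the passphrase. The following is an added example, not part of the thread and not jsrsasign code; `inspectPbes2`, the `legacyDefaults` field and both sample structures (dummy salt, IV, ciphertext, and arbitrary iteration counts) are constructed for illustration.

```javascript
const NAMES = {
  "1.2.840.113549.2.7": "hmacWithSHA1", "1.2.840.113549.2.9": "hmacWithSHA256",
  "1.2.840.113549.3.7": "des-EDE3-CBC", "2.16.840.1.101.3.4.1.42": "aes256-CBC",
};
const fromHex = (h) => Uint8Array.from(h.replace(/\s+/g, "").match(/../g), (x) => parseInt(x, 16));
function tlv(buf, off) { // read one DER TLV at off (short and long length forms)
  let len = buf[off + 1], p = off + 2;
  if (len & 0x80) { // long form: low 7 bits give the number of length bytes
    const n = len & 0x7f;
    for (len = 0; p < off + 2 + n; p++) len = len * 256 + buf[p];
  }
  if (!(p + len <= buf.length)) throw new Error("truncated DER");
  return { tag: buf[off], body: buf.subarray(p, p + len), next: p + len };
}
function children(body) { // split constructed content into its child TLVs
  const out = [];
  for (let off = 0; off < body.length; off = out[out.length - 1].next) out.push(tlv(body, off));
  return out;
}
function oid(body) { // decode an OBJECT IDENTIFIER body into dotted form
  const arcs = [Math.floor(body[0] / 40), body[0] % 40];
  let v = 0;
  for (const b of body.subarray(1)) {
    v = v * 128 + (b & 0x7f);
    if (!(b & 0x80)) { arcs.push(v); v = 0; }
  }
  return arcs.join(".");
}
// Walk EncryptedPrivateKeyInfo -> PBES2-params -> PBKDF2-params and report the choices made.
function inspectPbes2(der) {
  const [algOid, pbes2] = children(children(tlv(der, 0).body)[0].body);
  if (oid(algOid.body) !== "1.2.840.113549.1.5.13") throw new Error("not PBES2");
  const [kdf, scheme] = children(pbes2.body);
  const [kdfOid, kdfParams] = children(kdf.body);
  if (oid(kdfOid.body) !== "1.2.840.113549.1.5.12") throw new Error("KDF is not PBKDF2");
  const [, iter, ...rest] = children(kdfParams.body); // [salt, iterationCount, keyLength?, prf?]
  const prfSeq = rest.find((f) => f.tag === 0x30);
  // prf is DEFAULT hmacWithSHA1, so DER omits the field when SHA-1 is used
  const prfOid = prfSeq ? oid(children(prfSeq.body)[0].body) : "1.2.840.113549.2.7";
  const encOid = oid(children(scheme.body)[0].body);
  const prf = NAMES[prfOid] || prfOid, encryptionScheme = NAMES[encOid] || encOid;
  const iterations = iter.body.reduce((a, b) => a * 256 + b, 0);
  // true when the key uses one of the pre-10.9.0 defaults named in the thread
  const legacyDefaults = prf === "hmacWithSHA1" || encryptionScheme === "des-EDE3-CBC";
  return { prf, iterations, encryptionScheme, legacyDefaults };
}
// Constructed sample headers (not real keys): old-style and new-style parameter choices.
const OLD_STYLE = fromHex("304c3040 06092a864886f70d01050d 3033301b 06092a864886f70d01050c 300e 04080102030405060708 02020800 3014 06082a864886f70d0307 04081112131415161718 0408aaaaaaaaaaaaaaaa");
const NEW_STYLE = fromHex("306c3058 06092a864886f70d01050d 304b302a 06092a864886f70d01050c 301d 04080102030405060708 02030186a0 300c 06082a864886f70d0209 0500 301d 060960864801650304012a 04101112131415161718191a1b1c1d1e1f20 0410aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa");
```

For a PEM file, base64-decode the body between the `ENCRYPTED PRIVATE KEY` markers into a `Uint8Array` and pass that to `inspectPbes2`.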