Research
Malicious fezbox npm Package Steals Browser Passwords from Cookies via Innovative QR Code Steganographic Technique
A malicious package uses a QR code as steganography in an innovative technique.
By Olivia Brown - Sep 22, 2025
jsrsasign
Advanced tools
jsrsasign
opensource free pure JavaScript cryptographic library supports RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, CMS SignedData, TimeStamp and CAdES and JSON Web Signature(JWS)/Token(JWT)/Key(JWK).
What is jsrsasign?
The jsrsasign npm package is a comprehensive library for cryptographic operations, including RSA/DSA/ECDSA key generation, digital signatures, X.509 certificate handling, and more. It is widely used for implementing security features in JavaScript applications.
What are jsrsasign's main functionalities?
RSA Key Generation
This feature allows you to generate RSA key pairs. The code sample demonstrates generating a 2048-bit RSA key pair using the KEYUTIL.generateKeypair method.
const rsaKeypair = KEYUTIL.generateKeypair('RSA', 2048);
console.log(rsaKeypair);Digital Signature
This feature allows you to create digital signatures. The code sample shows how to sign a message using an RSA private key and the SHA256withRSA algorithm.
const rsa = new RSAKey();
rsa.readPrivateKeyFromPEMString('-----BEGIN PRIVATE KEY-----...');
const sig = new KJUR.crypto.Signature({alg: 'SHA256withRSA'});
sig.init(rsa);
sig.updateString('message');
const signature = sig.sign();
console.log(signature);X.509 Certificate Handling
This feature allows you to handle X.509 certificates. The code sample demonstrates reading a PEM-encoded certificate and extracting the subject string.
const pemCert = '-----BEGIN CERTIFICATE-----...';
const x509 = new X509();
x509.readCertPEM(pemCert);
console.log(x509.getSubjectString());JWT (JSON Web Token) Handling
This feature allows you to create and verify JSON Web Tokens (JWT). The code sample shows how to sign a JWT using the HS256 algorithm and a secret key.
const header = {alg: 'HS256', typ: 'JWT'};
const payload = {sub: '1234567890', name: 'John Doe', iat: 1516239022};
const sHeader = JSON.stringify(header);
const sPayload = JSON.stringify(payload);
const sJWT = KJUR.jws.JWS.sign('HS256', sHeader, sPayload, 'secret');
console.log(sJWT);Other packages similar to jsrsasign
crypto
The 'crypto' module is a built-in Node.js module that provides cryptographic functionality, including a set of wrappers for OpenSSL's hash, HMAC, cipher, decipher, sign, and verify functions. It is more low-level compared to jsrsasign and is typically used for server-side cryptographic operations.
jsonwebtoken
The 'jsonwebtoken' package is a popular library for creating and verifying JSON Web Tokens (JWT). It is more specialized than jsrsasign, focusing specifically on JWT handling, and is widely used in authentication and authorization scenarios.
node-forge
The 'node-forge' package is a comprehensive library for implementing various cryptographic operations in JavaScript. It provides functionalities for key generation, digital signatures, encryption/decryption, and more. It is similar to jsrsasign in terms of the breadth of cryptographic features it offers.
jsrsasign
The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free pure JavaScript cryptographic library supports RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, CMS SignedData, TimeStamp and CAdES and JSON Web Signature(JWS)/Token(JWT)/Key(JWK).
Public page is http://kjur.github.com/jsrsasign .
github TOP|API doc|Wiki|Node sample
DIFFERENCE WITH CRYPTO MODULE
Here is the difference between bundled 'Crypto' module and this 'jsrsasign' module.
- Crypto module
- fast
- works only on Node.js
- OpenSSL based
- lacking ASN.1 functionality
- provides symmetric ciphers
- lacking RSAPSS signing
- jsrsasign module
- slow
- implemented in pure JavaScript
- works on both Node.js(server) and browsers(client)
- provides ASN.1 parsing/generation functionality
- lacking symmetric ciphers
- provides RSAPSS signing
- also provides support for JSON Web Signatures (JWS) and JSON Web Token (JWT)
AVAILABLE CLASSES AND METHODS
Most of the classes and methods defined in jsrsasign and jsjws are available in this jsrsasign npm module.
After loading the module,
> var r = require('jsrsasign');
You can refer name spaces, classes, methods and functions by following variables:
- r.BigInteger - BigInteger class
- r.RSAKey - RSAKey class
- r.ECDSA - KJUR.crypto.ECDSA class
- r.DSA - KJUR.crypto.DSA class
- r.Signature - KJUR.crypto.Signature class
- r.MessageDigest - KJUR.crypto.MessageDigest class
- r.Mac - KJUR.crypto.Mac class
- r.KEYUTIL - KEYUTIL class
- r.ASN1HEX - ASN1HEX class
- r.crypto - KJUR.crypto name space
- r.asn1 - KJUR.asn1 name space
- r.jws - KJUR.jws name space
Please see API reference in the above links.
EXAMPLE(1) SIGNATURE
Loading encrypted PKCS#5 private key:
> var fs = require('fs');
> var pem = fs.readFileSync('z1.prv.p5e.pem', 'binary');
> var prvKey = a.KEYUTIL.getKey(pem, 'passwd');
Sign string 'aaa' with the loaded private key:
> var sig = new a.Signature({alg: 'SHA1withRSA'});
> sig.init(prvKey);
> sig.updateString('aaa');
> var sigVal = sig.sign();
> sigVal
'd764dcacb...'
MORE TUTORIALS AND SAMPLES
FAQs
opensource free pure JavaScript cryptographic library supports RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp and CAdES and JSON Web Signature(JWS)/Token(JWT)/Key(JWK)
The npm package jsrsasign receives a total of 440,705 weekly downloads. As such, jsrsasign popularity was classified as popular.
We found that jsrsasign demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 05 Aug 2016
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Research
/Security News
Identifying and Preventing Fraudulent Engineering Candidates: An Investigation into 80 Confirmed Cases
Socket identified 80 fake candidates targeting engineering roles, including suspected North Korean operators, exposing the new reality of hiring as a security function.
By Lauren Valencia, Kirill Boychenko - Sep 17, 2025
Application Security
/Research
/Security News
Updated and Ongoing Supply Chain Attack Targets CrowdStrike npm Packages
Socket detected multiple compromised CrowdStrike npm packages, continuing the "Shai-Hulud" supply chain attack that has now impacted nearly 500 packages.
By Kush Pandya, Peter van der Zee, Olivia Brown, Socket Research Team - Sep 16, 2025