Forge
A native implementation of TLS (and various other cryptographic tools) in
JavaScript.
Introduction
The Forge software is a fully native implementation of the TLS protocol in
JavaScript as well as a set of tools for developing Web Apps that utilize many
network resources.
Performance
Forge is fast. Benchmarks against other popular JavaScript cryptography
libraries can be found here:
http://dominictarr.github.io/crypto-bench/
http://cryptojs.altervista.org/test/simulate-threading-speed_test.html
Getting Started
Node.js
If you want to use forge with node.js, it is available through npm
:
https://npmjs.org/package/node-forge
Installation:
npm install node-forge
You can then use forge as a regular module:
var forge = require('node-forge');
Requirements
- General
- Optional: GNU autotools for the build infrastructure if using Flash.
- Building a Browser Bundle:
- Testing
- Optional: Flash
Building a browser bundle
To create a minimized JavaScript bundle, run the following:
npm install
npm run minify
Note for Windows users: If you have trouble running the
npm run bundle
command, try this instead:
node node_modules\requirejs\bin\r.js -o minify.js
This will create a single minimized file that can be included in
the browser:
js/forge.min.js
Include the file via:
<script src="js/forge.min.js"></script>
Note that the minify script depends on the requirejs package,
and that the requirejs binary 'r.js' assumes that the name of
the node binary is 'node' not 'nodejs', as it is on some
systems. You may need to change the hashbang line to use
'nodejs' or run the command manually.
To create a single non-minimized file that can be included in
the browser:
npm install
npm run bundle
Note for Windows users: If you have trouble running the
npm run bundle
command, try this instead:
node node_modules\requirejs\bin\r.js -o minify.js optimize=none out=js/forge.bundle.js
This will create:
js/forge.bundle.js
Include the file via:
<script src="js/forge.bundle.js"></script>
The above bundles will synchronously create a global 'forge' object.
Keep in mind that these bundles will not include any WebWorker
scripts (eg: prime.worker.js) or their dependencies, so these will
need to be accessible from the browser if any WebWorkers are used.
### Testing with NodeJS & RequireJS ###
A test server for node.js can be found at ./nodejs
. The following are included:
- Example of how to use
forge
within NodeJS in the form of a mocha test. - Example of how to serve
forge
to the browser using RequireJS.
To run:
cd nodejs
npm install
npm test
npm start
Old build system that includes flash support
To build the whole project, including Flash, run the following:
$ ./build-setup
$ make
This will create the SWF, symlink all the JavaScript files, and build a Python
SSL module for testing. To see configure options, run ./configure --help
.
Old test system including flash support
A test server is provided which can be run in TLS mode and non-TLS mode. Use
the --help option to get help for configuring ports. The server will print out
the local URL you can vist to run tests.
Some of the simplier tests should be run with just the non-TLS server::
$ ./tests/server.py
More advanced tests need TLS enabled::
$ ./tests/server.py --tls
Contributing
Any contributions (eg: PRs) that are accepted will be brought under the same
license used by the rest of the Forge project. This license allows Forge to
be used under the terms of either the BSD License or the GNU General Public
License (GPL) Version 2.
See: LICENSE
If a contribution contains 3rd party source code with its own license, it
may retain it, so long as that license is compatible with the Forge license.
Documentation
Transports
Ciphers
PKI
Message Digests
Utilities
If at any time you wish to disable the use of native code, where available,
for particular forge features like its secure random number generator, you
may set the disableNativeCode
flag on forge
to true
. It
is not recommended that you set this flag as native code is typically more
performant and may have stronger security properties. It may be useful to
set this flag to test certain features that you plan to run in environments
that are different from your testing environment.
To disable native code when including forge in the browser:
forge = {disableNativeCode: true};
forge = forge({disableNativeCode: true});
(function(forge) {
})(forge({disableNativeCode: true}));
To disable native code when using node.js:
var forge = require('node-forge')({disableNativeCode: true});
Transports
### TLS
Provides a native javascript client and server-side TLS implementation.
Examples
var client = forge.tls.createConnection({
server: false,
caStore: ,
sessionCache: {},
cipherSuites: [
forge.tls.CipherSuites.TLS_RSA_WITH_AES_128_CBC_SHA,
forge.tls.CipherSuites.TLS_RSA_WITH_AES_256_CBC_SHA],
virtualHost: 'example.com',
verify: function(connection, verified, depth, certs) {
if(depth === 0) {
var cn = certs[0].subject.getField('CN').value;
if(cn !== 'example.com') {
verified = {
alert: forge.tls.Alert.Description.bad_certificate,
message: 'Certificate common name does not match hostname.'
};
}
}
return verified;
},
connected: function(connection) {
console.log('connected');
connection.prepare(forge.util.encodeUtf8('Hi server!'));
},
getPrivateKey: function(connection, cert) {
return myClientPrivateKey;
},
tlsDataReady: function(connection) {
sendToServerSomehow(connection.tlsData.getBytes());
},
dataReady: function(connection) {
console.log('the server sent: ' +
forge.util.decodeUtf8(connection.data.getBytes()));
connection.close();
},
closed: function(connection) {
console.log('disconnected');
},
error: function(connection, error) {
console.log('uh oh', error);
}
});
client.handshake();
client.process(encryptedBytesFromServer);
var server = forge.tls.createConnection({
server: true,
caStore: ,
sessionCache: {},
cipherSuites: [
forge.tls.CipherSuites.TLS_RSA_WITH_AES_128_CBC_SHA,
forge.tls.CipherSuites.TLS_RSA_WITH_AES_256_CBC_SHA],
verifyClient: true,
verify: function(connection, verified, depth, certs) {
if(depth === 0) {
var cn = certs[0].subject.getField('CN').value;
if(cn !== 'the-client') {
verified = {
alert: forge.tls.Alert.Description.bad_certificate,
message: 'Certificate common name does not match expected client.'
};
}
}
return verified;
},
connected: function(connection) {
console.log('connected');
connection.prepare(forge.util.encodeUtf8('Hi client!'));
},
getCertificate: function(connection, hint) {
return myServerCertificate;
},
getPrivateKey: function(connection, cert) {
return myServerPrivateKey;
},
tlsDataReady: function(connection) {
sendToClientSomehow(connection.tlsData.getBytes());
},
dataReady: function(connection) {
console.log('the client sent: ' +
forge.util.decodeUtf8(connection.data.getBytes()));
connection.close();
},
closed: function(connection) {
console.log('disconnected');
},
error: function(connection, error) {
console.log('uh oh', error);
}
});
server.process(encryptedBytesFromClient);
Connect to a TLS server using node's net.Socket:
var socket = new net.Socket();
var client = forge.tls.createConnection({
server: false,
verify: function(connection, verified, depth, certs) {
console.log('[tls] server certificate verified');
return true;
},
connected: function(connection) {
console.log('[tls] connected');
client.prepare('GET / HTTP/1.0\r\n\r\n');
},
tlsDataReady: function(connection) {
var data = connection.tlsData.getBytes();
socket.write(data, 'binary');
},
dataReady: function(connection) {
var data = connection.data.getBytes();
console.log('[tls] data received from the server: ' + data);
},
closed: function() {
console.log('[tls] disconnected');
},
error: function(connection, error) {
console.log('[tls] error', error);
}
});
socket.on('connect', function() {
console.log('[socket] connected');
client.handshake();
});
socket.on('data', function(data) {
client.process(data.toString('binary'));
});
socket.on('end', function() {
console.log('[socket] disconnected');
});
socket.connect(443, 'google.com');
### HTTP
Provides a native JavaScript mini-implementation of an http client that
uses pooled sockets.
Examples
var request = forge.http.createRequest({method: 'GET', path: url.path});
sendSomehow(request.toString());
var buffer = forge.util.createBuffer();
var response = forge.http.createResponse();
var someAsyncDataHandler = function(bytes) {
if(!response.bodyReceived) {
buffer.putBytes(bytes);
if(!response.headerReceived) {
if(response.readHeader(buffer)) {
console.log('HTTP response header: ' + response.toString());
}
}
if(response.headerReceived && !response.bodyReceived) {
if(response.readBody(buffer)) {
console.log('HTTP response body: ' + response.body);
}
}
}
};
### SSH
Provides some SSH utility functions.
Examples
forge.ssh.privateKeyToPutty(privateKey, passphrase, comment);
forge.ssh.publicKeyToOpenSSH(key, comment);
forge.ssh.privateKeyToOpenSSH(privateKey, passphrase);
forge.ssh.getPublicKeyFingerprint(key);
forge.ssh.getPublicKeyFingerprint(key, {encoding: 'hex', delimiter: ':'});
### XHR
Provides an XmlHttpRequest implementation using forge.http as a backend.
Examples
### Sockets
Provides an interface to create and use raw sockets provided via Flash.
Examples
Ciphers
### CIPHER
Provides a basic API for block encryption and decryption. There is built-in
support for the ciphers: AES, 3DES, and DES, and for the modes
of operation: ECB, CBC, CFB, OFB, CTR, and GCM.
These algorithms are currently supported:
- AES-ECB
- AES-CBC
- AES-CFB
- AES-OFB
- AES-CTR
- AES-GCM
- 3DES-ECB
- 3DES-CBC
- DES-ECB
- DES-CBC
When using an AES algorithm, the key size will determine whether
AES-128, AES-192, or AES-256 is used (all are supported). When a DES
algorithm is used, the key size will determine whether 3DES or regular
DES is used. Use a 3DES algorithm to enforce Triple-DES.
Examples
var key = forge.random.getBytesSync(16);
var iv = forge.random.getBytesSync(16);
var cipher = forge.cipher.createCipher('AES-CBC', key);
cipher.start({iv: iv});
cipher.update(forge.util.createBuffer(someBytes));
cipher.finish();
var encrypted = cipher.output;
console.log(encrypted.toHex());
var decipher = forge.cipher.createDecipher('AES-CBC', key);
decipher.start({iv: iv});
decipher.update(encrypted);
decipher.finish();
console.log(decipher.output.toHex());
var cipher = forge.cipher.createCipher('AES-GCM', key);
cipher.start({
iv: iv,
additionalData: 'binary-encoded string',
tagLength: 128
});
cipher.update(forge.util.createBuffer(someBytes));
cipher.finish();
var encrypted = cipher.output;
var tag = cipher.mode.tag;
console.log(encrypted.toHex());
console.log(tag.toHex());
var decipher = forge.cipher.createDecipher('AES-GCM', key);
decipher.start({
iv: iv,
additionalData: 'binary-encoded string',
tagLength: 128,
tag: tag
});
decipher.update(encrypted);
var pass = decipher.finish();
if(pass) {
console.log(decipher.output.toHex());
}
Using forge in node.js to match openssl's "enc" command line tool (Note: OpenSSL "enc" uses a non-standard file format with a custom key derivation function and a fixed iteration count of 1, which some consider less secure than alternatives such as OpenPGP/GnuPG):
var forge = require('node-forge');
var fs = require('fs');
function encrypt(password) {
var input = fs.readFileSync('input.txt', {encoding: 'binary'});
var keySize = 24;
var ivSize = 8;
var salt = forge.random.getBytesSync(8);
var derivedBytes = forge.pbe.opensslDeriveBytes(
password, salt, keySize + ivSize);
var buffer = forge.util.createBuffer(derivedBytes);
var key = buffer.getBytes(keySize);
var iv = buffer.getBytes(ivSize);
var cipher = forge.cipher.createCipher('3DES-CBC', key);
cipher.start({iv: iv});
cipher.update(forge.util.createBuffer(input, 'binary'));
cipher.finish();
var output = forge.util.createBuffer();
if(salt !== null) {
output.putBytes('Salted__');
output.putBytes(salt);
}
output.putBuffer(cipher.output);
fs.writeFileSync('input.enc', output.getBytes(), {encoding: 'binary'});
}
function decrypt(password) {
var input = fs.readFileSync('input.enc', {encoding: 'binary'});
input = forge.util.createBuffer(input, 'binary');
input.getBytes('Salted__'.length);
var salt = input.getBytes(8);
var keySize = 24;
var ivSize = 8;
var derivedBytes = forge.pbe.opensslDeriveBytes(
password, salt, keySize + ivSize);
var buffer = forge.util.createBuffer(derivedBytes);
var key = buffer.getBytes(keySize);
var iv = buffer.getBytes(ivSize);
var decipher = forge.cipher.createDecipher('3DES-CBC', key);
decipher.start({iv: iv});
decipher.update(input);
var result = decipher.finish();
fs.writeFileSync(
'input.dec.txt', decipher.output.getBytes(), {encoding: 'binary'});
}
### AES
Provides AES encryption and decryption in CBC, CFB, OFB,
CTR, and GCM modes. See CIPHER for examples.
### DES
Provides 3DES and DES encryption and decryption in ECB and
CBC modes. See CIPHER for examples.
### RC2
Examples
var key = forge.random.getBytesSync(16);
var iv = forge.random.getBytesSync(8);
var cipher = forge.rc2.createEncryptionCipher(key);
cipher.start(iv);
cipher.update(forge.util.createBuffer(someBytes));
cipher.finish();
var encrypted = cipher.output;
console.log(encrypted.toHex());
var cipher = forge.rc2.createDecryptionCipher(key);
cipher.start(iv);
cipher.update(encrypted);
cipher.finish();
console.log(cipher.output.toHex());
PKI
Provides X.509 certificate and RSA public and private key encoding,
decoding, encryption/decryption, and signing/verifying.
### RSA
Examples
var rsa = forge.pki.rsa;
var keypair = rsa.generateKeyPair({bits: 2048, e: 0x10001});
rsa.generateKeyPair({bits: 2048, workers: 2}, function(err, keypair) {
});
var state = rsa.createKeyPairGenerationState(2048, 0x10001);
var step = function() {
if(!rsa.stepKeyPairGenerationState(state, 100)) {
setTimeout(step, 1);
}
else {
}
};
setTimeout(step);
var md = forge.md.sha1.create();
md.update('sign this', 'utf8');
var signature = privateKey.sign(md);
var verified = publicKey.verify(md.digest().bytes(), signature);
var md = forge.md.sha1.create();
md.update('sign this', 'utf8');
var pss = forge.pss.create({
md: forge.md.sha1.create(),
mgf: forge.mgf.mgf1.create(forge.md.sha1.create()),
saltLength: 20
});
var signature = privateKey.sign(md, pss);
var pss = forge.pss.create({
md: forge.md.sha1.create(),
mgf: forge.mgf.mgf1.create(forge.md.sha1.create()),
saltLength: 20
});
var md = forge.md.sha1.create();
md.update('sign this', 'utf8');
publicKey.verify(md.digest().getBytes(), signature, pss);
var encrypted = publicKey.encrypt(bytes);
var decrypted = privateKey.decrypt(encrypted);
var encrypted = publicKey.encrypt(bytes, 'RSAES-PKCS1-V1_5');
var decrypted = privateKey.decrypt(encrypted, 'RSAES-PKCS1-V1_5');
var encrypted = publicKey.encrypt(bytes, 'RSA-OAEP');
var decrypted = privateKey.decrypt(encrypted, 'RSA-OAEP');
var encrypted = publicKey.encrypt(bytes, 'RSA-OAEP', {
md: forge.md.sha256.create()
});
var decrypted = privateKey.decrypt(encrypted, 'RSA-OAEP', {
md: forge.md.sha256.create()
});
var encrypted = publicKey.encrypt(bytes, 'RSA-OAEP', {
md: forge.md.sha256.create(),
mgf1: {
md: forge.md.sha1.create()
}
});
var decrypted = privateKey.decrypt(encrypted, 'RSA-OAEP', {
md: forge.md.sha256.create(),
mgf1: {
md: forge.md.sha1.create()
}
});
### RSA-KEM
Examples
forge.rsa.generateKeyPair({bits: 2048, workers: -1}, function(err, keypair) {
});
var kdf1 = new forge.kem.kdf1(forge.md.sha1.create());
var kem = forge.kem.rsa.create(kdf1);
var result = kem.encrypt(keypair.publicKey, 16);
var iv = forge.random.getBytesSync(12);
var someBytes = 'hello world!';
var cipher = forge.cipher.createCipher('AES-GCM', result.key);
cipher.start({iv: iv});
cipher.update(forge.util.createBuffer(someBytes));
cipher.finish();
var encrypted = cipher.output.getBytes();
var tag = cipher.mode.tag.getBytes();
var kdf1 = new forge.kem.kdf1(forge.md.sha1.create());
var kem = forge.kem.rsa.create(kdf1);
var key = kem.decrypt(keypair.privateKey, result.encapsulation, 16);
var decipher = forge.cipher.createDecipher('AES-GCM', key);
decipher.start({iv: iv, tag: tag});
decipher.update(forge.util.createBuffer(encrypted));
var pass = decipher.finish();
if(pass) {
console.log(decipher.output.getBytes());
}
### X.509
Examples
var pki = forge.pki;
var publicKey = pki.publicKeyFromPem(pem);
var pem = pki.publicKeyToPem(publicKey);
var publicKey = pki.publicKeyFromAsn1(subjectPublicKeyInfo);
var subjectPublicKeyInfo = pki.publicKeyToAsn1(publicKey);
pki.getPublicKeyFingerprint(key);
pki.getPublicKeyFingerprint(key, {type: 'SubjectPublicKeyInfo'});
pki.getPublicKeyFingerprint(key, {encoding: 'hex', delimiter: ':'});
pki.getPublicKeyFingerprint(key, {
type: 'SubjectPublicKeyInfo',
encoding: 'hex',
delimiter: ':'
});
pki.getPublicKeyFingerprint(key, {
md: forge.md.md5.create(),
encoding: 'hex',
delimiter: ':'
});
var caStore = pki.createCaStore([, ...]);
caStore.addCertificate(certObjectOrPemString);
var issuerCert = caStore.getIssuer(subjectCert);
pki.verifyCertificateChain(caStore, chain, customVerifyCallback);
cert.sign(privateKey);
cert.sign(privateKey, forge.md.sha256.create());
var verified = issuer.verify(issued);
var keys = pki.rsa.generateKeyPair(2048);
var cert = pki.createCertificate();
cert.publicKey = keys.publicKey;
cert.serialNumber = '01';
cert.validity.notBefore = new Date();
cert.validity.notAfter = new Date();
cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
var attrs = [{
name: 'commonName',
value: 'example.org'
}, {
name: 'countryName',
value: 'US'
}, {
shortName: 'ST',
value: 'Virginia'
}, {
name: 'localityName',
value: 'Blacksburg'
}, {
name: 'organizationName',
value: 'Test'
}, {
shortName: 'OU',
value: 'Test'
}];
cert.setSubject(attrs);
cert.setIssuer(attrs);
cert.setExtensions([{
name: 'basicConstraints',
cA: true
}, {
name: 'keyUsage',
keyCertSign: true,
digitalSignature: true,
nonRepudiation: true,
keyEncipherment: true,
dataEncipherment: true
}, {
name: 'extKeyUsage',
serverAuth: true,
clientAuth: true,
codeSigning: true,
emailProtection: true,
timeStamping: true
}, {
name: 'nsCertType',
client: true,
server: true,
email: true,
objsign: true,
sslCA: true,
emailCA: true,
objCA: true
}, {
name: 'subjectAltName',
altNames: [{
type: 6,
value: 'http://example.org/webid#me'
}, {
type: 7,
ip: '127.0.0.1'
}]
}, {
name: 'subjectKeyIdentifier'
}]);
cert.sign(keys.privateKey);
var pem = pki.certificateToPem(cert);
var cert = pki.certificateFromPem(pem);
var cert = pki.certificateFromAsn1(obj);
var asn1Cert = pki.certificateToAsn1(cert);
### PKCS#5
Provides the password-based key-derivation function from PKCS#5.
Examples
var salt = forge.random.getBytesSync(128);
var derivedKey = forge.pkcs5.pbkdf2('password', salt, numIterations, 16);
forge.pkcs5.pbkdf2('password', salt, numIterations, 16, function(err, derivedKey) {
});
### PKCS#7
Provides cryptographically protected messages from PKCS#7.
Examples
var p7 = forge.pkcs7.messageFromPem(pem);
var recipient = p7.findRecipient(cert);
p7.decrypt(p7.recipients[0], privateKey);
var p7 = forge.pkcs7.createEnvelopedData();
var cert = forge.pki.certificateFromPem(certPem);
p7.addRecipient(cert);
p7.content = forge.util.createBuffer('Hello');
p7.encrypt();
var pem = forge.pkcs7.messageToPem(p7);
var p7 = forge.pkcs7.createSignedData();
p7.addCertificate(certOrCertPem1);
p7.addCertificate(certOrCertPem2);
var pem = forge.pkcs7.messageToPem(p7);
var p7 = forge.pkcs7.createSignedData();
p7.content = forge.util.createBuffer('Some content to be signed.', 'utf8');
p7.addCertificate(certOrCertPem);
p7.addSigner({
key: privateKeyAssociatedWithCert,
certificate: certOrCertPem,
digestAlgorithm: forge.pki.oids.sha256,
authenticatedAttributes: [{
type: forge.pki.oids.contentType,
value: forge.pki.oids.data
}, {
type: forge.pki.oids.messageDigest
}, {
type: forge.pki.oids.signingTime,
value: new Date()
}]
});
p7.sign();
var pem = forge.pkcs7.messageToPem(p7);
### PKCS#8
Examples
var pki = forge.pki;
var privateKey = pki.privateKeyFromPem(pem);
var pem = pki.privateKeyToPem(privateKey);
var privateKey = pki.privateKeyFromAsn1(rsaPrivateKey);
var rsaPrivateKey = pki.privateKeyToAsn1(privateKey);
var privateKeyInfo = pki.wrapRsaPrivateKey(rsaPrivateKey);
var pem = pki.privateKeyInfoToPem(privateKeyInfo);
var encryptedPrivateKeyInfo = pki.encryptPrivateKeyInfo(
privateKeyInfo, 'password', {
algorithm: 'aes256',
});
var privateKeyInfo = pki.decryptPrivateKeyInfo(
encryptedPrivateKeyInfo, 'password');
var pem = pki.encryptedPrivateKeyToPem(encryptedPrivateKeyInfo);
var encryptedPrivateKeyInfo = pki.encryptedPrivateKeyFromPem(pem);
var pem = pki.encryptRsaPrivateKey(privateKey, 'password');
var pem = pki.encryptRsaPrivateKey(privateKey, 'password', {legacy: true});
var privateKey = pki.decryptRsaPrivateKey(pem, 'password');
var publicKey = pki.setRsaPublicKey(privateKey.n, privateKey.e);
### PKCS#10
Provides certification requests or certificate signing requests (CSR) from
PKCS#10.
Examples
var keys = forge.pki.rsa.generateKeyPair(1024);
var csr = forge.pki.createCertificationRequest();
csr.publicKey = keys.publicKey;
csr.setSubject([{
name: 'commonName',
value: 'example.org'
}, {
name: 'countryName',
value: 'US'
}, {
shortName: 'ST',
value: 'Virginia'
}, {
name: 'localityName',
value: 'Blacksburg'
}, {
name: 'organizationName',
value: 'Test'
}, {
shortName: 'OU',
value: 'Test'
}]);
csr.setAttributes([{
name: 'challengePassword',
value: 'password'
}, {
name: 'unstructuredName',
value: 'My Company, Inc.'
}, {
name: 'extensionRequest',
extensions: [{
name: 'subjectAltName',
altNames: [{
type: 2,
value: 'test.domain.com'
}, {
type: 2,
value: 'other.domain.com',
}, {
type: 2,
value: 'www.domain.net'
}]
}]
}]);
csr.sign(keys.privateKey);
var verified = csr.verify();
var pem = forge.pki.certificationRequestToPem(csr);
var csr = forge.pki.certificationRequestFromPem(pem);
csr.getAttribute({name: 'challengePassword'});
csr.getAttribute({name: 'extensionRequest'}).extensions;
### PKCS#12
Provides the cryptographic archive file format from PKCS#12.
Note for Chrome/Firefox/iOS/similar users: If you have trouble importing
a PKCS#12 container, try using the TripleDES algorithm. It can be passed
to forge.pkcs12.toPkcs12Asn1
using the {algorithm: '3des'}
option.
Examples
var p12Der = forge.util.decode64(p12b64);
var p12Asn1 = forge.asn1.fromDer(p12Der);
var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, 'password');
var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, false, 'password');
var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1);
var p12 = forge.pkcs12.pkcs12FromAsn1(p12Asn1, '');
var bags = p12.getBags({friendlyName: 'test'});
var cert = bags.friendlyName[0];
var bags = p12.getBags({localKeyId: buffer});
var cert = bags.localKeyId[0];
var bags = p12.getBags({localKeyIdHex: '7b59377ff142d0be4565e9ac3d396c01401cd879'});
var cert = bags.localKeyId[0];
var bags = p12.getBags({bagType: forge.pki.oids.certBag});
var cert = bags[forge.pki.oids.certBag][0];
var bags = p12.getBags({
friendlyName: 'test',
bagType: forge.pki.oids.certBag
});
var bags = p12.getBags({bagType: forge.pki.oids.keyBag});
var bag = bags[forge.pki.oids.keyBag][0];
var key = bag.key;
if(bag.key === null) {
var keyAsn1 = bag.asn1;
}
var p12Asn1 = forge.pkcs12.toPkcs12Asn1(
privateKey, certificateChain, 'password');
var p12Asn1 = forge.pkcs12.toPkcs12Asn1(
privateKey, certificateChain, 'password',
{algorithm: '3des'});
var p12Der = forge.asn1.toDer(p12Asn1).getBytes();
var p12b64 = forge.util.encode64(p12Der);
var a = document.createElement('a');
a.download = 'example.p12';
a.setAttribute('href', 'data:application/x-pkcs12;base64,' + p12b64);
a.appendChild(document.createTextNode('Download'));
### ASN.1
Provides ASN.1 DER encoding and decoding.
Examples
var asn1 = forge.asn1;
var subjectPublicKeyInfo =
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.OID, false,
asn1.oidToDer(pki.oids['rsaEncryption']).getBytes()),
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.NULL, false, '')
]),
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.BITSTRING, false, [
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.SEQUENCE, true, [
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
_bnToBytes(key.n)),
asn1.create(asn1.Class.UNIVERSAL, asn1.Type.INTEGER, false,
_bnToBytes(key.e))
])
])
]);
var derBuffer = asn1.toDer(subjectPublicKeyInfo);
var object = asn1.fromDer(derBuffer);
var derOidBuffer = asn1.oidToDer('1.2.840.113549.1.1.5');
console.log(asn1.derToDer(derOidBuffer));
var publicKeyValidator = {
name: 'SubjectPublicKeyInfo',
tagClass: asn1.Class.UNIVERSAL,
type: asn1.Type.SEQUENCE,
constructed: true,
captureAsn1: 'subjectPublicKeyInfo',
value: [{
name: 'SubjectPublicKeyInfo.AlgorithmIdentifier',
tagClass: asn1.Class.UNIVERSAL,
type: asn1.Type.SEQUENCE,
constructed: true,
value: [{
name: 'AlgorithmIdentifier.algorithm',
tagClass: asn1.Class.UNIVERSAL,
type: asn1.Type.OID,
constructed: false,
capture: 'publicKeyOid'
}]
}, {
name: 'SubjectPublicKeyInfo.subjectPublicKey',
tagClass: asn1.Class.UNIVERSAL,
type: asn1.Type.BITSTRING,
constructed: false,
value: [{
name: 'SubjectPublicKeyInfo.subjectPublicKey.RSAPublicKey',
tagClass: asn1.Class.UNIVERSAL,
type: asn1.Type.SEQUENCE,
constructed: true,
optional: true,
captureAsn1: 'rsaPublicKey'
}]
}]
};
var capture = {};
var errors = [];
if(!asn1.validate(
publicKeyValidator, subjectPublicKeyInfo, validator, capture, errors)) {
throw 'ASN.1 object is not a SubjectPublicKeyInfo.';
}
var oid = asn1.derToOid(capture.publicKeyOid);
if(oid !== pki.oids['rsaEncryption']) {
throw 'Unsupported OID.';
}
asn1.prettyPrint(object);
Message Digests
### SHA1
Provides SHA-1 message digests.
Examples
var md = forge.md.sha1.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
### SHA256
Provides SHA-256 message digests.
Examples
var md = forge.md.sha256.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
### SHA384
Provides SHA-384 message digests.
Examples
var md = forge.md.sha384.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
### SHA512
Provides SHA-512 message digests.
Examples
var md = forge.md.sha512.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
var md = forge.md.sha512.sha224.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
var md = forge.md.sha512.sha256.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
### MD5
Provides MD5 message digests.
Examples
var md = forge.md.md5.create();
md.update('The quick brown fox jumps over the lazy dog');
console.log(md.digest().toHex());
### HMAC
Provides HMAC w/any supported message digest algorithm.
Examples
var hmac = forge.hmac.create();
hmac.start('sha1', 'Jefe');
hmac.update('what do ya want for nothing?');
console.log(hmac.digest().toHex());
Utilities
### Prime
Provides an API for generating large, random, probable primes.
Examples
var bits = 1024;
forge.prime.generateProbablePrime(bits, function(err, num) {
console.log('random prime', num.toString(16));
});
var bits = 1024;
var options = {
algorithm: {
name: 'PRIMEINC',
workers: -1
}
};
forge.prime.generateProbablePrime(bits, options, function(err, num) {
console.log('random prime', num.toString(16));
});
### PRNG
Provides a Fortuna-based cryptographically-secure pseudo-random number
generator, to be used with a cryptographic function backend, e.g. AES. An
implementation using AES as a backend is provided. An API for collecting
entropy is given, though if window.crypto.getRandomValues is available, it will
be used automatically.
Examples
var bytes = forge.random.getBytesSync(32);
console.log(forge.util.bytesToHex(bytes));
forge.random.getBytes(32, function(err, bytes) {
console.log(forge.util.bytesToHex(bytes));
});
forge.random.collect(someRandomBytes);
jQuery().mousemove(function(e) {
forge.random.collectInt(e.clientX, 16);
forge.random.collectInt(e.clientY, 16);
});
forge.random.seedFileSync = function(needed) {
return fetchedRandomBytes;
};
forge.random.seedFile = function(needed, callback) {
callback(null, fetchedRandomBytes);
});
forge.random.registerWorker(self);
var myPrng = forge.random.createInstance();
### Tasks
Provides queuing and synchronizing tasks in a web application.
Examples
### Utilities
Provides utility functions, including byte buffer support, base64,
bytes to/from hex, zlib inflate/deflate, etc.
Examples
var encoded = forge.util.encode64(str);
var str = forge.util.decode64(encoded);
var encoded = forge.util.encodeUtf8(str);
var str = forge.util.decodeUtf8(encoded);
var bytes = forge.util.hexToBytes(hex);
var hex = forge.util.bytesToHex(bytes);
var buffer = forge.util.createBuffer();
var buffer = forge.util.createBuffer(input, 'raw');
var buffer = forge.util.createBuffer(input, 'utf8');
buffer.length();
buffer.putBytes(bytes);
buffer.putInt32(10);
buffer.toHex();
bytes.bytes();
bytes.getBytes();
var forgeBuffer = forge.util.createBuffer();
var nodeBuffer = new Buffer(forgeBuffer.getBytes(), 'binary');
var nodeBuffer = new Buffer();
var forgeBuffer = forge.util.createBuffer(nodeBuffer.toString('binary'));
var parsed = forge.util.parseUrl('http://example.com/foo?bar=baz');
### Logging
Provides logging to a javascript console using various categories and
levels of verbosity.
Examples
### Debugging
Provides storage of debugging information normally inaccessible in
closures for viewing/investigation.
Examples
### Flash Socket Policy Module
Provides an Apache module "mod_fsp" that can serve up a Flash Socket
Policy. See mod_fsp/README
for more details. This module makes it easy to
modify an Apache server to allow cross domain requests to be made to it.
Library Details
Contact
Donations
Financial support is welcome and helps contribute to futher development: