8.0.13 release

Author: kjur

ChangeLog.txt

@@ -1,6 +1,19 @@
 
 ChangeLog for jsrsasign
 
+* Changes from 8.0.12 to 8.0.13 (2020-Mar-31)
+  - LICENSE.txt
+    - fixed wrong description from BSD to MIT License
+  - ext/ec.js
+    - mitigate Minerva timing attack in ECPointFp.multiply method
+　　　https://minerva.crocs.fi.muni.cz/
+  - test/qunit-do-crypto-ecdsa.html
+    - testcase fix
+  - sample_node/tsr2certs added
+    - script to extract certificates from timestamp response or token
+  - npm
+    - ECPointFp, ECCurveFp and ECFieldElementFp are now exported.
+
 * Changes from 8.0.11 to 8.0.12 (2018-Apr-22)
   - base64x 1.1.13 to 1.1.14
     - function iptohex added

LICENSE.txt

@@ -21,7 +21,7 @@ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 THE SOFTWARE.
 
-LICENSE: BSD License
+LICENSE: MIT License
 ----
 
 RSA and ECC in JavaScript

Makefile

@@ -22,6 +22,7 @@ FILES_MIN = \
 	min/jwsjs-2.0.min.js
 
 FILES_EXT_MIN = \
+	ext/ec-min.js \
 	ext/rsa-min.js \
 	ext/rsa2-min.js
 

bower.json

@@ -1,6 +1,6 @@
 {
   "name": "kjur-jsrsasign",
-  "version": "8.0.12",
+  "version": "8.0.13",
   "main": "jsrsasign-all-min.js",
   "description": "The 'jsrsasign' (RSA-Sign JavaScript Library) is an opensource free cryptography library supporting RSA/RSAPSS/ECDSA/DSA signing/validation, ASN.1, PKCS#1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, CAdES, JWS and JWT in pure JavaScript.",
   "license": "MIT",

ext/ec-min.js

@@ -182,16 +182,25 @@ function pointFpTwice() {
 
 // Simple NAF (Non-Adjacent Form) multiplication algorithm
 // TODO: modularize the multiplication algorithm
+// UPDATE: 2020.03.30 mitigate Minerva timing attack https://minerva.crocs.fi.muni.cz/
+//                    Constant time execution on multiply method.
 function pointFpMultiply(k) {
     if(this.isInfinity()) return this;
     if(k.signum() == 0) return this.curve.getInfinity();
 
-    var e = k;
+    // initialize for multiply
+    var e = k; // e = k
     var h = e.multiply(new BigInteger("3"));
-
     var neg = this.negate();
     var R = this;
 
+    // initialize for dummy to mitigate timing attack
+    var e2 = this.curve.q.subtract(k); // e2 = q - k
+    var h2 = e2.multiply(new BigInteger("3"));
+    var R2 = new ECPointFp(this.curve, this.x, this.y);
+    var neg2 = R2.negate();
+
+    // calculate multiply
     var i;
     for(i = h.bitLength() - 2; i > 0; --i) {
 	R = R.twice();
@@ -204,6 +213,18 @@ function pointFpMultiply(k) {
 	}
     }
 
+    // calculate dummy to mitigate timing attack
+    for(i = h2.bitLength() - 2; i > 0; --i) {
+	R2 = R2.twice();
+
+	var h2Bit = h2.testBit(i);
+	var e2Bit = e2.testBit(i);
+
+	if (h2Bit != e2Bit) {
+	    R2 = R2.add(h2Bit ? R2 : neg2);
+	}
+    }
+
     return R;
 }