Initial commit

.editorconfig

+# http://editorconfig.org
+
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+
+[*.{js,json,yaml,yml}]
+indent_style = space
+indent_size = 2
+
+[*.py]
+indent_style = space
+indent_size = 4

.eslintrc.js

+module.exports = {
+  root: true,
+  env: {
+    browser: true,
+    commonjs: true,
+    node: true
+  },
+  extends: [
+    'digitalbazaar'
+  ],
+  parserOptions: {
+    ecmaVersion: 5,
+    sourceType: 'script'
+  },
+  rules: {
+    // overrides to support ES5, remove when updated to ES20xx
+    'no-unused-vars': 'warn',
+    'no-var': 'off',
+    'object-shorthand': 'off',
+    'prefer-const': 'off',
+    // fix when code is globally reformatted
+    'max-len': 'off'
+  }
+};

.github/workflows/main.yml

+name: Main Checks
+
+on: [push]
+
+jobs:
+  test-node:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        node-version: [6.x, 8.x, 10.x, 12.x, 14.x]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm install
+    - name: Run test with Node.js ${{ matrix.node-version }}
+      run: npm run test-node
+  test-karma:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        node-version: [14.x]
+        bundler: [webpack, browserify]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm install
+    - name: Run karma tests
+      run: npm run test-karma
+      env:
+        BUNDLER: ${{ matrix.bundler }}
+#  lint:
+#    runs-on: ubuntu-latest
+#    timeout-minutes: 10
+#    strategy:
+#      matrix:
+#        node-version: [14.x]
+#    steps:
+#    - uses: actions/checkout@v2
+#    - name: Use Node.js ${{ matrix.node-version }}
+#      uses: actions/setup-node@v1
+#      with:
+#        node-version: ${{ matrix.node-version }}
+#    - run: npm install
+#    - name: Run eslint
+#      run: npm run lint
+  coverage:
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    strategy:
+      matrix:
+        node-version: [14.x]
+    steps:
+    - uses: actions/checkout@v2
+    - name: Use Node.js ${{ matrix.node-version }}
+      uses: actions/setup-node@v1
+      with:
+        node-version: ${{ matrix.node-version }}
+    - run: npm install
+    - name: Generate coverage report
+      run: npm run coverage-ci
+    - name: Upload coverage to Codecov
+      uses: codecov/codecov-action@v1
+      with:
+        file: ./coverage/lcov.info
+        fail_ci_if_error: true

.gitignore

+*.py[co]
+*.sw[nop]
+*~
+.cdtproject
+.classpath
+.cproject
+.nyc_output
+.project
+.settings
+.vscode
+TAGS
+coverage
+dist
+node_modules
+npm-debug.log

.istanbul.yml

+instrumentation:
+  root: .

CHANGELOG.md

+Forge ChangeLog
+===============
+
+## 1.2.1 - 2022-01-11
+
+### Fixed
+- [tests]: Load entire module to improve top-level testing and coverage
+  reporting.
+- [log]: Refactor logging setup to avoid use of `URLSearchParams`.
+
+## 1.2.0 - 2022-01-07
+
+### Fixed
+- [x509] 'Expected' and 'Actual' issuers were backwards in verification failure
+  message.
+
+### Added
+- [oid,x509]: Added OID `1.3.14.3.2.29 / sha1WithRSASignature` for sha1 with
+  RSA. Considered a deprecated equivalent to `1.2.840.113549.1.1.5 /
+  sha1WithRSAEncryption`. See [discussion and
+  links](https://github.com/digitalbazaar/forge/issues/825).
+
+### Changed
+- [x509]: Reduce duplicate code. Add helper function to create a signature
+  digest given an signature algorithm OID. Add helper function to verify
+  signatures.
+
+## 1.1.0 - 2022-01-06
+
+### Fixed
+- [x509]: Correctly compute certificate issuer and subject hashes to match
+  behavior of openssl.
+- [pem]: Accept certificate requests with "NEW" in the label. "BEGIN NEW
+  CERTIFICATE REQUEST" handled as "BEGIN CERTIFICATE REQUEST".
+
+## 1.0.0 - 2022-01-04
+
+### Notes
+- **1.0.0**!
+- This project is over a decade old! Time for a 1.0.0 release.
+- The URL related changes may expose bugs in some of the networking related
+  code (unrelated to the much wider used cryptography code). The automated and
+  manual test coverage for this code is weak at best. Issues or patches to
+  update the code or tests would be appreciated.
+
+### Removed
+- **SECURITY**, **BREAKING**: Remove `forge.debug` API. The API has the
+  potential for prototype pollution. This API was only briefly used by the
+  maintainers for internal project debug purposes and was never intended to be
+  used with untrusted user inputs. This API was not documented or advertised
+  and is being removed rather than fixed.
+- **SECURITY**, **BREAKING**: Remove `forge.util.parseUrl()` (and
+  `forge.http.parseUrl` alias) and use the [WHATWG URL
+  Standard](https://url.spec.whatwg.org/). `URL` is supported by modern browers
+  and modern Node.js. This change is needed to address URL parsing security
+  issues. If `forge.util.parseUrl()` is used directly or through `forge.xhr` or
+  `forge.http` APIs, and support is needed for environments without `URL`
+  support, then a polyfill must be used.
+- **BREAKING**: Remove `forge.task` API. This API was never used, documented,
+  or advertised by the maintainers. If anyone was using this API and wishes to
+  continue development it in other project, please let the maintainers know.
+  Due to use in the test suite, a modified version is located in
+  `tests/support/`.
+- **BREAKING**: Remove `forge.util.makeLink`, `forge.util.makeRequest`,
+  `forge.util.parseFragment`, `forge.util.getQueryVariables`. Replace with
+  `URL`, `URLSearchParams`, and custom code as needed.
+
+### Changed
+- **BREAKING**: Increase supported Node.js version to 6.13.0 for URL support.
+- **BREAKING**: Renamed `master` branch to `main`.
+- **BREAKING**: Release process updated to use tooling that prefixes versions
+  with `v`. Other tools, scripts, or scanners may need to adapt.
+- **BREAKING**: Remove docs related to Bower and
+  [forge-dist](https://github.com/digitalbazaar/forge-dist). Install using
+  [another method](./README.md#installation).
+
+### Added
+- OIDs for `surname`, `title`, and `givenName`.
+
+### Fixed
+- **BREAKING**: OID 2.5.4.5 name fixed from `serialName` to `serialNumber`.
+  Depending on how applications used this id to name association it could cause
+  compatibility issues.
+
+## 0.10.0 - 2020-09-01
+
+### Changed
+- **BREAKING**: Node.js 4 no longer supported. The code *may* still work, and
+  non-invasive patches to keep it working will be considered. However, more
+  modern tools no longer support old Node.js versions making testing difficult.
+
+### Removed
+- **BREAKING**: Remove `util.getPath`, `util.setPath`, and `util.deletePath`.
+  `util.setPath` had a potential prototype pollution security issue when used
+  with unsafe inputs. These functions are not used by `forge` itself. They date
+  from an early time when `forge` was targeted at providing general helper
+  functions. The library direction changed to be more focused on cryptography.
+  Many other excellent libraries are more suitable for general utilities. If
+  you need a replacement for these functions, consider `get`, `set`, and `unset`
+  from [lodash](https://lodash.com/). But also consider the potential similar
+  security issues with those APIs.
+
+## 0.9.2 - 2020-09-01
+
+### Changed
+- Added `util.setPath` security note to function docs and to README.
+
+### Notes
+- **SECURITY**: The `util.setPath` function has the potential to cause
+  prototype pollution if used with unsafe input.
+  - This function is **not** used internally by `forge`.
+  - The rest of the library is unaffected by this issue.
+  - **Do not** use unsafe input with this function.
+  - Usage with known input should function as expected. (Including input
+    intentionally using potentially problematic keys.)
+  - No code changes will be made to address this issue in 0.9.x. The current
+    behavior *could* be considered a feature rather than a security issue.
+    0.10.0 will be released that removes `util.getPath` and `util.setPath`.
+    Consider `get` and `set` from [lodash](https://lodash.com/) if you need
+    replacements. But also consider the potential similar security issues with
+    those APIs.
+  - https://snyk.io/vuln/SNYK-JS-NODEFORGE-598677
+  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7720
+
+## 0.9.1 - 2019-09-26
+
+### Fixed
+- Ensure DES-CBC given IV is long enough for block size.
+
+## 0.9.0 - 2019-09-04
+
+### Added
+- Add ed25519.publicKeyFromAsn1 and ed25519.privateKeyFromAsn1 APIs.
+- A few OIDs used in EV certs.
+
+### Fixed
+- Improve ed25519 NativeBuffer check.
+
+## 0.8.5 - 2019-06-18
+
+### Fixed
+- Remove use of `const`.
+
+## 0.8.4 - 2019-05-22
+
+### Changed
+- Replace all instances of Node.js `new Buffer` with `Buffer.from` and `Buffer.alloc`.
+
+## 0.8.3 - 2019-05-15
+
+### Fixed
+- Use basic character set for code.
+
+## 0.8.2 - 2019-03-18
+
+### Fixed
+- Fix tag calculation when continuing an AES-GCM block.
+
+### Changed
+- Switch to eslint.
+
+## 0.8.1 - 2019-02-23
+
+### Fixed
+- Fix off-by-1 bug with kem random generation.
+
+## 0.8.0 - 2019-01-31
+
+### Fixed
+- Handle creation of certificates with `notBefore` and `notAfter` dates less
+  than Jan 1, 1950 or greater than or equal to Jan 1, 2050.
+
+### Added
+- Add OID 2.5.4.13 "description".
+- Add OID 2.16.840.1.113730.1.13 "nsComment".
+  - Also handle extension when creating a certificate.
+- `pki.verifyCertificateChain`:
+  - Add `validityCheckDate` option to allow checking the certificate validity
+    period against an arbitrary `Date` or `null` for no check at all. The
+    current date is used by default.
+- `tls.createConnection`:
+  - Add `verifyOptions` option that passes through to
+    `pki.verifyCertificateChain`. Can be used for the above `validityCheckDate`
+    option.
+
+### Changed
+- Support WebCrypto API in web workers.
+- `rsa.generateKeyPair`:
+  - Use `crypto.generateKeyPair`/`crypto.generateKeyPairSync` on Node.js if
+    available (10.12.0+) and not in pure JS mode.
+  - Use JS fallback in `rsa.generateKeyPair` if `prng` option specified since
+    this isn't supported by current native APIs.
+  - Only run key generation comparison tests if keys will be deterministic.
+- PhantomJS is deprecated, now using Headless Chrome with Karma.
+- **Note**: Using Headless Chrome vs PhantomJS may cause newer JS features to
+  slip into releases without proper support for older runtimes and browsers.
+  Please report such issues and they will be addressed.
+- `pki.verifyCertificateChain`:
+  - Signature changed to `(caStore, chain, options)`. Older `(caStore, chain,
+    verify)` signature is still supported. New style is to to pass in a
+    `verify` option.
+
+## 0.7.6 - 2018-08-14
+
+### Added
+- Test on Node.js 10.x.
+- Support for PKCS#7 detached signatures.
+
+### Changed
+- Improve webpack/browser detection.
+
+## 0.7.5 - 2018-03-30
+
+### Fixed
+- Remove use of `const`.
+
+## 0.7.4 - 2018-03-07
+
+### Fixed
+- Potential regex denial of service in form.js.
+
+### Added
+- Support for ED25519.
+- Support for baseN/base58.
+
+## 0.7.3 - 2018-03-05
+
+- Re-publish with npm 5.6.0 due to file timestamp issues.
+
+## 0.7.2 - 2018-02-27
+
+### Added
+- Support verification of SHA-384 certificates.
+- `1.2.840.10040.4.3'`/`dsa-with-sha1` OID.
+
+### Fixed
+- Support importing PKCS#7 data with no certificates. RFC 2315 sec 9.1 states
+  certificates are optional.
+- `asn1.equals` loop bug.
+- Fortuna implementation bugs.
+
+## 0.7.1 - 2017-03-27
+
+### Fixed
+
+- Fix digestLength for hashes based on SHA-512.
+
+## 0.7.0 - 2017-02-07
+
+### Fixed
+
+- Fix test looping bugs so all tests are run.
+- Improved ASN.1 parsing. Many failure cases eliminated. More sanity checks.
+  Better behavior in default mode of parsing BIT STRINGs. Better handling of
+  parsed BIT STRINGs in `toDer()`. More tests.
+- Improve X.509 BIT STRING handling by using new capture modes.
+
+### Changed
+
+- Major refactor to use CommonJS plus a browser build system.
+- Updated tests, examples, docs.
+- Updated dependencies.
+- Updated flash build system.
+- Improve OID mapping code.
+- Change test servers from Python to JavaScript.
+- Improve PhantomJS support.
+- Move Bower/bundle support to
+  [forge-dist](https://github.com/digitalbazaar/forge-dist).
+- **BREAKING**: Require minimal digest algorithm dependencies from individual
+  modules.
+- Enforce currently supported bit param values for byte buffer access. May be
+  **BREAKING** for code that depended on unspecified and/or incorrect behavior.
+- Improve `asn1.prettyPrint()` BIT STRING display.
+
+### Added
+
+- webpack bundler support via `npm run build`:
+  - Builds `.js`, `.min.js`, and basic sourcemaps.
+  - Basic build: `forge.js`.
+  - Build with extra utils and networking support: `forge.all.js`.
+  - Build WebWorker support: `prime.worker.js`.
+- Browserify support in package.json.
+- Karma browser testing.
+- `forge.options` field.
+- `forge.options.usePureJavaScript` flag.
+- `forge.util.isNodejs` flag (used to select "native" APIs).
+- Run PhantomJS tests in Travis-CI.
+- Add "Donations" section to README.
+- Add IRC to "Contact" section of README.
+- Add "Security Considerations" section to README.
+- Add pbkdf2 usePureJavaScript test.
+- Add rsa.generateKeyPair async and usePureJavaScript tests.
+- Add .editorconfig support.
+- Add `md.all.js` which includes all digest algorithms.
+- Add asn1 `equals()` and `copy()`.
+- Add asn1 `validate()` capture options for BIT STRING contents and value.
+
+### Removed
+
+- **BREAKING**: Can no longer call `forge({...})` to create new instances.
+- Remove a large amount of old cruft.
+
+### Migration from 0.6.x to 0.7.x
+
+- (all) If you used the feature to create a new forge instance with new
+  configuration options you will need to rework your code. That ability has
+  been removed due to implementation complexity. The main rare use was to set
+  the option to use pure JavaScript. That is now available as a library global
+  flag `forge.options.usePureJavaScript`.
+- (npm,bower) If you used the default main file there is little to nothing to
+  change.
+- (npm) If you accessed a sub-resource like `forge/js/pki` you should either
+  switch to just using the main `forge` and access `forge.pki` or update to
+  `forge/lib/pki`.
+- (bower) If you used a sub-resource like `forge/js/pki` you should switch to
+  just using `forge` and access `forge.pki`. The bower release bundles
+  everything in one minified file.
+- (bower) A configured workerScript like
+  `/bower_components/forge/js/prime.worker.js` will need to change to
+  `/bower_components/forge/dist/prime.worker.min.js`.
+- (all) If you used the networking support or flash socket support, you will
+  need to use a custom build and/or adjust where files are loaded from. This
+  functionality is not included in the bower distribution by default and is
+  also now in a different directory.
+- (all) The library should now directly support building custom bundles with
+  webpack, browserify, or similar.
+- (all) If building a custom bundle ensure the correct dependencies are
+  included. In particular, note there is now a `md.all.js` file to include all
+  digest algorithms. Individual files limit what they include by default to
+  allow smaller custom builds. For instance, `pbdkf2.js` has a `sha1` default
+  but does not include any algorithm files by default. This allows the
+  possibility to include only `sha256` without the overhead of `sha1` and
+  `sha512`.
+
+### Notes
+
+- This major update requires updating the version to 0.7.x. The existing
+  work-in-progress "0.7.x" branch will be painfully rebased on top of this new
+  0.7.x and moved forward to 0.8.x or later as needed.
+- 0.7.x is a start of simplifying forge based on common issues and what has
+  appeared to be the most common usage. Please file issues with feedback if the
+  changes are problematic for your use cases.
+
+## 0.6.x - 2016 and earlier
+
+- See Git commit log or https://github.com/digitalbazaar/forge.

CONTRIBUTING.md

+Contributing to Forge
+=====================
+
+Want to contribute to forge? Great! Here are a few notes:
+
+Code
+----
+
+* In general, follow the current code style.
+* Read the [contributing](./README.md#contributing) notes.
+* Ensure [tests pass](./README.md#testing).
+
+Release Process
+---------------
+
+Maintainers should refer to the [release instructions](./RELEASE.md).
+
+[Semantic Versioning]: http://semver.org/

LICENSE

+You may use the Forge project under the terms of either the BSD License or the
+GNU General Public License (GPL) Version 2.
+
+The BSD License is recommended for most projects. It is simple and easy to
+understand and it places almost no restrictions on what you can do with the
+Forge project.
+
+If the GPL suits your project better you are also free to use Forge under
+that license.
+
+You don't have to do anything special to choose one license or the other and
+you don't have to notify anyone which license you are using. You are free to
+use this project in commercial projects as long as the copyright header is
+left intact.
+
+If you are a commercial entity and use this set of libraries in your
+commercial software then reasonable payment to Digital Bazaar, if you can
+afford it, is not required but is expected and would be appreciated. If this
+library saves you time, then it's saving you money. The cost of developing
+the Forge software was on the order of several hundred hours and tens of
+thousands of dollars. We are attempting to strike a balance between helping
+the development community while not being taken advantage of by lucrative
+commercial entities for our efforts.
+
+-------------------------------------------------------------------------------
+New BSD License (3-clause)
+Copyright (c) 2010, Digital Bazaar, Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of Digital Bazaar, Inc. nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL DIGITAL BAZAAR BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+-------------------------------------------------------------------------------
+        GNU GENERAL PUBLIC LICENSE
+           Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+          Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+        GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Program is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+          NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+

RELEASE.md

+Forge Release Process
+=====================
+
+Prepare a Release
+-----------------
+
+* Follow the [Semantic Versioning][] guidelines.
+* Ensure [tests pass](./README.md#testing).
+* Ensure [CHANGELOG.md](./CHANGELOG.md) is up-to-date using [Keep a
+  CHANGELOG][] style.
+
+Publish to NPM
+--------------
+
+As of Forge 1.0.0 publishing is performed using the `pubnpm` script from
+https://github.com/digitalbazaar/publish-script.
+
+[Keep a CHANGELOG]: https://keepachangelog.com/
+[Semantic Versioning]: https://semver.org/

SECURITY.md

+# Security Policy
+
+## Reporting a Vulnerability
+
+Please report security issues to security@digitalbazaar.com.

examples/create-cert.js

+var forge = require('..');
+
+console.log('Generating 2048-bit key-pair...');
+var keys = forge.pki.rsa.generateKeyPair(2048);
+console.log('Key-pair created.');
+
+console.log('Creating self-signed certificate...');
+var cert = forge.pki.createCertificate();
+cert.publicKey = keys.publicKey;
+cert.serialNumber = '01';
+cert.validity.notBefore = new Date();
+cert.validity.notAfter = new Date();
+cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+var attrs = [{
+  name: 'commonName',
+  value: 'example.org'
+}, {
+  name: 'countryName',
+  value: 'US'
+}, {
+  shortName: 'ST',
+  value: 'Virginia'
+}, {
+  name: 'localityName',
+  value: 'Blacksburg'
+}, {
+  name: 'organizationName',
+  value: 'Test'
+}, {
+  shortName: 'OU',
+  value: 'Test'
+}];
+cert.setSubject(attrs);
+cert.setIssuer(attrs);
+cert.setExtensions([{
+  name: 'basicConstraints',
+  cA: true/*,
+  pathLenConstraint: 4*/
+}, {
+  name: 'keyUsage',
+  keyCertSign: true,
+  digitalSignature: true,
+  nonRepudiation: true,
+  keyEncipherment: true,
+  dataEncipherment: true
+}, {
+  name: 'extKeyUsage',
+  serverAuth: true,
+  clientAuth: true,
+  codeSigning: true,
+  emailProtection: true,
+  timeStamping: true
+}, {
+  name: 'nsCertType',
+  client: true,
+  server: true,
+  email: true,
+  objsign: true,
+  sslCA: true,
+  emailCA: true,
+  objCA: true
+}, {
+  name: 'subjectAltName',
+  altNames: [{
+    type: 6, // URI
+    value: 'http://example.org/webid#me'
+  }, {
+    type: 7, // IP
+    ip: '127.0.0.1'
+  }]
+}, {
+  name: 'subjectKeyIdentifier'
+}]);
+// FIXME: add authorityKeyIdentifier extension
+
+// self-sign certificate
+cert.sign(keys.privateKey/*, forge.md.sha256.create()*/);
+console.log('Certificate created.');
+
+// PEM-format keys and cert
+var pem = {
+  privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+  publicKey: forge.pki.publicKeyToPem(keys.publicKey),
+  certificate: forge.pki.certificateToPem(cert)
+};
+
+console.log('\nKey-Pair:');
+console.log(pem.privateKey);
+console.log(pem.publicKey);
+
+console.log('\nCertificate:');
+console.log(pem.certificate);
+
+// verify certificate
+var caStore = forge.pki.createCaStore();
+caStore.addCertificate(cert);
+try {
+  forge.pki.verifyCertificateChain(caStore, [cert],
+    function(vfd, depth, chain) {
+      if(vfd === true) {
+        console.log('SubjectKeyIdentifier verified: ' +
+          cert.verifySubjectKeyIdentifier());
+        console.log('Certificate verified.');
+      }
+      return true;
+    });
+} catch(ex) {
+  console.log('Certificate verification failure: ' +
+    JSON.stringify(ex, null, 2));
+}

examples/create-csr.js

+var forge = require('..');
+
+console.log('Generating 2048-bit key-pair...');
+var keys = forge.pki.rsa.generateKeyPair(2048);
+console.log('Key-pair created.');
+
+console.log('Creating certification request (CSR) ...');
+var csr = forge.pki.createCertificationRequest();
+csr.publicKey = keys.publicKey;
+csr.setSubject([{
+  name: 'commonName',
+  value: 'example.org'
+}, {
+  name: 'countryName',
+  value: 'US'
+}, {
+  shortName: 'ST',
+  value: 'Virginia'
+}, {
+  name: 'localityName',
+  value: 'Blacksburg'
+}, {
+  name: 'organizationName',
+  value: 'Test'
+}, {
+  shortName: 'OU',
+  value: 'Test'
+}]);
+// add optional attributes
+csr.setAttributes([{
+  name: 'challengePassword',
+  value: 'password'
+}, {
+  name: 'unstructuredName',
+  value: 'My company'
+}]);
+
+// sign certification request
+csr.sign(keys.privateKey/*, forge.md.sha256.create()*/);
+console.log('Certification request (CSR) created.');
+
+// PEM-format keys and csr
+var pem = {
+  privateKey: forge.pki.privateKeyToPem(keys.privateKey),
+  publicKey: forge.pki.publicKeyToPem(keys.publicKey),
+  csr: forge.pki.certificationRequestToPem(csr)
+};
+
+console.log('\nKey-Pair:');
+console.log(pem.privateKey);
+console.log(pem.publicKey);
+
+console.log('\nCertification Request (CSR):');
+console.log(pem.csr);
+
+// verify certification request
+try {
+  if(csr.verify()) {
+    console.log('Certification request (CSR) verified.');
+  } else {
+    throw new Error('Signature not verified.');
+  }
+} catch(err) {
+  console.log('Certification request (CSR) verification failure: ' +
+    JSON.stringify(err, null, 2));
+}

examples/create-pkcs12.js

+var forge = require('..');
+
+try {
+  // generate a keypair
+  console.log('Generating 2048-bit key-pair...');
+  var keys = forge.pki.rsa.generateKeyPair(2048);
+  console.log('Key-pair created.');
+
+  // create a certificate
+  console.log('Creating self-signed certificate...');
+  var cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+  var attrs = [{
+    name: 'commonName',
+    value: 'example.org'
+  }, {
+    name: 'countryName',
+    value: 'US'
+  }, {
+    shortName: 'ST',
+    value: 'Virginia'
+  }, {
+    name: 'localityName',
+    value: 'Blacksburg'
+  }, {
+    name: 'organizationName',
+    value: 'Test'
+  }, {
+    shortName: 'OU',
+    value: 'Test'
+  }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([{
+    name: 'basicConstraints',
+    cA: true
+  }, {
+    name: 'keyUsage',
+    keyCertSign: true,
+    digitalSignature: true,
+    nonRepudiation: true,
+    keyEncipherment: true,
+    dataEncipherment: true
+  }, {
+    name: 'subjectAltName',
+    altNames: [{
+      type: 6, // URI
+      value: 'http://example.org/webid#me'
+    }]
+  }]);
+
+  // self-sign certificate
+  cert.sign(keys.privateKey);
+  console.log('Certificate created.');
+
+  // create PKCS12
+  console.log('\nCreating PKCS#12...');
+  var password = 'password';
+  var newPkcs12Asn1 = forge.pkcs12.toPkcs12Asn1(
+    keys.privateKey, [cert], password,
+    {generateLocalKeyId: true, friendlyName: 'test'});
+  var newPkcs12Der = forge.asn1.toDer(newPkcs12Asn1).getBytes();
+
+  console.log('\nBase64-encoded new PKCS#12:');
+  console.log(forge.util.encode64(newPkcs12Der));
+
+  // create CA store (w/own certificate in this example)
+  var caStore = forge.pki.createCaStore([cert]);
+
+  console.log('\nLoading new PKCS#12 to confirm...');
+  loadPkcs12(newPkcs12Der, password, caStore);
+} catch(ex) {
+  if(ex.stack) {
+    console.log(ex.stack);
+  } else {
+    console.log('Error', ex);
+  }
+}
+
+function loadPkcs12(pkcs12Der, password, caStore) {
+  var pkcs12Asn1 = forge.asn1.fromDer(pkcs12Der);
+  var pkcs12 = forge.pkcs12.pkcs12FromAsn1(pkcs12Asn1, false, password);
+
+  // load keypair and cert chain from safe content(s) and map to key ID
+  var map = {};
+  for(var sci = 0; sci < pkcs12.safeContents.length; ++sci) {
+    var safeContents = pkcs12.safeContents[sci];
+    console.log('safeContents ' + (sci + 1));
+
+    for(var sbi = 0; sbi < safeContents.safeBags.length; ++sbi) {
+      var safeBag = safeContents.safeBags[sbi];
+      console.log('safeBag.type: ' + safeBag.type);
+
+      var localKeyId = null;
+      if(safeBag.attributes.localKeyId) {
+        localKeyId = forge.util.bytesToHex(
+          safeBag.attributes.localKeyId[0]);
+        console.log('localKeyId: ' + localKeyId);
+        if(!(localKeyId in map)) {
+          map[localKeyId] = {
+            privateKey: null,
+            certChain: []
+          };
+        }
+      } else {
+        // no local key ID, skip bag
+        continue;
+      }
+
+      // this bag has a private key
+      if(safeBag.type === forge.pki.oids.pkcs8ShroudedKeyBag) {
+        console.log('found private key');
+        map[localKeyId].privateKey = safeBag.key;
+      } else if(safeBag.type === forge.pki.oids.certBag) {
+        // this bag has a certificate
+        console.log('found certificate');
+        map[localKeyId].certChain.push(safeBag.cert);
+      }
+    }
+  }
+
+  console.log('\nPKCS#12 Info:');
+
+  for(var localKeyId in map) {
+    var entry = map[localKeyId];
+    console.log('\nLocal Key ID: ' + localKeyId);
+    if(entry.privateKey) {
+      var privateKeyP12Pem = forge.pki.privateKeyToPem(entry.privateKey);
+      var encryptedPrivateKeyP12Pem = forge.pki.encryptRsaPrivateKey(
+        entry.privateKey, password);
+
+      console.log('\nPrivate Key:');
+      console.log(privateKeyP12Pem);
+      console.log('Encrypted Private Key (password: "' + password + '"):');
+      console.log(encryptedPrivateKeyP12Pem);
+    } else {
+      console.log('');
+    }
+    if(entry.certChain.length > 0) {
+      console.log('Certificate chain:');
+      var certChain = entry.certChain;
+      for(var i = 0; i < certChain.length; ++i) {
+        var certP12Pem = forge.pki.certificateToPem(certChain[i]);
+        console.log(certP12Pem);
+      }
+
+      var chainVerified = false;
+      try {
+        chainVerified = forge.pki.verifyCertificateChain(caStore, certChain);
+      } catch(ex) {
+        chainVerified = ex;
+      }
+      console.log('Certificate chain verified: ', chainVerified);
+    }
+  }
+}

examples/imap.js

+var forge = require('..');
+var net = require('net');
+
+var socket = new net.Socket();
+
+var client = forge.tls.createConnection({
+  server: false,
+  verify: function(connection, verified, depth, certs) {
+    // skip verification for testing
+    return true;
+  },
+  connected: function(connection) {
+    console.log('[tls] connected');
+  },
+  tlsDataReady: function(connection) {
+    // encrypted data is ready to be sent to the server
+    var data = connection.tlsData.getBytes();
+    socket.write(data, 'binary');
+  },
+  dataReady: function(connection) {
+    // clear data from the server is ready
+    var data = connection.data.getBytes();
+    console.log('[tls] received from the server: ' + data);
+    client.close();
+  },
+  closed: function() {
+    console.log('[tls] disconnected');
+  },
+  error: function(connection, error) {
+    console.log('[tls] error', error);
+  }
+});
+
+socket.on('connect', function() {
+  console.log('[socket] connected');
+  client.handshake();
+});
+socket.on('data', function(data) {
+  client.process(data.toString('binary'));
+});
+socket.on('end', function() {
+  console.log('[socket] disconnected');
+});
+
+// connect to gmail's imap server
+socket.connect(993, 'imap.gmail.com');

examples/sign-p7.js

+var forge = require('..');
+
+try {
+  // create PKCS#7 signed data
+  var p7 = forge.pkcs7.createSignedData();
+  p7.content = forge.util.createBuffer('Some content to be signed.', 'utf8');
+  var signers = ['a', 'b'];
+  for(var i = 0; i < signers.length; ++i) {
+    var signer = createSigner(signers[i]);
+    p7.addCertificate(signer.certificate);
+    p7.addSigner({
+      key: signer.keys.privateKey,
+      certificate: signer.certificate,
+      digestAlgorithm: forge.pki.oids.sha256,
+      authenticatedAttributes: [{
+        type: forge.pki.oids.contentType,
+        value: forge.pki.oids.data
+      }, {
+        type: forge.pki.oids.messageDigest
+        // value will be auto-populated at signing time
+      }, {
+        type: forge.pki.oids.signingTime
+        // value will be auto-populated at signing time
+        //value: new Date('2050-01-01T00:00:00Z')
+      }]
+    });
+  }
+
+  p7.sign();
+
+  var pem = forge.pkcs7.messageToPem(p7);
+  console.log('Signed PKCS #7 message:\n' + pem);
+} catch(ex) {
+  if(ex.stack) {
+    console.log(ex.stack);
+  } else {
+    console.log('Error', ex);
+  }
+}
+
+function createSigner(name) {
+  console.log('Creating signer "' + name + '"...');
+
+  // generate a keypair
+  console.log('Generating 2048-bit key-pair...');
+  var keys = forge.pki.rsa.generateKeyPair(2048);
+  console.log('Key-pair created:');
+  console.log(forge.pki.privateKeyToPem(keys.privateKey));
+  console.log(forge.pki.publicKeyToPem(keys.publicKey));
+
+  // create a certificate
+  var certificate = createCertificate(name, keys);
+  console.log('Signer "' + name + '" created.');
+
+  return {
+    name: name,
+    keys: keys,
+    certificate: certificate
+  };
+}
+
+function createCertificate(name, keys) {
+  // create a certificate
+  console.log('Creating self-signed certificate...');
+  var cert = forge.pki.createCertificate();
+  cert.publicKey = keys.publicKey;
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(cert.validity.notBefore.getFullYear() + 1);
+  var attrs = [{
+    name: 'commonName',
+    value: name
+  }, {
+    name: 'countryName',
+    value: 'US'
+  }, {
+    shortName: 'ST',
+    value: 'Virginia'
+  }, {
+    name: 'localityName',
+    value: 'Blacksburg'
+  }, {
+    name: 'organizationName',
+    value: 'Test'
+  }, {
+    shortName: 'OU',
+    value: 'Test'
+  }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([{
+    name: 'basicConstraints',
+    cA: true
+  }, {
+    name: 'keyUsage',
+    keyCertSign: true,
+    digitalSignature: true,
+    nonRepudiation: true,
+    keyEncipherment: true,
+    dataEncipherment: true
+  }, {
+    name: 'subjectAltName',
+    altNames: [{
+      type: 6, // URI
+      value: 'http://example.org/webid#me'
+    }]
+  }]);
+
+  // self-sign certificate
+  cert.sign(keys.privateKey);
+  console.log('Certificate created: \n' + forge.pki.certificateToPem(cert));
+
+  return cert;
+}

examples/tls.js

+var forge = require('..');
+
+// function to create certificate
+var createCert = function(cn, data) {
+  console.log(
+    'Generating 512-bit key-pair and certificate for \"' + cn + '\".');
+  var keys = forge.pki.rsa.generateKeyPair(512);
+  console.log('key-pair created.');
+
+  var cert = forge.pki.createCertificate();
+  cert.serialNumber = '01';
+  cert.validity.notBefore = new Date();
+  cert.validity.notAfter = new Date();
+  cert.validity.notAfter.setFullYear(
+    cert.validity.notBefore.getFullYear() + 1);
+  var attrs = [{
+    name: 'commonName',
+    value: cn
+  }, {
+    name: 'countryName',
+    value: 'US'
+  }, {
+    shortName: 'ST',
+    value: 'Virginia'
+  }, {
+    name: 'localityName',
+    value: 'Blacksburg'
+  }, {
+    name: 'organizationName',
+    value: 'Test'
+  }, {
+    shortName: 'OU',
+    value: 'Test'
+  }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([{
+    name: 'basicConstraints',
+    cA: true
+  }, {
+    name: 'keyUsage',
+    keyCertSign: true,
+    digitalSignature: true,
+    nonRepudiation: true,
+    keyEncipherment: true,
+    dataEncipherment: true
+  }, {
+    name: 'subjectAltName',
+    altNames: [{
+      type: 6, // URI
+      value: 'http://myuri.com/webid#me'
+    }]
+  }]);
+  // FIXME: add subjectKeyIdentifier extension
+  // FIXME: add authorityKeyIdentifier extension
+  cert.publicKey = keys.publicKey;
+
+  // self-sign certificate
+  cert.sign(keys.privateKey);
+
+  // save data
+  data[cn] = {
+    cert: forge.pki.certificateToPem(cert),
+    privateKey: forge.pki.privateKeyToPem(keys.privateKey)
+  };
+
+  console.log('certificate created for \"' + cn + '\": \n' + data[cn].cert);
+};
+
+var end = {};
+var data = {};
+
+// create certificate for server and client
+createCert('server', data);
+createCert('client', data);
+
+var success = false;
+
+// create TLS client
+end.client = forge.tls.createConnection({
+  server: false,
+  caStore: [data.server.cert],
+  sessionCache: {},
+  // supported cipher suites in order of preference
+  cipherSuites: [
+    forge.tls.CipherSuites.TLS_RSA_WITH_AES_128_CBC_SHA,
+    forge.tls.CipherSuites.TLS_RSA_WITH_AES_256_CBC_SHA],
+  virtualHost: 'server',
+  verify: function(c, verified, depth, certs) {
+    console.log(
+      'TLS Client verifying certificate w/CN: \"' +
+      certs[0].subject.getField('CN').value +
+      '\", verified: ' + verified + '...');
+    return verified;
+  },
+  connected: function(c) {
+    console.log('Client connected...');
+
+    // send message to server
+    setTimeout(function() {
+      c.prepareHeartbeatRequest('heartbeat');
+      c.prepare('Hello Server');
+    }, 1);
+  },
+  getCertificate: function(c, hint) {
+    console.log('Client getting certificate ...');
+    return data.client.cert;
+  },
+  getPrivateKey: function(c, cert) {
+    return data.client.privateKey;
+  },
+  tlsDataReady: function(c) {
+    // send TLS data to server
+    end.server.process(c.tlsData.getBytes());
+  },
+  dataReady: function(c) {
+    var response = c.data.getBytes();
+    console.log('Client received \"' + response + '\"');
+    success = (response === 'Hello Client');
+    c.close();
+  },
+  heartbeatReceived: function(c, payload) {
+    console.log('Client received heartbeat: ' + payload.getBytes());
+  },
+  closed: function(c) {
+    console.log('Client disconnected.');
+    if(success) {
+      console.log('PASS');
+    } else {
+      console.log('FAIL');
+    }
+  },
+  error: function(c, error) {
+    console.log('Client error: ' + error.message);
+  }
+});
+
+// create TLS server
+end.server = forge.tls.createConnection({
+  server: true,
+  caStore: [data.client.cert],
+  sessionCache: {},
+  // supported cipher suites in order of preference
+  cipherSuites: [
+    forge.tls.CipherSuites.TLS_RSA_WITH_AES_128_CBC_SHA,
+    forge.tls.CipherSuites.TLS_RSA_WITH_AES_256_CBC_SHA],
+  connected: function(c) {
+    console.log('Server connected');
+    c.prepareHeartbeatRequest('heartbeat');
+  },
+  verifyClient: true,
+  verify: function(c, verified, depth, certs) {
+    console.log(
+      'Server verifying certificate w/CN: \"' +
+      certs[0].subject.getField('CN').value +
+      '\", verified: ' + verified + '...');
+    return verified;
+  },
+  getCertificate: function(c, hint) {
+    console.log('Server getting certificate for \"' + hint[0] + '\"...');
+    return data.server.cert;
+  },
+  getPrivateKey: function(c, cert) {
+    return data.server.privateKey;
+  },
+  tlsDataReady: function(c) {
+    // send TLS data to client
+    end.client.process(c.tlsData.getBytes());
+  },
+  dataReady: function(c) {
+    console.log('Server received \"' + c.data.getBytes() + '\"');
+
+    // send response
+    c.prepare('Hello Client');
+    c.close();
+  },
+  heartbeatReceived: function(c, payload) {
+    console.log('Server received heartbeat: ' + payload.getBytes());
+  },
+  closed: function(c) {
+    console.log('Server disconnected.');
+  },
+  error: function(c, error) {
+    console.log('Server error: ' + error.message);
+  }
+});
+
+console.log('created TLS client and server, doing handshake...');
+end.client.handshake();

flash/PooledSocket.as

+/*
+ * Copyright (c) 2009 Digital Bazaar, Inc. All rights reserved.
+ *
+ * @author Dave Longley
+ */
+package
+{
+   import flash.net.Socket;
+
+   /**
+    * A helper class that contains the ID for a Socket.
+    */
+   public class PooledSocket extends Socket
+   {
+      // the ID in the related socket pool
+      public var id:String;
+   }
+}

flash/README.md

+Forge Flash Support
+===================
+
+SocketPool.swf
+--------------
+
+Some special networking features can optionally use a Flash component.
+Building the output SWF file requires the [Flex SDK][].  A pre-built component
+is included: `swf/SocketPool.swf`.
+
+Building the output SWF requires the `mxmlc` tool from the [Flex SDK][]. If
+that tools is already installed then look in the `package.json` file for the
+commands to rebuild it. If you need the SDK installed, there is a npm module that installs it:
+
+    npm install
+
+To build a regular component:
+
+    npm run build
+
+Additional debug support can be built in with the following:
+
+    npm run build-debug
+
+Policy Server
+-------------
+
+Flash support requires the use of a Policy Server.
+
+### Apache Flash Socket Policy Module
+
+[mod_fsp](./mod_fsp) provides an [Apache][] module that can serve up a Flash
+Socket Policy. See `mod_fsp/README` for more details. This module makes it easy
+to modify an [Apache][] server to allow cross domain requests to be made to it.
+
+### Simple Python Policy Server
+
+`policyserver.py` provides a very simple test policy server.
+
+### Simple Node.js Policy Server
+
+`policyserver.js` provides a very simple test policy server.  If a server is
+needed for production environments, please use another option such as perhaps
+[nodejs_socket_policy_server][].
+
+[Apache]: http://httpd.apache.org/
+[Flex SDK]: https://flex.apache.org/
+[nodejs_socket_policy_server]: https://github.com/bichinger/nodejs_socket_policy_server

flash/SocketEvent.as

+/*
+ * Copyright (c) 2009 Digital Bazaar, Inc. All rights reserved.
+ *
+ * @author Dave Longley
+ */
+package
+{
+   import flash.events.Event;
+
+   /**
+    * A helper class that contains the ID for a Socket.
+    */
+   public class SocketEvent extends Event
+   {
+      // the associated socket
+      public var socket:PooledSocket;
+      // an associated message
+      public var message:String;
+
+      /**
+       * Creates a new SocketEvent.
+       *
+       * @param type the type of event.
+       * @param socket the associated PooledSocket.
+       * @param message an associated message.
+       */
+      public function SocketEvent(
+         type:String, socket:PooledSocket, message:String = null)
+      {
+         super(type, false, false);
+         this.socket = socket;
+         this.message = message;
+      }
+   }
+}
+