PKI-Lite is a cryptographic library that provides Public Key Infrastructure (PKI) operations. Security is of paramount importance for this project, as it handles sensitive cryptographic operations including certificate management, digital signatures, and key operations.
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 1.0.x | ✅ |
| < 1.0 | ❌ |
Please do not report security vulnerabilities through public GitHub issues.
If you discover a security vulnerability in PKI-Lite, please report it privately using one of the following methods:
- Go to the Security tab of this repository
- Click "Report a vulnerability"
- Fill out the security advisory form with details about the vulnerability
Send details to: jakeshirley2@gmail.com
Please include the following information in your report:
- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact and severity
- Any suggested fixes or mitigations
- Your contact information for follow-up
- Acknowledgment: We will acknowledge receipt of your vulnerability report within 48 hours
- Investigation: We will investigate the issue and determine its severity and impact
- Fix Development: We will develop and test a fix for the vulnerability
- Disclosure: We will coordinate with you on the disclosure timeline
- Release: We will release a patched version and publish a security advisory
When using PKI-Lite in your applications, please follow these security best practices:
- Generate strong keys: Use appropriate key sizes (RSA ≥ 2048 bits, ECDSA ≥ 256 bits)
- Secure key storage: Store private keys securely and never expose them in logs or error messages
- Key rotation: Implement regular key rotation policies
- Hardware Security Modules (HSMs): Consider using HSMs for high-security environments
- Full chain validation: Always validate the complete certificate chain
- Revocation checking: Implement proper CRL and OCSP checking
- Certificate expiration: Regularly monitor and renew certificates before expiration
- Trusted root stores: Maintain and update trusted root certificate stores
- Use recommended algorithms: Prefer modern, secure algorithms over legacy ones
- Secure random number generation: Ensure proper entropy for cryptographic operations
- Timing attack prevention: Be aware of potential timing attacks in cryptographic operations
- Memory management: Clear sensitive data from memory when no longer needed
- Input validation: Validate all inputs, especially when parsing certificates or keys
- Error handling: Implement secure error handling that doesn't leak sensitive information
- Logging: Avoid logging sensitive cryptographic material
- Dependencies: Keep dependencies updated and monitor for security vulnerabilities
- This library relies on the underlying JavaScript runtime's cryptographic capabilities
- Web browsers may have limitations on cryptographic operations
- Node.js environments provide more complete cryptographic support
- ASN.1 parsing can be complex and error-prone
- Malformed ASN.1 data could potentially cause issues
- We recommend validating ASN.1 structures from untrusted sources
We encourage security testing and welcome reports of security issues. When conducting security testing:
- Responsible disclosure: Follow responsible disclosure practices
- No disruption: Do not disrupt services or access unauthorized data
- Documentation: Document your findings clearly
- Coordination: Coordinate with us before public disclosure
This software is provided under the MIT License. While we make every effort to ensure security, users are responsible for:
- Conducting their own security assessments
- Implementing appropriate security controls for their use case
- Staying informed about security updates and best practices
Last updated: October 2025