From f547b0d292745094190ecb250429d21e8804a375 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 25 Nov 2025 14:24:12 -0500 Subject: [PATCH 1/7] Start 1.3.3-0. --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 2a9d83b2f..c10dc0f08 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-forge", - "version": "1.3.2", + "version": "1.3.3-0", "description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.", "homepage": "https://github.com/digitalbazaar/forge", "author": { From 6f70043a6db1abb9f3304f3d432efed3ba50fcca Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 25 Nov 2025 21:38:30 -0500 Subject: [PATCH 2/7] Update CVE details. --- CHANGELOG.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4f91e618e..765bafdfa 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,7 +11,7 @@ Forge ChangeLog divergence that may bypass downstream cryptographic verifications and security decisions. - Reported by Hunter Wodzenski. - - CVE ID: [CVE-2025-12816](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12816) + - CVE ID: [CVE-2025-12816](https://www.cve.org/CVERecord?id=CVE-2025-12816) - GHSA ID: [GHSA-5gfm-wpxj-wjgq](https://github.com/digitalbazaar/forge/security/advisories/GHSA-5gfm-wpxj-wjgq) - **HIGH**: ASN.1 Unbounded Recursion - An Uncontrolled Recursion (CWE-674) vulnerability in node-forge versions 
@@ -20,6 +20,7 @@ Forge ChangeLog Denial-of-Service (DoS) via stack exhaustion when parsing untrusted DER inputs. - Reported by Hunter Wodzenski. + - CVE ID: [CVE-2025-66031](https://www.cve.org/CVERecord?id=CVE-2025-66031) - GHSA ID: [GHSA-554w-wpv2-vw27](https://github.com/digitalbazaar/forge/security/advisories/GHSA-554w-wpv2-vw27) - **MODERATE**: ASN.1 OID Integer Truncation - An Integer Overflow (CWE-190) vulnerability in node-forge versions 1.3.1 @@ -28,6 +29,7 @@ Forge ChangeLog as smaller, trusted OIDs due to 32-bit bitwise truncation, enabling the bypass of downstream OID-based security decisions. - Reported by Hunter Wodzenski. + - CVE ID: [CVE-2025-66030](https://www.cve.org/CVERecord?id=CVE-2025-66030) - GHSA ID: [GHSA-65ch-62r8-g69g](https://github.com/digitalbazaar/forge/security/advisories/GHSA-65ch-62r8-g69g) ### Fixed From c3b3b32a8c157ac57752934d3af63b5f798b58b8 Mon Sep 17 00:00:00 2001 From: wodzen Date: Tue, 2 Dec 2025 01:41:04 -0800 Subject: [PATCH 3/7] Make digestAlgorithm parameters optional Make `digestAlgorithm.parameters` optional per modern specs. https://datatracker.ietf.org/doc/html/rfc5280#section-4.1.1.2 ``` AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY DEFINED BY algorithm OPTIONAL } ``` --- lib/pkcs12.js | 1 + 1 file changed, 1 insertion(+) diff --git a/lib/pkcs12.js b/lib/pkcs12.js index dee8b36ad..c184229a9 100644 --- a/lib/pkcs12.js +++ b/lib/pkcs12.js @@ -168,6 +168,7 @@ var pfxValidator = { capture: 'macAlgorithm' }, { name: 'PFX.macData.mac.digestAlgorithm.parameters', + optional: true, tagClass: asn1.Class.UNIVERSAL, captureAsn1: 'macAlgorithmParameters' }] From 503979b0295cf633a30199d6bd937f4a222481a0 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 2 Dec 2025 14:08:46 -0500 Subject: [PATCH 4/7] Update changelog. --- CHANGELOG.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 765bafdfa..9cb2a3bc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
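Review bot: The `optional: true` added to the `PFX.macData.mac.digestAlgorithm.parameters` entry ships without a regression test (the diffstat touches only lib/pkcs12.js), although this validator captures the PFX MAC fields (`macAlgorithm`, `macAlgorithmParameters`) and the changelog attributes the breakage to 1.3.2, the security release. I would add PKCS#12 fixtures whose MAC `digestAlgorithm` omits `parameters` and ones that carry an explicit NULL, asserting that both parse and that a tampered MAC is still rejected. The entry constrains only `tagClass`, so a comment such as `// AlgorithmIdentifier.parameters is OPTIONAL (RFC 5280 section 4.1.1.2); some encoders omit it` would record why it is optional, and a `type` constraint may be worth adding if only NULL is expected here. `pfxValidator` starts and ends outside the hunk, so whether any consumer of `capture.macAlgorithmParameters` tolerates it being undefined cannot be confirmed from this page.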
@@ -1,6 +1,12 @@ Forge ChangeLog =============== +## 1.3.3 - 2025-12-02 + +### Fixed +- [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues + introduced in 1.3.2. + ## 1.3.2 - 2025-11-25 ### Security From e4f3961406395dd8e985dcf841852ceca73ac3a9 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 2 Dec 2025 14:11:20 -0500 Subject: [PATCH 5/7] Fix changelog for release. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 9cb2a3bc4..f4e848149 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ Forge ChangeLog =============== -## 1.3.3 - 2025-12-02 +## 1.3.3 - 2025-12-xx ### Fixed - [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues From 5265989cf5e54cfe1e27a10d71523007ce0507b1 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 2 Dec 2025 14:12:00 -0500 Subject: [PATCH 6/7] Update changelog. --- CHANGELOG.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f4e848149..9cb2a3bc4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,7 +1,7 @@ Forge ChangeLog =============== -## 1.3.3 - 2025-12-xx +## 1.3.3 - 2025-12-02 ### Fixed - [pkcs12] Make digestAlgorithm parameters optional to fix PKCS#12/PFX issues From 1cea0aff4901589ae86e314f25782bbe312f9f69 Mon Sep 17 00:00:00 2001 From: "David I. Lehn" Date: Tue, 2 Dec 2025 14:12:01 -0500 Subject: [PATCH 7/7] Release 1.3.3. --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index c10dc0f08..4f7ad0a33 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "node-forge", - "version": "1.3.3-0", + "version": "1.3.3", "description": "JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.", "homepage": "https://github.com/digitalbazaar/forge", "author": {