ECDSA or RSA?

[vossjannik]

Hey, thank you for sharing this code with us!

I am a confused because the function-name ("checkECDSASignature") refers to Elliptic Curve DSA algorithm whereas the Verify object is instructed to use the RSA algorithm which I believe is always based on the factorization of primes.

https://github.com/ashtuchkin/u2f/blob/a204cc4298c745efd4e7dd039d8f2f28d4d949f0/index.js#L49

Can somebody please point out to me which algorithm is supposed to be used?

[ashtuchkin]

U2F standard uses ECDSA, not sure where the RSA reference is coming from.

-- Alexander Shtuchkin

On Fri, Aug 3, 2018 at 11:45 AM Jannik Voss notifications@github.com wrote:

Hey, thank you for sharing this code with us!

I am a confused because the function-name ("checkECDSASignature") refers to Elliptic Curve DSA algorithm whereas the Verify object is instructed to use the RSA algorithm which I believe is always based on the factorization of primes.

https://github.com/ashtuchkin/u2f/blob/a204cc4298c745efd4e7dd039d8f2f28d4d949f0/index.js#L49

Can somebody please point out to me which algorithm is supposed to be used?

— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub https://github.com/ashtuchkin/u2f/issues/14, or mute the thread https://github.com/notifications/unsubscribe-auth/AAmVHRgBhES4KNm3xhbLq2HhOrUrdcA_ks5uNJoxgaJpZM4Vuczo .

[ashtuchkin]

Ah, sorry that snippet you referred to wasn't visible in email message.

Node.js crypto module doesn't have "ECDSA-with-SHA256" verification scheme that we need (or at least it didn't when I wrote this module). But, if the signature algorithm is set in the public key, it overrides whatever is given in the constructor. So, by setting the string to "RSA-SHA256", I was setting just the hashing algorithm to SHA256; signature algorithm is overridden in public key and is ECDSA.

The algorithm is set in convertCertToPEM function above, using ASN/DER encoding.