In Authr-MakeCred-Resp-1 P-04, if the security key signs the attestation with a hash algorithm other than SHA-256 (e.g. SHA-384, SHA3-512), the verification fails.
In verifySignature@dependencies/cryptodep.js:192, the hash algorithm for the signature is hardcoded to SHA-256. The function doesn't use the alg field to map the signature algorithm to the hash using _COSE_ALGHASH.
By submitting this issue you are acknowledging that any information regarding this issue will be publicly available.
If you have privacy concerns, please email conformance-tools@fidoalliance.org
FIRST PRE CHECK
What protocol are you implementing?
NOTE: UAF 1.0 certification have been officially sunset. U2F 1.2 only supported version of U2F.
What is your implementation class?
If you are platform authenticator vendor, please email conformance-tools@fidoalliance.org
What is the version of the tool are you using?
1.7.20-4
What is the OS and the version are you running?
For desktop tools
For UAF mobile tools
Issue description
In Authr-MakeCred-Resp-1 P-04, if the security key signs the attestation with a hash algorithm other than SHA-256 (e.g. SHA-384, SHA3-512), the verification fails.
In verifySignature@dependencies/cryptodep.js:192, the hash algorithm for the signature is hardcoded to SHA-256. The function doesn't use the alg field to map the signature algorithm to the hash using _COSE_ALGHASH.