transmute-industries / did-key.js

A DID Key Implementation in TypeScript
https://did.key.transmute.industries/
Apache License 2.0
54 stars 15 forks

secp256k1: verifyDetached method works differently from EdDSA implementation #65

Open alexkravets opened 3 years ago

alexkravets commented 3 years ago

For these methods to work consistently and return false on verification failure, I had to wrap them in try / catch like here:

const verifyDetached = async (jws, credentialDigestBuffer, publicKeyJwk) => {
  try {
    await _verifyDetached(jws, credentialDigestBuffer, publicKeyJwk)

  } catch (error) {
    const isVerificationFailed = error.message.includes('ECDSA Verify Failed')

    if (isVerificationFailed) {
      return false
    }

    throw error
  }

  return true
}

Wondering which implementation, secp256k1 or EdDSA, is supposed to be the original one.

OR13 commented 3 years ago

Thanks for reporting this... this is bad.

The reason for this bug is confusion over trying to match the behavior of JWS.verify in jose, which returns the verified payload or throws an error....

I think the correct behavior for "verifyDetached"... should be:

(detachedJws:string, messageDigest:Buffer, publicKeyJwk: any): Promise<Boolean>
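
Added example, not code from did-key.js or from either commenter: a detached verify that returns a boolean for both key types, built on Node's `crypto` module rather than the library's internals, so a bad signature is never reported by matching an error message string. The RFC 7797-style signing input, the names `verifyDetachedSync`, `signDetachedSync` and `demo`, and the choice to throw only on malformed input or an alg/key mismatch are assumptions.

```javascript
const crypto = require('crypto');

// Allow-list: each JWS alg is bound to one key type, so header.alg alone never picks the verifier.
const ALGS = new Map([
  ['ES256K', { kty: 'EC', crv: 'secp256k1', hash: 'sha256', dsaEncoding: 'ieee-p1363' }],
  ['EdDSA', { kty: 'OKP', crv: 'Ed25519', hash: null }],
]);

// Assumed signing input: ASCII(encoded header + '.') followed by the raw message bytes.
const signingInput = (encodedHeader, message) =>
  Buffer.concat([Buffer.from(`${encodedHeader}.`, 'ascii'), message]);
// ECDSA uses the fixed-width r||s signature encoding that JWS requires; Ed25519 needs no options.
const keyOptions = (alg, key) => (alg.dsaEncoding ? { key, dsaEncoding: alg.dsaEncoding } : key);

// Returns true/false for the signature check on both key types; throws only for caller errors.
function verifyDetachedSync(detachedJws, message, publicKeyJwk) {
  const parts = detachedJws.split('.');
  if (parts.length !== 3 || parts[1] !== '') throw new TypeError('not a detached JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  const alg = ALGS.get(header.alg);
  const ok = header.b64 === false && alg && alg.kty === publicKeyJwk.kty && alg.crv === publicKeyJwk.crv;
  if (!ok) throw new TypeError('unsupported header, or alg does not match key');
  const key = crypto.createPublicKey({ key: publicKeyJwk, format: 'jwk' });
  const signature = Buffer.from(parts[2], 'base64url');
  return crypto.verify(alg.hash, signingInput(parts[0], message), keyOptions(alg, key), signature);
}

// Promise-returning form, matching the signature proposed in the thread.
const verifyDetached = async (jws, digest, jwk) => verifyDetachedSync(jws, digest, jwk);

// Hypothetical helper, used only to build the constructed test signatures below.
function signDetachedSync(algName, message, privateKey) {
  const alg = ALGS.get(algName);
  const encodedHeader = Buffer.from(JSON.stringify({ alg: algName, b64: false, crit: ['b64'] })).toString('base64url');
  const sig = crypto.sign(alg.hash, signingInput(encodedHeader, message), keyOptions(alg, privateKey));
  return `${encodedHeader}..${sig.toString('base64url')}`;
}

// Constructed sample: fresh keys per run, one intact and one tampered message per algorithm.
function demo() {
  const message = Buffer.from('constructed sample digest');
  const keys = { ES256K: ['ec', { namedCurve: 'secp256k1' }], EdDSA: ['ed25519', {}] };
  return Object.entries(keys).map(([name, [type, options]]) => {
    const { publicKey, privateKey } = crypto.generateKeyPairSync(type, options);
    const jwk = publicKey.export({ format: 'jwk' });
    const jws = signDetachedSync(name, message, privateKey);
    return [name, verifyDetachedSync(jws, message, jwk), verifyDetachedSync(jws, Buffer.from('tampered'), jwk)];
  });
}
```

`demo()` returns one `[alg, intactResult, tamperedResult]` row per algorithm; a caller that treats any thrown error as "invalid" stays fail-closed, while `false` is reserved for a well-formed signature that does not verify.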