5.2.2. Generating a signature #332
Comments
|
@jehrensvard wrote:
Actually, performing the hash over the input message (the "concatenation of the authenticatorData and the clientDataHash" in this case) is inherently a part of the signature algorithm (whether RSA [1] or ECDSA [2]). Note that the U2F spec says only " signature. This is a ECDSA signature (on P-256) over the following byte string ..." (e.g., in section 4.3). If folks feel strongly about it we can add a Note explaining this, but I'm not sure it is necessary. [1] hashing the "message" input to the RSA signature algs is done in Section 9 of the PKCS#1 spec (now RFC8017). [2] hashing the "message" input to the ECDSA signature alg is done in Step 4 of "DSA Signature Generation" of Section 2.2 in the poor man's version of ANSI X9.62. |
I just noticed the following in section 5.2.2:
A raw cryptographic signature must assert the integrity of both the client data and the authenticator data. Thus, an authenticator SHALL compute a signature over the concatenation of the authenticatorData and the clientDataHash.
It may go without saying, but for the sake of clarity and consistency, I believe the wording should be:
/.../ compute a signature over the SHA256 HASH OF THE concatenation of the authenticatorData /.../
The text was updated successfully, but these errors were encountered: