secp256k1: verifyDetached method works differently from EdDSA implementation

[alexkravets]

For these methods to work consistently and return false on verification failure, I had to wrap into try / catch like here:

const verifyDetached = async (jws, credentialDigestBuffer, publicKeyJwk) => {
  try {
    await _verifyDetached(jws, credentialDigestBuffer, publicKeyJwk)

  } catch (error) {
    const isVerificationFailed = error.message.includes('ECDSA Verify Failed')

    if (isVerificationFailed) {
      return false
    }

    throw error
  }

  return true
}

Wondering which implementation secp256k1 or EdDSA supposed to be original one.

[OR13]

Thanks for reporting this... this is bad.

The reason is for this bug is confusion over trying to match the behavior of JWS.verify in jose, which returns the verified payload or throws an error....

I think the correct behavior for "verifyDetached"... should be:

(detachedJws:string, messageDigest:Buffer, publicKeyJwk: any): Promise<Boolean>