investigate potential signature parsing bug

[getify]

Reference: https://gist.github.com/philholden/50120652bfe0498958fd5926694ba354#gistcomment-5229287

Claim is, some signatures may parse/verify incorrectly because of missing 2s-complement math on the parsed integers.

Apparent signature example:

const c = {
  id: 'dcYrMAXFosJ2vNyjsjlCKjL_lSk',
  rawId: 'dcYrMAXFosJ2vNyjsjlCKjL_lSk',
  response: {
    authenticatorData: 'SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MdAAAAAA',
    clientDataJSON: 'eyJ0eXBlIjoid2ViYXV0aG4uZ2V0IiwiY2hhbGxlbmdlIjoiUWwzVzJuVkxWTlFNNEd3VFJ0U084QSIsIm9yaWdpbiI6Imh0dHA6Ly9sb2NhbGhvc3Q6ODA4MCJ9',
    signature: 'MEMCHwZ-ACr2CSpvtWwBE8nMdO_rvK5iV-VCWx0R9QGX3TICIFRXY-hO2J4w52BsIZ0aJKROxyOICPitFP8IgxuAvoYm',
    userHandle: 'ZBSnLGMxtip1ZNiryx-I0Q',
  },
  authenticatorAttachment: 'platform',
  clientExtensionResults: {},
  type: 'public-key',
}
// note plain Base64 encoding
const pk = 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEJX4iup4PhjtjZYjAo44MYoG879m4+foQSsGMv/qqavFPusUdOilEXVWyFlaJQ6Cd0znXdZoXDrCdBkOHmZE/6A=='

The code that might be affected:

function parseSignature(algoCOSE,signature) {
	if (isPublicKeyAlgorithm("ES256",algoCOSE)) {
		// this algorithm's signature comes back ASN.1 encoded, per spec:
		//   https://www.w3.org/TR/webauthn-2/#sctn-signature-attestation-types
		let der = ASN1.parseVerbose(signature);
		return new Uint8Array([ ...der.children[0].value, ...der.children[1].value, ]);
	}
	// also per spec, other signature algorithms SHOULD NOT come back
	// in ASN.1, so for those, we just pass through without any parsing
	return signature;
}