diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp index a177317297..78f8f08637 100644 --- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp +++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp @@ -335,8 +335,7 @@ class CertificateRequestTest : public VtsRemotelyProvisionedComponentTests { ASSERT_TRUE(deviceInfoMap->asMap()); auto& signingKey = bccContents->back().pubKey; - auto macKey = verifyAndParseCoseSign1(/* ignore_signature = */ false, signedMac->asArray(), - signingKey, + auto macKey = verifyAndParseCoseSign1(signedMac->asArray(), signingKey, cppbor::Array() // SignedMacAad .add(challenge_) .add(std::move(deviceInfoMap)) diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp index da10eb258d..33f1ed3353 100644 --- a/security/keymint/support/remote_prov_utils.cpp +++ b/security/keymint/support/remote_prov_utils.cpp @@ -78,7 +78,7 @@ ErrMsgOr generateEekChain(size_t length, const bytevec& eekId) { return EekChain{eekChain.encode(), pub_key, priv_key}; } -ErrMsgOr verifyAndParseCoseSign1Cwt(bool ignoreSignature, const cppbor::Array* coseSign1, +ErrMsgOr verifyAndParseCoseSign1Cwt(const cppbor::Array* coseSign1, const bytevec& signingCoseKey, const bytevec& aad) { if (!coseSign1 || coseSign1->size() != kCoseSign1EntryCount) { return "Invalid COSE_Sign1"; @@ -115,27 +115,22 @@ ErrMsgOr verifyAndParseCoseSign1Cwt(bool ignoreSignature, const cppbor: auto serializedKey = parsedPayload->asMap()->get(-4670552)->clone(); if (!serializedKey || !serializedKey->asBstr()) return "Could not find key entry"; - if (!ignoreSignature) { - bool selfSigned = signingCoseKey.empty(); - auto key = CoseKey::parseEd25519(selfSigned ? serializedKey->asBstr()->value() - : signingCoseKey); - if (!key) return "Bad signing key: " + key.moveMessage(); + bool selfSigned = signingCoseKey.empty(); + auto key = + CoseKey::parseEd25519(selfSigned ? serializedKey->asBstr()->value() : signingCoseKey); + if (!key) return "Bad signing key: " + key.moveMessage(); - bytevec signatureInput = cppbor::Array() - .add("Signature1") - .add(*protectedParams) - .add(aad) - .add(*payload) - .encode(); + bytevec signatureInput = + cppbor::Array().add("Signature1").add(*protectedParams).add(aad).add(*payload).encode(); - if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(), - key->getBstrValue(CoseKey::PUBKEY_X)->data())) { - return "Signature verification failed"; - } + if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(), + key->getBstrValue(CoseKey::PUBKEY_X)->data())) { + return "Signature verification failed"; } return serializedKey->asBstr()->value(); } + ErrMsgOr> validateBcc(const cppbor::Array* bcc) { if (!bcc || bcc->size() == 0) return "Invalid BCC"; @@ -148,8 +143,7 @@ ErrMsgOr> validateBcc(const cppbor::Array* bcc) { if (!entry || entry->size() != kCoseSign1EntryCount) { return "Invalid BCC entry " + std::to_string(i) + ": " + prettyPrint(entry); } - auto payload = verifyAndParseCoseSign1Cwt(false /* ignoreSignature */, entry, - std::move(prevKey), bytevec{} /* AAD */); + auto payload = verifyAndParseCoseSign1Cwt(entry, std::move(prevKey), bytevec{} /* AAD */); if (!payload) { return "Failed to verify entry " + std::to_string(i) + ": " + payload.moveMessage(); }