authorAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-06-23 01:10:10 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2021-06-23 01:10:10 +0000
commit28de854249a0bcc1565e9810efa5236d663e61e0 (patch)
treea7f4ae26447ed0e708c2fda8f5553695717e3410
parentc1994b29177d3f46f6824ade3f0c8a6978c0fb79 (diff)
parent6e061db49f3565cfbc7c81bea8fe1b8aa27b75e1 (diff)
Snap for 7482982 from 6e061db49f3565cfbc7c81bea8fe1b8aa27b75e1 to sc-release
Change-Id: I009efdbd2de335a008af486a0001bc4a7720f0f8
-rw-r--r--android_keymaster/remote_provisioning_utils.cpp2
-rw-r--r--cppcose/cppcose.cpp32
-rw-r--r--include/keymaster/cppcose/cppcose.h6
3 files changed, 17 insertions, 23 deletions
diff --git a/android_keymaster/remote_provisioning_utils.cpp b/android_keymaster/remote_provisioning_utils.cpp
index c882b21..0e869fc 100644
--- a/android_keymaster/remote_provisioning_utils.cpp
+++ b/android_keymaster/remote_provisioning_utils.cpp
@@ -59,7 +59,7 @@ validateAndExtractEekPubAndId(bool testMode, const KeymasterBlob& endpointEncryp
std::vector<uint8_t> lastPubKey;
for (size_t i = 0; i < certArr->size(); ++i) {
auto cosePubKey =
- verifyAndParseCoseSign1(testMode, certArr->get(i)->asArray(), lastPubKey, {} /* AAD */);
+ verifyAndParseCoseSign1(certArr->get(i)->asArray(), lastPubKey, {} /* AAD */);
if (!cosePubKey) {
LOG_E("Failed to validate EEK chain: %s", cosePubKey.moveMessage().c_str());
return kStatusInvalidEek;
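Review bot: `testMode` stays a parameter of validateAndExtractEekPubAndId (per the hunk header) while the only use visible in this hunk is removed; if no other use remains in the function body, the parameter will trip -Wunused-parameter and should either be dropped or annotated `[[maybe_unused]] bool testMode`. The loop would also benefit from a one-line comment such as `// Every EEK chain entry is signature-verified, regardless of test mode.` so the next reader does not look for a bypass that no longer exists. The enclosing function starts and ends outside the hunk.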
diff --git a/cppcose/cppcose.cpp b/cppcose/cppcose.cpp
index b37900e..bfe9928 100644
--- a/cppcose/cppcose.cpp
+++ b/cppcose/cppcose.cpp
@@ -170,7 +170,7 @@ ErrMsgOr<cppbor::Array> constructCoseSign1(const bytevec& key, const bytevec& pa
return constructCoseSign1(key, {} /* protectedParams */, payload, aad);
}
-ErrMsgOr<bytevec> verifyAndParseCoseSign1(bool ignoreSignature, const cppbor::Array* coseSign1,
+ErrMsgOr<bytevec> verifyAndParseCoseSign1(const cppbor::Array* coseSign1,
const bytevec& signingCoseKey, const bytevec& aad) {
if (!coseSign1 || coseSign1->size() != kCoseSign1EntryCount) {
return "Invalid COSE_Sign1";
@@ -197,25 +197,23 @@ ErrMsgOr<bytevec> verifyAndParseCoseSign1(bool ignoreSignature, const cppbor::Ar
return "Unsupported signature algorithm";
}
- if (!ignoreSignature) {
- const cppbor::Bstr* signature = coseSign1->get(kCoseSign1Signature)->asBstr();
- if (!signature || signature->value().empty()) {
- return "Missing signature input";
- }
+ const cppbor::Bstr* signature = coseSign1->get(kCoseSign1Signature)->asBstr();
+ if (!signature || signature->value().empty()) {
+ return "Missing signature input";
+ }
- bool selfSigned = signingCoseKey.empty();
- auto key = CoseKey::parseEd25519(selfSigned ? payload->value() : signingCoseKey);
- if (!key || key->getBstrValue(CoseKey::PUBKEY_X)->empty()) {
- return "Bad signing key: " + key.moveMessage();
- }
+ bool selfSigned = signingCoseKey.empty();
+ auto key = CoseKey::parseEd25519(selfSigned ? payload->value() : signingCoseKey);
+ if (!key || key->getBstrValue(CoseKey::PUBKEY_X)->empty()) {
+ return "Bad signing key: " + key.moveMessage();
+ }
- bytevec signatureInput =
- cppbor::Array().add("Signature1").add(*protectedParams).add(aad).add(*payload).encode();
+ bytevec signatureInput =
+ cppbor::Array().add("Signature1").add(*protectedParams).add(aad).add(*payload).encode();
- if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(),
- key->getBstrValue(CoseKey::PUBKEY_X)->data())) {
- return "Signature verification failed";
- }
+ if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(),
+ key->getBstrValue(CoseKey::PUBKEY_X)->data())) {
+ return "Signature verification failed";
}
return payload->value();
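Review bot: The lengths of the signature and of the Ed25519 public key are never checked before the ED25519_verify call in the last `if` of the hunk: the now-unconditional guards reject only an empty signature bstr and an empty PUBKEY_X, so a shorter bstr in a COSE_Sign1 received from an untrusted peer makes ED25519_verify read beyond the end of those value buffers (it consumes a fixed 64-byte signature and 32-byte key). Both sizes are fixed for Ed25519, so the two guards should be tightened to `if (!signature || signature->value().size() != ED25519_SIGNATURE_LEN) {` and `if (!key || key->getBstrValue(CoseKey::PUBKEY_X)->size() != ED25519_PUBLIC_KEY_LEN) {`, using BoringSSL's constants, with the error strings adjusted accordingly. The `getBstrValue(CoseKey::PUBKEY_X)` result is also dereferenced on the same line without a null check; if that accessor can return null or an empty optional for a key lacking PUBKEY_X, it needs its own guard before the length test. verifyAndParseCoseSign1 begins in the previous hunk.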
diff --git a/include/keymaster/cppcose/cppcose.h b/include/keymaster/cppcose/cppcose.h
index a4d902b..0f97388 100644
--- a/include/keymaster/cppcose/cppcose.h
+++ b/include/keymaster/cppcose/cppcose.h
@@ -255,17 +255,13 @@ ErrMsgOr<cppbor::Array> constructCoseSign1(const bytevec& key, cppbor::Map extra
/**
* Verify and parse a COSE_Sign1 message, returning the payload.
*
- * @param ignoreSignature indicates whether signature verification should be skipped. If true, no
- * verification of the signature will be done.
- *
* @param coseSign1 is the COSE_Sign1 to verify and parse.
*
* @param signingCoseKey is a CBOR-encoded COSE_Key to use to verify the signature. The bytevec may
* be empty, in which case the function assumes that coseSign1's payload is the COSE_Key to
* use, i.e. that coseSign1 is a self-signed "certificate".
*/
-ErrMsgOr<bytevec /* payload */> verifyAndParseCoseSign1(bool ignoreSignature,
- const cppbor::Array* coseSign1,
+ErrMsgOr<bytevec /* payload */> verifyAndParseCoseSign1(const cppbor::Array* coseSign1,
const bytevec& signingCoseKey,
const bytevec& aad);
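Review bot: The doc comment still omits the `aad` parameter, and with `ignoreSignature` gone it no longer says that verification is now unconditional. Add `* @param aad is the external additional authenticated data that was bound into the Sig_structure when the message was signed; pass an empty bytevec if none was used.` after the signingCoseKey paragraph, and extend the brief to `* Verify and parse a COSE_Sign1 message, returning the payload. The Ed25519 signature is always verified; on any failure an error message is returned instead of the payload.` so callers do not assume a bypass remains.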