From 1fd3be8018994ec019637eb0eae64b109c9a9136 Mon Sep 17 00:00:00 2001
From: iadgovuser62
Date: Wed, 15 Apr 2026 13:43:04 -0400
Subject: [PATCH] v3.1_issue_41: Modify CoRIM signing for RIM-Tool bugfix
---
 .../cbor/ietfCorim/CoRimBuilder.java | 10 +------
 .../utils/signature/cose/CoseSignature.java | 29 +++++++++++++++++++
 2 files changed, 30 insertions(+), 9 deletions(-)
diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java b/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java
index b0bd58063..6543bf319 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java
@@ -32,10 +32,8 @@ import com.fasterxml.jackson.databind.module.SimpleModule;
 import hirs.utils.crypto.DefaultCrypto;
-import hirs.utils.signature.SignatureHelper;
 import hirs.utils.signature.cose.CoseAlgorithm;
 import hirs.utils.signature.cose.CoseSignature;
-import hirs.utils.rim.unsignedRim.GenericRim;
 /**
  * Class containing the logic used to build out a CoRIM from user input.
@@ -128,14 +126,8 @@ public static byte[] createSignedCorim(final byte[] unsignedCorim, final String
 // Add payload
 coseSign1Items.add(new CBORByteArray(unsignedCorim));
 // Add signature
-// Create signature block (Sig_structure) and ToBeSigned
 try {
-// byte[] toBeSigned = new CoseSignature().createToBeSigned(cert,
-// unsignedCorim, protectedHeader);
-final byte[] toBeSigned = new CoseSignature().createToBeSigned(
-SignatureHelper.getCoseAlgFromCert(cert), SignatureHelper.getKidFromCert(cert),
-unsignedCorim, cert, false, false,
-GenericRim.RIMTYPE_CORIM_COMID); // need protectedHeader
+final byte[] toBeSigned = new CoseSignature().createToBeSigned(unsignedCorim, protectedHeader);
 final byte[] signature = cryptoProvider.sign(toBeSigned);
 coseSign1Items.add(new CBORByteArray(signature));
 } catch (final Exception e) {
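Review bot: The new `createToBeSigned(unsignedCorim, protectedHeader)` call drops the tie between the signing key and the COSE algorithm that the removed `SignatureHelper.getCoseAlgFromCert(cert)` argument used to supply, so nothing left in this block checks that the `alg` carried in protectedHeader is the algorithm cryptoProvider.sign(toBeSigned) actually applies. If the two diverge, the signature is computed over a Sig_structure whose protected header names a different algorithm, and a verifier that picks its algorithm from that header would presumably reject it; an explicit check before the sign call, or at least a comment recording the invariant (`// alg in protectedHeader must match the key/algorithm cryptoProvider signs with`), would make this visible where it matters. The throwaway `new CoseSignature()` instance also discards the builder state the overload records, which is fine if intended but worth a one-line comment. createSignedCorim starts before this hunk and protectedHeader is assigned outside it, so the check may belong where the header is built.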
diff --git a/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java b/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java
index 85fc64d7d..a50195157 100644
--- a/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java
+++ b/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java
@@ -147,6 +147,35 @@ public byte[] createToBeSigned(final int algId, final byte[] kid, final byte[] p
 return finalizeToBeSigned(payload, pHeader);
 }
 
+ /**
+ * Create toBeSigned using an already-constructed protected header.
+ * This ensures that all fields (including corim-meta, etc.)
+ * are preserved exactly as encoded.
+ * This method should be used for CoRIM signing where the protected header
+ * is constructed externally (e.g., via CoRimBuilder).
+ *
+ * @param payload the payload to sign
+ * @param protectedHeader the fully constructed COSE protected header
+ * @return the encoded Sig_structure
+ */
+ public byte[] createToBeSigned(final byte[] payload,
+ final COSEProtectedHeader protectedHeader) {
+ if (coseBuilder == null) {
+ coseBuilder = new COSESign1Builder();
+ }
+ CBORByteArray encodedPayload = new CBORByteArray(payload);
+ SigStructure structure = new SigStructureBuilder()
+ .signature1()
+ .bodyAttributes(protectedHeader)
+ .payload(encodedPayload)
+ .build();
+ this.toBeSigned = structure.encode();
+ coseBuilder.payload(encodedPayload);
+ coseBuilder.protectedHeader(protectedHeader);
+ this.payload = payload.clone();
+ return this.toBeSigned.clone();
+ }
+
 /**
 * Follows the "The steps for verifying a signature are" of section 4.4. of rfc9052 Signing
 * and Verification Process.
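Review bot: `this.payload = payload.clone();` runs after `new CBORByteArray(payload)` and `coseBuilder.payload(encodedPayload)`, so the builder keeps a reference to the caller's array while the field keeps a copy; a caller that modifies the array afterwards changes the COSE payload that gets emitted while the recorded field (and the already-encoded Sig_structure) stay as they were, and a null payload only fails at the clone after coseBuilder has been updated. Take the copy first and build everything from it: `this.payload = payload.clone();` followed by `CBORByteArray encodedPayload = new CBORByteArray(this.payload);`, and reject a null `payload` or `protectedHeader` before coseBuilder is touched. The Javadoc should also say that the call replaces the instance's payload, protected header and toBeSigned state and add `@throws NullPointerException if payload or protectedHeader is null`.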