nsacyber · iadgovuser59 · Apr 17, 2026 · Apr 15, 2026
diff --git a/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java b/HIRS_Utils/src/main/java/hirs/utils/rim/unsignedRim/cbor/ietfCorim/CoRimBuilder.java
@@ -32,10 +32,8 @@
 import com.fasterxml.jackson.databind.module.SimpleModule;
 
 import hirs.utils.crypto.DefaultCrypto;
-import hirs.utils.signature.SignatureHelper;
 import hirs.utils.signature.cose.CoseAlgorithm;
 import hirs.utils.signature.cose.CoseSignature;
-import hirs.utils.rim.unsignedRim.GenericRim;
 
 /**
  * Class containing the logic used to build out a CoRIM from user input.
@@ -128,14 +126,8 @@ public static byte[] createSignedCorim(final byte[] unsignedCorim, final String
         // Add payload
         coseSign1Items.add(new CBORByteArray(unsignedCorim));
         // Add signature
-        // Create signature block (Sig_structure) and ToBeSigned
         try {
-            // byte[] toBeSigned = new CoseSignature().createToBeSigned(cert,
-            // unsignedCorim, protectedHeader);
-            final byte[] toBeSigned = new CoseSignature().createToBeSigned(
-                    SignatureHelper.getCoseAlgFromCert(cert), SignatureHelper.getKidFromCert(cert),
-                    unsignedCorim, cert, false, false,
-                    GenericRim.RIMTYPE_CORIM_COMID); // need protectedHeader
+            final byte[] toBeSigned = new CoseSignature().createToBeSigned(unsignedCorim, protectedHeader);
             final byte[] signature = cryptoProvider.sign(toBeSigned);
             coseSign1Items.add(new CBORByteArray(signature));
         } catch (final Exception e) {

diff --git a/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java b/HIRS_Utils/src/main/java/hirs/utils/signature/cose/CoseSignature.java
@@ -147,6 +147,35 @@ public byte[] createToBeSigned(final int algId, final byte[] kid, final byte[] p
         return finalizeToBeSigned(payload, pHeader);
     }
 
+    /**
+     * Create toBeSigned using an already-constructed protected header.
+     * This ensures that all fields (including corim-meta, etc.)
+     * are preserved exactly as encoded.
+     * This method should be used for CoRIM signing where the protected header
+     * is constructed externally (e.g., via CoRimBuilder).
+     *
+     * @param payload the payload to sign
+     * @param protectedHeader the fully constructed COSE protected header
+     * @return the encoded Sig_structure
+     */
+    public byte[] createToBeSigned(final byte[] payload,
+                                   final COSEProtectedHeader protectedHeader) {
+        if (coseBuilder == null) {
+            coseBuilder = new COSESign1Builder();
+        }
+        CBORByteArray encodedPayload = new CBORByteArray(payload);
+        SigStructure structure = new SigStructureBuilder()
+                .signature1()
+                .bodyAttributes(protectedHeader)
+                .payload(encodedPayload)
+                .build();
+        this.toBeSigned = structure.encode();
+        coseBuilder.payload(encodedPayload);
+        coseBuilder.protectedHeader(protectedHeader);
+        this.payload = payload.clone();
+        return this.toBeSigned.clone();
+    }
+
     /**
      * Follows the "The steps for verifying a signature are" of section 4.4. of rfc9052 Signing
      * and Verification Process.