1 files changed, 14 insertions, 20 deletions

diff --git a/security/keymint/support/remote_prov_utils.cpp b/security/keymint/support/remote_prov_utils.cpp
index da10eb258d..33f1ed3353 100644
--- a/security/keymint/support/remote_prov_utils.cpp
+++ b/security/keymint/support/remote_prov_utils.cpp
@@ -78,7 +78,7 @@ ErrMsgOr<EekChain> generateEekChain(size_t length, const bytevec& eekId) {
     return EekChain{eekChain.encode(), pub_key, priv_key};
 }
 
-ErrMsgOr<bytevec> verifyAndParseCoseSign1Cwt(bool ignoreSignature, const cppbor::Array* coseSign1,
+ErrMsgOr<bytevec> verifyAndParseCoseSign1Cwt(const cppbor::Array* coseSign1,
                                              const bytevec& signingCoseKey, const bytevec& aad) {
     if (!coseSign1 || coseSign1->size() != kCoseSign1EntryCount) {
         return "Invalid COSE_Sign1";
@@ -115,27 +115,22 @@ ErrMsgOr<bytevec> verifyAndParseCoseSign1Cwt(bool ignoreSignature, const cppbor:
     auto serializedKey = parsedPayload->asMap()->get(-4670552)->clone();
     if (!serializedKey || !serializedKey->asBstr()) return "Could not find key entry";
 
-    if (!ignoreSignature) {
-        bool selfSigned = signingCoseKey.empty();
-        auto key = CoseKey::parseEd25519(selfSigned ? serializedKey->asBstr()->value()
-                                                    : signingCoseKey);
-        if (!key) return "Bad signing key: " + key.moveMessage();
-
-        bytevec signatureInput = cppbor::Array()
-                                         .add("Signature1")
-                                         .add(*protectedParams)
-                                         .add(aad)
-                                         .add(*payload)
-                                         .encode();
-
-        if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(),
-                            key->getBstrValue(CoseKey::PUBKEY_X)->data())) {
-            return "Signature verification failed";
-        }
+    bool selfSigned = signingCoseKey.empty();
+    auto key =
+            CoseKey::parseEd25519(selfSigned ? serializedKey->asBstr()->value() : signingCoseKey);
+    if (!key) return "Bad signing key: " + key.moveMessage();
+
+    bytevec signatureInput =
+            cppbor::Array().add("Signature1").add(*protectedParams).add(aad).add(*payload).encode();
+
+    if (!ED25519_verify(signatureInput.data(), signatureInput.size(), signature->value().data(),
+                        key->getBstrValue(CoseKey::PUBKEY_X)->data())) {
+        return "Signature verification failed";
     }
 
     return serializedKey->asBstr()->value();
 }
+
 ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
     if (!bcc || bcc->size() == 0) return "Invalid BCC";
 
@@ -148,8 +143,7 @@ ErrMsgOr<std::vector<BccEntryData>> validateBcc(const cppbor::Array* bcc) {
         if (!entry || entry->size() != kCoseSign1EntryCount) {
             return "Invalid BCC entry " + std::to_string(i) + ": " + prettyPrint(entry);
         }
-        auto payload = verifyAndParseCoseSign1Cwt(false /* ignoreSignature */, entry,
-                                                  std::move(prevKey), bytevec{} /* AAD */);
+        auto payload = verifyAndParseCoseSign1Cwt(entry, std::move(prevKey), bytevec{} /* AAD */);
         if (!payload) {
             return "Failed to verify entry " + std::to_string(i) + ": " + payload.moveMessage();
         }