Porting IRPC functionality.

This is the change that removes the functionality that has been shifted
over to appropriate classes and contexts in system/keymaster.

Test: atest VtsHalRemotelyProvisionedComponentTargetTest
Change-Id: I491f4ef823868322ea6a804d88ca09662c099a44
diff --git a/security/keymint/aidl/default/Android.bp b/security/keymint/aidl/default/Android.bp
index ebdc9b7..1187717 100644
--- a/security/keymint/aidl/default/Android.bp
+++ b/security/keymint/aidl/default/Android.bp
@@ -62,7 +62,7 @@
         "android.hardware.security.keymint-V1-ndk_platform",
         "libbinder_ndk",
         "libcppbor_external",
-        "libcppcose",
+        "libcppcose_rkp",
         "libcrypto",
         "libkeymaster_portable",
         "libkeymint",
diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
index 5b02729..6007663 100644
--- a/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
+++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.cpp
@@ -23,7 +23,7 @@
 #include <cppbor_parse.h>
 
 #include <KeyMintUtils.h>
-#include <cppcose/cppcose.h>
+#include <keymaster/cppcose/cppcose.h>
 #include <keymaster/keymaster_configuration.h>
 #include <remote_prov/remote_prov_utils.h>
 
@@ -46,18 +46,8 @@
 
 namespace {
 
-// Hard-coded set of acceptable public keys that can act as roots of EEK chains.
-inline const vector<bytevec> kAuthorizedEekRoots = {
-        // TODO(drysdale): replace this random value with real root pubkey(s).
-        {0x5c, 0xea, 0x4b, 0xd2, 0x31, 0x27, 0x15, 0x5e, 0x62, 0x94, 0x70,
-         0x53, 0x94, 0x43, 0x0f, 0x9a, 0x89, 0xd5, 0xc5, 0x0f, 0x82, 0x9b,
-         0xcd, 0x10, 0xe0, 0x79, 0xef, 0xf3, 0xfa, 0x40, 0xeb, 0x0a},
-};
-
 constexpr auto STATUS_FAILED = RemotelyProvisionedComponent::STATUS_FAILED;
-constexpr auto STATUS_INVALID_EEK = RemotelyProvisionedComponent::STATUS_INVALID_EEK;
-constexpr auto STATUS_INVALID_MAC = RemotelyProvisionedComponent::STATUS_INVALID_MAC;
-constexpr uint32_t kAffinePointLength = 32;
+
 struct AStatusDeleter {
     void operator()(AStatus* p) { AStatus_delete(p); }
 };
@@ -125,167 +115,10 @@
     std::optional<T> value_;
 };
 
-StatusOr<std::pair<bytevec /* EEK pub */, bytevec /* EEK ID */>> validateAndExtractEekPubAndId(
-        bool testMode, const bytevec& endpointEncryptionCertChain) {
-    auto [item, newPos, errMsg] = cppbor::parse(endpointEncryptionCertChain);
-
-    if (!item || !item->asArray()) {
-        return Status("Error parsing EEK chain" + errMsg);
-    }
-
-    const cppbor::Array* certArr = item->asArray();
-    bytevec lastPubKey;
-    for (int i = 0; i < certArr->size(); ++i) {
-        auto cosePubKey = verifyAndParseCoseSign1(testMode, certArr->get(i)->asArray(),
-                                                  std::move(lastPubKey), bytevec{} /* AAD */);
-        if (!cosePubKey) {
-            return Status(STATUS_INVALID_EEK,
-                          "Failed to validate EEK chain: " + cosePubKey.moveMessage());
-        }
-        lastPubKey = *std::move(cosePubKey);
-
-        // In prod mode the first pubkey should match a well-known Google public key.
-        if (!testMode && i == 0 &&
-            std::find(kAuthorizedEekRoots.begin(), kAuthorizedEekRoots.end(), lastPubKey) ==
-                    kAuthorizedEekRoots.end()) {
-            return Status(STATUS_INVALID_EEK, "Unrecognized root of EEK chain");
-        }
-    }
-
-    auto eek = CoseKey::parseX25519(lastPubKey, true /* requireKid */);
-    if (!eek) return Status(STATUS_INVALID_EEK, "Failed to get EEK: " + eek.moveMessage());
-
-    return std::make_pair(eek->getBstrValue(CoseKey::PUBKEY_X).value(),
-                          eek->getBstrValue(CoseKey::KEY_ID).value());
-}
-
-StatusOr<bytevec /* pubkeys */> validateAndExtractPubkeys(bool testMode,
-                                                          const vector<MacedPublicKey>& keysToSign,
-                                                          const bytevec& macKey) {
-    auto pubKeysToMac = cppbor::Array();
-    for (auto& keyToSign : keysToSign) {
-        auto [macedKeyItem, _, coseMacErrMsg] = cppbor::parse(keyToSign.macedKey);
-        if (!macedKeyItem || !macedKeyItem->asArray() ||
-            macedKeyItem->asArray()->size() != kCoseMac0EntryCount) {
-            return Status("Invalid COSE_Mac0 structure");
-        }
-
-        auto protectedParms = macedKeyItem->asArray()->get(kCoseMac0ProtectedParams)->asBstr();
-        auto unprotectedParms = macedKeyItem->asArray()->get(kCoseMac0UnprotectedParams)->asMap();
-        auto payload = macedKeyItem->asArray()->get(kCoseMac0Payload)->asBstr();
-        auto tag = macedKeyItem->asArray()->get(kCoseMac0Tag)->asBstr();
-        if (!protectedParms || !unprotectedParms || !payload || !tag) {
-            return Status("Invalid COSE_Mac0 contents");
-        }
-
-        auto [protectedMap, __, errMsg] = cppbor::parse(protectedParms);
-        if (!protectedMap || !protectedMap->asMap()) {
-            return Status("Invalid Mac0 protected: " + errMsg);
-        }
-        auto& algo = protectedMap->asMap()->get(ALGORITHM);
-        if (!algo || !algo->asInt() || algo->asInt()->value() != HMAC_256) {
-            return Status("Unsupported Mac0 algorithm");
-        }
-
-        auto pubKey = CoseKey::parse(payload->value(), EC2, ES256, P256);
-        if (!pubKey) return Status(pubKey.moveMessage());
-
-        bool testKey = static_cast<bool>(pubKey->getMap().get(CoseKey::TEST_KEY));
-        if (testMode && !testKey) {
-            return Status(BnRemotelyProvisionedComponent::STATUS_PRODUCTION_KEY_IN_TEST_REQUEST,
-                          "Production key in test request");
-        } else if (!testMode && testKey) {
-            return Status(BnRemotelyProvisionedComponent::STATUS_TEST_KEY_IN_PRODUCTION_REQUEST,
-                          "Test key in production request");
-        }
-
-        auto macTag = generateCoseMac0Mac(macKey, {} /* external_aad */, payload->value());
-        if (!macTag) return Status(STATUS_INVALID_MAC, macTag.moveMessage());
-        if (macTag->size() != tag->value().size() ||
-            CRYPTO_memcmp(macTag->data(), tag->value().data(), macTag->size()) != 0) {
-            return Status(STATUS_INVALID_MAC, "MAC tag mismatch");
-        }
-
-        pubKeysToMac.add(pubKey->moveMap());
-    }
-
-    return pubKeysToMac.encode();
-}
-
-StatusOr<std::pair<bytevec, bytevec>> buildCosePublicKeyFromKmCert(
-        const keymaster_blob_t* km_cert) {
-    if (km_cert == nullptr) {
-        return Status(STATUS_FAILED, "km_cert is a nullptr");
-    }
-    const uint8_t* temp = km_cert->data;
-    X509* cert = d2i_X509(NULL, &temp, km_cert->data_length);
-    if (cert == nullptr) {
-        return Status(STATUS_FAILED, "d2i_X509 returned null when attempting to get the cert.");
-    }
-    EVP_PKEY* pubKey = X509_get_pubkey(cert);
-    if (pubKey == nullptr) {
-        return Status(STATUS_FAILED, "Boringssl failed to get the public key from the cert");
-    }
-    EC_KEY* ecKey = EVP_PKEY_get0_EC_KEY(pubKey);
-    if (ecKey == nullptr) {
-        return Status(STATUS_FAILED,
-                      "The key in the certificate returned from GenerateKey is not "
-                      "an EC key.");
-    }
-    const EC_POINT* jacobian_coords = EC_KEY_get0_public_key(ecKey);
-    BIGNUM x;
-    BIGNUM y;
-    BN_CTX* ctx = BN_CTX_new();
-    if (ctx == nullptr) {
-        return Status(STATUS_FAILED, "Memory allocation failure for BN_CTX");
-    }
-    if (!EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(ecKey), jacobian_coords, &x, &y,
-                                             ctx)) {
-        return Status(STATUS_FAILED, "Failed to get affine coordinates");
-    }
-    bytevec x_bytestring(kAffinePointLength);
-    bytevec y_bytestring(kAffinePointLength);
-    if (BN_bn2binpad(&x, x_bytestring.data(), kAffinePointLength) != kAffinePointLength) {
-        return Status(STATUS_FAILED, "Wrote incorrect number of bytes for x coordinate");
-    }
-    if (BN_bn2binpad(&y, y_bytestring.data(), kAffinePointLength) != kAffinePointLength) {
-        return Status(STATUS_FAILED, "Wrote incorrect number of bytes for y coordinate");
-    }
-    BN_CTX_free(ctx);
-    return std::make_pair(x_bytestring, y_bytestring);
-}
-
-cppbor::Array buildCertReqRecipients(const bytevec& pubkey, const bytevec& kid) {
-    return cppbor::Array()                   // Array of recipients
-            .add(cppbor::Array()             // Recipient
-                         .add(cppbor::Map()  // Protected
-                                      .add(ALGORITHM, ECDH_ES_HKDF_256)
-                                      .canonicalize()
-                                      .encode())
-                         .add(cppbor::Map()  // Unprotected
-                                      .add(COSE_KEY, cppbor::Map()
-                                                             .add(CoseKey::KEY_TYPE, OCTET_KEY_PAIR)
-                                                             .add(CoseKey::CURVE, cppcose::X25519)
-                                                             .add(CoseKey::PUBKEY_X, pubkey)
-                                                             .canonicalize())
-                                      .add(KEY_ID, kid)
-                                      .canonicalize())
-                         .add(cppbor::Null()));  // No ciphertext
-}
-
-static keymaster_key_param_t kKeyMintEcdsaP256Params[] = {
-        Authorization(TAG_PURPOSE, KM_PURPOSE_ATTEST_KEY),
-        Authorization(TAG_ALGORITHM, KM_ALGORITHM_EC), Authorization(TAG_KEY_SIZE, 256),
-        Authorization(TAG_DIGEST, KM_DIGEST_SHA_2_256),
-        Authorization(TAG_EC_CURVE, KM_EC_CURVE_P_256), Authorization(TAG_NO_AUTH_REQUIRED),
-        // The certificate generated by KM will be discarded, these values don't matter.
-        Authorization(TAG_CERTIFICATE_NOT_BEFORE, 0), Authorization(TAG_CERTIFICATE_NOT_AFTER, 0)};
-
 }  // namespace
 
 RemotelyProvisionedComponent::RemotelyProvisionedComponent(
         std::shared_ptr<keymint::AndroidKeyMintDevice> keymint) {
-    std::tie(devicePrivKey_, bcc_) = generateBcc();
     impl_ = keymint->getKeymasterImpl();
 }
 
@@ -294,43 +127,15 @@
 ScopedAStatus RemotelyProvisionedComponent::generateEcdsaP256KeyPair(bool testMode,
                                                                      MacedPublicKey* macedPublicKey,
                                                                      bytevec* privateKeyHandle) {
-    // TODO(jbires): The following should move from ->GenerateKey to ->GenerateRKPKey and everything
-    //              after the GenerateKey call should basically be moved into that new function call
-    //              as well once the issue with libcppbor in system/keymaster is sorted out
-    GenerateKeyRequest request(impl_->message_version());
-    request.key_description.Reinitialize(kKeyMintEcdsaP256Params,
-                                         array_length(kKeyMintEcdsaP256Params));
-    GenerateKeyResponse response(impl_->message_version());
-    impl_->GenerateKey(request, &response);
+    GenerateRkpKeyRequest request(impl_->message_version());
+    request.test_mode = testMode;
+    GenerateRkpKeyResponse response(impl_->message_version());
+    impl_->GenerateRkpKey(request, &response);
     if (response.error != KM_ERROR_OK) {
-        return km_utils::kmError2ScopedAStatus(response.error);
+        return Status(-static_cast<int32_t>(response.error), "Failure in key generation.");
     }
 
-    if (response.certificate_chain.entry_count != 1) {
-        // Error: Need the single non-signed certificate with the public key in it.
-        return Status(STATUS_FAILED,
-                      "Expected to receive a single certificate from GenerateKey. Instead got: " +
-                              std::to_string(response.certificate_chain.entry_count));
-    }
-    auto affineCoords = buildCosePublicKeyFromKmCert(response.certificate_chain.begin());
-    if (!affineCoords.isOk()) return affineCoords.moveError();
-    cppbor::Map cosePublicKeyMap = cppbor::Map()
-                                           .add(CoseKey::KEY_TYPE, EC2)
-                                           .add(CoseKey::ALGORITHM, ES256)
-                                           .add(CoseKey::CURVE, cppcose::P256)
-                                           .add(CoseKey::PUBKEY_X, affineCoords->first)
-                                           .add(CoseKey::PUBKEY_Y, affineCoords->second);
-    if (testMode) {
-        cosePublicKeyMap.add(CoseKey::TEST_KEY, cppbor::Null());
-    }
-
-    bytevec cosePublicKey = cosePublicKeyMap.canonicalize().encode();
-
-    auto macedKey = constructCoseMac0(testMode ? remote_prov::kTestMacKey : macKey_,
-                                      {} /* externalAad */, cosePublicKey);
-    if (!macedKey) return Status(macedKey.moveMessage());
-
-    macedPublicKey->macedKey = macedKey->encode();
+    macedPublicKey->macedKey = km_utils::kmBlob2vector(response.maced_public_key);
     *privateKeyHandle = km_utils::kmBlob2vector(response.key_blob);
     return ScopedAStatus::ok();
 }
@@ -339,126 +144,25 @@
         bool testMode, const vector<MacedPublicKey>& keysToSign,
         const bytevec& endpointEncCertChain, const bytevec& challenge, DeviceInfo* deviceInfo,
         ProtectedData* protectedData, bytevec* keysToSignMac) {
-    auto pubKeysToSign = validateAndExtractPubkeys(testMode, keysToSign,
-                                                   testMode ? remote_prov::kTestMacKey : macKey_);
-    if (!pubKeysToSign.isOk()) return pubKeysToSign.moveError();
-
-    bytevec ephemeralMacKey = remote_prov::randomBytes(SHA256_DIGEST_LENGTH);
-
-    auto pubKeysToSignMac = generateCoseMac0Mac(ephemeralMacKey, bytevec{}, *pubKeysToSign);
-    if (!pubKeysToSignMac) return Status(pubKeysToSignMac.moveMessage());
-    *keysToSignMac = *std::move(pubKeysToSignMac);
-
-    bytevec devicePrivKey;
-    cppbor::Array bcc;
-    if (testMode) {
-        std::tie(devicePrivKey, bcc) = generateBcc();
-    } else {
-        devicePrivKey = devicePrivKey_;
-        bcc = bcc_.clone();
+    GenerateCsrRequest request(impl_->message_version());
+    request.test_mode = testMode;
+    request.num_keys = keysToSign.size();
+    request.keys_to_sign_array = new KeymasterBlob[keysToSign.size()];
+    for (int i = 0; i < keysToSign.size(); i++) {
+        request.SetKeyToSign(i, keysToSign[i].macedKey.data(), keysToSign[i].macedKey.size());
     }
+    request.SetEndpointEncCertChain(endpointEncCertChain.data(), endpointEncCertChain.size());
+    request.SetChallenge(challenge.data(), challenge.size());
+    GenerateCsrResponse response(impl_->message_version());
+    impl_->GenerateCsr(request, &response);
 
-    std::unique_ptr<cppbor::Map> deviceInfoMap = createDeviceInfo();
-    deviceInfo->deviceInfo = deviceInfoMap->encode();
-    auto signedMac = constructCoseSign1(devicePrivKey /* Signing key */,  //
-                                        ephemeralMacKey /* Payload */,
-                                        cppbor::Array() /* AAD */
-                                                .add(challenge)
-                                                .add(std::move(deviceInfoMap))
-                                                .encode());
-    if (!signedMac) return Status(signedMac.moveMessage());
-
-    bytevec ephemeralPrivKey(X25519_PRIVATE_KEY_LEN);
-    bytevec ephemeralPubKey(X25519_PUBLIC_VALUE_LEN);
-    X25519_keypair(ephemeralPubKey.data(), ephemeralPrivKey.data());
-
-    auto eek = validateAndExtractEekPubAndId(testMode, endpointEncCertChain);
-    if (!eek.isOk()) return eek.moveError();
-
-    auto sessionKey = x25519_HKDF_DeriveKey(ephemeralPubKey, ephemeralPrivKey, eek->first,
-                                            true /* senderIsA */);
-    if (!sessionKey) return Status(sessionKey.moveMessage());
-
-    auto coseEncrypted =
-            constructCoseEncrypt(*sessionKey, remote_prov::randomBytes(kAesGcmNonceLength),
-                                 cppbor::Array()  // payload
-                                         .add(signedMac.moveValue())
-                                         .add(std::move(bcc))
-                                         .encode(),
-                                 {},  // aad
-                                 buildCertReqRecipients(ephemeralPubKey, eek->second));
-
-    if (!coseEncrypted) return Status(coseEncrypted.moveMessage());
-    protectedData->protectedData = coseEncrypted->encode();
-
+    if (response.error != KM_ERROR_OK) {
+        return Status(-static_cast<int32_t>(response.error), "Failure in CSR Generation.");
+    }
+    deviceInfo->deviceInfo = km_utils::kmBlob2vector(response.device_info_blob);
+    protectedData->protectedData = km_utils::kmBlob2vector(response.protected_data_blob);
+    *keysToSignMac = km_utils::kmBlob2vector(response.keys_to_sign_mac);
     return ScopedAStatus::ok();
 }
 
-bytevec RemotelyProvisionedComponent::deriveBytesFromHbk(const string& context,
-                                                         size_t numBytes) const {
-    bytevec fakeHbk(32, 0);
-    bytevec result(numBytes);
-
-    // TODO(swillden): Figure out if HKDF can fail.  It doesn't seem like it should be able to,
-    // but the function does return an error code.
-    HKDF(result.data(), numBytes,               //
-         EVP_sha256(),                          //
-         fakeHbk.data(), fakeHbk.size(),        //
-         nullptr /* salt */, 0 /* salt len */,  //
-         reinterpret_cast<const uint8_t*>(context.data()), context.size());
-
-    return result;
-}
-
-std::unique_ptr<cppbor::Map> RemotelyProvisionedComponent::createDeviceInfo() const {
-    auto result = std::make_unique<cppbor::Map>(cppbor::Map());
-
-    // The following placeholders show how the DeviceInfo map would be populated.
-    // result->add(cppbor::Tstr("brand"), cppbor::Tstr("Google"));
-    // result->add(cppbor::Tstr("manufacturer"), cppbor::Tstr("Google"));
-    // result->add(cppbor::Tstr("product"), cppbor::Tstr("Fake"));
-    // result->add(cppbor::Tstr("model"), cppbor::Tstr("Imaginary"));
-    // result->add(cppbor::Tstr("board"), cppbor::Tstr("Chess"));
-    // result->add(cppbor::Tstr("vb_state"), cppbor::Tstr("orange"));
-    // result->add(cppbor::Tstr("bootloader_state"), cppbor::Tstr("unlocked"));
-    // result->add(cppbor::Tstr("os_version"), cppbor::Tstr("SC"));
-    // result->add(cppbor::Tstr("system_patch_level"), cppbor::Uint(20210331));
-    // result->add(cppbor::Tstr("boot_patch_level"), cppbor::Uint(20210331));
-    // result->add(cppbor::Tstr("vendor_patch_level"), cppbor::Uint(20210331));
-
-    result->canonicalize();
-    return result;
-}
-
-std::pair<bytevec /* privKey */, cppbor::Array /* BCC */>
-RemotelyProvisionedComponent::generateBcc() {
-    bytevec privKey(ED25519_PRIVATE_KEY_LEN);
-    bytevec pubKey(ED25519_PUBLIC_KEY_LEN);
-
-    ED25519_keypair(pubKey.data(), privKey.data());
-
-    auto coseKey = cppbor::Map()
-                           .add(CoseKey::KEY_TYPE, OCTET_KEY_PAIR)
-                           .add(CoseKey::ALGORITHM, EDDSA)
-                           .add(CoseKey::CURVE, ED25519)
-                           .add(CoseKey::KEY_OPS, VERIFY)
-                           .add(CoseKey::PUBKEY_X, pubKey)
-                           .canonicalize()
-                           .encode();
-    auto sign1Payload = cppbor::Map()
-                                .add(1 /* Issuer */, "Issuer")
-                                .add(2 /* Subject */, "Subject")
-                                .add(-4670552 /* Subject Pub Key */, coseKey)
-                                .add(-4670553 /* Key Usage (little-endian order) */,
-                                     std::vector<uint8_t>{0x20} /* keyCertSign = 1<<5 */)
-                                .canonicalize()
-                                .encode();
-    auto coseSign1 = constructCoseSign1(privKey,       /* signing key */
-                                        cppbor::Map(), /* extra protected */
-                                        sign1Payload, {} /* AAD */);
-    assert(coseSign1);
-
-    return {privKey, cppbor::Array().add(coseKey).add(coseSign1.moveValue())};
-}
-
 }  // namespace aidl::android::hardware::security::keymint
diff --git a/security/keymint/aidl/default/RemotelyProvisionedComponent.h b/security/keymint/aidl/default/RemotelyProvisionedComponent.h
index 8185e26..4b012bc 100644
--- a/security/keymint/aidl/default/RemotelyProvisionedComponent.h
+++ b/security/keymint/aidl/default/RemotelyProvisionedComponent.h
@@ -43,14 +43,6 @@
                                              std::vector<uint8_t>* keysToSignMac) override;
 
   private:
-    // TODO(swillden): Move these into an appropriate Context class.
-    std::vector<uint8_t> deriveBytesFromHbk(const std::string& context, size_t numBytes) const;
-    std::unique_ptr<cppbor::Map> createDeviceInfo() const;
-    std::pair<std::vector<uint8_t>, cppbor::Array> generateBcc();
-
-    std::vector<uint8_t> macKey_ = deriveBytesFromHbk("Key to MAC public keys", 32);
-    std::vector<uint8_t> devicePrivKey_;
-    cppbor::Array bcc_;
     std::shared_ptr<::keymaster::AndroidKeymaster> impl_;
 };
 
diff --git a/security/keymint/aidl/vts/functional/Android.bp b/security/keymint/aidl/vts/functional/Android.bp
index 6c7309e..d969dfe 100644
--- a/security/keymint/aidl/vts/functional/Android.bp
+++ b/security/keymint/aidl/vts/functional/Android.bp
@@ -43,7 +43,7 @@
         "android.hardware.security.keymint-V1-ndk_platform",
         "android.hardware.security.secureclock-V1-ndk_platform",
         "libcppbor_external",
-        "libcppcose",
+        "libcppcose_rkp",
         "libkeymint_remote_prov_support",
         "libkeymint_vts_test_utils",
     ],
@@ -75,7 +75,7 @@
         "android.hardware.security.keymint-V1-ndk_platform",
         "android.hardware.security.secureclock-V1-ndk_platform",
         "libcppbor_external",
-        "libcppcose",
+        "libcppcose_rkp",
         "libgmock_ndk",
         "libkeymint_remote_prov_support",
     ],
@@ -92,20 +92,20 @@
     ],
     shared_libs: [
         "libbinder_ndk",
-        "libcppbor_external",
         "libcrypto",
-        "libkeymaster_portable",
-        "libpuresoftkeymasterdevice",
     ],
     static_libs: [
         "android.hardware.security.keymint-V1-ndk_platform",
         "android.hardware.security.secureclock-V1-ndk_platform",
-        "libcppcose",
+        "libcppbor_external",
+        "libcppcose_rkp",
         "libgmock_ndk",
+        "libkeymaster_portable",
         "libkeymint",
         "libkeymint_support",
         "libkeymint_remote_prov_support",
         "libkeymint_vts_test_utils",
+        "libpuresoftkeymasterdevice",
         "libremote_provisioner",
     ],
     test_suites: [
diff --git a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
index 3da0484..0dcc961 100644
--- a/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
+++ b/security/keymint/aidl/vts/functional/KeyMintAidlTestBase.cpp
@@ -23,12 +23,12 @@
 #include <android-base/logging.h>
 #include <android/binder_manager.h>
 #include <cppbor_parse.h>
-#include <cppcose/cppcose.h>
 #include <cutils/properties.h>
 #include <gmock/gmock.h>
 #include <openssl/mem.h>
 #include <remote_prov/remote_prov_utils.h>
 
+#include <keymaster/cppcose/cppcose.h>
 #include <keymint_support/attestation_record.h>
 #include <keymint_support/key_param_output.h>
 #include <keymint_support/keymint_utils.h>
diff --git a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
index 9e52b20..6443015 100644
--- a/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
+++ b/security/keymint/aidl/vts/functional/VtsRemotelyProvisionedComponentTests.cpp
@@ -21,8 +21,8 @@
 #include <aidl/android/hardware/security/keymint/SecurityLevel.h>
 #include <android/binder_manager.h>
 #include <cppbor_parse.h>
-#include <cppcose/cppcose.h>
 #include <gmock/gmock.h>
+#include <keymaster/cppcose/cppcose.h>
 #include <keymaster/keymaster_configuration.h>
 #include <keymint_support/authorization_set.h>
 #include <openssl/ec.h>